In-flight entertainment hack: Panasonic rejects cybersecurity report
This product image provided by Virgin America Airlines shows a demonstration of the airline's in-flight on demand food and drink ordering system. (Virgin America via AP)
Published Tuesday, December 20, 2016 1:55PM EST
Last Updated Tuesday, December 20, 2016 2:32PM EST
Panasonic is denouncing a report from a cybersecurity firm, which claims that the company's widely-used in-flight entertainment system is vulnerable to hacking.
IOActive says the alleged vulnerability was accessible through a hidden button in Panasonic's seatback touchscreens, which a hacker, using publicly-available firmware files, could have exploited to hijack the passenger-facing systems on an aircraft. It might also have been possible to take control of more vital systems on certain aircraft, IOActive said.
However, Panasonic has rejected IOActive's allegations, saying they are "inaccurate and misleading." The company says IOActive mixed hypothetical vulnerabilities with specifics about Panasonic's systems to come up with its results.
IOActive says it felt a responsibility to reveal the allegations on Thursday, after informing Panasonic over the possible vulnerability in 2015. "We believe that in such a heterogeneous environment, with dozens of airlines involved and hundreds of versions of the software available, it’s difficult to say whether these issues have been completely resolved," IOActive said in a news release.
Ruben Santamarta, IOActive's principal security consultant, says the following airlines were vulnerable to the problem:
- Air France
- Aerolineas Argentias
- United Airlines
- Virgin Airlines
- Singapore Airlines
- Iberia Airlines
- Etihad Airways
- Qatar Airways
- American Airlines
- Scandinavian Airlines
Santamarta discovered the vulnerability by "touching this and that" on his screen during a flight in 2012. He eventually found Panasonic's debug screen, which allows developers to engage with the system's underlying code.
"After initial analysis, we do not believe these systems can resist solid attacks from skilled malicious actors," Santamarta wrote in a lengthy blog post about the vulnerability. He says a hack on most planes would likely be confined to passenger-related systems. An attacker would be able to spoof the passengers’ flight tracker screens, or compromise the crew app used to control the lighting, seats and public address system. It would also be possible, in some cases, to steal credit card information from frequent flyers.
"If all of these attacks are chained a malicious actor could at least create a confusing and disconcerting situation for passengers," Santamarta said.
However, it might also be possible to cross the "red line" to access the crew controls in certain aircraft configurations.
In-flight Wi-Fi is not vulnerable to the hack, he said.
Santamarta added that airlines should shoulder some of the responsibility for this kind of security hole.
"The responsibility for security does not solely rest with an (in-flight entertainment) manufacturer, an aircraft manufacturer, or the fleet operator," he said. "Each plays an important role in assuring a secure environment."
Panasonic Avionics slammed the IOActive report in a statement on Tuesday. "IOActive has chosen to make highly misleading and inflammatory statements suggesting that hackers could 'theoretically' gain access to flight controls by hacking into Panasonic's (in-flight entertainment) systems." The company says IOActive's tests were unauthorized and that its results were unfounded.
Panasonic added that the suggestion that one could use the exploit to steal credit card information "is simply not true."
Panasonic says it continually tests the robustness of its systems, and that it complies with or exceeds all regulatory requirements, which include regular third-party tests.
It also suggested there should be legal consequences for those who tamper with in-flight systems.