A security flaw in the Panasonic Avionics in-flight entertainment system could enable hackers to take control of a plane when it is in the air, according to researchers at IO Active.
The system, which is used by 13 major airlines including the likes of Emirates, Virgin and Qatar, contains a hole through which hackers could access the plane’s controls, disrupting the flight and potentially putting passenger’s safety and information at risk.
Ruben Santamarta, principal security consultant at IOActive, discovered the problem and was able to control the cabin lighting, access the announcement system and “hijack” in-flight displays to change information such as altitude and location. He also managed to access the credit card details of frequent fliers and believes it would be possible to access the aircraft’s controls.
“Chained together this could be an unsettling experience for passengers,” Santamarta said. “I don’t believe these systems can resist solid attacks from skilled malicious actors,” he said. “This only depends on the attacker’s determination and intentions, from a technical perspective it’s totally feasible.”
Santamarta warned that airlines should be “incredibly vigilant” when it comes to the segregation of in-flight systems, as this will significantly impact the amount of damage a hacker could inflict.
Panasonic has reportedly known about the vulnerabilities for some time and Emirates has assured that it regularly works with Panasonic to update its systems, saying: “The safety of our passengers and crew on board is a priority and will not be compromised.”
This isn’t the first time hackers have targeted airlines and last year the US Government Accountability Office warned that in-flight Wi-Fi could be used by terrorists or other hackers to take control of an aircraft’s avionic systems.
And it’s looking like security is set to become even more complicated for airlines. This year alone we’ve seen Lufthansa start offering in-flight Wi-Fi on its short and medium-haul routes, iPass Wi-Fi hotspots become available on 2,700 aircraft and British Airways sign a new deal with satellite broadband operator Gogo.
UPDATE: Panasonic has issued a statement accusing IOActive of making “misleading and inflammatory statements” and “unfounded, unproven conclusions.”
The company strongly denies many of the findings made by Santamarta, saying: “The conclusions suggested by IOActive to the press are not based on any actual findings or facts. The implied potential impacts should be interpreted as theoretical at best, sensationalising at worst, and absolutely not justified by any hypothetical vulnerability findings discovered by IOActive.
“IOActive, in statements to the press, inappropriately mixed a discussion of hypothetical vulnerabilities inherent to all aircraft electronics systems with specific findings regarding Panasonic’s systems, creating a highly misleading impression that Panasonic’s systems have been found to be a source of insecurity to aircraft operation.”
Think you know about hacking and viruses? Take our quiz and find out!
A new low. International Committee of the Red Cross shuts down reunification system, after hackers…