IOActive revealed news that there are cyber security vulnerabilities in Panasonic Avionics In-Flight Entertainment (IFE) systems.
These Panasonic systems are known to be used by a number of major airlines, including Emirates, United, Virgin and American.
The vulnerability was discovered by Ruben Santamarta, principal security consultant at IOActive, and the discovery suggested that hackers could ‘hijack’ passengers’ in-flight displays and, in some instances, potentially access their credit card information.
The research revealed it would also theoretically be possible that such a vulnerability could present an entry point to the wider network, depending on system configurations on the airplane.
According to Santamarta, once an IFE system vulnerabilities have been exploited, the hacker could gain control of what passengers see and hear from their in-flight screen.
Vulnerabilities in on-board components can also create potential entry points to more important functional systems and therefore the risks are much higher.
This new research together with Santamarta’s previously published work on Satellite Communications (SATCOM) terminals clearly demonstrates that aircraft systems are vulnerable to being hacked. Aircraft’s data networks are divided into four domains, depending on the kind of data they process: passenger entertainment, passenger owned devices, airline information services, and finally aircraft control.
Physical control systems are usually located in the Aircraft Control domain, which should be physically isolated from the passenger domains; however, this doesn’t always happen. This means that as long as there is a physical path that connects both domains, there is potential for attack.
The rising number of connected systems is allowing hackers additional routes into networks and why this exploit is not limited to planes.
In recent research it was demonstrated that most IoT devices can be hacked in less than 3 minutes and it is evident that cyber security solutions need to be more stringent and offer more visibility.