Researchers working for the cybersecurity consultancy group IOActive discovered some troubling vulnerabilities in Panasonic Avionics’ in-flight entertainment systems. Panasonic’s avionics subsidiary supplies hardware to 13 different airlines: Aerolineas Argentinas, Air France, American Airlines, Emirates, Etihad Airways, Finnair, Iberia, KLM, Qatar Airways, Scandinavian Airlines, Singapore Airlines, United Airlines, and Virgin America.
“I discovered I could access debug codes directly from a Panasonic in-flight display,” IOActive’s Ruben Santamarta said in a statement. “A subsequent internet search allowed me to discover hundreds of publicly available firmware updates for multiple major airlines, which was quite alarming.”
Santamarta performed further analysis in an attempt to find out what hackers could accomplish by interfering with an avionics device. He found it was possible to manipulate what was being displayed on the screen, to send out fake announcements over the PA system, and to control cabin lights and the reclining seats in the first-class section of the plane. There was also evidence that credit card details belonging to frequent flyers and VIP members could be stolen in this manner.
However, all of these attacks would pale in comparison to the potential for criminals to take control of the aircraft itself. Fortunately, this is impossible in most circumstances, according to a report from TechSpot.
Most airlines keep the aircraft control domain physically isolated from the passenger entertainment domain, which means that there is no way to use in-flight entertainment hardware to interfere with the aircraft’s controls. However, Santamarta states that this is not always the case and urges airlines to be “incredibly vigilant” about this kind of threat.
IOActive reported these security flaws to Panasonic in March 2015 and has waited until now to release the information to the public so that the company would have time to make improvements. This is not the first time that the consultancy firm has shed light on a potential security breach — it played a key role in publicizing the high-profile Jeep hacking risk that led to a major recall in 2015.