Inflight Flaw Found, Loss of Plane Control Feared

Tuesday, December 20, 2016 @ 04:12 PM gHale

Computer systems truly control airplanes, but, like a safety system connected to the industrial control system, without proper firewalls or segmentation, it is possible to have a hacker take control of the craft.

A vulnerability in a Panasonic in-flight entertainment system could allow just that as it is possible for a hacker to take over systems and possibly get control of the aircraft, a researcher said.

RELATED STORIES
SF Metro Victim of Ransomware
Steal a Tesla Using an Android App
Drawing Up Plans for Auto Security
Learning to Eliminate Corrupted Data

The Panasonic Avionics system, which is currently on airplanes operated by 13 major airlines, can end up used to hack the on-board screens and display all kinds of information, but also to adjust cabin lighting and send announcements to passengers through the aircraft communication channel, said Ruben Santamarta of IOActive.

The affected airlines include Aerolineas Argentinas, Air France, American Airlines, Emirates, Etihad, FinnAir, KML, Iberia, Qatar, Scandinavian, Singapore, United, and Virgin, according to Santamarta.

“I don’t believe these systems can resist solid attacks from skilled malicious actors,” he said in a published report. “This only depends on the attacker’s determination and intentions, from a technical perspective it’s totally feasible.”

It’s up to airlines to limit the access the hacker can obtain should a breach occur, Santamarta said. He added although an attacker could get full control of an aircraft, there are certain protections that should be put in place to prevent this from happening.

The in-flight infotainment system should never end up connected to the aircraft controls, he said, so methods that would isolate critical systems are essential to protect against these breaches.

Santamarta said Panasonic knew about the vulnerabilities since March last year, when researchers first contacted the company. It is not yet clear if any updates ended up made to block a potential cyberattack. For the moment, however, it all comes down to airlines to minimize the risks of a hacker gaining full control of an aircraft.

This isn’t the first time Santamarta talked about airplane breaches.

In 2014, he discovered it was possible to reverse engineer a flaw allowing him to connect to the Wi-Fi signal or the in-flight entertainment system to connect to the equipment used by airplanes, including the navigation system.

In 2015, Chris Roberts, founder of the cybersecurity firm One World Labs, managed to make an airliner “climb” and move “sideways” after infiltrating its in-flight entertainment system.

He also ended up escorted off a United Airlines flight after sending in-air tweets bragging that he could deploy the oxygen masks.

“Using the in-flight entertainment system to attack aircraft isn’t a new concept,” said Tim Erlin, senior director of IT Security and Risk Strategy for Tripwire. “As soon as the USB and RJ45 ports started showing up in aircraft, security researchers became very interested. The security research community and aviation industry are clearly at odds over the feasibility and likelihood of using the in-flight entertainment system to actually affect aircraft controls. It would be a solid step forward to see cooperation instead of conflict. The majority of security researchers are interested in improving the systems they test, and partnership with industry vendors is the best way to accomplish that goal. Now that there’s credit card data on the plane, the in-flight systems are a more attractive target for profit driven criminals. The increased interest in these systems from criminals after credit card data might result in more vulnerabilities being discovered.”



Leave a Reply

You must be logged in to post a comment.