Panasonic Avionics has hit back at claims its inflight entertainment systems can be hacked. Its response came after hacking claims were posted on blog.ioactive.com.
In the blog, the author claims to have found debug information after “playing” with the IFE on a flight to Dubai, although this was two years ago.
The author said: “On the IT side, compromising the IFE means an attacker can control how passengers are informed aboard the plane. For example, an attacker might spoof flight information values such as altitude or speed, and show a bogus route on the interactive map.
“An attacker might compromise the CrewApp unit, controlling the PA, lighting, or actuators for upper classes. If all of these attacks are chained, a malicious actor may create a baffling and disconcerting situation for passengers.
“The capture of personal information, including credit card details, while not in scope of this research, would also be technically possible if backends that sometimes provide access to specific airlines’ frequent-flyer/VIP membership data were not configured properly.”
Panasonic Avionics has responded with a formal notice saying: “The allegations made to the press by IOActive regarding in-flight entertainment (IFE) systems manufactured by Panasonic Avionics Corporation (“Panasonic”) contain a number of inaccurate and misleading statements about Panasonic’s systems. These misstatements and inaccuracies call into question many of the assertions made by IOActive.
“Most notably, IOActive has chosen to make highly misleading and inflammatory statements suggesting that hackers could “theoretically” gain access to flight controls by hacking into Panasonic’s IFE systems. Panasonic strenuously disagrees with any suggestion by IOActive that such an attack is possible, and calls upon IOActive to clarify that its research does not support any such inference.
“IOActive has presented no evidence that its examination of Panasonic’s systems would support any such suggestion, and its statement that its “research revealed it would also theoretically be possible that such a vulnerability could present an entry point to the wider network, including the aircraft controls domain” will only serve to falsely alarm the flying public.
“Furthermore, IOActive employee Ruben Santamarta’s statement regarding credit card theft is simply not true. Mr. Santamarta makes incorrect assumptions about where credit card data is stored and encrypted within Panasonic’s systems.
“It is important to note that, during the course of this unauthorized, in-service testing, the safety, security and comfort of passengers of the aircraft were never in danger or compromised due to the system segregation and robust security design of our inflight entertainment and communications (IFEC) product, and of all commercial aircraft as well. His exploit itself was limited to a single seat and information gathering; control override of the IFEC seat and system did not occur.
“It is also very important to note that, in its communications to the press, IOActive made unfounded, unproven conclusions.
“The basis for many of these conclusions would first necessitate that an attacker gained a physical connection within the IFE network. During the unauthorised testing, network penetration, or even network connection to Panasonic’s product, did not occur.
“The conclusions suggested by IOActive to the press are not based on any actual findings or facts. The implied potential impacts should be interpreted as theoretical at best, sensationalising at worst, and absolutely not justified by any hypothetical vulnerability findings discovered by IOActive.
“IOActive, in statements to the press, inappropriately mixed a discussion of hypothetical vulnerabilities inherent to all aircraft electronics systems with specific findings regarding Panasonic’s systems, creating a highly misleading impression that Panasonic’s systems have been found to be a source of insecurity to aircraft operation.
Attack Research (AR)
“Like any responsible business, Panasonic continually tests the robustness of its systems, and reviewed all of the claims made by Mr. Santamarta. It subsequently engaged Attack Research (AR) to conduct validation testing in May 2015 and again in 2016 to ensure that the few minor concerns (in no way linked to the control of an aircraft) identified by Mr. Santamarta had been fully remediated, and this was confirmed in a written report to Panasonic.
“Panasonic does not condone unauthorised security testing during aircraft operation in uncontrolled environments, such as those conducted by IOActive. Panasonic strongly supports legislation that should be enacted to make on-board electronic intrusion a criminal act.
“Security professionals who wish to test our systems legitimately and safely can do so by participating in our Bug Bounty program ([email protected]) in which Panasonic provides unfettered access to our products to allow for in-depth security testing and analysis.”