Updated | Security vulnerabilities within entertainment systems used by 13 major airlines could allow hackers to infiltrate in-flight systems, researchers claim.
The flaw in the Panasonic Avionics system—used by airlines including Emirates, Virgin and Qatar Airways—was discovered by investigators at IOActive.
Security consultant Ruben Santamarta was able to infiltrate the system in order to change the display, hijack announcements and access credit card details of frequent flyer passengers. He did not use the flaw to take control of the plane’s controls.
Santamarta claims Panasonic was alerted to the latest vulnerability to its in-flight systems last week,
"We were unable to verify if Panasonic has fixed the flaws because the access to the systems we looked at to identify the vulnerabilities has been shut down since we disclosed the findings to them in March of 2015," Santamarta tells Newsweek.
“On a flight from Warsaw to Dubai, I discovered I could access debug codes directly from a Panasonic in-flight display. I don’t believe these systems can resist solid attacks from skilled malicious actors. As such, airlines must be incredibly vigilant when it comes to their [in-flight] systems.”
In an emailed statement, Panasonic said: "IOActive has chosen to make highly misleading and inflammatory statements suggesting that hackers could 'theoretically' gain access to flight controls by hacking into Panasonic’s IFE systems. Panasonicstrenuously disagrees with any suggestion by IOActive that such an attack is possible, and calls upon IOActive to clarify that its research does not support any such inference."
IOActive's research states that the vulnerability works by ‘injecting’ malicious code into the in-flight system. Depending on how isolated the airline has made the in-flight entertainment system, the hacker would then have different control possibilities.
It is not the first time that the security of planes has been called into question. Last year, the founder of cybersecurity firm One World Labs claimed that he had taken control of a United Airlines flight through its in-flight entertainment system.
“Given the high-profile terrorist attack in Germany yesterday, people will be looking for answers to what could be a catastrophic lack of security and systems segregation in a mode of transport that has already been leveraged in the past to cause untold levels of tragedy,” says Lee Munson, a researcher at security firm Comparitech.
“Even if the ability to control the avionics of the aircraft is overstated, the fact that credit card details of frequent flyers may be at risk is something that all potentially affected airlines need to consider straight away.”
IOActive hackers previously gained attention in the summer of 2015 when they took control of a Jeep’s dashboard computer and crashed the vehicle into a ditch from 10 miles away.
This article has been updated to include a comment from Panasonic.