Aircraft Entertainment Systems Hacks Are Back (threatpost.com)

← Back to Stories (view on slashdot.org)

Aircraft Entertainment Systems Hacks Are Back (threatpost.com)

Posted by msmash on Tuesday December 20, 2016 @06:15AM from the security-woes dept.

Reader msm1267 writes: Researchers at IOActive today disclosed vulnerabilities in Panasonic Avionics In-Flight Entertainment Systems that were reported to the manufacturer close to two years ago. The flaws could be abused to manipulate in-flight data shown to passengers, or access personal information and credit card data swiped at the seat for premium entertainment or Internet access. Given that the firmware is customizable and used by dozens airlines in hundreds of aircraft models, the researchers said it's almost impossible to determine whether the vulnerabilities no longer exist across the board. IOActive said that segmentation between aircraft control and information services that oversee avionics and operational control of a plane should isolate these vulnerabilities to passenger entertainment domains. Whether an attacker could cross those domains and affect critical avionics systems would depend on specific devices and configurations, IOActive said, given that a physical path could exist that connects those systems through satellite communications terminals that provide in-flight updates to critical systems. The concern is that whether in some configurations, IFEs would share access to these devices and provide the physical path an attacker would need to reach critical systems. As for the vulnerabilities in passenger systems, IOActive said there is a lack of authentication and encryption between an on-board server and clients at passenger seats. This could allow an attacker on board to send commands to the IFE system to manipulate what's displayed to passengers, or read payment card data swiped at seats.

56 comments

Min score:

Reason:

Sort:

Scary, scary stuff. by Anonymous Coward · 2016-12-20 06:22 · Score: 0

I travel a lot for both business and pleasure, and keep a very close eye out for anyone attempting to hack through the in flight entertainment systems. Until these systems are air gapped from the avionics there is a possibility of smashing through a firewall and gaining root. Any attempt should be a class 3 felony similar to attempted hijacking or interfering with a flight crew and the air marshals should be trained to instantly disrupt such attack vectors. It's unfortunate the world we live in now, but people want to kill and companies want to be cheap and the two don't mix.
1. Re: Scary, scary stuff. by Anonymous Coward · 2016-12-20 10:45 · Score: 4, Informative
  
  Whilst I've worked with Panasonic Avionics , and they are not the info section "A" team...
  The IFE systems are essentially air gapped already as a mandatory requirement by regulatory agencies - ACARS is basically an RSS feed to the IFE system and anything other than that is separate again. IFE has no in the air satellite connection on any deployments I've seen .
  This is the digital equivalent of hacking a highway sign to say rude words.
2. Re: Scary, scary stuff. by Anonymous Coward · 2016-12-20 11:27 · Score: 0
  
  I worked many years as an Engineer in the safety critical avionics business and wanted to echo what you said. +5 Informative. Unfortunately, the moderators are busy working that dumb journalist flashing gif story.
3. Re: Scary, scary stuff. by Anonymous Coward · 2016-12-20 17:39 · Score: 0
  
  I interviewed with them, but they wouldn't pay me enough to join them.
  Job seemed cool though!
4. Re: Scary, scary stuff. by mjwx · 2016-12-21 01:15 · Score: 1
  
  Whilst I've worked with Panasonic Avionics , and they are not the info section "A" team...
  The IFE systems are essentially air gapped already as a mandatory requirement by regulatory agencies - ACARS is basically an RSS feed to the IFE system and anything other than that is separate again. IFE has no in the air satellite connection on any deployments I've seen .
  This is the digital equivalent of hacking a highway sign to say rude words.
  Just because it's mandated doesn't mean engineers weren't ordered to ignore that mandate. See: Volkswagen.
  
  That might be a little paranoid but air safety authorities don't know the meaning of the word paranoid.
  
  However you can do a lot of damage with just a message, like sowing mass panic. If you've ever seen a stampede inside a barn you can imagine what it's like. People aren't much smarter than cows on aircraft in my experience and if they're all told the plane has been hijacked I can see mass panic starting.
  
  --
  Calling someone a "hater" only means you can not rationally rebut their argument.
5. Re: Scary, scary stuff. by Anonymous Coward · 2016-12-21 03:24 · Score: 0
  
  You claim they're air-gapped, but not many years ago there was a "proof of concept" that was tested by some researchers on a modern jetliner that showed they were able to directly interact with flight controls via the entertainment system. I forget what they did, but something like changing the altitude or engine output. The pilots were not happy.
ZOMG!!! by Lumpy · 2016-12-20 06:29 · Score: 1

So anyone can access the _MAKE_AIRPLANE_CRASH_ API call!
Again these hacks are fun but not scary at all. the Infotainment system has NO CONNECTION tot he avionics.

--
Do not look at laser with remaining good eye.
1. Re:ZOMG!!! by Anonymous Coward · 2016-12-20 06:39 · Score: 0
  
  "or access personal information and credit card data swiped at the seat for premium entertainment or Internet access" and that's a minimum. If they *DO* manage to get cross-domain access to the satellite low level hardware somehow in the future, THEN it CAN possibly disrupt the actual avionics and/or flight safety. But you'll never know because instead of READING THE FUCKING ARTICLE, you wanted to be a witty tapdancer instead. Thanks, Sammy Davis Jr. of vuln comprehension.
2. Re:ZOMG!!! by ComputerGeek01 · 2016-12-20 06:49 · Score: 1
  
  So anyone can access the _MAKE_AIRPLANE_CRASH_ API call!
  Again these hacks are fun but not scary at all. the Infotainment system has NO CONNECTION tot he avionics.
  You say they aren't scary. But just you wait until you're stuck in the air for 6 hours while a malicious actor plays nothing Son in Law with Pauly Shore on a loop.
3. Re:ZOMG!!! by sconeu · 2016-12-20 07:28 · Score: 1
  
  The *REAL* terrorists will play Barney the Dinosaur on a loop.
  
  --
  General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.
4. Re:ZOMG!!! by Anonymous Coward · 2016-12-20 08:18 · Score: 0
  
  You sure? Where do you think the entertainment system gets the position / airspeed / altitude / OAT data?
5. Re:ZOMG!!! by Anonymous Coward · 2016-12-20 08:20 · Score: 0
  
  If it were any other industry, you'd probably be right, but fortunately for all of us the aviation authorities of the world tend not to fuck around. Any aircraft whose non-critical systems could *even theoretically* have an impact on flight-critical ones would not be considered airworthy, and as such they're only ever connected through physically unidirectional links.
6. Re: ZOMG!!! by Anonymous Coward · 2016-12-20 08:53 · Score: 1
  
  Last job was at Panasonic Avionics' cross-town rival, Thales Avionics. From the many Panasonic veterans working at Thales, they mentioned our architectures were quite similar, so I will use what I know about Thales' system to make what could be a close comparison.
  You have a system called ACARS, which is an ancient technology that sends data from the cockpit to the IFE system (GPS, airspeed, etc). ACARS I believe is a 1-way protocol (think of it as an RSS feed where you can subscribe for updates) The only bit of communication that can go the other direction (I think) is BITE (built-in test environment) which is a centralized way for a technician to see status messages and error codes sent from individual components (such as each seat-back screen, power distribution boxes, switches, wireless access points, etc). The IFE systems we developed had separate satellite systems for internet connectivity from that of the cabin, including separate antennas. From my understanding, hacking an IFE system could mean gaining access to CC info, but it would be very very unlikely to take control of the plane from a seatback screen.
7. Re:ZOMG!!! by unixisc · 2016-12-20 08:58 · Score: 1
  
  So anyone can access the _MAKE_AIRPLANE_CRASH_ API call!
  Again these hacks are fun but not scary at all. the Infotainment system has NO CONNECTION tot he avionics.
  Not just that, someone who's getting into a plane - even assuming no luggage - would have to do a number of things to rig the firmware in the flight entertainment system, while preparing for anything from an hour to days long trips. Hardly the environment conducive to hacking
8. Re:ZOMG!!! by Anonymous Coward · 2016-12-20 10:11 · Score: 0
  
  From a system sending out the '70s equivalent of text messages. On a network that is assumed to be insecure. You could use it to do truly evil things like give the pilot the wrong college football scores.
9. Re: ZOMG!!! by Anonymous Coward · 2016-12-20 13:54 · Score: 1
  
  Article says otherwise.
Download movies by PRMan · 2016-12-20 06:30 · Score: 5, Interesting

With the way a lot of these plane systems work these days, it could be a way to download a lot of "free" movies and music.

--
Peter predicted that you would "deliberately forget" creation 2000 years ago...
1. Re:Download movies by Joe_Dragon · 2016-12-20 06:32 · Score: 1
  
  With a lot of lag and buffing. Some planes are just use your own device to get movies and stuff.
2. Re:Download movies by dknj · 2016-12-20 06:51 · Score: 1
  
  Lets think critcally about this statement a bit. 160 seats, and each one wants to download a movie. A screen is 480p, so we need to have bandwidth for 160 devices to download a 480p movies at any given time. Not all 160 seats are watching movie. And you think it will lag and buffer?
3. Re:Download movies by Anonymous Coward · 2016-12-20 07:05 · Score: 0
  
  Never have i seen lag and buffing, unless you are talking about the god damn captains announcements
4. Re:Download movies by Anonymous Coward · 2016-12-20 07:12 · Score: 0
  
  You got it almost right. You forgot to account for the cheapskate factor, also known as the "Up to" factor.
  Like your ISP, it is 160 seats, but the system is built on the assumption that only 5% of them will actually use all the bandwidth. Hence the "up to".
  Then you still need to subtract the "We need a broadband subsidy, otherwise this isn't sustainable" factor and you get enough bandwidth to BARELY cover 480p for one person. At 20fps. And we'll start throttling you if you watch movies for more than 5 minutes (enough to cover the FBI "you are not a thief, but we'll imply that you might be one anyway" warning).
5. Re:Download movies by Anonymous Coward · 2016-12-20 07:12 · Score: 0
  
  There's a system used by a certain airline that uses a Flash player. After doing little looking around, one can change the stream to get access to paid content by manipulating a couple of requests and changing the parameter.
  I didn't look for CC data, but wouldn't be surprised if it was sitting there. They did a good job of hardening to deter script kiddies, but a bit more exploration does show system config files.
  Based on recent cases, I certainly would not submit anything to CVE. In the current climate with air travel, I'd be stupid to give anything specific out to anyone I don't trust.
6. Re:Download movies by MountainLogic · 2016-12-20 08:41 · Score: 1
  
  Yes, like most all other networked digital video systems the video streams are buffered to restarting every stream at once when the announcement is over does disrupt download and playback.
7. Re:Download movies by jrumney · 2016-12-20 16:49 · Score: 1
  
  Some systems seem to manage the bandwidth and disc access by giving you a copy of someone else's stream if they are already watching the movie you select. Many users will just watch the movie from part way through instead of rewinding it to the beginning (which will force the streams to split), so they can cheap out on the resources a bit. Basically they are taking advantage of their users' fear of technology and the fact that at least half the airplane has enough trouble selecting a movie, and isn't going to try anything fancier. On systems like this (which are usually retrofit on older infrastructure), I have seen stuttering after splitting my stream off by rewinding to the beginning, occasionally to the point of being unwatchable. But on newer systems, there seems to be sufficient bandwidth to stream without stuttering.
8. Re:Download movies by Anonymous Coward · 2016-12-21 00:36 · Score: 0
  
  You do realize that they don't stream those movies over the internet, right? All the movies they offer via the seats are stored on the entertainment server. The entire system works offline (with the exception of CC auth, which is an online process).
Entertainment by Anonymous Coward · 2016-12-20 06:37 · Score: 0

They should dump the entertainment systems (and the wifi) and hand out free magazines, snacks, and pillows. Oh, wait, that'd be just like before 9-11. I forgot, now it's best practice to torture everyone, just in case there are any bad actors on the plane.
1. Re:Entertainment by Anonymous Coward · 2016-12-20 06:44 · Score: 0
  
  No you got it wrong. It's not the 9-11, it's the pirates. Less and less people are traveling through airlines and more and more are pirating trips. The pirates are stealing the trips from the airlines and the airlines just can't afford to offer a can of coke or legroom. Poor, poor airlines. Everyone with a vehicle of any kind, car, bike, legs, wheel chair, needs to pay an airline tax to keep the airlines afloat.
2. Re: Entertainment by lokedhs · 2016-12-20 13:38 · Score: 1
  
  I have travelled extensively all over the world, and I haven't seen this degradation of quality of air travel that US people seem to complain about all the time.
  Now, I haven't travelled on a US airline since 2000, and even then they were worse than any other I've travelled with. If they got even worse, I can certainly understand the complaints, but all I can say is perhaps people should try an airline outside the US. They might just regain some hope for air travel.
  I recall seeing the list of best airlines, and if I remember correctly the highest rated US airline was in the 40'th position or something like that. If I wasn't on mobile right now I'd find the link.
Not any more by PPH · 2016-12-20 06:43 · Score: 5, Interesting

IOActive said that segmentation between aircraft control and information services that oversee avionics and operational control of a plane should isolate these vulnerabilities to passenger entertainment domains.
That may have been true on older models, but Boeing got an exception to the separation rule for the 787. What's worse, the primary authentication method used to provide 'security' is a protocol that filters packets based on MAC addresses. So you can't plug your own gizmo into an avionics bus. But if you can trick the passenger entertainment units into generating bogus air data (for example), bad stuff can happen.

--
Have gnu, will travel.
1. Re:Not any more by MountainLogic · 2016-12-20 08:38 · Score: 1
  
  As even the summary pointed out, Boeing does not supply the IFE system or even deliver the craft with seats installed. IFE is done by vendors like Rockwell and Panasonic.
2. Re:Not any more by PPH · 2016-12-20 09:22 · Score: 1
  
  Boeing does not supply the IFE system
  Boeing is responsible for certification of all aircraft systems. In fact, Boeing doesn't supply anything. It's all built by other vendors. But that's not an excuse for poor systems architecture.
  
  --
  Have gnu, will travel.
3. Re:Not any more by Anonymous Coward · 2016-12-20 11:15 · Score: 1
  
  Not exactly, there's other means than pure physical separation. The switches are not wide open, they are configured to allow specific traffic on specific VLs from and to specific IPs connected to specific switch inputs. You would have to modify the switch configuration and/or change the physical routing of the wiring to make that happen if the unit was not the "normal" sender of that data. You wont be able to spoof an ADAHRS as an IFE, it will get rejected by the switch, as it's not in the allowed message routing. You could send erroneous IFE data within the BAG limits, but that won't be used for much. This also has the added benefit of aiding in prevention of denial of service attacks too.
4. Re:Not any more by MountainLogic · 2016-12-20 11:25 · Score: 1
  
  Air frame makes to not certify IFE. Believe it or not, IFE type approval for each configuration (e.g., 747-400 with xyz Boeing supplied options options and abc non-Boeing certified options) is typically owned by the airline or leasing company. If another airline has that exact configuration then they can piggy back on that cert.
5. Re:Not any more by joe_frisch · 2016-12-20 11:45 · Score: 1
  
  Usually the FAA is very conservative on aircraft design. I'm surprised and dismayed that they would not disallow any connection between entertainment systems and avionics systems. I'm sure that they have carefully designed the firmware in any switches to prevent data from the entertainment system getting into the flight controls, but it seems difficult to prove that the firmware is free of any bugs that could allow such a connection.
  The NSA was unable to prevent a very destructive hack, I have little faith that organizations are able to do so.
6. Re:Not any more by ArylAkamov · 2016-12-20 13:36 · Score: 1
  
  Well that is horrifying. And I thought cars being hijacked and being remotely steered was bad.
  What possible justification could there be for having them connected in any way?
7. Re:Not any more by PPH · 2016-12-20 14:47 · Score: 1
  
  Boeing is the one who installed the network and Boeing is the one who asked the FAA for the exception to existing rules for systems separation.
  They provide customers and IFE vendors with specifications for equipment compatible with the data bus (and any other aircraft systems like power). If that data bus was isolated from the avionics buses, then Boeing could just say there was no safety problem. But that's not the case on the 787 (and perhaps older model derivatives adopting it's data bus architecture).
  
  --
  Have gnu, will travel.
8. Re:Not any more by PPH · 2016-12-20 14:49 · Score: 1
  
  What possible justification
  Cheap. We saved a whole twisted pair of wires. Woo hoo!
  
  --
  Have gnu, will travel.
9. Re:Not any more by PPH · 2016-12-20 14:53 · Score: 0
  
  Usually the FAA is very conservative on aircraft design.
  Regulatory capture
  
  --
  Have gnu, will travel.
Sounds like I should be fine then by damn_registrars · 2016-12-20 06:48 · Score: 2

The majority of planes I fly on seldom even have electric outlets to plug in your laptop. I'm usually on the single-class (cattle-class / steerage-class) flights where nobody has anything. I'm not important enough to be on the long haul flights where people expect more than a bag of peanuts and half a can of soda.

Not saying that I like it that way, just that apparently I have less to worry about as a result.

--
Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
1. Re:Sounds like I should be fine then by jrumney · 2016-12-20 16:54 · Score: 1
  
  You get half a can of soda? I get 50ml of orange "juice" spilt in my lap, to go with the bag of peanut crumbs.
2. Re:Sounds like I should be fine then by jrumney · 2016-12-20 16:57 · Score: 1
  
  And the 30 minute flight to the nearest international hub invariably has the latest high tech entertainment system with a vast selection of feature-length movies to choose from (if you bring your own headphones, as they don't supply them on short haul flights), while the 8 hour flight I change onto has a cathode ray tube to bump your head on every 4 rows.
3. Re:Sounds like I should be fine then by mjwx · 2016-12-21 01:09 · Score: 1
  
  The majority of planes I fly on seldom even have electric outlets to plug in your laptop. I'm usually on the single-class (cattle-class / steerage-class) flights where nobody has anything. I'm not important enough to be on the long haul flights where people expect more than a bag of peanuts and half a can of soda.
  
  Not saying that I like it that way, just that apparently I have less to worry about as a result.
  I think you need to start flying better airlines.
  
  Almost all long haul flights I've been on have served meals, drinks (incl alcohol) and had in seat power or at least USB ports where you could charge a mobile device. Hell, even my last flight from LHR-AMS they served a snack and a drink. The only reason that was it was because that was all they had time to do. LHR to AMS is only an hour gate to gate.
  
  BTW, the reason they use the little cans of soda is because weight and space on an aircraft is at a premium. People are demanding cheaper flights and booking using third parties are also not helping..
  
  --
  Calling someone a "hater" only means you can not rationally rebut their argument.
4. Re:Sounds like I should be fine then by damn_registrars · 2016-12-21 03:44 · Score: 1
  
  I think you need to start flying better airlines.
  Better airlines are only an option if they service the airports that I fly in and out of. I used to see commercials for Korean Air all the time on TV and they left me wondering why the hell they even bothered advertising as the closest airport they served relative to my home was hundreds of miles away, and their destinations from there were all distant international locations that I don't have any reason or opportunity to visit.
  
  If there is only one airline that flies from the airport nearest where I live to the place I need / want to go to, guess which airline I'm going to fly? And if all the seats are steerage class, guess what kind of uncomfortable non-reclining seat I'm going to stuff myself into?
  
  --
  Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
No Motivation Either Way by Anonymous Coward · 2016-12-20 07:08 · Score: 0

From the article, not much motivation to hack the systems because there isn't much to be gained. So, not much motivation to secure the systems.
In flight wifi is way too easy to use for free, either using a proxy for limited service as long as you want it (until your fellow passengers gang up on the bandwidth and make it unusable) or full service for fifteen minutes at a time if you have an iPhone (and are willing to clear cookies). Why would I be interested in hacking it any further?
So can we drop charges on Chris Roberts already? by nucrash · 2016-12-20 07:30 · Score: 1

He tried to show them they were exploitable, they kicked him off a plane and charged him with a bunch of nonsense and they haven't done anything to really fix the problem.
Get him back to One World Labs where they can stop this nonsense.
Please?

--
Place something witty here
Air gap not big enough by Anonymous Coward · 2016-12-20 08:00 · Score: 0

1 - hack the entertainment systems to show messages to passengers
2 - Show some real-time like plot arcs along the lines of "@copilot #helpterroristshavelockedmeinthetoilet", "@god #ohratswereareallgoingtodie", "@ATC #copilotisintoiletwithmenow #cockpitfullofterrorists", ...
3 - passengers rush the cockpit, killing the real pilot, copilot, plane's cat, etc.
4 - xxxxx
5 - profit!
Who needs Aircraft Entertainement System in by Max_W · 2016-12-20 08:44 · Score: 1

the 21st century in the first place? I have my notebook and my smartphone with me.

Instead a dorky display and a headset provide better a normal WiFi. Besides a WiFi router weighs only about 300 grams, instead of a ton of hundreds of displays, and a WiFi router costs only a couple of hundred instead of millions for this System, which later ends up in the price of our air-tickets.

Add to this the cost of additional fuel to carry these displays. Why would I want to pay for the fuel to carry these displays when I have already three HD screens with me anyway?
1. Re:Who needs Aircraft Entertainement System in by Anonymous Coward · 2016-12-20 08:52 · Score: 0
  
  But do you have the movies?
2. Re:Who needs Aircraft Entertainement System in by Max_W · 2016-12-20 08:57 · Score: 1
  
  Just type in a search engine "how to watch movies on a computer or smartphone offline". But normally I can watch movies over WiFi on a computer or tablet.
3. Re:Who needs Aircraft Entertainement System in by quetwo · 2016-12-21 00:42 · Score: 1
  
  You do realize that providing internet access to a device that is traveling at 300MPH+ is not exactly as simple as upgrading a WiFi access point... The WiFi system in the planes is not the problem -- it's the LMRS that either uses a point-to-point antenna or satellite system to provide internet access.
  The nice thing about having those screens is that you don't have to have your laptop open all the time. Sometimes you want to just sit back and not have to juggle a laptop or ipad on your lap while everything else is going on around you.
4. Re:Who needs Aircraft Entertainement System in by pnutjam · 2016-12-21 02:23 · Score: 1
  
  The planes should just mirror the internet to a local drive. They can rsync it all down while they are fueling. ;)
  
  --
  Cheap storage VM.
No connection to avionics, but... by Megahard · 2016-12-20 11:07 · Score: 2

What about hacking the display of in-flight data to show the plane going a different direction? Maybe a message that the plane has been hijacked? No need to bring down the plane with code if you can get the passengers to break into the cockpit and do it.

--
I eat only the real part of complex carbohydrates.
1. Re:No connection to avionics, but... by Anonymous Coward · 2016-12-20 14:38 · Score: 0
  
  You must enjoy prison food.
Doubtful by Anonymous Coward · 2016-12-20 11:15 · Score: 0

To my knowledge they still kept the mac/ip white listing, meaning in flight avionic is only accepting data from the dedicated link to the center, and not anything else, pretty much any packet not coming from the dedicated link is dropped, there is no rerouting. So far as I can see , even in the 787 , it would immediately be dropped in the direction entertainment center => avionic. Airplane and in flight entertainment engineer are not bloody stupid, they are paranoid from *any* data coming from the outside the avionic network, no matter what reassurance programmer gives: pretty much any packet coming from outside is filtered no matter what it spoof as, if it is not coming from the dedicated links. It isn't a network per see. More like a serie of dedicated links.
1. Re:Doubtful by PPH · 2016-12-20 15:05 · Score: 0
  
  To my knowledge they still kept the mac/ip white listing
  Correct. But the most likely attack would be to inject malicious code into the passenger entertainment system and run it there. Since that equipment is already whitelisted, the bus switch would forward it to it's destination address. The data doesn't originate from 'outside' the network.
  
  --
  Have gnu, will travel.