Slashdot Mirror


Aircraft Entertainment Systems Hacks Are Back (threatpost.com)

Reader msm1267 writes: Researchers at IOActive today disclosed vulnerabilities in Panasonic Avionics In-Flight Entertainment Systems that were reported to the manufacturer close to two years ago. The flaws could be abused to manipulate in-flight data shown to passengers, or access personal information and credit card data swiped at the seat for premium entertainment or Internet access. Given that the firmware is customizable and used by dozens of airlines in hundreds of aircraft models, the researchers said it's almost impossible to determine whether the vulnerabilities no longer exist across the board. IOActive said that segmentation between aircraft control and information services that oversee avionics and operational control of a plane should isolate these vulnerabilities to passenger entertainment domains. Whether an attacker could cross those domains and affect critical avionics systems would depend on specific devices and configurations, IOActive said, given that a physical path could exist that connects those systems through satellite communications terminals that provide in-flight updates to critical systems. The concern is whether, in some configurations, IFEs would share access to these devices and provide the physical path an attacker would need to reach critical systems. As for the vulnerabilities in passenger systems, IOActive said there is a lack of authentication and encryption between an on-board server and clients at passenger seats. This could allow an attacker on board to send commands to the IFE system to manipulate what's displayed to passengers, or read payment card data swiped at seats.

1 of 56 comments

  1. Re: Scary, scary stuff. by Anonymous Coward · Score: 4, Informative

    Whilst I've worked with Panasonic Avionics, and they are not the info section "A" team...

    The IFE systems are essentially air gapped already as a mandatory requirement by regulatory agencies - ACARS is basically an RSS feed to the IFE system and anything other than that is separate again. IFE has no in the air satellite connection on any deployments I've seen.

    This is the digital equivalent of hacking a highway sign to say rude words.