(NEW YORK) — A new report released Tuesday by security research firm IOActive says in-flight entertainment systems on some major airlines may be susceptible to hacking, including those on American carriers American Airlines and United Airlines.
The research claims that in-flight entertainment (IFE) systems made by Panasonic could ultimately be “hijacked” so that the hacker could control what a passenger sees, hears or experiences on a flight. This could include a false altitude or speed of the plane on the IFE’s display, an incorrect route on the IFE’s interactive map, illicit use of the PA system, or the ability of the hacker to control lighting in the cabin or reclining seats in first class.
The attacker could potentially access credit card information as well, the report stated. According to the author of the report, passengers who swipe their credit cards using a handset located on their seats to pay for entertainment transmit this information to the IFE’s display unit on the seat. From there, the report says hackers could possibly control the binary system running there and steal the passenger’s credit card information.
“I don’t believe these systems can resist solid attacks from skilled malicious actors,” explained IOActive Principal Security Consultant Ruben Santamarta, who researched what he says is the IFE’s vulnerability.
“As such, airlines must be incredibly vigilant when it comes to their IFE systems, ensuring that these and other systems are properly segregated and each aircraft’s security posture is carefully analyzed case by case,” he added.
IOActive is also known for its successful hack of a 2014 Jeep Grand Cherokee, where two of its experts remotely hijacked the vehicle from the comfort of their living room. Hackers Charlie Miller and Chris Valasek say they were able to access the SUV’s computer system via the Internet and rewrite firmware that allowed them to control the car’s steering, brakes and transmission.
IOActive, which told ABC News it funded this IFE study, explained it cannot rule out that hijacking an IFE could potentially give a hacker access to an aircraft’s avionic controls. However, it’s not the first time the question has been raised.
Just last year, the FBI investigated computer security expert Chris Roberts, who alleged that he hacked into an aircraft’s IFE and made the plane turn sideways. At the time, law enforcement sources told ABC News there was no evidence a hacker could gain control of a plane’s controls in the way that Roberts claimed, which included breaking into the IFE through “boxes under the seat.”
“While we will not comment on specific allegations, there is no credible information to suggest an airplane’s flight control system can be accessed or manipulated from its in-flight entertainment system,” one senior law enforcement official told ABC News in 2015. “Nevertheless, attempting to tamper with the flight control systems of aircraft is illegal and any such attempts will be taken seriously by law enforcement.”
IOActive told ABC News it disclosed its findings to Panasonic in March 2015, and said it was told by the tech company that it would notify its airline customers. IOActive said it has been unable to verify if the problem has been completely resolved.
“The access to the systems we looked at to identify the vulnerabilities has been shut down since we disclosed the findings to them,” IOActive told ABC News.
Panasonic did not immediately respond to an ABC News request for comment.
American Airlines, one of the carriers that uses Panasonic IFEs, told ABC News it has seen no evidence that flight control systems or passenger credit card data has been accessed through Panasonic’s IFE.
“American is one of many carriers worldwide that uses in-flight entertainment (IFE) provided by Panasonic Avionics. American works with its IFE manufacturers, like Panasonic, to include the latest security improvements in our systems,” American Airlines spokesperson Ross Feinstein told ABC News.
“Our IFE team has been collaborating with Panasonic to ensure that our IFE systems are not susceptible to the theoretical risk described in the blog post,” Feinstein added.
United Airlines also released a statement to ABC News in response to IOActive’s report.
“At United, we take all security matters very seriously and regularly add new safeguards to ensure our systems are protected,” the statement said. “We support the responsible disclosure of potential security issues and will work with our technology partners, outside experts and the aviation community to carefully examine these claims.”
Copyright © 2016, ABC Radio. All rights reserved.