To overcome his anxiety with flying, IOActive’s researcher/author, Ruben Santamarta, began “spending some flights hacking stuff.” In his December 20, 2016 blog post, “In Flight Hacking Systems,” Santamarta describes how he tried to gain a better understanding of the In-Flight Entertainment Systems (IFE) manufactured by Panasonic Avionics and installed in major airline carriers such as Virgin, KLM and American Airlines. After learning how the IFE operates, other reports indicate Santamarta was able “to hijack in-flight displays to change information such as altitude and location, control cabin lighting and hack into the announcements systems.” Santamarta also claimed he could access the credit card information of frequent flyers’ information stored in the in-flight automatic payment system.
Santamarta’s hacking activities prompt the question of whether he could have hacked the aircraft controls using the IFE as “an attack vector.” Santamarta claims that, depending on the hacker’s abilities, it would be “totally feasible” to take over an aircraft’s controls using the IFE systems as an access point. Santamarta advises airlines to isolate or segregate systems controlling airplane from the IFE systems.
Santamarta’s blog post indicates that many commercial aircraft’s networks are divided into the following “four domains” based on the type of data they handle: (1) passenger entertainment; (2) passenger owned devices; (3) airline information services; and (4) aircraft control. Based on his findings, Santamarta believes the best solution to reduce the chances that hackers take control over an aircraft’s controls involves physically isolating these systems from each other; “this means that as long as there is a physical path that connects both domains, we can’t disregard the potential for attack.”
Santamarta concludes the blog post with the following advice, “the responsibility for security does not solely rests with an IFE manufacturer, an aircraft manufacturer or the fleet operator. Each plays an important role in assuring a secure environment.”
In its December 20, 2016 statement, Panasonic disagreed with Santamarta’s findings and has called them “inaccurate and misleading” and further claims the blog post “mixed hypothetical vulnerabilities with specifics about Panasonic’s systems to come up with its results.” Panasonic’s statement also rejects the portion of the report stating that access can be gained to credit card information. Panasonic further offered the reminder that hackers could be criminally charged for trying to access any system on an aircraft.
Regardless of whether Santamarta or Panasonic are correct about the security of IFE systems, Santamarta’s point that the various systems of the aircraft should be completely isolated from each other cannot be overlooked. While common sense tells us that we should not keep the crown jewels in the garage with the gardening tools, it is easy to abandon this common sense approach when it comes to cyber security. In the same way you don’t want the IFE systems providing “an attack vector” to get to an aircraft’s controls, our businesses and homes should not only try to completely avoid a cyber incident, but should limit the amount of damage if a cyber incident takes place.