Panasonic Avionics IFE systems: How serious are the vulnerabilities?

A security consultant at IOActive discovered vulnerabilities in the Panasonic Avionics in-flight entertainment system firmware, which would allow an attacker to steal payment card data and display incorrect flight path information on other passengers' systems. How serious are these vulnerabilities? Is it possible for an attacker to gain access to other parts of airplane systems, such as the operational control segment?

Security consultancy firm IOActive Inc. highlighted the dangers of internet-connected, in-car entertainment systems being used as an attack vector in 2015. Its researchers took remote control of a Jeep Cherokee's steering, brakes and transmission by accessing the vehicle's internal network via its multimedia system's controller.

Another IOActive researcher, Ruben Santamarta, has now uncovered flaws in the in-flight entertainment (IFE) and communications systems developed by Panasonic Avionics, which could put passengers' information and safety at risk.

Panasonic Avionics' IFE systems are among the most common components in the aviation industry, and are used in planes operated by 13 major airlines, including American Airlines, Virgin Atlantic and United Airlines. While analyzing the latest firmware updates for the IFE systems, Santamarta found they contained several flaws, including a SQL injection flaw and a bug that allows for bypassing credit card checks.

Though the hardware used in IFE systems can vary, they all have common features and a similar architecture. The main components are the seat display unit, the system control unit and the cabin crew panel. The newer Panasonic Avionics seat display units are based on Android, while legacy devices mainly use Linux. They can be paired with a personal control unit, which can also act as a credit card reader. The system control unit is a certified airborne server that provides the seat display units with real-time flight information through an Ethernet connection. The cabin crew panel provides access to the cabin management systems, and it is used by flight attendants and other crew members to control features of the aircraft, such as the lights, onboard shopping and the PA system.

Panasonic Avionics integrates the cabin management systems and IFE systems with its Global Communications Services, which enables the plane to provide broadband capabilities. The IFE is certified at design assurance Level E based on DO-178B, the effective standard for developing avionics software systems.

DO-178B design assurance Level E states that any failure would have no impact on safety, aircraft operation or crew workload. However, if an attacker can pass commands to the IFE, they could potentially cause panic on the plane by showing false flight information on the interactive route map, turning the lights off or making announcements over the PA system.

IOActive concluded that Panasonic Avionics' IFE systems could be compromised by skilled malicious actors chaining and exploiting various vulnerabilities, though Panasonic denies that this is possible. IOActive first reported Santamarta's findings to Panasonic Avionics in early 2015; after more than a year, IOActive decided to publish its research and disclose the vulnerabilities in December 2016 because there "has been enough time to produce and deploy patches, at least for the most prominent vulnerabilities." IOActive is unable to say whether patches have been installed across the entire user base.

Whether an attacker could pivot from a compromised IFE to access or manipulate an aircraft's critical controls depends very much on how the aircraft's data networks are divided. Physical control systems are located in the aircraft control domain -- the other domains are usually passenger entertainment, passenger-owned devices and airline information services. The aircraft control domain should be physically isolated from the passenger domains. If this is not the case, and the separation is only logical, an attack remains theoretically feasible due to the physical connectivity.

A plane's overall protection from a cyberattack relies on cooperation between the aircraft manufacturer, the fleet operator and the companies that provide equipment with network connectivity to properly segregate the different data domains.

A common control is the ARINC 429 data bus that feeds information from the avionics to the IFE about the plane's latitude, longitude and speed. It's an output-only hub that allows data to flow out from the avionics system, but not back to it. Rules are also programmed into the avionics system to check that data is being received when it should be received, and that it is receiving valid data.

However, IFE systems usually allow for a degree of customization. For example, Panasonic Avionics uses its own declarative script language to extend and interface with the GUI and features of the main IFE application. Such software updates and modifications need to be carefully scrutinized and tested by security experts to ensure that they don't introduce vulnerabilities, like those found by IOActive, which could be exploited and put the passengers, crew and aircraft at risk.

The combination of devices, software and configurations deployed on any aircraft should be fully penetration tested before going live, and after any system changes are made.