Hackers could hijack in-flight entertainment system, says cyber researcher

Ruben Santamarta believes major airlines could be vulnerable to hacking

Airbus A380

An in-flight entertainment system used by some of the world's biggest airlines, including Emirates, Qatar Airways and Virgin Atlantic, could be vulnerable to hacking, according to cyber researchers at IOActive.

SEE ALSO: Hacker claims he made plane fly sideways

SEE ALSO: Drone in near-miss with plane over London

They say that a flaw in the Panasonic Avionics in-flight system could allow hackers to potentially hijack passengers' in-flight entertainment and access their credit card information.

Ruben Santamarta, a principal security consultant at IOActive, told Computer Business Review: "It might sound like a sick cure to some but, as a hacker, learning everything I could about how planes work, from the aerodynamics to electronics, has reduced the fear significantly.

"On a flight from Warsaw to Dubai, I discovered I could access debug codes directly from a Panasonic in-flight display."

He added that once in-flight entertainment systems' vulnerabilities have been exploited, hackers can take control of what passengers see, compromise the PA systems and lighting controlled by cabin crew and more.

Speaking to the Daily Telegraph, Santamarta said airlines should be "incredibly vigilant" with in-flight systems and ensure they are separate from the aircraft's controls.

But in a statement, Panasonic Avionics Corporation said that it "strenuously disagrees with any suggestion by IOActive that such an attack is possible".

It says: "IOActive employee Ruben Santamarta's statement regarding credit card theft is simply not true. Mr. Santamarta makes incorrect assumptions about where credit card data is stored and encrypted within Panasonic's systems.

"It is important to note that, during the course of this unauthorised, in-service testing, the safety, security and comfort of passengers of the aircraft were never in danger or compromised due to the system segregation and robust security design of our inflight entertainment and communications (IFEC) product, and of all commercial aircraft as well.

"His exploit itself was limited to a single seat and information gathering; control override of the IFEC seat and system did not occur."

It adds: "Like any responsible business, Panasonic continually tests the robustness of its systems, and reviewed all of the claims made by Mr. Santamarta. It subsequently engaged Attack Research (AR) to conduct validation testing in May 2015 and again in 2016 to ensure that the few minor concerns (in no way linked to the control of an aircraft) identified by Mr. Santamarta had been fully remediated."

In 2014, Santamarta said he had figured out how to hack the satellite communications equipment on passenger jets through their WiFi and inflight entertainment systems.

"These devices are wide open," he told Reuters.

He said that he had discovered that it was possible to "reverse engineer" the software.

15 flights from hell

15 flights from hell