Inflight Security is more than just a life vest

Are you afraid of flying? The following information won’t make you feel any safer.

Inflight Entertainment systems (IFE) have evolved significantly over the years. Nowadays you can actually connect via your own mobile device to the IFE system and watch TV series, movies or just listen to music and see the flight status. Sounds good, right?

Well, yes and no. We all agree that flights should include some kind of entertainment to “survive” these hours of boredom on the flying metal box. However, should airlines risk flight security for the latest box office blockbuster?

 

According to the FBI, Chris Roberts (cyber security consultant) has hacked computer systems aboard airliners approximately 20 different times in the past 5 years. Roberts said that in one case he was able to hack the systems and issue a “climb” command instructing the plane to increase altitude. According to Roberts, three Boeing and one Airbus aircraft have been hacked by exploiting vulnerabilities in the IFE systems. The allegedly exploited systems were Thales and Panasonic IFEs.

 

Roberts physically accessed the Seat Electronic Box (SEB) installed under his seat. Access to the SEB allowed Roberts to hack into additional aircraft network systems to control engines and view network traffic accessible in the cockpit.

 

Roberts studied the IFE and performed pen tests on it. He found that using the default IDs and passwords got him into the systems.

 

A few questions to take away –

 

  1. Why was Roberts able to access the flight controls from the IFE? The only way to do so was if there was some kind of communication channel between the IFE and the flight control systems. It seems only natural to completely separate these two networks.
  2. Do IFE systems go through any vulnerability testing before being implemented? Have Panasonic and Thales gone through a full security analysis of their code and systems?
  3. Why did the airline not change the default credentials to access the IFE? Basic security best practices would probably have either blocked this attack completely or made it more difficult.

 

Full details of the FBI search warrant – http://aptn.ca/news/wp-content/uploads/sites/4/2015/05/warrant-for-Roberts-electronics.pdf

Amit Ashbel

Cyber Security Evangelist at Checkmarx
Amit Ashbel has been with the security community for more than a decade where he has taken on multiple tasks and responsibilities, including technical and Senior Product lead positions. Amit adds valuable product knowledge including experience with a wide range of security platforms and familiarity with emerging threats. Amit also speaks at high profile events and conferences such as Blackhat, Defcon, OWASP, and others.
