Panasonic flaw exposes aircraft operated by 13 airlines

Dec 20, 2016 10:35 GMT  ·  By

A security flaw discovered in an in-flight entertainment system developed by Panasonic could allow a hacker to hijack several flight systems and to even get control of the aircraft, a researcher warns.

Ruben Santamarta of IOActive discovered that the Panasonic Avionics system, which is currently being used on aircraft operated by 13 major airlines, can be used to hack the on-board screens and display all kinds of information, but also to adjust cabin lighting and send announcements to passengers through the aircraft communication channel.

Santamarta told the Telegraph that the affected airlines include Aerolineas Argentinas, Air France, American Airlines, Emirates, Etihad, FinnAir, KML, Iberia, Qatar, Scandinavian, Singapore, United, and Virgin.

“I don't believe these systems can resist solid attacks from skilled malicious actors,” he said. “This only depends on the attacker's determination and intentions, from a technical perspective it's totally feasible.”

Airlines can prevent this from happening

The security researcher explains that it’s up to airlines to limit the access that the hacker can obtain should a breach occur, pointing out that although an attacker could get full control of an aircraft, there are certain protections that should be put in place to prevent this from happening.

The in-flight infotainment system should never be connected to the aircraft controls, he explained, so methods that would isolate critical systems are essential to protect against these breaches.

This isn’t the first time Santamarta warns of security vulnerabilities in systems used by aircraft. Back in 2014, the same researcher discovered that it was possible to reverse engineer a flaw allowing him to connect to the Wi-Fi signal or the in-flight entertainment system to connect to the equipment used by airplanes, including the navigation system.

In today’s report, however, Santamarta says that Panasonic knew about the vulnerabilities since March last year, when the company was first contacted by researchers, but it’s not yet clear if any updates were made to block a potential cyberattack. For the moment, however, it all comes down to airlines to minimize the risks of a hacker gaining full control of an aircraft.

UPDATE, December 21: Panasonic has sent us a statement to explain that IOActive's claims are "inaccurate and inflammatory" and that there is no critical flaw in its products.