Panasonic Avionics has pushed back against research released Tuesday by IOActive suggesting that in-flight entertainment system firmware used by more than a dozen airlines contains vulnerabilities that allow a local attacker to manipulate data displayed to passengers, or put their personal data at risk.
A statement provided to Threatpost by Panasonic calls the IOActive research inaccurate and misleading. Researcher Ruben Santamarta analyzed firmware built by Panasonic and used by at least 13 airlines in hundreds of aircraft models. He said that architectural segmentation between critical avionics and operational systems should keep these flaws isolated to passenger entertainment domains. However, depending on specific devices and configurations, a physical path connecting these systems could pave the way for an attacker to cross these domains.
Panasonic rejected these findings, calling them inflammatory.
“Panasonic strenuously disagrees with any suggestion by IOActive that such an attack is possible, and calls upon IOActive to clarify that its research does not support any such inference,” the company said in its statement.
“IOActive has presented no evidence that its examination of Panasonic’s systems would support any such suggestion,” Panasonic continued. “And its statement that its ‘research revealed it would also theoretically be possible that such a vulnerability could present an entry point to the wider network, including the aircraft controls domain,’ will only serve to falsely alarm the flying public.”
Santamarta pointed to previous IOActive research into satellite communication device vulnerabilities as a possible link. SATCOM terminals are used in aircraft for in-flight updates from the ground. Santamarta said there is a concern that in some configurations where an IFE may share access with a SATCOM terminal, a physical path would be created that would allow an attacker to reach critical systems.
“We can’t say that if we break into one system in the passenger entertainment domain that we would end up in the avionics domain because that’s extremely difficult and in certain cases totally impossible,” Santamarta said. “There is a small chance to jump between different domains.”
Panasonic said it had remediated the vulnerabilities identified and privately disclosed by IOActive in 2015.
“The basis for many of these conclusions would first necessitate that an attacker gained a physical connection within the IFE network,” Panasonic said. “During the unauthorized testing, network penetration, or even network connection to Pansonic’s product, did not occur.
“The conclusions suggested by IOActive to the press are not based on any actual findings or facts,” Panasonic said. “The implied potential impacts should be interpreted as theoretical at best, sensationalizing at worst, and absolutely not justified by any hypothetical vulnerability findings discovered by IOActive.”
IOActive defended Santamarta’s research, the processes by which it validates research, and it said it stands by the accuracy and integrity of the results. IOActive said in a statement:
“Quite simply, if an attacker is able to exploit vulnerabilities acknowledged to be resident (and claimed to be subsequently addressed) by the manufacturer in a technology component within a connected ecosystem (i.e., say an IFE on board a plane), and the ecosystem is not configured appropriately to segment and isolate the respective domains as they should be, then exploiting the vulnerabilities in that component to gain access to other domains in the ecosystem is technically feasible and ‘theoretically’ quite possible. So not only are the theoretical statements in the research technically feasible and relevant to the topic of the research, but they are important in explaining the potential extent and possible implications of vulnerabilities within a component in such an ecosystem and the need for a holistic approach to managing and maintaining the highest security measures at all levels throughout that ecosystem.”
Santamarta also alleged that the vulnerabilities, including a lack of authentication and encryption, exposed passengers’ personal information and payment card data to attack. This is another point that Panasonic refutes, saying that Santamarta made incorrect assumptions about where that data is stored and encrypted.
“IOActive, in statements to the press, inappropriately mixed a discussion of hypothetical vulnerabilities inherent to all aircraft electronics systems with specific findings regarding Panasonic’s systems, creating a highly misleading impression that Panasonic’s systems have been found to be a source of insecurity to aircraft operation,” Panasonic said.