On Tuesday, IOActive, a research-driven security company, released a study alleging several cybersecurity vulnerabilities found in Panasonic Avionics In-Flight Entertainment (IFE) systems.
The systems are used by several big carriers including United, Virgin, American Airlines, Emirates, Air France, Singapore and Qatar.
According to a company statement detailing the review, the vulnerabilities in these systems could allow hackers to ‘hijack’ passengers’ in-flight displays and, in some instances, potentially access their credit card information. These vulnerabilities could also potentially act as an entry point to the wider network, depending on system configurations on an airplane.
IOActive principal security consultant Ruben Santamarta said the potential effect of the hacking is multi-faceted.
Once IFE system vulnerabilities have been exploited, a hacker could gain control of what passengers see and hear from their in-flight screen, Santamarta said.
For example, an attacker might spoof flight information values, such as altitude or speed, or show a bogus route on the interactive map. An attacker might also compromise the ‘CrewApp’ unit, which controls PA systems, lighting, or even the recliners on first class seating.
Santamarta says he started researching the Panasonic inflight entertainment platform two years ago during a flight to Dubai, reports BBC. He says he “accidentally made the screen for his seat display debug data [information that computer programmers use to fix programs]” and was able to access even more information about the code Panasonic uses to run the back-of-the-seat screens and other airplane computers.
After IOActive released its report, Panasonic rejected the claims, arguing that they’re inaccurate and misleading, according to a CTV News report.
“IOActive has chosen to make highly misleading and inflammatory statements suggesting that hackers could theoretically gain access to flight controls by hacking into Panasonic’s (in-flight entertainment) systems,” the company said in a statement.
Panasonic also alleged that the tests conducted by IOActive were not permitted and that the subsequent results are unfounded.