People love stories they envision playing out on a movie screen, and on Tuesday, a smattering of media outlets thought they had a great one to deliver their readers.
But the report on which these headlines were based didn’t exactly come to that same conclusion.
The stories all ostensibly came from a report published Tuesday by IOActive that details the potential problems with the security of in-flight entertainment systems provided to airlines by Panasonic Avionics.
The author of the report, Ruben Santamarta, details a few hypothetical hacking scenarios wherein a hacker could tamper with the on-screen flight tracker or the lights that illuminate the walkways, and might even be able to steal credit card information from anyone who’s paid for some sort of in-flight entertainment.
But while no in-flight hacking scenario is pleasant to think about, it requires several canyon-wide logical leaps to conclude that the author said hackers could bring down a plane by breaking into the same device on which you watch your in-flight movies.
These are the two paragraphs that presumably caused the hysteria:
Physical control systems should be located in the Aircraft Control domain, which should be physically isolated from the passenger domains; however, this doesn’t always happen. Some aircraft use optical data diodes, while others rely upon electronic gateway modules. This means that as long as there is a physical path that connects both domains, we can’t disregard the potential for attack.
The ability to cross the red line between the passenger entertainment and owned devices domain and the aircraft control domain relies heavily on the specific devices, software and configuration deployed on the target aircraft.
That might seem scary to someone like me who doesn’t know much about how to hack an in-flight entertainment system, but I’ll take it from the report’s author himself that we don’t have to worry about someone piloting the plane from somewhere in the back.
No, you’re not bringing down a plane by hacking the fucking IFE.
Ruben Santamarta (@reversemode) December 20, 2016
In response, and perhaps in a bid to secure better press out of all of this, Panasonic used its post-research press release to go after IOActive and not the media:
IOActive has presented no evidence that its examination of Panasonic’s systems would support any such suggestion, and its statement that its ‘research revealed it would also theoretically be possible that such a vulnerability could present an entry point to the wider network, including the aircraft controls domain’ will only serve to falsely alarm the flying public.
And Panasonic went after other suggestions as well, even though IOActive said they brought these concerns to the company more than a year ago. The company panned the idea that customer credit card information might be extracted from its entertainment systems, and it dismissed other theoretical ideas such as how a hacker might mess with lights on the plane by referring to Santamarta’s findings as “hypothetical” vulnerabilities, as they did in this part of their press release:
The conclusions suggested by IOActive to the press are not based on any actual findings or facts. The implied potential impacts should be interpreted as theoretical at best, sensationalizing at worst, and absolutely not justified by any hypothetical vulnerability findings discovered by IOActive.
IOActive, in response, seemed puzzled that Panasonic was attacking all this as “hypothetical,” since hypothetical is not a synonym for impossible. Here’s what they said in part of their counter-statement:
“…not only are the theoretical statements in the research technically feasible and relevant to the topic of the research, but they are important in explaining the potential extent and possible implications of vulnerabilities within a component in such an ecosystem and the need for a holistic approach to managing and maintaining the highest security measures at all levels throughout that ecosystem.”
As IOActive alluded to in another part of their statement, Panasonic claims to have addressed the vulnerabilities outlined by the IOActive report, which IOActive said they told Panasonic about back in March 2015. But if that’s true, and they’ve known about these vulnerabilities for well over a year, then…
“It’s really peculiar to me that Panasonic would respond the way that they did, given that IOActive gave them sufficient time,” Zach Lanier, director of research at Cylance, a cybersecurity firm, told Mashable. “You knew this was coming down the pipe, potentially, so why didn’t you have your PR people deal with it a little bit better?”
Lanier thinks Santamarta’s report is solid, but in a way, he gets why Panasonic would issue a blanket refutation. Any type of in-flight vulnerability has, as we’ve seen, the potential to generate all kinds of apocalyptic headlines and frighten flyers, and could potentially lead to some kind of investigation that Panasonic would want no part of.
In the future, though, Lanier’s “very optimistic” hope is that this kind of research leads companies to realize that perhaps they should be better about talking to security researchers regarding their “hypothetical vulnerabilities.”