In March 2015, IOActive's Ruben Santamarta privately disclosed his findings on the major bugs in Panasonic Avionics' in-flight entertainment (IFE) systems; 18 months later, it's not clear whether all airlines have patched these bugs.
Using in-seat USB ports, attackers can capture other passengers' credit-card data when it is entered into the in-flight system for access to Wi-Fi or premium movies; attackers can also spoof the data sent to seat-back screens, changing maps and other displays, and hijack the PA and lighting system, as well as "actuators for upper classes" (forcing seats to recline or sit up).
It's the latest vulnerability identified in in-flight systems, which have been a frequent source of significant vulnerabilities. IFEs are theoretically on separate networks from critical aviation systems, but this convention isn't always rigorously followed (as is often the case with airgapped networks, the immediate value of cross-connecting them often overrides the theoretical, down-the-road risks of doing so).
Most airlines modify their IFE setups, so the presence of a Panasonic system doesn't guarantee that all these vulnerabilities will be present.
So how far can an attacker go by chaining and exploiting vulnerabilities in an In-Flight Entertainment system? There’s no generic response to this, but let's try to dissect some potential general case scenarios by introducing some additional context (nonspecific to a particular company or system unless stated).
Relying exclusively on the DO-178B standard that defines Software Considerations in Airborne Systems and Equipment Certification, the IFE would technically lie within the D and E levels. Panasonic Avionics’ IFE in particular is certified at Level E. This basically means that even if the entire system fails, the impact would be something between no effect at all and passenger discomfort.
Also, I should mention that an aircraft's data networks are divided into four domains, depending on the kind of data they process: passenger entertainment, passenger owned devices, airline information services, and finally aircraft control.
Physical control systems should be located in the Aircraft Control domain, which should be physically isolated from the passenger domains; however, this doesn’t always happen. Some aircraft use optical data diodes, while others rely upon electronic gateway modules. This means that as long as there is a physical path that connects both domains, we can’t disregard the potential for attack.
In-flight entertainment systems may be an attack vector. In some scenarios such an attack would be physically impossible due to the isolation of these systems, while in others an attack remains theoretically feasible due to the physical connectivity. IOActive has successfully compromised other electronic gateway modules in non-airborne vehicles. The ability to cross the “red line” between the passenger entertainment and owned devices domain and the aircraft control domain relies heavily on the specific devices, software and configuration deployed on the target aircraft.
In Flight Hacking System [Ruben Santamarta/IOActive]
IN-FLIGHT ENTERTAINMENT SYSTEM FLAWS PUT PASSENGER DATA AT RISK [Michael Mimoso/Threatpost]
(via /.)