Dangerous vulnerabilities in an in-flight entertainment system used by the leading airlines, including Emirates, United, American Airlines, Virgin, and Qatar, could let hackers hijack several flight systems and even take control of the plane.
According to security researchers from IOActive, the security vulnerabilities resides in the Panasonic Avionics In-Flight Entertainment (IFE) system used in planes run by 13 major airlines, providing a gateway for hackers which is absolutely terrifying.
IOActive's Ruben Santamarta managed to "hijack" in-flight displays to change information like altitude and location, control the cabin lighting, as well as hack into the announcements system.
"Chained together this could be an unsettling experience for passengers," said Santamarta. "I don't believe these systems can resist solid attacks from skilled malicious actors. This only depends on the attacker's determination and intentions, from a technical perspective it's totally feasible."Besides these critical issues, the researcher said in some instances; hackers could access credit card details of passengers stored in the automatic payment system and use their frequent flyer membership details to capture personal data.
The vulnerabilities were reported to Panasonic in March last year, and the researcher waited more than a year and a half to go public, so the company had "enough time to produce and deploy patches, at least for the most prominent vulnerabilities."
Emirates is working with Panasonic to resolve these issues and regularly update its systems. "The safety of our passengers and crew on board is a priority and will not be compromised," Emirates said, reported the Telegraph.
Santamarta is the same researcher who warned of security issues in systems used by different aircraft in the past.
Back in 2014, he discovered that it was possible to reverse engineer a bug, which let him connect to the Wi-Fi signal or the in-flight entertainment system to connect to airplanes’ equipment, including the navigation system.
For in-depth technical details about the new vulnerabilities discovered by Santamarta, you can head on to IOActive's official blog post published today.