In-Flight Entertainment security

With holiday travel around the corner, many news outlets are covering In-Flight Entertainment (IFE) system vulnerabilities. Just as many of us are about to step onto airplanes, the media is rehashing the news from early 2015 about Chris Roberts, who claimed to have broken into an IFE on a United Airlines flight (this was debunked), in connection with recent discussions about more minor IFE vulnerabilities affecting personal financial data.

Many companies operate their own bug bounty programs, or employ experts like those at HackerOne, to conduct this research for them. However, these practices don’t always stop security vigilantes who feel compelled to conduct independent research.

Not only does this behavior skirt the boundary between legal and illegal, there’s another line that those with good intentions must realize should never be crossed. It is without a doubt unethical for researchers to conduct unsanctioned investigations—especially when said investigations could put lives at risk. This behavior conflicts with the basic morality that these researchers are often entrusted to uphold. And if this information somehow goes public, exaggerations and fear mongering will begin.

To ease fears and obtain a better understanding of this situation, let’s take a look at how the IFE actually works. A server located on commercial aircraft, known as the System Control Unit (SCU), maintains an individual connection to each passenger’s Seat Display Unit (SDU) throughout the cabin. Modern SDUs are typically touchscreens and often run on Linux or Android operating systems. A credit card reader may be located in the SDU or within the Personal Control Unit (PCU) handheld device.

The Cabin Management System (CMS) is what flight attendants use to adjust the atmosphere within the cabin. This system is often connected to the IFE. Because of this, elements such as speed and altitude displays, or even cabin lights, could theoretically be manipulated in the cabin—not the cockpit. This has yet to happen, and even so, all flight control systems are separate.

Pilot communications with the ground are also separate, occurring via the Aircraft Communications Addressing and Reporting System (ACARS). Airbus and Boeing also segregate Satellite Communications (SATCOM) from all other systems and have banned the distribution of SATCOM information. Both companies have also stated that their planes are constructed with flight controls and IFE systems (including in-flight Wi-Fi) completely isolated from each other, with pilots always acting as physical superusers over flight control systems.

According to a senior federal law enforcement official, no conclusive data exists which indicates a passenger can utilize an IFE system to gain access to any component of flight control mechanisms. In addition, United Airlines has stated that they are confident Roberts’ claims are unfounded.

So sit back, relax, and put the thought of your flight being hijacked by the person next to you rapidly pressing on the IFE out of your mind. They’re probably just playing Candy Crush.

Disclaimer: Never attempt to tamper with an IFE system or claim to have manipulated flight controls unless you’re interested in ending up on the No Fly list. The FAA has a zero-tolerance policy for perceived threats. It’s not worth the risk; just ask Chris Roberts.


Learn more:
https://www.bloomberg.com/news/articles/2015-05-18/hacker-claims-of-plane-takeover-aren-t-credible-official-says
https://abcnews.go.com/US/flight-entertainment-systems-vulnerable-hacking-report-suggests/story?id=44294211
https://threatpost.com/in-flight-entertainment-system-flaws-put-passenger-data-at-risk/122621
https://www.gpo.gov/fdsys/pkg/FR-2008-01-02/html/E7-25467.htm