Researchers have discovered flaws in Panasonic’s in-flight entertainment system that could grant hackers access to a plane’s passenger displays, cabin lighting, and PA system. In some cases, they could even hijack an aircraft’s controls.

IOActive’s Ruben Santamarta found the vulnerabilities in the Panasonic Avionics system, which is currently found in planes from 13 different airlines: United, American Airlines, Virgin, Emirates, Etihad, FinnAir, KML, Iberia, Qatar, Scandinavian, Singapore, Aerolineas Argentinas, and Air France.

Worryingly, it was discovered that the security issues could theoretically act as an access point to the plane's wider network, including the aircraft’s controls.  

“I discovered I could access debug codes directly from a Panasonic inflight display,” said Santamarta. “A subsequent internet search allowed me to discover hundreds of publicly available firmware updates for multiple major airlines, which was quite alarming. Upon analyzing backend source code for these airlines and reverse engineering the main binary, I’ve found several interesting functionalities and exploits.”

Hackers could scare passengers by altering what they see on their in-flight screens, such altitude and flight path. They could also manipulate the cabin’s lights and the recliners in the first-class seats, send out messages over the PA system, and potentially steal credit card details from frequent flyers/VIP members.   

Taking over a plane’s controls is, of course, the worst case scenario. Santamarta said that the Aircraft Control domain should always be physically isolated from the passenger entertainment domains, but this doesn’t always happen. He stressed that the airlines should be "incredibly vigilant" when it comes to segregating in-flight systems.

IOActive reported the flaws to Panasonic Avionics back in March 2015. The researchers waited this long to go public so the company had “enough time to produce and deploy patches, at least for the most prominent vulnerabilities.”

IOActive has been down this path before. The consultancy group hit the headlines a few years ago when it was able to take control of a Jeep Cherokee’s primary functions by remotely accessing its infotainment system.

Taking control of a plane’s controls from a passenger seat may sound unlikely, but Santamarta is convinced that it is possible. "I don't believe these systems can resist solid attacks from skilled malicious actors," he said. "This only depends on the attacker's determination and intentions, from a technical perspective it's totally feasible."