A simple tap on an in-flight entertainment system touchscreen kicked off an intellectual exercise that resulted in the discovery of a number of firmware vulnerabilities in embedded systems used by at least 13 airlines.

The vulnerabilities in the Panasonic Avionics IFE firmware could allow a local attacker to access passenger IFE systems, display incorrect or misleading information about a flight path, for example, or in other cases, steal personal information and payment card data.

Ruben Santamarta, principal security consultant at IOActive, privately disclosed the issues he discovered to Panasonic in March 2015. Given that the firmware is customizable and used by different airlines in hundreds of aircraft models, the researcher said it’s almost impossible to determine whether the vulnerabilities no longer exist across the board.

Santamarta said that segmentation between aircraft control and information services that oversee avionics and operational control of a plane should isolate these vulnerabilities to just the passenger entertainment domains. Whether an attacker could cross those domains and affect critical avionics systems would depend on specific devices and configurations, Santamarta said, given that a physical path may exist connecting those systems.

“That’s the million-dollar question,” Santamarta said. “There is no generic answer to that question. Each airline manufacturer creates and deploys these systems in different ways. They even have to ask for certain kind of regulation to install these devices (supplemental type certificates). We say in a generic way there is a physical path that connects the different domains.”

IOActive published a report today explaining Santamarta’s findings.

Previous IOActive research into vulnerabilities in satellite communication devices also crossed over to aircrafts, which run SATCOM terminals on board for in-flight updates to critical systems from the ground. The concern is that whether in some configurations, IFEs would share access to these devices and provide the physical path an attacker would need to reach critical systems.

“That’s a physical path that’s connecting all those domains that otherwise should be physically isolated,” Santamarta said. “We can’t say that if we break into one systems in the passenger entertainment domain that we would end up in the avionics domain because that’s extremely difficult and in certain cases totally impossible. There is a small chance to jump between different domains.”

Airbus and Boeing, however, have already taken this into account and mandated not only segregation of these systems, but prohibited sharing of resources such as SATCOM.

Santamarta’s journey to finding these vulnerabilities began three years ago on a long flight from Warsaw to Dubai where he managed to force the IFE in the seat to display debugging information that included firmware file names. Upon landing, he searched for the information and found exposed directories online hosting hundreds of firmware updates for Panasonic IFEs. Santamarta said he downloaded and analyzed more than two dozen and found vulnerabilities that affected IFEs used in aircraft run by huge airlines such as Air France, Emirates, United, Virgin, Iberia and others. These embedded devices are for the most part running Linux, but some are Android as well, Santamarta said.

He studied legacy Panasonic IFEs (3000 and 3000i models that run Linux) and newer XSeries eFX, eX2 and eX3 (Android-based) models. Santamarta said these systems running the backend Panasonic code support a great deal of customization. The architecture on board aircraft includes a backend server the feeds chat features, interactive maps, flight information, on-board shopping and in-flight entertainment to clients, which are in the case of airlines, crew and seat apps in the IFE.

Santamarta said an attacker with access to the USB port at his seat could run commands that would reveal routines that read credit card data from the handset after swiping, for example. Or he could send commands that would display incorrect flight data to passengers.

“What I found was that there is no encryption or authentication in the transmissions between the client side of the system embedded in the seat,” Santamarta said. “So basically you can break into the system and spoof that information. The passenger would see a fake route in the interactive map, or fake altitude or speed. Anything like that is possible.”

Credit card data swiped at the seat for premium movies or Internet access on board is also at risk, Santamarta said, though he said the potential for profit likely isn’t high given the relatively low number of passengers who will swipe a payment card during a flight.

During his research, another publicly exposed website contained the backend code of the Panasonic Avionics system. Some of these systems support connections to a database that includes VIP and frequent flier data (used to provide additional accommodations to first-class passengers, for example.) Vulnerabilities in that code, largely PHP, puts fliers’ personal information at risk through SQL injection flaws that Santamarta discovered. He also found hardcoded credentials that afford access to certain databases and allow an attacker to access other nodes on the aircraft’s network.

“We reported this in 2015. We have no way to verify if all these issues have been fixed or if those fixes were deployed because there are dozens of airlines involved and hundreds of aircraft models,” Santamarta said. “We have not receive that information from Panasonic. Airlines should review case by case their aircraft and setups. We currently don’t have that information.

“We reported some of the issues, but these systems are so complex, the problems are not only the issues we reported. Our hope is to help industry to fix these systems and to implement security into their code. For example, the backend code is PHP, so you can find code that is vulnerable to SQL injection in lot of places, in different files and APIs. The thing is that there’s an underlying problem; the code is not as secure as you expect. There is a lot of work to be done, and we don’t know if that work has already been done or if it is pending.”