Back to Home

Hacking on board an airplane

avionics · security · hacking

Hacking on board an airplane

Original author: Ruben Santamarta
  • Transfer

Over the 5 years that I have been working at IOActive, I have been to many interesting places thousands of kilometers from home. Therefore, flight has become commonplace for me. You might think that this is nothing special, but not for me, as a person who is afraid to fly. Not to say that I managed to get rid of this phobia; after a dozen flights, the palms still sweat on take-off, but I put up with it, I can even say I sometimes like to fly ... and hack systems right from the side.

Studying the functionality of the aircraft and getting used to noise, jumps and turbulence helped me in overcoming my fear. This article will tell you how on-board systems work, and in particular, on-board Entertainment Information System (BRIS), developed by Panasonic Avionics.

Two years ago, while I was flying from Warsaw to Dubai, I decided to play a little with BRIS. And when I clicked on a specific place in one of the upper corners of the screen, I saw the following debugger data:

----
Interactive: ek_seatappbase_1280x768_01.01.18.01.cram
Content: ek_seatappcontent_1280x768.01.01.8.01.cram
Engine: qtengine_01.14.0.01.squash
LRU Type: 196 2
IP: 172.17.148.48
Media Player Auto Popup Enabled: false
-----


After arriving in Dubai and searching for keywords on Google, I found hundreds of firmware for various airlines in the public domain.


Obviously, the firmware is being actively updated, so it will be possible to access the actual one that is installed on board. To date, the files are still there, but access to the list of directories is closed.

Below is a list of airlines for which I managed to find firmware:

  • Emirates
  • Airrance
  • Aerolineas argentinas
  • United
  • Virgin
  • Singapore
  • Finnair
  • Iberia
  • Etihad
  • Qatar
  • Klm
  • American airlines
  • Scandinavian

The basic architecture of BRIS is as follows:



System Control Unit (BUS)


This is a certified on-board server. Passengers, as a rule, can monitor in real time the current flight parameters, such as wind speed, latitude, longitude, altitude and temperature overboard. The BUS will receive all this information through the avionics bus (usually ARINC 429) and then the Chair Information Terminals (ITC) can access it via Ethernet.

Armchair Information Terminal (ITC)


This is a removable linear unit and with it passengers have access to the passive and active BRIS functionality, such as watching movies, buying goods, reading articles or accessing the Internet. Simply put, this is a built-in device with a touch screen. Newer models use Android, while outdated, mostly Linux.


TEC removal is a Rave AIX, not a Panasonic Avionics model ( source )

Personal Management Device (PUU)


This is an optional device. With the help of PUCs, it is possible to manage ITCs and, as will be shown below, it can also work as a terminal for credit cards.

Cabin crew panel


With the help of this panel, flight attendants and other crew members can control such aircraft functions as light, drives (including beds), passenger announcements, on-board purchases, or the personnel call system. The Cabin Management System is usually integrated with BRIS. Panasonic Avionics does this with the help of Global Communications Services, providing common functionality for simple operations from the cockpit (see here ). The CrewApp crew app is available from the cabin crew panel.

BRIS from Panasonic


Panasonic BRIS: Legacy 3000 / 3000i and the new XSeries eFX, eX2 and eX3 (on Android). The hardware component may vary, but they are similar in architecture and they have common characteristics.

More information on Panasonic's BRIS can be found on their website .

These systems can be customized, which allows airlines to set the BRIS in accordance with the airline’s policy, while the code base is almost the same.

After analyzing the firmware, I was not quite able to find out how to load data on the ground. Typically, content is updated via Wi-Fi ad-hoc networks, or via a high-speed mobile connection as soon as the plane lands. Panasonic's BRIS is mostly updated via Floppinet". In-flight communications with satellites or mobile networks are available, but in most cases, BRIS works autonomously, with preloaded content. Typically, BRIS does not even check credit cards in real time.

Panasonic Avionics BRIS adheres to a client-server architecture with three main components :

  • Crrewapp
  • Seatapp
  • Backend  


I found several versions of CrewApp and SeatApp from the above page. When I google keywords, I also managed to find a backend in the public domain on different .aero sites. Despite the fact that they have branded and unique data from airlines, the code base in them is from the Panasonic backend.

It is impossible to cover all the options of BRIS in one article, since airlines expand and adapt the framework, so we will focus on specific functions later on.


Rebooting SeatApp on Linux Firmware

files (in this case, a program that runs on a device not supported by the user) that I analyzed did not contain the entire system, but only the parts that need to be updated. This is sad because we could find out more information about the operation of these devices, but still some interesting points can be clarified with the help of the available files.

Scripts


Panasonic Avionics has developed its declarative scripting programming language to interact with the user interface and features of the main application. It supports dozens of teams and has good functionality.


Sample core / startup.txt code

Reverse engineering the main binary file (airsurf) will let you know how the parser of such scripts works. For a demonstration, let's look at #define .

The script is processed line by line and when the parser sees the #define construct , it tries to parse it into sub_80C2690 .


Five types can be defined in this function: flash, text, draw, timer, and value.


The first line of the script contains #define with the value [value], let's see how it is processed.

First of all, the string is parsed and the name define is retrieved. Then the parser checks whether the number (after the green block) is below the number (below the blue block).


If the value is not a number, then it is compared with various variables and if a match is found, then it is replaced by its value.


If the value is a number, then the name / value pair is added to the define global array (blue block below)


For the cmd command , the binary calls the desired function from the cmd table and passes the arguments.


Here you can find some interesting functions, for example, the one that reads credit card information after activating it in the terminal.



Data received from the card reader (/ dev / ccr) is parsed, printed and verified.


You can find ordinary files, such as shell scripts, configuration files (containing embedded credentials), databases, resources and libraries.

In one of the tweets where the Panasonic BRIS reset was shot, I saw the following information. The files of the SeatAppBase application are the same that we are considering.


loadlru.h

In new versions of BRIS X, Panasonic switched to Android and, accordingly, the old .txt scripts are replaced with an approach using QT QML:


The backend uses PHP. Vulnerabilities are immediately apparent.


The image above refers to the chat functionality between the seats, where passengers can send messages to each other. It will not be difficult for you to guess what is wrong here, and this is not the only problem.

The following videos demonstrate exploitation of vulnerabilities, but without prejudice.

  1. Credit Card Check Bypass


  2. File Access (e.g. / dev / random)


  3. SQL injection



Potential threats


So how far can an attacker go by exploiting such vulnerabilities in BRIS? There is no definite answer to this question, but we will try to consider some general cases that are not specific to a particular system manufacturer, and we will do this by considering more aspects of the system.

According to the DO-178B standard, which defines the specifications of real-time operating systems in aviation, BRIS must be between levels D and E. Panasonic Avionics BRIS is certified at level E. This means that even if the entire system fails, it either doesn’t change or create some inconvenience to passengers.

I would also like to note that the information network of the aircraft is divided into 4 parts, according to the type of data that they are processed: passenger entertainment, passenger devices, airline information services and aircraft control.

Aircraft control should belong to the same part of the network, which should be physically separated from the passenger part, but this is not always the case. Some vessels use optical information diodes, while others prefer network gateway modules. This means that a potential threat cannot be excluded as long as the connection between the two parts exists.

BSID may turn out to be an attack vector. In some cases, this type of attack will not be possible due to the isolation of systems, but in others, the potential threat remains due to the physical connection of the systems. IOActive successfully compromised the gateways of other vehicles. The line between the passenger and control systems is strongly defined thanks to the specific devices, software and settings of the aircraft.

In 2014, we published a series of vulnerabilities in satellite communications devices (SATCOM), including airborne terminals. Most of all, these devices are used in various areas of the system, which allows an attacker to use equipment to gain access to avionics through a compromised BRIS.

From the IT side, hacking BRIS means that an attacker can control the information that passengers on board receive. For example, you can change flight data such as altitude or speed and show the dummy route of the aircraft on the map. An attacker could compromise the CrewApp application for personnel and control the light or drives in the classes above. If these threats are combined, then passengers can be confused.

Getting personal information, including credit card information, also takes place if the backend, which sometimes provides specific information about the frequency of flights or VIP membership, is not configured properly.

On the other hand, a Wi-Fi network can be configured reliably, without any security risks.

I would like to say that, in our opinion, such systems will not be able to withstand a serious attack from an experienced attacker. Airlines should be vigilant when it comes to their BRIS, providing carefully separated systems and testing every aspect of security in phases. Responsibility for safety does not rest solely with the BRIS developer, vessel manufacturer or operator. Everyone plays an important role in the safety of the environment.

Disclosure Responsibility


We reported Panasonic Avionics vulnerabilities in March 2015. We hope that there was enough time to close the vulnerabilities found, at least the most obvious ones. However, we think it’s hard to say that all these problems have been resolved in an area where different airlines and hundreds of product versions are involved.

Read Next