InFlight Entertainment systems security: a brief analysis

Nowadays it is becoming more and more common for airlines to adopt IFE (In Flight Entertainment)/ IFC (In Flight Connectivity) solutions to “entertain” passengers, offer free movies, music, games, information about the flights (altitude, speed, temperature outside, temperature inside etc) and also the possibility to buy products or fast internet using common payment methods such as PayPal or credit cards. IFC solutions offer connectivity with the ground, between passengers, crew, pilots, and transform a normal aircraft in a “E-enabled” one. Users can register with their username and password and buy “internet packets” to work, exchange emails, using IM (Instant Messaging) services while flying. But IFE are much more than a touch screen and video players. IFC are often the bridge between passengers, cabin crew and pilots. Personnel from the crew can login on the IFE systems to modify information about the flight, the weather at destination, the products that are available for sale during the flight, and chat with the passengers, in order to get requests and provide faster and more efficient support. Cameras can be mounted on the back and the front of the aircraft to offer a “pilot experience” to passengers especially during take-off and landing. An IFE system can be a very important factor for in-flight shopping, and surveys can be filled by passengers to improve the offered services. All these services are provided by a complete ecosystem that is well represented from the APEX (Airline Passenger Experience Association) 0415 reference document, describing "minimum security requirements, format constraints, workflow recommendations and a single unifying file format.”[1]

A possible representation of how an IFE/IFC is “embedded” in an aircraft to offer communications and services can be seen in the picture below

Different wireless access points are distributed in the aircraft to guarantee complete coverage to the passengers. A central server is used to distribute content and offer connection between the departments. A more detailed representation can be the following:

The server is directly connected to the CMS (Content Management System), that is responsible to deliver content to the IFE. The CSP (Content Service Provider) delivers media and any other compatible content to the system, using standard encryption mechanism to protect copyright. Once the media ends on the IFE, it is completely decrypted and can be played/streamed by the users.

The On-board server is the main target of our analysis, and it’s where the PII and user credentials are stored together with the decrypted media content. The server offers also e-commerce and advertising services.

All the stakeholders can access the functionalities of the server, through different or unique interfaces.

Although the IFE systems offer complete connection between passenger, crew, pilots and airports, they are completely separated from critical systems inside the aircraft. This does not mean that the IFE systems are allowed to be insecure. These systems carry out so much sensitive information that can attract the attention of malicious users:

• Media protected by copyright.

• Usernames and password of the users

• Credit cards used to purchase goods, contents or faster connections

• Personal information of the passengers

  • Name

  • Surname

  • Date of birth

  • Address

  • Email

  • Phone numbers

  • Device in use (in case of BYOD)

• Private information shared by the passengers with the cabin crew:

  • Health problems

  • Allergies

• Private messages shared between passengers

• Internal IPs of other devices in the aircraft

• Communication with the air traffic controllers

The list can be expanded depending on the type of the IFE and how much interconnectivity is offered. So how could we attack an IFE system?

IFE systems offer different entry point to a malicious actor, that could be exploited to gain more privileges and access to the information listed. In this blog post we only consider attacks carried from the following entry points:

• Web panel

Every IFE offers the possibility to connect your own device, such as laptops, tablets or phone, and register an account via the website deployed on the web server. The web panel is exposed to every issue that affects web applications, such as the OWASP Top 10.

• Wi-Fi network

The wi-fi network allows users to connect their own devices to the network and get access to internet.

• Web sockets

Web sockets are mostly used to provide real time information about the flight, status of the devices (battery level, CPU level etc)

• USB port on the screen

The USB port on the seat’s screen is easily accessible by any customer on the aircraft and can be used to carry on fuzzing black-box testing.

• Debug port

The debug port is used to get information about the system and /or get access to the IFE for maintenance. It is marked as low risk, because is not accessible from the screen of the passengers but it is only accessible from the IFE servers.

Web server

Our research shows that the top vulnerabilities that affect the web portal can be categorised as the following.

• Authentication bypass

In most of the analysed IFE systems we were able to bypass the authentication, impersonating admin users.

• Cross-site scripting (stored, DOM based, reflected)

Input sanitisation is most of the time missing, and this will lead in XSS attacks.

• Username disclosure through error messages

Error messages show that a particular username exists or not in the system, helping the attacker in fine tuning brute force attacks.

• Unauthenticated endpoint that lead to customer info stealing

Not all the endpoints are protected from session validation checks. Many endpoints used to retrieve users’ info based on the username, were not protected and could be exploited through brute-force attacks, to retrieve info about passengers.

• Escalation of privileges (from user to crew member to maintenance)

Sessions are not properly validated, relying on client side validation. Admin usernames are always available and used by maintenance or crew members with higher privileges.

• Credit Card information disclosure

Credit cards stored in the system, can be used to purchase goods or internet connection. A user’s credit card could be used multiple times. Communication over websocket could leak credit card transactions. During our testing we were able to retrieve passengers' CC information and purchase history.

• User Private information disclosure (Name, surname, username, city, country, address, phone number for every passenger)

Passenger data could be retrieved without any form of authentication. Unprotected endpoint could be used to retrieve crew members and passenger’s private info

• Flight data manipulation

IFE systems offer information about the current flight, and enable the cabin crew to modify data such as:

• Departure Airport

• Arrival Airport

• Number of passengers

• Weather at destination

• Routes

Once the attacker is able to bypass authentication mechanisms and escalate his/her privileges to a cabin crew member, he/she can manipulate the data and impact the user experience, creating disorientation between passengers.

Wi-Fi network

• No network isolation

Passively listening on the network, it is possible to receive and retrieve information about passengers and device installed in the aircraft

Websockets

• Internal IP disclosure

The IFE systems are composed of different devices distributed around the plane. Every device communicates its status (battery level, CPU level, in use/not in use etc), as a keep-alive information. The problem is that every device communicates also its IP (ex. 10.X.X.X) and its MAC address, allowing attackers to expand their scope.

Practical examples

At DCODX we love to explore new technologies, and IFE systems are pretty interesting ones. Recently we analysed one of the new player in the market, and discovered few vulnerabilities, such as:

• Authentication and Authorization bypass

• Passenger information stealing

• Plaintext information over the network

Authentication and Authorization bypass

During our test, we were able to bypass the login panel and access the IFE as a cabin crew member, without using any stolen credential. From the panel we were able to check the status of the devices (2), check statistics and modify the information about the flight shown to the passengers. One interesting feature was the possibility to shutdown the IFE and create a DoS for every passenger.

Internal IP disclosure

Conclusions

IFE/IFC are becoming more and more a standard part of aircrafts, and represent the connection between the passengers, the crew and the plane itself. Security standards for these type of systems must be pretty high, because, although most of the times they are not directly connected to critical aircraft assets, they contain passenger sensitive information, copyrighted content, financial data and flight information shown to the passengers.

References

[1] https://cdn.ymaws.com/connect.apex.aero/resource/resmgr/techspec_docs/APEX_0415-v1.0_RC1_2017-06-0.pdf

[2] https://www.rtca.org/sites/default/files/symposium_2017_cybersecurity_white_paper_digital.pdf