War of words after flashy headlines claim hackers can take down a plane
People love stories they envision playing out on a movie screen—and on Tuesday, a smattering of media outlets thought they had a great one to deliver their readers.
"How a hacker could fly a PLANE," screamed The Daily Mail. "Hackers could take control of a plane using in-flight entertainment system," shouted The Telegraph.
But the report on which these headlines were based didn't exactly come to that same conclusion.
SEE ALSO: Netflix's Twitter account hacked by OurMine
The stories all ostensibly came from a report published Tuesday by IOActive that details the potential problems with the security of in-flight entertainment systems provided to airlines by Panasonic Avionics.
The author of the report, Ruben Santamarta, details a few hypothetical hacking scenarios wherein a hacker could tamper with the on-screen flight tracker or the lights that illuminate the walkways, and might even be able to steal credit card information from anyone who's paid for some sort of in-flight entertainment.
But while any in-flight hacking scenario isn't pleasant to think about, it requires several canyon-wide logical leaps to conclude that the author said hackers could bring down a plane by breaking into the same device on which you watch your in-flight movies.
These are the two paragraphs that presumably caused the hysteria:
and:
That might seem scary to someone like me who doesn't know much about how to hack an in-flight entertainment system, but I'll take it from the report's author himself that we don't have to worry about someone piloting the plane from somewhere in the back.
No, you're not bringing down a plane by hacking the fucking IFE.
— Ruben Santamarta (@reversemode) December 20, 2016
In response, and perhaps in a bid to secure better press out of all of this, Panasonic used its post-research press release to go after IOActive and not the media:
And Panasonic went after other suggestions as well, even though IOActive said they brought these concerns to the company more than a year ago. The company panned the idea that customer credit card information might be extracted from its entertainment systems, and it dismissed other theoretical ideas — such as how a hacker might mess with lights on the plane — by referring to Santamarta's findings as "hypothetical" vulnerabilities, as they did in this part of their press release:
IOActive, in response, seemed puzzled that Panasonic was attacking all this as "hypothetical," since hypothetical is not a synonym for impossible. Here's what they said in part of their counter-statement:
As IOActive alluded to in another part of their statement, Panasonic claims to have addressed the vulnerabilities outlined by the IOActive report, which IOActive said they told Panasonic about back in March 2015. But if that's true, and they've known about these vulnerabilities for well over a year, then...
"It's really peculiar to me that Panasonic would respond the way that they did, given that IOActive gave them sufficient time," Zach Lanier, director of research at Cylance, a cybersecurity firm, told Mashable. "You knew this was coming down the pipe, potentially, so why didn't you have your PR people deal with it a little bit better?"
Lanier thinks Santamarta's report is solid, but in a way, he gets why Panasonic would issue a blanket refutation. Any type of in-flight vulnerability has, as we've seen, the potential to generate all kinds of apocalyptic headlines and frighten flyers, and could potentially lead to some kind of investigation that Panasonic would want no part of.
In the future, though, Lanier's "very optimistic" hope is that this kind of research leads companies to realize that perhaps they should be better about talking to security researchers regarding their "hypothetical vulnerabilities."
