A cybersecurity professor has insisted he was not hunting for a vulnerability when he found a denial-of-service bug on an in-flight entertainment screen during a long-haul flight. His findings could affect a number of airliners running Thales-made equipment.
But Hector Marco, an associate cybersecurity professor at the University of the West of Scotland, has received a kicking on social media from some in the security industry over his research method.
At the start of a commercial transatlantic flight he took in February, Marco pasted long strings of text into an in-flight chat app using a USB wireless mouse.
"Although I was very tired, and it was a night flight, I couldn't resist to do some basic security checks in the entertainment systems," he originally wrote in a LinkedIn post explaining the in-flight entertainment (IFE) system vuln, which was assigned CVE-2019-9109 by MITRE. That blog post was edited shortly after The Register contacted Marco.
In an email to The Register (Marco refused to discuss his findings over the phone), the cybersecurity prof insisted he was "not probing for vulnerabilities", before insisting that during his flight he "wanted to send a long message to another chat seat" and decided to use the mouse. "After copying and pasting many times the chat application surprisingly disappeared in front of me."
A YouTube video Marco published and linked to from his original LinkedIn post shows someone operating the mouse on the IFE screen, repeatedly copying and pasting what appears to be a lengthy and unbroken string of characters including the letters "fdkfdkfdkfdkfdhhhhhhhh". The app later froze but did not appear to affect any other screens aboard the Boeing jet he was flying in.
"I didn't know that the application will crash," he said when we asked what he would have done if his actions had crashed the entire IFE system shortly after takeoff on a nine-hour flight, "so I was not probing any vulnerability because I didn't know the existence of any vulnerability at that time."
Copying and pasting long strings of text into an input field is a well-known penetration-testing technique. It examines whether or not a buffer overflow is possible, which is when software fails to check that the amount of data supplied by the user can fit within a memory buffer. Overrunning a buffer with malicious data can lead to the execution of attacker's code, stashed within that data, on the system.
A few years ago, Marco and a fellow researcher found that it was possible to bypass boot authentication in Linux bootloader Grub2 by pressing backspace 28 times, triggering an integer underflow.
Marco appeared to admit he wasn't entirely sure what he found aboard his transatlantic flight, telling us: "The most likely in this case is a buffer overflow but a memory exhaustion or similar can not be discarded. Assigning 'unknown' as vulnerability type [in the CVE notice] will force us to ask for a change for sure. Using the most likely one can give a better context and likely avoid future changes about the kind of issue."
The affected vendor here is not British Airways
The US NIST entry for CVE-2019-9109 refers to the vulnerability only as affecting "The British Airways Entertainment System, as installed on Boeing 777-36N(ER) and possibly other aircraft". The Register can reveal that the affected software is in fact made and maintained by Thales Group under the trade name Thales TopSeries i5000. BA is a Thales customer.
Marco told El Reg that he "immediately contacted the affected stakeholders" once he had found the bug. Thales declined to comment. Boeing told us: "Multiple layers of protection, including software, hardware, and network architecture features, are designed to ensure the security of all critical flight systems. Boeing's cyber-security measures are subjected to rigorous testing, including through the FAA’s certification process, and our airplanes meet or exceed all applicable regulatory requirements."
BA itself told us that the vuln as described would not let anyone get their digital mitts on the aircraft's flight control systems, adding: "We are already aware of this issue and our investigations have not identified any safety or security risk to our operation. IFE systems on board our aircraft are isolated from critical operating systems. The safety and security of our customers is always our priority."
Marco published a blog post showing a picture of the aircraft he used as his vuln-hunting testbed: a British Airways Boeing 777-300 registered G-STBD, which, according to plane-spotters' site The BA Source, was operating flight BA287 from San Francisco to Heathrow on Friday 8 February 2019. This fitted the flight details alluded to in Marco's original LinkedIn post, where he posted on 12 February that he had taken a flight from California to London on the preceding Friday.
The BA Source lists G-STBD's IFE equipment supplier as Thales. A Flickr photo of the IFE fitted in an economy seat (World Traveller, as BA brands its long-haul cattle-class seats) aboard G-STBD can be compared to this video of a Hong Kong Airlines Airbus A330, labelled as featuring a Thales i5000 IFE system, which shows a near-identical handset and screen to the BA IFE gear. It also appears identical to the photos and video published by Marco himself.
Items such as USB ports in IFE equipment are typically specified by airlines themselves and vary in position and fitment, though the handset and screen do not differ significantly.
Vuln has worldwide impact
BA's Boeing 777-300 fleet numbers 12 aircraft, all of which appear to be fitted with Thales i5000 IFE equipment; the airline flies a total of 58 777-200 and 777-300 aircraft. A frequent flyers' website claimed that Thales i5000 gear is installed aboard a number of BA airliners, including its Airbus A321 and A380 fleets, as well as some of the 777s and all of its Boeing 787 Dreamliners.
Some of the other airlines that use Thales TopSeries i5000 IFE equipment include Oman Air, which flies a total of 18 long-haul capable Boeings and Airbuses. Hong Kong Airlines, which also uses Thales i5000 IFE kit, flies 27 Airbus A330 and A350 airliners.
It is unknown whether the vuln affects other IFE equipment produced under the TopSeries brand.
When we asked Marco for his thoughts on the online commentary about his findings and the way in which he presented them, he said that people were commenting based on incomplete information "and part of it describes an hypothetical scenario. Those thoughts aloud were intended to avoid this issue to go unnoticed, that's all, because I really think this should be addressed and we are supporting stakeholders on this."
Infosec industry veteran Ken Munro believed Marco had been a bit thoughtless, saying: "Research is a valuable part of advancing security, but there are important boundaries that separate researchers from hackers. [Marco] knew the potential consequence of his actions and also is hopefully aware of the UK Computer Misuse Act. There are potential safety implications here, so testing an IFE in an airplane with passengers on board is unwise." ®