A cybersecurity professor has insisted he was not hunting for a vulnerability when he found a denial-of-service bug on an in-flight entertainment screen during a long-haul flight. His findings could affect a number of airliners running Thales-made equipment.
But Hector Marco, an associate cybersecurity professor at the University of the West of Scotland, has received a kicking on social media from some in the security industry over his research method.
At the start of a commercial transatlantic flight he took in February, Marco pasted long strings of text into an in-flight chat app using a USB wireless mouse.
"Although I was very tired, and it was a night flight, I couldn't resist to do some basic security checks in the entertainment systems," he originally wrote in a LinkedIn post explaining the in-flight entertainment (IFE) system vuln, which was assigned CVE-2019-9109 by the MITRE Corporation. That blog post was edited shortly after The Register contacted Marco.
In an email to The Register (Marco refused to discuss his findings over the phone), the cybersecurity prof insisted he was "not probing for vulnerabilities", before insisting that during his flight he "wanted to send a long message to another chat seat" and decided to use the mouse. "After copying and pasting many times the chat application surprisingly disappeared in front of me."
A YouTube video Marco published and linked to from his original LinkedIn post shows someone operating the mouse on the IFE screen, repeatedly copying and pasting what appears to be a lengthy and unbroken string of characters including the letters "fdkfdkfdkfdkfdhhhhhhhh". The app later froze but did not appear to affect any other screens aboard the Boeing.
"I didn't know that the application will crash," he said when we asked what he would have done if his actions had crashed the entire IFE system shortly after takeoff on a nine-hour flight, "so I was not probing any vulnerability because I didn't know the existence of any vulnerability at that time."
Copying and pasting long strings of text into an input field is a well-known penetration-testing technique. It is most commonly associated with triggering buffer overflows in software that does not implement memory protections such as address space layout randomisation (ASLR). A few years ago, Marco and a fellow researcher found that it was possible to bypass boot authentication in Linux bootloader Grub2 by pressing backspace 28 times.
Marco appeared to admit he wasn't entirely sure what he found aboard his transatlantic flight, telling us: "The most likely in this case is a buffer overflow but a memory exhaustion or similar can not be discarded. Assigning 'unknown' as vulnerability type [in the CVE notice] will force us to ask for a change for sure. Using the most likely one can give a better context and likely avoid future changes about the kind of issue."
The US NIST entry for CVE-2019-9109 refers to the vulnerability only as affecting "The British Airways Entertainment System, as installed on Boeing 777-36N(ER) and possibly other aircraft". The Register can reveal that the affected software is in fact made and maintained by Thales Group under the trade name Thales TopSeries i5000. BA is a Thales customer.
Marco told El Reg that he "immediately contacted the affected stakeholders" once he had found the bug. Thales declined to comment.
