Buffer overflow flaw in British Airways in-flight entertainment systems will affect other airlines, but why try it in the air?
- by 7wData
A cybersecurity professor has insisted he was not hunting for a vulnerability when he found a denial-of-service bug on an in-flight entertainment screen during a long-haul flight. His findings could affect a number of airliners running Thales-made equipment.
But Hector Marco, an associate cybersecurity professor at the University of the West of Scotland, has received a kicking on social media from some in the security industry over his research method.
At the start of a commercial transatlantic flight he took in February, Marco pasted long strings of text into an in-flight chat app using a USB wireless mouse.
"Although I was very tired, and it was a night flight, I couldn't resist to do some basic security checks in the entertainment systems," he originally wrote in a LinkedIn post explaining the in-flight entertainment (IFE) system vuln, which was assigned CVE-2019-9109 by the MITRE Corporation. That blog post was edited shortly after The Register contacted Marco.
In an email to The Register (Marco refused to discuss his findings over the phone), the cybersecurity prof insisted he was "not probing for vulnerabilities", before saying that during his flight he "wanted to send a long message to another chat seat" and decided to use the mouse. "After copying and pasting many times the chat application surprisingly disappeared in front of me."
A YouTube video Marco published and linked to from his original LinkedIn post shows someone operating the mouse on the IFE screen, repeatedly copying and pasting what appears to be a lengthy and unbroken string of characters including the letters "fdkfdkfdkfdkfdhhhhhhhh". The app later froze but did not appear to affect any other screens aboard the Boeing.
"I didn't know that the application will crash," he said when we asked what he would have done if his actions had crashed the entire IFE system shortly after takeoff on a nine-hour flight, "so I was not probing any vulnerability because I didn't know the existence of any vulnerability at that time."
Copying and pasting long strings of text into an input field is a well-known penetration-testing technique. It is most commonly associated with triggering buffer overflows in software that does not implement memory protections such as address space layout randomisation (ASLR). A few years ago, Marco and a fellow researcher found that it was possible to bypass boot authentication in Linux bootloader Grub2 by pressing backspace 28 times.
Marco appeared to admit he wasn't entirely sure what he found aboard his transatlantic flight, telling us: "The most likely in this case is a buffer overflow but a memory exhaustion or similar can not be discarded. Assigning 'unknown' as vulnerability type [in the CVE notice] will force us to ask for a change for sure. Using the most likely one can give a better context and likely avoid future changes about the kind of issue."
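Both failure modes mentioned above, a buffer overflow and memory exhaustion, are avoided when input code enforces a length limit on pasted text. As an added illustration (not Thales or British Airways code, and not from the original article), here is a C input handler that stays bounded under repeated pastes; `CHAT_MSG_MAX`, `chat_input` and the function names are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical per-message limit; the real system's limits are not public. */
#define CHAT_MSG_MAX 256

typedef struct {
    char   text[CHAT_MSG_MAX + 1]; /* +1 for the terminating NUL */
    size_t len;                    /* bytes in use, excluding the NUL */
} chat_input;

typedef enum { CHAT_OK = 0, CHAT_TOO_LONG = -1, CHAT_BAD_ARG = -2 } chat_status;

void chat_input_init(chat_input *in) {
    in->len = 0;
    in->text[0] = '\0';
}

/* Append one paste to the pending message. A paste that does not fit is
 * rejected whole, so the fixed buffer is never written past its end and
 * no storage grows, however many times the user pastes. */
chat_status chat_input_paste(chat_input *in, const char *data, size_t n) {
    if (in == NULL || data == NULL || in->len > CHAT_MSG_MAX)
        return CHAT_BAD_ARG;
    if (n > CHAT_MSG_MAX - in->len)   /* subtraction cannot wrap; len + n could */
        return CHAT_TOO_LONG;
    memcpy(in->text + in->len, data, n);
    in->len += n;
    in->text[in->len] = '\0';
    return CHAT_OK;
}

/* Constructed demo: paste an 8-byte string until the handler refuses.
 * Returns the number of pastes accepted before the first rejection. */
size_t chat_demo_repeated_paste(chat_input *in) {
    static const char paste[] = "fdkfdkfd"; /* constructed sample input */
    size_t accepted = 0;
    chat_input_init(in);
    while (chat_input_paste(in, paste, sizeof paste - 1) == CHAT_OK)
        accepted++;
    return accepted;
}

int main(void) {
    chat_input in;
    printf("pastes accepted: %zu\n", chat_demo_repeated_paste(&in));
    return 0;
}
```

Rejecting the oversized paste leaves the earlier text intact, so the UI can report the limit to the user instead of crashing or silently truncating.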
The US NIST entry for CVE-2019-9109 refers to the vulnerability only as affecting "The British Airways Entertainment System, as installed on Boeing 777-36N(ER) and possibly other aircraft". The Register can reveal that the affected software is in fact made and maintained by Thales Group under the trade name Thales TopSeries i5000. BA is a Thales customer.
Marco told El Reg that he "immediately contacted the affected stakeholders" once he had found the bug. Thales declined to comment.