Researcher Accidentally Discovers In-Flight Entertainment System Vulnerability

Hector Marco, a cybersecurity professor flying on a British Airways Boeing 777-36N, has accidentally discovered a buffer overflow vulnerability (CVE-2019-9019) that can affect in-flight entertainment systems in that particular model, as well as in other airplanes. According to the researcher’s report, the USB interface of the entertainment system allows devices to be both charged and interacted with. This means that a USB keyboard and mouse can be used with the system, making it possible to trigger buffer overflows or other memory errors that can produce a DoS (Denial of Service) on specific applications like the chat app.

The chat application is the one the researcher focused on while exploring possible weaknesses out of boredom, experimenting with long messages and finding a way to crash it. Since the researcher managed to crash his own chat app, it is deduced that it would be fairly easy to do the same across all the entertainment systems of the passengers, by sending them very long messages. Since the USB port allows interaction with the system, it would be possible to write a piece of malicious code and automate the DoS process. The researcher has also recorded a video showcasing how this works.
