Panasonic Avionics has hit back at cybersecurity experts who purportedly released "inaccurate and misleading" research suggesting its in-flight entertainment (IFE) technology installed in at least 13 major airlines could be used by hackers to potentially access a plane's control systems.
On 12 December, security firm IOActive released research discussing vulnerabilities in Panasonic products that could allegedly give hackers the ability to alter how information on seat displays is shown to plane passengers, tamper with lighting and possibly access credit card data.
"The allegations made to the press by IOActive regarding in-flight entertainment (IFE) systems manufactured by Panasonic Avionics contain a number of inaccurate and misleading statements about Panasonic's systems," the firm said in a statement sent to IBTimes UK.
"These misstatements and inaccuracies call into question many of the assertions made by IOActive.
"IOActive has chosen to make highly misleading and inflammatory statements suggesting that hackers could 'theoretically' gain access to flight controls by hacking into Panasonic's IFE systems.
"Panasonic strenuously disagrees with any suggestion by IOActive that such an attack is possible, and calls upon IOActive to clarify that its research does not support any such inference."
When it was made public, the research caused an immediate stir. This was largely thanks to an article published in The Telegraph which sensationalised the paper's findings by indicating planes could soon be falling out of the sky because of the flaws found by IOActive.
The alarmist reporting stemmed from one line of the research paper, when security expert Ruben Santamarta said it could "theoretically be possible that such a vulnerability could present an entry point to the wider network depending on system configurations."
He said access to aircraft control was also "feasibly possible." While many outlets rushed out reports asserting plane passengers may be in jeopardy, a closer look into the actual research quickly established this was overblown and, in many cases, simply untrue.
Addressing this, Ruben remained somewhat vague. He told IBTimes UK: "We cannot definitively say if an attacker could or could not get to the aircraft controls domain as a result of the vulnerabilities identified, as it would depend on the specific configuration of the system on a plane."
Yet in its damning statement, Panasonic resolutely disputed the claim about plane control access, saying the suggestion could "falsely alarm the flying public." The firm said it tested the issues in May 2015 and again in 2016 to "ensure the few minor concerns had been fully remediated."
Panasonic said IOActive had presented "no evidence" that its analysis into the IFE product would support the conclusion it could be "feasibly possible" to get access to an aircraft's controls. It added that any claim credit-card data could be accessed was "simply not true."
A spokesperson said: "In statements to the press [the firm] inappropriately mixed a discussion of hypothetical vulnerabilities inherent to all aircraft electronics systems with specific findings regarding Panasonic's systems.
"[This created] a highly misleading impression that Panasonic's systems have been found to be a source of insecurity to aircraft operation.
"The conclusions suggested by IOActive to the press are not based on any actual findings or facts. The implied potential impacts should be interpreted as theoretical at best, sensationalising at worst, and absolutely not justified by any hypothetical vulnerability findings discovered by IOActive."
On Twitter, just after Panasonic responded to the research, Santamarta said: "No, you're not bringing down a plane by hacking the f**king IFE."