Buffer overflow vulnerability found in British Airways flight screens

The expert has been criticised for the method he used to discover this flaw

Network security and ethical hacking specialists recently discovered a vulnerability that exposes the in-flight entertainment systems of some airlines to denial-of-service (DoS) attacks. According to experts from the International Institute of Cyber Security, any airline working with these devices, manufactured by Thales, could be exposed.

Expert Hector Marco, who discovered the vulnerability, has been criticized for his research method. During a commercial flight, Marco entered long strings of text into a chat application using a USB mouse.

“I felt the need to do some security checks on the airline’s entertainment systems,” the network security expert said on his LinkedIn profile when the vulnerability (identified as CVE-2019-9109) was revealed.

The expert claims that he was not looking for a vulnerability, but intended to send a message to another seat’s chat system. “After copying and pasting the message several times, the chat application disappeared suddenly”, he added.

A video of the incident shows someone operating the mouse and entering a long string of characters, after which the application freezes. Apparently no other entertainment system on the flight was affected.

According to experts in network security, copying and pasting long text strings into an input field is one of the best-known techniques used in penetration testing. It helps pentesters verify whether a buffer overflow is possible, which is the case when the software fails to verify that the amount of data entered fits into the memory buffer. Overloading the buffer with malicious data could lead to arbitrary code execution.
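The missing length check described above, shown as an added generic illustration in C; it is not code from the affected system, whose implementation the article does not describe. The names `chat_msg`, `chat_store_unchecked`, `chat_store_checked` and `paste_until_rejected` and the 64-byte buffer size are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

#define CHAT_MSG_MAX 64               /* hypothetical size of the message buffer */
struct chat_msg { char text[CHAT_MSG_MAX]; size_t len; };

/* Unsafe pattern: trusts the input field. Input of CHAT_MSG_MAX bytes or
 * more is written past text[]. Shown for contrast, never called here. */
void chat_store_unchecked(struct chat_msg *m, const char *input)
{
    strcpy(m->text, input);
    m->len = strlen(m->text);
}

/* Hardened: find the terminator within the buffer size first and reject
 * anything that does not fit. Returns 0 on success, -1 on rejection. */
int chat_store_checked(struct chat_msg *m, const char *input)
{
    const char *end = memchr(input, '\0', CHAT_MSG_MAX);
    if (end == NULL)
        return -1;                    /* too long: nothing is copied */
    m->len = (size_t)(end - input);
    memcpy(m->text, input, m->len + 1);
    return 0;
}

/* Regression check modelled on repeated pasting: append `chunk` until the
 * store rejects the input. Returns the rejected length, 0 if never
 * rejected, or -1 if the canary placed after the buffer was modified. */
long paste_until_rejected(const char *chunk, int max_pastes)
{
    static char input[1024];
    struct { struct chat_msg msg; unsigned canary; } g = { .canary = 0xC0FFEEu };
    size_t clen = strlen(chunk), used = 0;
    for (int i = 0; i < max_pastes && used + clen < sizeof input; i++) {
        memcpy(input + used, chunk, clen + 1);   /* constructed sample input */
        used += clen;
        int rc = chat_store_checked(&g.msg, input);
        if (g.canary != 0xC0FFEEu)
            return -1;
        if (rc != 0)
            return (long)used;
    }
    return 0;
}

int main(void)
{
    printf("first rejected length: %ld\n", paste_until_rejected("0123456789abcdef", 10));
    return 0;
}
```

A 64-character input is rejected even though the buffer holds 64 bytes, because the terminating NUL needs the last byte; off-by-one handling of that boundary is a common source of this class of bug.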

The expert claims that he immediately contacted the stakeholders. While Thales did not respond to Marco’s statements, Boeing spokespersons commented: “Each of our protection layers are designed to ensure the safety of all critical flight systems”.

Airlines that use the vulnerable Thales equipment include British Airways, Oman Air and Hong Kong Airlines, among others. There is no evidence that these devices are affected by other vulnerabilities.

When questioned about the criticism his work received from the airline he was traveling with, the expert stated that the people who criticized him were relying on incomplete information. “I was just trying to make this kind of flaw unnoticed by the airlines and the cybersecurity community; I really think that these drawbacks should be handled by both companies and the suppliers of vulnerable equipment.”