There’s hardly a day without a new vulnerability. CVE-2019-9019 is a security flaw in the British Airways Entertainment System that affects the Boeing 777-36N(ER) and perhaps other aircraft, too. The vulnerability is classified as a privilege escalation located in the USB Handler component.
CVE-2019-9019 Technical Overview
Here’s the official CVE-2019-9019 description:
The British Airways Entertainment System, as installed on Boeing 777-36N(ER) and possibly other aircraft, does not prevent the USB charging/data-transfer feature from interacting with USB keyboard and mouse devices, which allows physically proximate attackers to conduct unanticipated attacks against Entertainment applications, as demonstrated by using mouse copy-and-paste actions to trigger a Chat buffer overflow or possibly have unspecified other impact.
As already mentioned, the vulnerable entertainment system is installed on the Boeing 777-36N(ER), but other models may be affected as well. It should be noted that the attack requires local access, with no form of authentication required for exploitation. At the moment, there are neither technical details nor an exploit publicly available, security researchers say.
The current estimated price for an exploit is around $5k-$25k (estimate calculated on 02/23/2019). The CVE-2019-9019 vulnerability is described as having a historic impact due to its background and reception.
Since no countermeasures are known so far, a good idea may be to replace the affected system with an alternative product.
It’s important to note that entertainment systems are crucial components in aviation, and they could be used as entry points for attackers in various scenarios. It’s not the first time vulnerabilities affecting aircraft have been discovered. A couple of years ago, a security researcher uncovered vulnerabilities in Panasonic Avionics in-flight entertainment (IFE) systems.
These IFE systems are used by many airlines, including United Airlines, American Airlines, Virgin Atlantic, and Air France. The vulnerabilities could allow attackers to control what passengers see and hear on their in-flight displays.