Bugs, Hackers, Panasonic… and More!


Panasonic Avionics Corporation is engaging with elite ‘white hat’ hackers through leading bug bounty provider HackerOne to ensure the security of its inflight entertainment systems. HackerOne has helped major companies such as General Motors, Uber, Twitter, Airbnb, Dropbox and Adobe identify and fix security vulnerabilities as part of authorized bug bounty and vulnerability coordination programs.

“Panasonic Avionics has always taken a proactive approach to security,” said Michael Dierickx, Director of Security Engineering and Information Security Officer at Panasonic Avionics Corporation. “We have extensive processes in place to identify potential and emerging vulnerabilities, and we also engage with security consultation firms who provide penetration testing and other services. Still, these teams bring a fresh perspective and innovative ways to search for potential issues. We want to harness this out-of-the-box thinking and create a win-win scenario that rewards both Panasonic and this community for our hard work and dedication.”

“With the HackerOne platform Panasonic Avionics has access to the world’s most powerful external security team, the global hacker community, to continue enhancing the security of their internet-connected systems,” said HackerOne CEO Marten Mickos. “Inviting white hat or ethical hackers to hunt for bugs is a powerful method for making connected technology safer for everyone.”

Having noted the release, we asked a few questions:

1. “Panasonic Avionics Corporation is engaging with elite ‘white hat’ hackers through leading bug bounty provider HackerOne to ensure the security of its inflight entertainment systems.” Does this NOT include inflight connectivity? If not, what are the sources of hacker data inputs only for IFE?

ANSWER: Our focus at Def Con was on our eXW system, which uses our inflight API (IFAPI) software architecture. Our decision to prioritize the eXW system was due to customer demand. More and more, airlines want the opportunity to interface with our IFE system, and IFAPI is our gateway. While our program’s initial focus is on IFAPI, our ultimate goal is to include all of our systems.

2. What OSs are included in the Panasonic entertainment systems, and are they typically, or have they ever been, hacked?

ANSWER: Panasonic Avionics uses a variety of operating systems based on the configuration. As we’ve moved into open platform architectures, we’ve responded by enhancing our own internal processes to ensure the security of the systems.

While we can’t comment on systems that have been delivered to our airline customers, we can say that stories in the press about someone’s ability to take control of the aircraft using the IFE system are almost always theoretical. Remember that our IFE system software is certified at Level-E per DO-178B, with ‘No Effect’ to aircraft safety for any failure. We do not expect that classification to change.

3. We assume some receipt of transmitted data is involved in the IFE systems? Correct? If so, what onboard/off-board data streams are involved?

ANSWER: Panasonic Avionics reviews and protects all required data streams as determined in the review.

4. Is Panasonic looking at data sent from IFE systems to the aircraft? What type of data? Is the reverse true as well? What kind of data, if so?

ANSWER: Panasonic Avionics works with the various OEMs, other suppliers, and in the associated standards and regulatory forums to align on the necessary security measures and means to protect the interfaces and data.

5. Is loaded content today checked for malicious code that a hacker would induce at a ground station after being created in California?

ANSWER: Panasonic Avionics adheres to the MPAA security standards for media and conducts internal and independent third party security audits.

(Editor’s Note: IFExpress should mention that Panasonic’s inflight entertainment data content facilities in California are some of the best and most secure we have ever seen. Check out this link for an earlier story by IFExpress on the Media Content Service operations and interview with Julie Lichty.)

6. Will the ‘Bug Bounty’ program include passenger messaging, connectivity engagement signals, airborne RFI (hacker), onboard radiation, etc.?

ANSWER: The bug bounty program will eventually be opened up to the entirety of the Panasonic Avionics product portfolio.

7. Does Panasonic have a ‘brick wall’ between the connectivity systems and the IFE, and the aircraft, or are there places that might be in question? If so, please give us an example of where such an external infection might cross over into the IFE or aircraft.

ANSWER: Panasonic Avionics deploys the necessary security practices to protect the assets.

8. What hardware/software did Panasonic provide at DefCon? Will there be a similar effort at the California IFE data facility? If not, why not?

ANSWER: Our focus at the DefCon event was on our wireless eXW platform, which uses our In-Flight (IFAPI) software architecture. Our customers want more opportunities to interface with our IFE system, and IFAPI is our gateway. While our program’s initial focus is on IFAPI, our ultimate goal is to include all of our systems.

9. Who is Panasonic’s head of IFEC hardware security?

ANSWER: Panasonic Avionics addresses security from many vectors and does have a dedicated Director of Security Engineering.

10. Please describe any hacks, if any, in today’s IFEC or aircraft that Panasonic has found… ?

ANSWER: While we can’t comment on systems that have been delivered to our airline customers, we can share that Panasonic Avionics security practices include secure code reviews, penetration testing, and vulnerability scanning as part of the product life cycle. Carrying out these processes is intended to discover quality issues (aka: Hacks) early on and convert these into security improvements in our products.

11. Has Panasonic attempted under test conditions to induce ‘bad data’ or hacker data into Panasonic modules in the lab? Does Panasonic have any ‘hacker testing’ today?

ANSWER: Panasonic Avionics has put in place extensive best practice processes to identify potential and emerging threats and vulnerabilities. Panasonic engages in both internal and 3rd-party-based vulnerability scanning and penetration testing.

12. Are Boeing and/or Airbus into this as well with you…will they be advised if issues are found?

ANSWER: Panasonic Avionics actively engages with both Airbus and Boeing Security to share information and discuss issues that impact product security, as well as our participation in the A-ISAC.

13. Please describe how Panasonic will handle issues if discovered… and there will be issues!

ANSWER: Panasonic Avionics follows its security incident response standards for monitoring, alerting, prioritization, and remediation.

(Editor’s Note: HackerOne is the world’s most popular bug bounty platform, connecting organizations with the world’s largest community of highly-qualified security researchers. More than 550 organizations, including The U.S. Department of Defense, General Motors, Uber, Twitter, Yahoo!, GitHub, Square, Dropbox and the CERT Coordination Center trust HackerOne to find critical software vulnerabilities before criminals can exploit them. HackerOne is headquartered in San Francisco with a development office in the Netherlands. Visit this website for more information.)

Inmarsat, provider of global mobile satellite communications services, has signed an agreement with Beijing Marine Communication & Navigation Company (MCN) and Aviation Data Communication Corporation (ADCC) to provide aviation safety services to Air Navigation Service Providers (ANSPs) and Operators. The Memorandum of Understanding (MoU) was unveiled at ATC Global 2016, which is taking place in Beijing this week, and outlines MCN/ADCC’s intention to offer cockpit communication services, including Inmarsat’s Classic Aero and next generation SwiftBroadband-Safety services, in the People’s Republic of China (PRC).

Classic Aero is a high-quality voice and data safety service currently used by most of the world’s airlines. It offers reliable and secure satellite surveillance and communications (FANS/ACARS) that meet International Civil Aviation Organization (ICAO) global flight tracking requirements.

SwiftBroadband-Safety utilizes secure IP-based broadband capabilities that far exceed those of other connectivity alternatives. It offers global, high speed, connectivity for cockpit and aircraft operations, with airlines benefitting from greater efficiency, reliability and capacity at a lower cost. The solution is always on and always secure, delivering next-generation applications, including flight data streaming (‘Black Box in the Cloud’) and real-time Electronic Flight Bag applications such as graphical weather. Inmarsat’s partnership with MCN and ADCC is expected to be finalized later this year and fits with the announcement made earlier this year of plans for a MCN and Inmarsat joint venture to provide comprehensive aircraft cabin and connectivity solutions across the PRC.

Global aeronautical communications provider, Satcom Direct (SD), announced today it has acquired AircraftLogs (“Stewart-Ratliff Aviation Services, Inc”), a company based in Columbus, OH, that offers the latest technology in aircraft flight scheduling software and tax reporting tools for corporate and private flight departments. With the purchase of AircraftLogs, SD adds scheduling and tax capabilities to its Integrated Flight Operations Management portfolio.

VTS (Video Technology Services) today announced that it is employing cutting edge technology to launch its latest SKY-SIS II Program for older Seatback IFE replacement and upgrade. This new product involves bridging thirty years of experience, combining traditional IFE systems with the latest new technologies and is an answer to requests from VTS client airlines, which is where all of VTS’s innovations have originated. According to Philip LaPierre, VP Engineering, “The long list of engineering and successful product developments have come from airline requests and over the last 30 years there have been many VTS firsts including: the first LCD (Liquid Crystal Display) IFE Video Projector, first LCD monitors for IFE applications, first VOD Systems, first Digital Video Player (DVP) to replace conventional videotape, first affordable old seatback retrofit and upgrade solution and others.” Stop by their booth 219 at APEX Expo, Singapore, Oct 24-27, 2016 and see for yourself.

