Panasonic Avionics Corporation is engaging with elite ‘white hat’ hackers through leading bug bounty provider HackerOne to ensure the security of its inflight entertainment systems. HackerOne has helped major companies such as General Motors, Uber, Twitter, Airbnb, DropBox and Adobe identify and fix security vulnerabilities as part of authorized bug bounty and vulnerability coordination programs.

“Panasonic Avionics has always taken a proactive approach to security,” said Michael Dierickx, Director of Security Engineering and Information Security Officer at Panasonic Avionics Corporation. “We have extensive processes in place to identify potential and emerging vulnerabilities, and we also engage with security consultation firms who provide penetration testing and other services. Still, these teams bring a fresh perspective and innovative ways to search for potential issues. We want to harness this out-of-the-box thinking and create a win-win scenario that rewards both Panasonic and this community for our hard work and dedication.”

“With the HackerOne platform Panasonic Avionics has access to the world’s most powerful external security team, the global hacker community, to continue enhancing the security of their internet-connected systems,” said HackerOne CEO Marten Mickos. “Inviting white hat or ethical hackers to hunt for bugs is a powerful method for making connected technology safer for everyone.”

Having noted the release, we asked a few questions:
1. “Panasonic Avionics Corporation is engaging with elite ‘white hat’ hackers through leading bug bounty provider HackerOne to ensure the security of its inflight entertainment systems.” Does this NOT include inflight connectivity? If not, what are the sources of hacker data inputs only for IFE?
ANSWER: Our focus at Def Con was on our eXW system, which uses our inflight API (IFAPI) software architecture. Our decision to prioritize the eXW system was due to customer demand. More and more, airlines want the opportunity to interface with our IFE system, and IFAPI is our gateway. While our program’s initial focus is on IFAPI, our ultimate goal is to include all of our systems.
2. What OS’s are included in the Panasonic Entertainment systems, and are they typically, or have they ever been, hacked?
ANSWER: Panasonic Avionics uses a variety of operating systems based on the configuration. As we’ve moved into open platform architectures, we’ve responded by enhancing our own internal processes to ensure the security of the systems.
While we can’t comment on systems that have been delivered to our airline customers, we can say that stories in the press about someone’s ability to take control of the aircraft using the IFE system are almost always theoretical. Remember that our IFE system software is certified at Level-E per DO-178B, with ‘No Effect’ to aircraft safety for any failure. We do not expect that classification to change.
3. We assume some receipt of transmitted data is involved in the IFE systems? Correct? If so, what onboard/off-board data streams are involved?
ANSWER: Panasonic Avionics reviews and protects all required data streams as determined in the review.
4. Is Panasonic looking at data sent from IFE systems to the aircraft? What type of data? Is the reverse true as well? What kind of data, if so?
ANSWER: Panasonic Avionics works with the various OEMs, other suppliers, and in the associated standards and regulatory forums to align on the necessary security measures and means to protect the interfaces and data.
5. Is loaded content today checked for malicious code that a hacker would induce at a ground station after being created in California?
ANSWER: Panasonic Avionics adheres to the MPAA security standards for media and conducts internal and independent third party security audits.
(Editor’s Note: IFExpress should mention that Panasonic’s inflight entertainment data content facilities in California are some of the best and most secure we have ever seen. Check out this link for an earlier story by IFExpress on the Media Content Service operations and interview with Julie Lichty.)
6. Will the ‘Bug Bounty’ program include passenger messaging, connectivity engagement signals, airborne RFI (hacker), onboard radiation, etc.?
ANSWER: The bug bounty program will eventually be opened up to the entirety of the Panasonic Avionics product portfolio.
7. Does Panasonic have a ‘brick wall’ between the connectivity systems and the IFE, and the aircraft, or are there places that might be in question? If so, please give us an example of where such an external infection might cross over into the IFE or aircraft.
ANSWER: Panasonic Avionics deploys the necessary security practices to protect the assets.
8. What hardware/software did Panasonic provide at DefCon? Will there be a similar effort at the California IFE data facility? If not, why not?
ANSWER: Our focus at the DefCon event was on our wireless eXW platform, which uses our In-Flight (IFAPI) software architecture. Our customers want more opportunities to interface with our IFE system, and IFAPI is our gateway. While our program’s initial focus is on IFAPI, our ultimate goal is to include all of our systems.
9. Who is Panasonic’s head of IFEC hardware security?
ANSWER: Panasonic Avionics addresses security from many vectors and does have a dedicated Director of Security Engineering.
10. Please describe any hacks, if any, in today’s IFEC or aircraft that Panasonic has found… ?
ANSWER: While we can’t comment on systems that have been delivered to our airline customers, we can share that Panasonic Avionics security practices include secure code reviews, penetration testing, and vulnerability scanning as part of the product life cycle. Carrying out these processes is intended to discover quality issues (aka: Hacks) early on and convert these into security improvements in our products.
11. Has Panasonic attempted under test conditions to induce ‘bad data’ or hacker data into Panasonic modules in the lab? Does Panasonic have any ‘hacker testing’ today?
ANSWER: Panasonic Avionics has put in place extensive best practice processes to identify potential and emerging threats and vulnerabilities. Panasonic engages in both internal and 3rd-party-based vulnerability scanning and penetration testing.
12. Are Boeing and/or Airbus into this as well with you…will they be advised if issues are found?
ANSWER: Panasonic Avionics actively engages with both Airbus and Boeing Security to share information and discuss issues that impact product security, as well as our participation in the A-ISAC.
13. Please describe how Panasonic will handle issues if discovered… and there will be issues!
ANSWER: Panasonic Avionics follows its security incident response standards for monitoring, alerting, prioritization, and remediation.
(Editor’s Note: HackerOne is the world’s most popular bug bounty platform, connecting organizations with the world’s largest community of highly-qualified security researchers. More than 550 organizations, including The U.S. Department of Defense, General Motors, Uber, Twitter, Yahoo!, GitHub, Square, Dropbox and the CERT Coordination Center trust HackerOne to find critical software vulnerabilities before criminals can exploit them. HackerOne is headquartered in San Francisco with a development office in the Netherlands. Visit this website for more information.)
Inmarsat, provider of global mobile satellite communications services, has signed an agreement with Beijing Marine Communication & Navigation Company (MCN) and Aviation Data Communication Corporation (ADCC) to provide aviation safety services to Air Navigation Service Providers (ANSPs) and Operators. The Memorandum of Understanding (MoU) was unveiled at ATC Global 2016, which is taking place in Beijing this week, and outlines MCN/ADCC’s intention to offer cockpit communication services, including Inmarsat’s Classic Aero and next generation SwiftBroadband-Safety services, in the People’s Republic of China (PRC).
Classic Aero is a high-quality voice and data safety service currently used by most of the world’s airlines. It offers reliable and secure satellite surveillance and communications (FANS/ACARS) that meet International Civil Aviation Organization (ICAO) global flight tracking requirements.
SwiftBroadband-Safety utilizes secure IP-based broadband capabilities that far exceed those of other connectivity alternatives. It offers global, high speed, connectivity for cockpit and aircraft operations, with airlines benefitting from greater efficiency, reliability and capacity at a lower cost. The solution is always on and always secure, delivering next-generation applications, including flight data streaming (‘Black Box in the Cloud’) and real-time Electronic Flight Bag applications such as graphical weather. Inmarsat’s partnership with MCN and ADCC is expected to be finalized later this year and fits with the announcement made earlier this year of plans for a MCN and Inmarsat joint venture to provide comprehensive aircraft cabin and connectivity solutions across the PRC.
Global aeronautical communications provider, Satcom Direct (SD), announced today it has acquired AircraftLogs (“Stewart-Ratliff Aviation Services, Inc”), a company based in Columbus, OH, that offers the latest technology in aircraft flight scheduling software and tax reporting tools for corporate and private flight departments. With the purchase of AircraftLogs, SD adds scheduling and tax capabilities to its Integrated Flight Operations Management portfolio.
VTS (Video Technology Services) today announced that it is employing cutting edge technology to launch its latest SKY-SIS II Program for older Seatback IFE replacement and upgrade. This new product involves bridging thirty years of experience, combining traditional IFE systems with the latest new technologies and is an answer to requests from VTS client airlines, which is where all of VTS’s innovations have originated. According to Philip LaPierre, VP Engineering, “The long list of engineering and successful product developments have come from airline requests and over the last 30 years there have been many VTS firsts including: the first LCD (Liquid Crystal Display) IFE Video Projector, first LCD monitors for IFE applications, first VOD Systems, first Digital Video Player (DVP) to replace conventional videotape, first affordable old seatback retrofit and upgrade solution and others.” Stop by their booth 219 at APEX Expo, Singapore, Oct 24-27, 2016 and see for yourself.
- There is a lot going on in the 14 GHz spectrum, specifically 500 MHz of spectrum for air-to-ground connectivity wireless services and you can read more about it here: Qualcomm, Gogo, others continue to push for FCC’s 14 GHz ATG spectrum auction despite moves to satellite services | FierceWireless
- Here’s another good wireless article we found: The crazy economics of inflight Wi-Fi
- And speaking of Singapore, here is the link to the APEX signup: 6 weeks to go, take advantage of our discounted hotel rates
OK, AS9100 Certification may not seem like a big deal to you (and we had to look it up) but it turns out that in aviation, quality management is a very big deal… with every airplane part! So, you might ask, what can be so difficult about setting up a Quality Assurance program? Plenty; in fact, we counted well over 200 action items, systems, documents, records, developments, implements and more actions needed to complete the certification. In fact, if you want to finally see what all this “quality” certification means, check out this “easy” outline of the cert actions.
Notes IFPL: “IFPL are delighted to have achieved certification to AS9100C. This is a key stage in the development of IFPL and demonstrates that our Management Systems are mature and robust. IFPL recognizes that compliance with quality accreditations forms the foundations of their business success. Quality is in the DNA of the company culture, engaging employees to continually improve systems and products to benefit our customer satisfaction.
IFPL’s facility is based on the Isle of Wight, just off the south coast of the UK. The leadership team at IFPL ensures that the management system activities are carried out in accordance with the Quality Management System, the European Aviation Safety Agency requirements of EASA Part 21G and the newly awarded International Aerospace Standard AS9100C.”
They went on to say, “Quality, reliability, and safety are critical values for the aerospace industry. The BSI only award the certificate once their rigorous and stringent criteria has been met. Both of these certifications highlight IFPL’s commitment to meeting and exceeding the increasingly stringent industry requirements for aerospace related products and assures our manufacturing processes consistently meet or exceed the requirements and expectations of customers presenting the most challenging of applications.” And, in case you didn’t know, CEO Geoff Underwood founded IFPL almost 20 years ago and it has the largest portfolio of proven IFEC products and services in its sector. They are proud to supply the world’s leading inline manufacturers and airlines, who have come to rely on them to provide inspiration to the enhancement of their passengers’ experience; delivered through their innovative product design and proven reputation for reliability. For more information on the IFPL products check out the following link: IFPL – Connecting Your Passengers
1. 2Ku is now up and flying across three airline partners – Aeromexico, Delta and Virgin Atlantic
2. 2Ku is installed on about a dozen aircraft
3. Gogo has now received six STCs to install the technology on various aircraft types
4. By the end of 2016 Gogo expects to have 75-100 2Ku installations. For 2017 that number increases to 350-450 and in 2018 increases again to 500-700 installs.
5. Gogo was selected by Delta Private Jets to equip its fleet of >70 business jets with Gogo Biz 4G inflight connectivity for 2Q17.
6. Want to see something cool? Watch this Gogo 2Ku hardware installation on a GOL B737-800 – Gogo Inflight Internet Video: Behind the scenes with the first Gogo 2Ku installation on GOL – Gogo Concourse
At the end of June, Inmarsat announced that its advanced Global Xpress (GX) Aviation in-flight connectivity service has been certified by the European Aviation Safety Agency (EASA) for the Airbus A320 aircraft family, bringing it a step closer to being available as line-fit or retrofit on every major Airbus and Boeing airframe. Here is a link for more information – GX Aviation certified for Airbus A320 aircraft – Inmarsat
OTHER (somewhat related) NEWS
1. We have to thank Bill Baltra for this one. Have you heard about ModoBag? Yep, you ride your bag now, and if you don’t believe it, check out this video – Modobag: World’s First Motorized, Rideable Luggage! – YouTube We contacted them but there was no response. You be the judge of their product if it achieves acceptability; besides, it might not look too cool in a skirt! Cruise the airport on top of a piece of motorized luggage
2. This may explain today’s aircraft Wi-Fi usage: Major study links low internet usage to slow broadband – BBC News
3. IFExpress recently asked Rich Salter (Engineering Consultant) about issues involved with security and IFEC and he had 3 points for your consideration:
a. There is an ARINC group addressing onboard cyber-security, and see the presentation made by Boeing’s Derek Schatz at a recent ARINC CSS meeting.
b. Panasonic has begun a partnership with hackers: Continuing what its Director of Security Engineering and Information Security Officer Michael Dierickx called a proactive approach to security, Panasonic Avionics Corporation developed a bug bounty program through HackerOne. The program is aimed at bolstering security of Panasonic’s inflight entertainment systems.
While the announcement coincided with the start of the Black Hat conference in Las Vegas, the company will kick off the bug bounty program at the DefCon Conference later this week and will extend an invitation to participate to what Dierickx referred to as a select group of hackers. “We have extensive processes in place to identify potential and emerging vulnerabilities, and we also engage with security consultation firms who provide penetration testing and other services,” Dierickx said in a release. “Still, these teams bring a fresh perspective and innovative ways to search for potential issues.” (Editor’s Note: More on this next week.)
c. And we had an FAA man present on security at the last Tech Conference.
Finally, we should mention what the feds say about aviation security – this may be VERY timely: Securing the NextGen aviation network
4. If you are traveling to the US, you might have to cough up your online presence! – Traveling to US? Agencies want to Spy on your Social Media activities right from Airport and Attention US-bound tourists: Social media accounts subject to inspection
5. SpeedNews reports: INMARSAT conducted survey that found 92% of airline pax would like to access onboard connectivity; 54% over inflight meals.
6. See if you are getting old by analyzing your travel messaging:
What is the impact of text and messaging apps on travel? | Hotel Management
7. Go ahead, spend the money on a good set of headphones: On airplanes, good headphones make good neighbors – Elliott
And lastly, we want to tell you about a publication that we think is really useful and incredibly data rich – it’s called Airline Weekly and it is delivered by the internet each Monday. The Weekly is usually 12 pages long and covers airline/airport happenings worldwide. The Weekly is a subscriber-supported publication, paid for by readers who want a more interesting, more valuable read about the airline business. Each Monday, Airline Weekly reports who’s flying where, new marketing approaches, fleet, finance and key airline and airport data. And most importantly, Airline Weekly readers will enjoy insightful analysis and new ideas found nowhere else. For example, the weekly sections include: Weekly News Review, Fleet Info, Finance, Marketing, Airports, Environment, Routes & Networks, and Around the World. If you want worldwide airline info, this publication is the one… and, they will give you a few free publications for your evaluation. Get it! Airline Weekly – Shouldn’t a publication about an interesting industry be, well, interesting?
Also, you might want to check out their weekly podcast. It is a great weekly update.
Lake Forest, California | August 3, 2016 – Panasonic Avionics Corporation is engaging with elite “white hat” hackers through leading bug bounty provider HackerOne to ensure the security of its inflight entertainment systems.
HackerOne has helped major companies such as General Motors, Uber, Twitter, Airbnb, DropBox and Adobe identify and fix security vulnerabilities as part of authorised bug bounty and vulnerability coordination programs.
Panasonic, the world’s largest provider of inflight entertainment and communications systems, is taking part in the program as it is acknowledged as best practice for effective security by identifying any weaknesses in internet-connected systems.
The bug bounty program will begin by inviting a select group of hackers to participate and will launch at the upcoming DefCon Conference which takes place August 4-7, 2016 in Las Vegas.
“Panasonic Avionics has always taken a proactive approach to security,” said Michael Dierickx, Director of Security Engineering and Information Security Officer at Panasonic Avionics Corporation. “We have extensive processes in place to identify potential and emerging vulnerabilities, and we also engage with security consultation firms who provide penetration testing and other services.
“Still, these teams bring a fresh perspective and innovative ways to search for potential issues. We want to harness this out-of-the-box thinking and create a win-win scenario that rewards both Panasonic and this community for our hard work and dedication.”
HackerOne partnered with the Department of Defence earlier this year for the U.S. Federal Government’s first ever bug bounty program “Hack The Pentagon,” which helped resolve 138 valid vulnerabilities identified by the ethical hackers.
“With the HackerOne platform Panasonic Avionics has access to the world’s most powerful external security team, the global hacker community, to continue enhancing the security of their internet-connected systems,” said HackerOne CEO Marten Mickos. “Inviting white hat or ethical hackers to hunt for bugs is a powerful method for making connected technology safer for everyone.”