Security researchers have discovered a weakness in a suite of apps developed by Navblue, a subsidiary of Airbus, known as Flysmart+. This suite serves as a software solution for Electronic Flight Bags (EFBs), used in tasks such as performance calculations for aircraft takeoffs. The researchers found that in one of the associated iOS apps, both the App Transport Security (ATS) feature and any form of certificate validation were turned off.
This could enable an attacker to tamper with calculations for engine performance, potentially leading to issues like tail strikes and unintended runway departures during aircraft takeoff, as explained by Antonio Cassidy from Pen Test Partners in a blog post.
Manipulating performance data via MitM attack ATS is a security measure that compels apps to use HTTPS, thus preventing unencrypted communication. However, this safeguard was found to be inactive in the examined Flysmart+ app, allowing a potential attacker to intercept, modify, and transmit sensitive data in encrypted form to the legitimate server – a classic Man-in-the-Middle (MitM) attack.
The researchers managed to access data downloaded from Navblue servers, including SQLite databases containing sensitive information about specific aircraft. Cassidy explained, “Many of these database tables are crucial for aircraft performance, weight, and balance.”
Attack via hotel Wi-Fi Nevertheless, the opportunities to exploit the vulnerability effectively seem limited. It appears necessary for an attacker to intercept synchronization with the Aeronautical Information Regulation and Control (Airac) database, which updates occur only approximately once a month.
However, Cassidy cautioned that it is relatively simple to identify pilots in hotels and their corresponding airlines – “and consequently the EFB apps they are likely using.” Since pilots from the same airline are often lodged in the same hotels, an attack could be carried out via the Wi-Fi networks of these accommodations to deliberately manipulate aircraft performance data.
Nevertheless, the vulnerability has since been addressed, nineteen months after the researchers reported it to Airbus. While this timeframe is extensive, according to a report by The Register, such delays are not unusual in the aviation industry due to the certification procedures commonly practiced there.