Whitehat hackers from Pen Test Partners identified a critical issue in Airbus’ Flysmart+ Manager suite, which was remediated 19 months after the initial disclosure.
Cybersecurity researchers at penetration testing firm Pen Test Partners have been testing the security of various electronic flight bag (EFB), IoT and vehicle applications for several years. Due to their extensive research, a crucial issue was identified in the Flysmart+ Manager suite from Airbus and remediated 19 months after initial disclosure.
NAVBLUE, an Airbus-owned IT services company, developed the Flysmart+ Manager app for iPad, which synchronizes and installs airline data into other apps, including EFBs. According to a report from Pentestpartners, this app has a disabled security control, allowing it to communicate with servers using insecure methods, potentially allowing an attacker to modify aircraft performance data or adjust airport information.
For your information, Flysmart+ is a suite of apps for pilot EFBs. EFBs are crucial for storing critical flight data and information, but they can be exploited to disrupt operations or compromise aircraft systems. Airline EFBs can be exposed to untrusted networks due to known pilot layover hotels, and standard operating procedures may not detect tampering.
Research published on February 1, 2024, reveals that one of the suite’s iOS apps has intentionally got the App Transport Security (ATS) feature disabled. This issue exposes it to Wi-Fi interception attacks, potentially tampering with engine performance calculations, leading to tailstrike or runway excursion.
The app, Flysmart+, was previously disabled due to a lack of ATS protection, which prevents unencrypted communications. This vulnerability allows attackers to intercept and decrypt sensitive information in transit. Due to disabled ATS, insecure communication occurs, making the app susceptible to interception. An entry in the info.plist file allows insecure HTTP loads to any domain.
Airlines often use the same hotel for layover pilots, allowing attackers to modify aircraft performance data through targeted Wi-Fi networks. That’s because pilots in layover hotels can be easily identified, along with the airline and the suite of EFB apps they will likely use.
This helped Pen Test Partners to access data from NAVBLUE Servers, including SQLite databases containing aircraft information and take-off performance data (PERF), with specific table names.
It is worth noting that database tables are crucial for aircraft performance, including the Minimum Equipment List (MEL) and Standard Instrument Departure (SID). Misunderstandings in MEL and SID can lead to safety issues, such as fuel starvation in the Gimli Glider. Confusion between units like US gallons, imperial gallons, litres, kilograms, and pounds can also cause safety problems.
“We’ve now worked on disclosures with Boeing, Lufthansa, and Airbus We’re really pleased that the vulnerability was successfully closed which is a win for aviation safety and security.”Antonio Cassidy – Pen Test Partners
The researchers shared the vulnerability report with Airbus on 28 June 2022 and the next day Airbus confirmed the issue. By 25th July 2022, the company had replicated the issue and promised a fix for the next version of Flysmart+ by the end of 2022.
On 22 February 2023, the Airbus VDP team confirmed fixing the issue in the latest version of Flysmart+, and the mitigation measure was communicated to customers on 26th May 2023. The findings were presented at DEF CON 31 in Las Vegas in 2023, as well as at the Aerospace Village and Aviation ISAC in Dublin.