A mobile app used by many airline pilots for crucial flight planning purposes was exposed to attacks that could interfere with safe takeoff and landing procedures due to a disabled security feature in it.
NAVBLUEan IT services company owned by Airbus that developed the app, fixed the problem last year after researchers from UK-based Pen Test Partners (PTP) informed the company of the problem.
And this week, PTP has released details of its findings following the successful resolution of the request by Airbus.
Electronic flight bag app
The vulnerability was present in Flysmart+ Manager, an app that is part of a larger suite of Flysmart+ apps for so-called Electronic Flight Bag (EFB) platforms. Basically an EFB device, usually an iPad or other tablet hosts apps that flight crews use for flight planning calculations and to access a variety of digital documents such as operating manuals, navigation charts and aircraft checklists. Some EFBs are directly integrated into the avionics systems of modern aircraft and provide a number of other more complex capabilities, such as providing real-time weather information and tracking the aircraft’s position on navigation systems.
Flysmart+ in particular it is a suite of iOS apps that assists in calculations relating to the performance, weight and balance of the aircraft according to NAVBLUE. It can be fully integrated with Airbus standard operating procedures, can be used during all phases of a flight and provides pilots with access to a range of avionics parameters. Flysmart+ Manager, the app in which Pen Test Partners found the security flaw, is an app that allows data synchronization in the Flysmart+ suite.
Security setting disabled
Researchers at Pen Test Partners discovered that an App Transport Security (ATS) feature in Flysmart+ Manager that would have forced the app to use HTTPS had not been enabled. The app also lacked any form of certificate validation, leaving it open to interception on open, untrusted networks. “An attacker could exploit this weakness to intercept and decrypt potentially sensitive information in transit,” PTP said in its report this week.
Ken Munro, a partner at the pen-testing firm, says the biggest concern was the potential for attacks on the app that could cause so-called runway excursions — or turns and overshoots — and potential tail strikes on takeoff. “The EFB is used to calculate the power required by the engines for departure, as well as the braking required for landing,” explains Munro. “We have shown that, due to the lack of the ATS setting, one could potentially tamper with the data that is then provided to the pilots. This data is used during these ‘performance’ calculations, so pilots could apply insufficient power or insufficient braking action,” he says.
The ATS issue in Flysmart+ Manager is just one of several vulnerabilities PTP has discovered in EFBs in recent years. In May 2023, for example, the company reported a integrity check bypass defect in a Lufthansa EFB app called Lido eRouteManual that provided attackers with a way to modify flight planning data received from pilots using the app. In July 2022, PTP researchers showed how they could edit manuals on an EFB relating to the effectiveness of de-icing procedures on aircraft wings.
Difficult to exploit
From a practical point of view, the ATS disabled issue identified by the PTP in the Airbus EFB was not particularly easy to exploit. To pull this off, an attacker would first have to be within Wi-Fi range of an EFB with the vulnerable app. Even more significantly, the attack would only have been possible while the app was updating, meaning the threat actor would have had to know when the update was occurring so they could insert their own malicious code during the process .
According to PTP, such conditions can occur during pilot stops. “Airline EFBs may be exposed to eavesdropping on untrusted networks as pilot airport hotels are well known and used consistently every night,” the company said.
Pilots typically carry their EFBs with them on stopovers because the devices also contain their electronic roster, Munro says. Therefore, if an attacker were within range of the device’s Wi-Fi in a hotel, they could potentially initiate an attack. “The lack of an ATS would allow a man-in-the-middle attack over Wi-Fi, at which point the attacker could send a tampered database update to the EFB,” she says.
While an attack can only happen during an app update, such updates need to happen on a regular basis, he adds. This increases the odds of a successful attack, Munro notes. “A quirk of the aviation industry means that software MUST be updated once every 30 days to remain legal,” she says. “Given that airport layover hotels are well-known and numerous pilots will be staying at each of them each night, the likelihood and convenience begins to increase.”