A mobile app that many airline pilots use for crucial flight planning purposes was open to attacks that could have interfered with safe takeoff and landing procedures due to a disabled security feature it contained.
NAVBLUE, an Airbus-owned IT services company that developed the app, fixed the issue last year after researchers at UK-based Pen Test Partners (PTP) informed the company about the issue.
And this week, PTP released details of its findings following Airbus' successful remediation of the application.
Electronic Flight Bag Apps
The vulnerability was present in Flysmart+ Manager, an app that is part of a broader suite of Flysmart+ apps for so-called Electronic Flight Bag (EFB) platforms. An EFB device — usually an iPad or other tablet computer — basically hosts apps that flight crews use for flight planning calculations and for accessing a variety of digital documents such as operating manuals, navigational charts, and aircraft checklists. Some EFBs are directly integrated into the avionics systems of modern aircraft and provide an array of other more complex features, such as providing real-time weather information and tracking the aircraft's position on navigational systems.
Flysmart+ specifically is a suite of iOS apps that, according to NAVBLUE, assists with aircraft performance, weight, and balance-related calculations. It can be fully integrated with Airbus' standard operating procedures, can be used during all phases of a flight, and provides pilots with access to a range of avionics parameters. Flysmart+ Manager, the app in which Pen Test Partners found the security issue, enables synchronization of data across the Flysmart+ suite.
Disabled Security Setting
Researchers from Pen Test Partners found that an App Transport Security (ATS) feature in Flysmart+ Manager that would have forced the app to use HTTPS had not been enabled. The app did not have any form of certificate validation either, leaving it exposed to interception on open and untrusted networks. "An attacker could use this weakness to intercept and decrypt potentially sensitive information in transit," PTP said in its report this week.
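On iOS, ATS is driven by the app's Info.plist: with the default settings the system refuses cleartext HTTP and enforces TLS 1.2+ with validated certificates, and a single key, NSAllowsArbitraryLoads, switches that protection off app-wide. The script below is an added example, not NAVBLUE's or Airbus' code and not something from the PTP report; it embeds two constructed Info.plist fragments (an assumed bundle identifier and an assumed update host) and audits them for the settings that weaken ATS, the kind of check a release pipeline or app-store reviewer can run before shipping. The plist audit covers only the ATS half of the finding; the missing certificate validation PTP also describes lives in the app's networking code (typically a URLSession delegate that accepts any server trust), which a plist check cannot see.

```python
"""Audit an iOS Info.plist for App Transport Security (ATS) weaknesses.

Added example with constructed inputs; it is not code from the article,
from NAVBLUE/Airbus, or from Pen Test Partners.
"""
import plistlib

# Constructed sample: ATS globally disabled. This is the shape of the
# weak configuration described in the article (bundle id is assumed).
WEAK_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key>
  <string>com.example.efb-manager</string>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSAllowsArbitraryLoads</key>
    <true/>
  </dict>
</dict>
</plist>
"""

# Constructed sample: ATS left at its secure default, with one narrow,
# documented exception that still requires HTTPS and TLS 1.2 or better.
HARDENED_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key>
  <string>com.example.efb-manager</string>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSExceptionDomains</key>
    <dict>
      <key>updates.example.com</key>
      <dict>
        <key>NSIncludesSubdomains</key>
        <true/>
        <key>NSExceptionMinimumTLSVersion</key>
        <string>TLSv1.2</string>
      </dict>
    </dict>
  </dict>
</dict>
</plist>
"""

# Keys that each disable a slice of ATS for the whole app.
PARTIAL_BYPASS_KEYS = (
    "NSAllowsArbitraryLoadsInWebContent",
    "NSAllowsArbitraryLoadsForMedia",
    "NSAllowsLocalNetworking",
)
WEAK_TLS_VERSIONS = ("TLSv1.0", "TLSv1.1")


def audit_ats(plist_bytes):
    """Return a list of human-readable findings; an empty list means the
    plist keeps ATS at its default (HTTPS-only, validated certificates)."""
    info = plistlib.loads(plist_bytes)
    ats = info.get("NSAppTransportSecurity", {})
    findings = []

    # The app-wide switch: cleartext HTTP to any host becomes legal.
    if ats.get("NSAllowsArbitraryLoads"):
        findings.append("NSAllowsArbitraryLoads=true: cleartext HTTP allowed app-wide")

    for key in PARTIAL_BYPASS_KEYS:
        if ats.get(key):
            findings.append(f"{key}=true: partial ATS bypass")

    # Per-domain exceptions are acceptable only if they keep HTTPS and
    # a modern TLS floor; flag the ones that do not.
    for domain, rules in ats.get("NSExceptionDomains", {}).items():
        if rules.get("NSExceptionAllowsInsecureHTTPLoads"):
            findings.append(f"{domain}: NSExceptionAllowsInsecureHTTPLoads=true")
        tls = rules.get("NSExceptionMinimumTLSVersion")
        if tls in WEAK_TLS_VERSIONS:
            findings.append(f"{domain}: minimum TLS version {tls} is too low")
        if rules.get("NSExceptionRequiresForwardSecrecy") is False:
            findings.append(f"{domain}: forward secrecy disabled")
    return findings


if __name__ == "__main__":
    for label, blob in (("weak", WEAK_PLIST), ("hardened", HARDENED_PLIST)):
        print(f"{label}: {audit_ats(blob) or ['no ATS weaknesses found']}")
```

Running it prints one finding for the weak plist (the app-wide NSAllowsArbitraryLoads) and none for the hardened one; pointing audit_ats at a real app's Info.plist (read with `open(path, 'rb').read()`) gives the same report for that build.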
Ken Munro, a partner at the pen testing firm, says the biggest concern had to do with the potential for attacks on the app that could cause so-called runway excursions — or veer-offs and overruns — and potential tail strikes on takeoff. "The EFB is used to calculate the required power from the engines for departure, also the required braking on landing," Munro says. "We showed that, as a result of the missing ATS setting, one could potentially tamper with the data that is then given to pilots. That data is used during these 'performance' calculations, so pilots could apply insufficient power or not enough braking action," he says.
The ATS issue in Flysmart+ Manager is just one of several vulnerabilities that PTP has uncovered in EFBs in recent years. In May 2023, for instance, the firm reported an integrity check bypass flaw in a Lufthansa EFB app called Lido eRouteManual that gave attackers a way to modify flight planning data that pilots using the app received. In July 2022, researchers at PTP showed how they could modify manuals on an EFB pertaining to the effectiveness of de-icing procedures on aircraft wings.
Hard to Exploit
From a practical standpoint, the disabled ATS setting that PTP identified in the Airbus EFB was not especially easy to exploit. To pull it off, an attacker would have first needed to be within Wi-Fi range of an EFB with the vulnerable app. More significantly, the attack would have been possible only during an app update — meaning the threat actor would need to know when the update was happening so they could insert their malicious code during the process.
According to PTP, those conditions can occur during pilot layovers. "Airline EFBs can be exposed to interception on untrusted networks given pilot layover hotels are well known and used consistently each night," the firm said.
Pilots usually bring their EFBs with them during layovers because the devices contain their electronic roster as well, Munro says. So, if an attacker was within Wi-Fi range of the device at a hotel they could potentially initiate an attack. "Missing ATS would allow a man-in-the-middle attack over Wi-Fi, at which point the attacker could push a tampered database update to the EFB," he says.
While an attack can only happen during an app update, such updates need to happen on a regular basis, he adds. That improves the odds for a successful attack, Munro notes. "A quirk of the aviation industry means that the software MUST be updated once every 30 days to remain legal," he says. "Given airport layover hotels are known and numerous pilots will be staying at each one every night, the odds and practicality start to add up."