Scroll Top

Whitehat hackers reported an extensive flaw in the Airbus EFB

WHY THIS MATTERS IN BRIEF

Industry needs pen testers and white hats to help them find bugs in their systems, and this one has since been fixed by Airbus.

 

Love the Exponential Future? Join our XPotential Community, future proof yourself with courses from XPotential University, read about exponential tech and trendsconnect, watch a keynote, or browse my blog.

Whitehat hackers from Pen Test Partners identified a critical issue in Airbus’ Flysmart+ Manager suite, which was remediated 19 months after the initial disclosure. Cybersecurity researchers at penetration testing firm Pen Test Partners have been testing the security of various Electronic Flight Bag (EFB), IoT, and vehicle applications for several years. Due to their extensive research, a crucial issue was identified in the Flysmart+ Manager suite from Airbus and remediated 19 months after initial disclosure.

 

RELATED
After decades in the shadows Flying Whales is bringing back the mighty airship

 

NAVBLUE, an Airbus-owned IT services company, developed the Flysmart+ Manager app for iPad, which synchronises and installs airline data into other apps, including EFBs. According to a report from Pen Test Partners, this app has a disabled security control, allowing it to communicate with servers using insecure methods, potentially allowing an attacker to modify aircraft performance data or adjust airport information.

 

The Future of Aviation, by keynote Futurist Matthew Griffin

 

For your information, Flysmart+ is a suite of apps for pilot EFBs. EFBs are crucial for storing critical flight data and information, but they can be exploited to disrupt operations or compromise aircraft systems. Airline EFBs can be exposed to untrusted networks due to known pilot layover hotels, and standard operating procedures may not detect tampering.

Research published on February 1, 2024, reveals that one of the suite’s iOS apps has intentionally got the App Transport Security (ATS) feature disabled. This issue exposes it to Wi-Fi interception attacks, potentially tampering with engine performance calculations, leading to tail strike or runway excursion.

 

RELATED
First fake regulatory filing sent Blackrock's XRP crypto to the moon

 

The app, Flysmart+, was previously disabled due to a lack of ATS protection, which prevents unencrypted communications. This vulnerability allows attackers to intercept and decrypt sensitive information in transit. Due to disabled ATS, insecure communication occurs, making the app susceptible to interception. An entry in the info.plist file allows insecure HTTP loads to any domain.

Airlines often use the same hotel for layover pilots, allowing attackers to modify aircraft performance data through targeted Wi-Fi networks. That’s because pilots in layover hotels can be easily identified, along with the airline and the suite of EFB apps they will likely use.

This helped Pen Test Partners to access data from NAVBLUE Servers, including SQLite databases containing aircraft information and take-off performance data (PERF), with specific table names.

 

RELATED
NASA's green rocket fuel is less harmful to the environment, and can be FedEx'd

 

It is worth noting that database tables are crucial for aircraft performance, including the Minimum Equipment List (MEL) and Standard Instrument Departure (SID). Misunderstandings in MEL and SID can lead to safety issues, such as fuel starvation in the Gimli Glider. Confusion between units like US gallons, imperial gallons, litres, kilograms, and pounds can also cause safety problems.

The researchers shared the vulnerability report with Airbus on 28 June 2022 and the next day Airbus confirmed the issue. By 25th July 2022, the company had replicated the issue and promised a fix for the next version of Flysmart+ by the end of 2022.

 

RELATED
From flying aircraft carriers to submarine motherships, the US military draws up plans

 

On 22 February 2023, the Airbus VDP team confirmed fixing the issue in the latest version of Flysmart+, and the mitigation measure was communicated to customers on 26th May 2023. The findings were presented at DEF CON 31 in Las Vegas in 2023, as well as at the Aerospace Village and Aviation ISAC in Dublin.

Related Posts

Leave a comment

EXPLORE MORE!

1000's of articles about the exponential future, 1000's of pages of insights, 1000's of videos, and 100's of exponential technologies: Get The Email from 311, your no-nonsense briefing on all the biggest stories in exponential technology and science.

You have Successfully Subscribed!

Pin It on Pinterest

Share This