
Whitehat hackers reported an extensive flaw in the Airbus EFB

WHY THIS MATTERS IN BRIEF

Industry needs pen testers and white hats to help it find bugs in its systems, and this one has since been fixed by Airbus.

 


Cybersecurity researchers at penetration testing firm Pen Test Partners have been testing the security of various Electronic Flight Bag (EFB), IoT, and vehicle applications for several years. In the course of that research they identified a critical issue in Airbus’ Flysmart+ Manager suite, which was remediated 19 months after the initial disclosure.

 


 

NAVBLUE, an Airbus-owned IT services company, developed the Flysmart+ Manager app for iPad, which synchronises and installs airline data into other apps, including EFBs. According to a report from Pen Test Partners, this app has a disabled security control, allowing it to communicate with servers using insecure methods, potentially allowing an attacker to modify aircraft performance data or adjust airport information.

 


 

Flysmart+ is a suite of apps for pilot EFBs. EFBs store critical flight data and information, and they can be exploited to disrupt operations or compromise aircraft systems. Because the hotels pilots use on layovers are known, airline EFBs can be exposed to untrusted networks, and standard operating procedures may not detect tampering.

Research published on February 1, 2024, reveals that one of the suite’s iOS apps had the App Transport Security (ATS) feature intentionally disabled. This exposes it to Wi-Fi interception attacks that could tamper with engine performance calculations, potentially leading to a tail strike or runway excursion.

 


 

The Flysmart+ app had ATS disabled. ATS is the protection that prevents unencrypted communications, and with it turned off the app communicates insecurely, so an attacker can intercept and decrypt sensitive information in transit. An entry in the Info.plist file allows insecure HTTP loads to any domain.
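As an added example (not code from Pen Test Partners or Airbus), the following audit script flags Info.plist entries that weaken ATS. The sample plists, the bundle identifier and the domain are constructed, and `NSAllowsArbitraryLoads` is assumed to be the entry described above, since it is Apple's standard key for allowing HTTP loads to any domain and the article does not quote the entry itself.

```python
import plistlib

# Constructed sample Info.plist files; neither is taken from the Flysmart+ app.
WEAK = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>com.example.efb</string>
  <key>NSAppTransportSecurity</key><dict>
    <key>NSAllowsArbitraryLoads</key><true/>
    <key>NSExceptionDomains</key><dict>
      <key>sync.example.com</key><dict>
        <key>NSExceptionAllowsInsecureHTTPLoads</key><true/>
        <key>NSExceptionMinimumTLSVersion</key><string>TLSv1.0</string>
      </dict>
    </dict>
  </dict>
</dict></plist>"""

HARDENED = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>com.example.efb</string>
</dict></plist>"""  # no NSAppTransportSecurity key: ATS defaults stay in force


def audit_ats(plist_bytes):
    """Return (severity, message) findings for settings that weaken ATS."""
    ats = plistlib.loads(plist_bytes).get("NSAppTransportSecurity")
    if not isinstance(ats, dict):
        return []  # ATS is not overridden, so HTTPS is required everywhere
    findings = []
    # Global switch: disables ATS for every domain the app talks to.
    if ats.get("NSAllowsArbitraryLoads") is True:
        findings.append(("high", "NSAllowsArbitraryLoads: cleartext HTTP allowed to any domain"))
    # Per-domain exceptions: narrower, but each one still needs a justification.
    domains = ats.get("NSExceptionDomains")
    for name, cfg in (domains.items() if isinstance(domains, dict) else ()):
        if not isinstance(cfg, dict):
            continue
        if cfg.get("NSExceptionAllowsInsecureHTTPLoads") is True:
            findings.append(("medium", f"{name}: cleartext HTTP allowed"))
        if cfg.get("NSExceptionMinimumTLSVersion") in ("TLSv1.0", "TLSv1.1"):
            findings.append(("medium", f"{name}: TLS below 1.2 accepted"))
    return findings


if __name__ == "__main__":
    for label, data in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_ats(data) or "no ATS exceptions")
```

A check like this can run in a build pipeline or during app vetting so that a disabled ATS setting is caught before an app reaches pilots' devices.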

Airlines often use the same hotel for layover pilots, allowing attackers to modify aircraft performance data through targeted Wi-Fi networks. That’s because pilots in layover hotels can be easily identified, along with the airline and the suite of EFB apps they will likely use.

This helped Pen Test Partners to access data from NAVBLUE Servers, including SQLite databases containing aircraft information and take-off performance data (PERF), with specific table names.

 


 

It is worth noting that the database tables are crucial for aircraft performance, and include the Minimum Equipment List (MEL) and Standard Instrument Departure (SID). Misunderstandings in MEL and SID can lead to safety issues, such as the fuel starvation in the Gimli Glider incident. Confusion between units like US gallons, imperial gallons, litres, kilograms, and pounds can also cause safety problems.

The researchers shared the vulnerability report with Airbus on 28 June 2022 and the next day Airbus confirmed the issue. By 25th July 2022, the company had replicated the issue and promised a fix for the next version of Flysmart+ by the end of 2022.

 


 

On 22 February 2023, the Airbus VDP team confirmed fixing the issue in the latest version of Flysmart+, and the mitigation measure was communicated to customers on 26th May 2023. The findings were presented at DEF CON 31 in Las Vegas in 2023, as well as at the Aerospace Village and Aviation ISAC in Dublin.
