Crucial Airline Flight Planning App Open to Interception Risks

A mobile app that many airline pilots use for crucial flight planning purposes was open to attacks that could have interfered with safe takeoff and landing procedures due to a disabled security feature it contained.
NAVBLUE, an Airbus-owned IT services company that developed the app, fixed the issue last year after researchers at UK-based Pen Test Partners informed the company about the issue.
Electronic Flight Bag Apps

The vulnerability was present in Flysmart+ Manager, an app that is part of a broader suite of Flysmart+ apps for so-called Electronic Flight Bag (EFB) platforms.
An EFB device - usually an iPad or other tablet computer - hosts apps that flight crews use for flight planning calculations and for accessing a variety of digital documents such as operating manuals, navigational charts, and aircraft checklists.
Some EFBs are directly integrated into the avionics systems of modern aircraft and provide an array of other more complex features, such as providing real-time weather information and tracking the aircraft's position on navigational systems.
Flysmart+ specifically is a suite of iOS apps that assists with aircraft performance, weight, and balance-related calculations according to NAVBLUE. It can be fully integrated with Airbus' standard operating procedures, can be used during all phases of a flight, and provides pilots with access to a range of avionics parameters.
Flysmart+ Manager, the app in which Pen Test Partners found the security issue, is an app that enables synchronization of data across the Flysmart+ suite.
Disabled Security Setting

Researchers from Pen Test Partners found that App Transport Security (ATS), the iOS feature that would have forced the app to use HTTPS, had not been enabled in Flysmart+ Manager.
The app did not perform any form of certificate validation either, leaving it exposed to interception on open and untrusted networks.
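The weak setting described above sits in the app's Info.plist. The following is an added example (not code from the article, NAVBLUE or Pen Test Partners) that audits an Info.plist for ATS being switched off or weakened; the ATS key names are Apple's real keys, while the two plists are constructed samples, not the Flysmart+ Manager configuration.

```python
"""Audit an iOS Info.plist for App Transport Security (ATS) weaknesses.

Added example, not the article's or NAVBLUE's code. ATS key names are the
real Apple Info.plist keys; the sample plists below are constructed.
"""
import plistlib

# Constructed sample: ATS disabled globally, so plain HTTP is allowed for
# every host. This is the kind of setting the article describes. Note that
# turning ATS off does not by itself disable TLS certificate validation;
# that takes an explicit URLSession delegate that accepts any server trust.
WEAK_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>com.example.efb</string>
  <key>NSAppTransportSecurity</key>
  <dict><key>NSAllowsArbitraryLoads</key><true/></dict>
</dict></plist>"""

# Constructed sample: ATS left at its default (HTTPS enforced, certificates
# validated) with no NSAppTransportSecurity dictionary at all.
HARDENED_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>com.example.efb</string>
</dict></plist>"""


def audit_ats(plist_bytes: bytes) -> list:
    """Return human-readable findings; an empty list means ATS is intact."""
    info = plistlib.loads(plist_bytes)
    ats = info.get("NSAppTransportSecurity", {})
    findings = []
    if ats.get("NSAllowsArbitraryLoads"):
        findings.append("NSAllowsArbitraryLoads is true: HTTPS not enforced for any host")
    if ats.get("NSAllowsArbitraryLoadsInWebContent"):
        findings.append("NSAllowsArbitraryLoadsInWebContent is true: web views may load over HTTP")
    # Per-host exceptions can weaken ATS selectively; flag the dangerous ones.
    for host, rules in ats.get("NSExceptionDomains", {}).items():
        if rules.get("NSExceptionAllowsInsecureHTTPLoads"):
            findings.append(f"{host}: NSExceptionAllowsInsecureHTTPLoads permits plain HTTP")
        if rules.get("NSExceptionRequiresForwardSecrecy") is False:
            findings.append(f"{host}: forward secrecy requirement disabled")
    return findings


if __name__ == "__main__":
    for name, data in (("weak", WEAK_PLIST), ("hardened", HARDENED_PLIST)):
        print(name, audit_ats(data) or "no ATS findings")
```

The same function can be pointed at the Info.plist extracted from any IPA to confirm an update has re-enabled ATS rather than merely adding a per-host exception.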
Ken Munro, a partner at the pen testing firm, says the biggest concern had to do with the potential for attacks on the app that could cause so-called runway excursions - veer-offs and overruns - and potential tail strikes on takeoff.
The ATS issue in Flysmart+ Manager is just one of several vulnerabilities that PTP has uncovered in EFBs in recent years.
In May 2023 the firm reported an integrity check bypass flaw in a Lufthansa EFB app called Lido eRouteManual that gave attackers a way to modify flight planning data that pilots using the app received.
In July 2022, researchers at PTP showed how they could modify manuals on an EFB pertaining to the effectiveness of de-icing procedures on aircraft wings.
Hard to Exploit

From a practical standpoint, the disabled ATS setting that PTP identified in the Airbus EFB app was not especially easy to exploit.
To pull it off, an attacker would have first needed to be within Wi-Fi range of an EFB with the vulnerable app.
More significantly, the attack would have been possible only during an app update - meaning the threat actor would need to know when the update was happening so they could insert their malicious code during the process.
According to PTP, those conditions can occur during pilot layovers.
Pilots usually bring their EFBs with them during layovers because the devices contain their electronic roster as well, Munro says.
If an attacker was within Wi-Fi range of the device at a hotel they could potentially initiate an attack.
While an attack can only happen during an app update, such updates need to happen on a regular basis, he adds.


This Cyber News was published on www.darkreading.com. Publication date: Tue, 06 Feb 2024 20:10:15 +0000

