A mobile app that many airline pilots use for crucial flight planning purposes was open to attacks that could have interfered with safe takeoff and landing procedures due to a disabled security feature it contained.
NAVBLUE, an Airbus-owned IT services company that developed the app, fixed the issue last year after researchers at UK-based Pen Test Partners informed the company about the issue.
Electronic Flight Bag Apps The vulnerability was present in Flysmart+ Manager, an app that is part of a broader suite of Flysmart+ apps for so-called Electronic Flight Bag platforms.
An EFB device - usually an iPad or other tablet computer - basically hosts apps that flight crews use for flight planning calculations and for accessing a variety of digital documents such as operating manuals, navigational charts, and aircraft checklists.
Some EFBs are directly integrated into the avionics systems of modern aircraft and provide an array of other more complex features, such as providing real-time weather information and tracking the aircraft's position on navigational systems.
Flysmart+ specifically is a suite of iOS apps that assists with aircraft performance, weight, and balance-related calculations according to NAVBLUE. It can be fully integrated with Airbus' standard operating procedures, can be used during all phases of a flight, and provides pilots with access to a range of avionics parameters.
Flysmart+ Manager, the app in which Pen Test Partners found the security issue, is an app that enables synchronization of data across the Flysmart+ suite.
Disabled Security Setting Researchers from Pen Test Partners found that an App Transport Security feature in Flysmart+ Manager that would have forced the app to use HTTPS had not been enabled.
The app did not have any form of certificate validation either, leaving it exposed to interception on open and untrusted networks.
Ken Munro, a partner at the pen testing firm, says the biggest concern had to do with the potential for attacks on the app that could cause so called runway excursions - or veer-offs and overruns - and potential tail strikes on takeoff.
The ATS issue in Flysmart+ Manager is just one of several vulnerabilities that PTP has uncovered in EFBs in recent years.
In May 2023 the firm reported an integrity check bypass flaw in a Lufthansa EFB app called Lido eRouteManual that gave attackers a way to modify flight planning data that pilots using the app received.
In July 2022, researchers at PTP showed how they could modify manuals on an EFB pertaining to the effectiveness of de-icing procedures on aircraft wings.
Hard to Exploit From a practical standpoint the disabled ATS setting issue that PTP identified in the Airbus EFB was not especially easy to exploit.
To pull it off, an attacker would have first needed to be within Wi-Fi range of an EFB with the vulnerable app.
More significantly, the attack would have been possible only during an app update - meaning the threat actor would need to know when the update was happening so they could insert their malicious code during the process.
According to PTP, those conditions can occur during pilot layovers.
Pilots usually bring their EFBs with them during layovers because the devices contain their electronic roster as well, Munro says.
If an attacker was within Wi-Fi range of the device at a hotel they could potentially initiate an attack.
While an attack can only happen during an app update, such updates need to happen on a regular basis, he adds.
This Cyber News was published on www.darkreading.com. Publication date: Tue, 06 Feb 2024 20:10:15 +0000