Criminals could remotely tamper with the data that apps used by airplane pilots rely on to inform safe takeoff and landing procedures, according to fresh research.
In a scenario that elicits strong memories of that nail-biting flight scene from Die Hard 2, researchers investigating electronic flight bags found the app used by Airbus pilots was vulnerable to remote data manipulation, given the right conditions.
In reality, that Die Hard scene was, surprise surprise, riddled with plot holes - the researchers proved that a few months ago - but proving the possibility of something similar would always be exciting.
An electronic flight bag (EFB) is usually a tablet or tablet-like portable computer that runs aviation-specific apps used for a variety of flight deck or cabin tasks, such as making calculations to improve aircraft performance.
The vulnerability was found in Flysmart+ Manager, one of many apps within the Flysmart+ suite used by Airbus pilots to synchronize data to other Flysmart+ apps, which provide pilots with data informing safe takeoffs and landings.
A feasible attack would have to involve the interception of data flowing to the app, and a number of very specific conditions would need to be met.
Even Ken Munro, another partner at Pen Test Partners, admitted exploitation would be unlikely in a real-world scenario.
But Munro said airlines often use the same hotels to accommodate their pilots between flights, and you can spot them, and the airline they work for, fairly easily.
Secondly, and perhaps the biggest obstacle to realistic exploitation, an attacker would need to be monitoring the device's traffic at the moment the EFB handler initiates an app update.
The update cycle is determined by the Aeronautical Information Regulation and Control (AIRAC) database.
The AIRAC database can be updated with important information such as when new runways are installed or made temporarily unavailable, or when significant changes are made to the runway environment, like the installation of a crane.
When the database is updated with new data, the app must download it to provide pilots with accurate and timely information.
The attack scenario devised by the researchers involved targeting a pilot sitting at a hotel bar (so, within Wi-Fi range) and performing directional Wi-Fi hunting while targeting a specific endpoint, which the attacker would be aware of because they know the target app.
In developing a proof-of-concept for an exploit, the researchers were able to access data being downloaded from update servers.
Most of it came in the form of SQLite databases, with some including an aircraft's weight and balance data and the minimum equipment list, which records what systems can be inoperative for a flight.
Cassidy said the possible consequences of a successful exploit could include an airplane tailstrike or a failed takeoff, leading to runway excursions.
Airbus was commended by the researchers for fixing the issue within 19 months, which is in the expected range for aviation tech, they said.
A window of 19 months would be entirely unacceptable in regular IT patching, but in aviation, an update like this would typically take around 12 months, so not a million miles away.
They said because of this frequent change, a pilot probably wouldn't spot a manipulated dataset if it appeared in the EFB app, which could lead to dangerous takeoff procedures.
Some airlines have gross error checks that examine the relationship between the calculated speed and actual aircraft speed, based on the aircraft's weight and balance data, the type of data the researchers accessed while looking into Flysmart+ Manager.
This Cyber News was published on go.theregister.com. Publication date: Sat, 03 Feb 2024 10:13:05 +0000