Teacher
Professional
Using the vulnerability, attackers could distort calculations and flight data via Wi-Fi.
Experts from Pen Test Partners, who have been conducting comprehensive security studies of aviation solutions for several years, identified a serious vulnerability in the Flysmart+ Manager application suite from Airbus. The problem posed safety risks, but it was not resolved until 19 months after the researchers first detected it.
The Flysmart+ Manager app for iPad was developed by NAVBLUE, a division of Airbus. It synchronizes and installs up-to-date aviation data on pilots' electronic flight bags (EFBs), as well as on other programs and devices.
As Pen Test Partners found, one of the main security mechanisms had been deliberately disabled in Flysmart+ Manager. As a result, the application could exchange data with servers over unprotected channels, which opened up wide opportunities for attacks.
Pilots' EFBs store, and give quick access to, important information needed to perform flights. During layovers at airports and hotels, however, the vulnerability allowed them to be accessed over Wi-Fi networks. Such interference would most likely have gone unnoticed, since standard airline procedures are not designed to detect threats of this kind.
App Transport Security (ATS) had been disabled in the iOS version of Flysmart+ Manager. Through their analysis, Pen Test Partners gained access to confidential data on NAVBLUE servers. Among other things, they were able to study the structure of SQLite databases containing critical information about aircraft characteristics and take-off performance parameters.
These tables are critical for correctly calculating the aircraft's capabilities, especially during takeoff and landing. For example, errors in the minimum equipment list tables or standard departure procedures can lead to dangerous fuel-shortage incidents. Distorted engine performance calculations could cause, for example, a runway excursion, and that is the most harmless scenario.
"We have already worked with Boeing, Lufthansa and Airbus on vulnerabilities. And we are very happy that the problem was successfully resolved – this is a significant achievement in the field of safety and security in aviation," the researchers say.
Disabling ATS also allowed attackers to intercept and decrypt any confidential information.
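The security mechanism at the centre of this story, App Transport Security, is switched off through keys in an app's Info.plist, so a release check that reads that file catches the weakness before the app ships. The script below is an added example, not code from Pen Test Partners, NAVBLUE or Airbus; it uses the real ATS key names but the plist samples (bundle identifier, domain names) are constructed for illustration. It flags the global opt-out the article describes (NSAllowsArbitraryLoads) and goes slightly beyond the page by also reporting the scoped per-domain exceptions that allow plaintext HTTP or weaken TLS.

```python
"""Audit an iOS Info.plist for App Transport Security (ATS) opt-outs.

ATS blocks plaintext HTTP and weak TLS by default. An app weakens or disables
it through keys under NSAppTransportSecurity; a build-time check over the
Info.plist makes those opt-outs visible before release.
"""
import plistlib

# Constructed sample plists (hypothetical bundle id and hosts, not the real app's files).
# Global opt-out: ATS disabled for every host, plaintext HTTP permitted anywhere.
WEAK_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key>
  <string>com.example.efb-sync</string>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSAllowsArbitraryLoads</key>
    <true/>
  </dict>
</dict>
</plist>
"""

# Scoped opt-out: one domain (and its subdomains) allowed to use HTTP and TLS 1.0
# without forward secrecy. Narrower than the global switch, but still worth a finding.
SCOPED_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key>
  <string>com.example.efb-sync</string>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSExceptionDomains</key>
    <dict>
      <key>updates.example.net</key>
      <dict>
        <key>NSIncludesSubdomains</key>
        <true/>
        <key>NSExceptionAllowsInsecureHTTPLoads</key>
        <true/>
        <key>NSExceptionMinimumTLSVersion</key>
        <string>TLSv1.0</string>
        <key>NSExceptionRequiresForwardSecrecy</key>
        <false/>
      </dict>
    </dict>
  </dict>
</dict>
</plist>
"""

# Hardened: no NSAppTransportSecurity dictionary at all, so iOS defaults apply
# (HTTPS only, TLS 1.2 minimum, forward secrecy required).
HARDENED_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key>
  <string>com.example.efb-sync</string>
</dict>
</plist>
"""

WEAK_TLS_VERSIONS = {"TLSv1.0", "TLSv1.1"}


def audit_ats(plist_bytes):
    """Return a list of human-readable findings; an empty list means ATS is intact."""
    info = plistlib.loads(plist_bytes)
    ats = info.get("NSAppTransportSecurity", {})
    findings = []

    # Global switches: these disable ATS for every connection of the given kind.
    if ats.get("NSAllowsArbitraryLoads"):
        findings.append("global: NSAllowsArbitraryLoads is true "
                        "(ATS disabled for all hosts; plaintext HTTP allowed)")
    for key in ("NSAllowsArbitraryLoadsInWebContent", "NSAllowsArbitraryLoadsForMedia"):
        if ats.get(key):
            findings.append(f"global: {key} is true")

    # Per-domain exceptions: narrower, but each one still weakens transport security.
    for domain, exc in ats.get("NSExceptionDomains", {}).items():
        scope = domain + (" (+subdomains)" if exc.get("NSIncludesSubdomains") else "")
        if exc.get("NSExceptionAllowsInsecureHTTPLoads"):
            findings.append(f"{scope}: NSExceptionAllowsInsecureHTTPLoads is true "
                            "(plaintext HTTP permitted)")
        tls = exc.get("NSExceptionMinimumTLSVersion")
        if tls in WEAK_TLS_VERSIONS:
            findings.append(f"{scope}: NSExceptionMinimumTLSVersion lowered to {tls}")
        if exc.get("NSExceptionRequiresForwardSecrecy") is False:
            findings.append(f"{scope}: NSExceptionRequiresForwardSecrecy is false")
    return findings


if __name__ == "__main__":
    for name, sample in (("weak", WEAK_PLIST), ("scoped", SCOPED_PLIST),
                         ("hardened", HARDENED_PLIST)):
        print(f"[{name}]", audit_ats(sample) or "no ATS opt-outs")
```

Run it over a real bundle by passing the bytes of its Info.plist to audit_ats; plistlib reads both XML and binary plists, so no conversion is needed first. A clean result does not prove the app pins certificates or validates what it downloads, only that the platform's transport protections have not been switched off.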
After the vulnerability was reported to Airbus on June 28, 2022, the company acknowledged the problem and promised to fix it in the next version of Flysmart+ Manager by the end of 2022.
On February 22, 2023, Airbus officially confirmed that the app had been updated and that aircraft were no longer at risk. On May 26 of the same year, detailed information about the fix was sent to the corporation's customers.
Pen Test Partners presented the results of the study at major cybersecurity conferences, including DEF CON 31 in Las Vegas. The presentation focused on a detailed analysis of the discovered vulnerability and the timeline of its remediation by Airbus.
Pen Test Partners also presented their results at the Aerospace Village and at Aviation ISAC events held in Dublin in 2023.