
Airline Flight Planning App Vulnerable to Interception Risks


The aviation industry has been put on high alert after security vulnerabilities were found in an essential mobile app used by many airline pilots, flaws that could have compromised safe takeoff and landing procedures. The issues were discovered by researchers at UK-based Pen Test Partners (PTP), who analyzed the Flysmart+ Manager app developed by NAVBLUE, an IT services company owned by Airbus.

A spokesperson from PTP informed the public that the vulnerability in the Flysmart+ Manager app raised major concerns as it posed a threat to the safety and security of flight operations. The app is a fundamental part of the Electronic Flight Bag (EFB) used by pilots for flight planning calculations and accessing digital documents such as operating manuals, navigational charts, and aircraft checklists.

Upon analyzing the app, researchers found that App Transport Security (ATS), which would have mandated the use of HTTPS for secure data transmission, was disabled. Additionally, the app did not have any form of certificate validation, leaving it open to exploitation on open and untrusted networks. As a result, an attacker could potentially intercept and decrypt sensitive information transmitted through the app.

“The EFB is used to calculate the required power from the engines for departure, also the required braking on landing,” explained Ken Munro, a partner at PTP. “We showed that, as a result of the missing ATS setting, one could potentially tamper with the data that is then given to pilots. That data is used during these ‘performance’ calculations, so pilots could apply insufficient power or not enough braking action.”

While the disabled ATS setting posed serious security risks, researchers noted that exploiting the vulnerability was not a straightforward task. An attacker would need to be within Wi-Fi range of the EFB with the vulnerable app, and the attack would only be feasible during an app update. This means the threat actor would need to know when the update was occurring to insert malicious code during the process.

PTP highlighted that the conditions for such an attack could occur during pilot layovers, since airline EFBs can be exposed to interception on untrusted networks. Pilots usually bring their EFBs with them during layovers, which makes the devices vulnerable to attacks initiated within the hotel’s Wi-Fi range.

While the specific vulnerability in the Flysmart+ Manager app has been patched, it serves as a reminder of the potential security risks associated with EFBs in the aviation industry. PTP has previously uncovered other vulnerabilities in EFBs, including an integrity check bypass flaw in a Lufthansa EFB app and the ability to modify manuals on an EFB regarding the effectiveness of de-icing procedures on aircraft wings.

With the aviation industry relying heavily on technological advancements, it is crucial for companies to prioritize security and take proactive measures to address potential vulnerabilities in critical applications used for flight operations. The incident serves as a wake-up call for the industry to strengthen security measures and enhance resilience against potential cyber threats that could impact flight safety and security.
