Hacking an Airbus suite of electronic flight bag (EFB) applications for pilots could have posed a risk to aircraft safety, security consulting and testing firm Pen Test Partners reports.
Developed by Airbus-owned IT services company Navblue, the Flysmart+ suite of applications helps pilots conduct performance calculations and access flight operations manuals directly on a tablet, such as an iPad. Pen Test Partners says the app helps “deliver efficient and safe departure and arrival of flights”.
While analyzing the Flysmart+ Manager iOS application, which enables users to update the data of the EFB application suite from a central solution, Pen Test Partners discovered that it had App Transport Security (ATS) disabled.
A networking feature in applications built for Apple platforms, ATS enforces the use of HTTPS for improved security. Disabling it allows the app to communicate over insecure channels, opening the door to man-in-the-middle (MitM) attacks.
The issue, Pen Test Partners explains, allowed an attacker to view data downloaded from the Navblue servers, consisting mostly of SQLite databases containing aircraft information and take-off performance data.
The cybersecurity firm says an attacker may have been able to “modify aircraft performance data or adjust airport information e.g. runway lengths”, which could have resulted in “a tailstrike or runway excursion on departure”, types of incidents that can have severe consequences for an airplane and its passengers.
To mount a successful attack, however, a threat actor would have had to wait for a pilot to update the Flysmart+ EFB apps over a potentially insecure network, such as a hotel’s Wi-Fi network.
Such a scenario would have been possible, though, because airlines typically use the same hotel for layovers at a destination and because pilots are required to update the EFB applications once a month to comply with regulations.
The attacker would also have had to identify a pilot at a layover hotel, along with their airline, to determine which suite of EFB apps they use.
The issue was reported to Airbus in June 2022. The aircraft manufacturer confirmed the issue within a month and informed Pen Test Partners that the next version of Flysmart+ would resolve it. In May 2023, the company said that a mitigation measure was communicated to customers.