Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

IoT Security

Airbus App Vulnerability Introduced Aircraft Safety Risk: Security Firm

Navblue Flysmart+ Manager allowed attackers to modify aircraft engine performance calculation, intercept data.

Aircraft hack

Hacking an Airbus suite of applications for pilot electronic flight bag (EFB) could have posed a risk to aircraft safety, security consulting and testing firm Pen Test Partners reports.

Developed by Airbus-owned IT services company Navblue, the Flysmart+ suite of applications helps pilots conduct performance calculations and access flight operations manuals directly on a tablet, such as an iPad. Pen Test Partners says the app helps “deliver efficient and safe departure and arrival of flights”.

While analyzing the Flysmart+ Manager iOS application, which enables users to update the EFB application suite of data from a central solution, Pen Test Partners discovered that it had App Transport Security (ATS) disabled.

A networking feature in applications built for Apple platforms, ATS enforces the use of HTTPS for improved security, and disabling it results in communications over insecure methods, opening the door to man-in-the-middle (MitM) attacks.

The issue, Pen Test Partners explains, allowed an attacker to view data downloaded from the Navblue servers, consisting mostly of SQLite databases containing aircraft information and take-off performance data.

The cybersecurity firm says an attacker may have been able to “modify aircraft performance data or adjust airport information e.g. runway lengths”, which could have resulted in “a tailstrike or runway excursion on departure”, types of incidents that can have severe consequences for an airplane and its passengers.

To mount a successful attack, however, a threat actor would have had to wait for a pilot to update the Flysmart+ EFB apps over a potentially insecure network, such as a hotel’s Wi-Fi network.

That, however, could have been possible because airlines typically use the same hotel for layovers at a destination and because pilots are required to update the EFB applications once a month, to comply with regulations.

Advertisement. Scroll to continue reading.

Identifying a pilot at a layover hotel and their airline to determine the suite of EFB apps they use would have been required as well.

The issue was reported to Airbus in June 2022. The aircraft manufacturer confirmed the issue within a month and informed Pen Test Partners that the next version of Flysmart+ would resolve it. In May 2023, the company said that a mitigation measure was communicated to customers.

Related: Ransomware Group Leaks Files Allegedly Stolen From Boeing

Related: TSA Requires Aviation Sector to Enhance Cybersecurity Resilience

Related: Networking Tech Vulnerability Could Be Used to Hack Spacecraft: Researchers

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Learn about active threats targeting common cloud deployments and what security teams can do to mitigate them.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

IoT Security

A vulnerability affecting Dahua cameras and video recorders can be exploited by threat actors to modify a device’s system time.

IoT Security

An innocent-looking portable speaker can hide a hacking device that launches CAN injection attacks, which have been used to steal cars.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

IoT Security

Hikvision patches CVE-2023-28808, a critical authentication bypass vulnerability that exposes video data stored on its Hybrid SAN and cluster storage products.

Cybersecurity Funding

Internet of Things (IoT) and Industrial IoT security provider Shield-IoT this week announced that it has closed a $7.4 million Series A funding round,...

IoT Security

Researchers at offensive hacking shop Synacktiv demonstrated successful exploit chains and were able to “fully compromise” Tesla’s newest electric car and take top billing...

ICS/OT

As smart cities evolve with more and more integrated connected services, cybersecurity concerns will increase dramatically.