New research has found that data used by apps that inform airline pilots about safe takeoff and landing procedures can be remotely tampered with by criminals.
In a scenario that evokes strong memories of that painful flight scene in Die Hard 2, researchers investigating electronic flight bags (EFBs) have found that the app used by Airbus pilots is vulnerable to remote data manipulation under the right conditions.
In reality, that Die Hard scene was surprisingly riddled with plot holes – researchers proved it months ago – but it proves something similar can happen. It was always an exciting thing to do.
EFBs are typically tablets or tablet-like portable computers that run aviation-specific apps used for various flight deck and cabin tasks, such as calculations to improve aircraft performance.
The vulnerability was discovered in Flysmart+ Manager, one of many apps in the Flysmart+ suite that Airbus pilots use to sync data to other Flysmart+ apps. Flysmart+ Manager provides data to inform pilots of safe takeoffs and landings.
Flysmart+ Manager, developed by Airbus-owned NAVBLUE, was found to disable App Transport Security (ATS) by setting the NSAllowsArbitraryLoads property list key to "true". ATS is an important security control that protects communication between the app and the app update server.
“ATS is a security mechanism that forces applications to use HTTPS and prevents unencrypted communication,” Antonio Cassidy, partner at Pen Test Partners, which conducted the research, said in a blog post. “An attacker could exploit this weakness to intercept and decrypt potentially sensitive information in transit.”
A viable attack must involve intercepting data flowing into the app and requires a number of very specific conditions to be met. Even Ken Munro, another partner at Pen Test Partners, concedes that the likelihood of exploitation is low in a real-world scenario.
That’s right, this is the hotel that airlines always use…
First, the attacker must be within Wi-Fi range of the EFB with Flysmart+ Manager loaded. It may seem unlikely, but Munro said airlines often use the same hotels to house pilots between flights, and pilots and the airlines they work for are often easy to distinguish.
Second, and perhaps the biggest barrier to realistic exploitability, is the fact that an attacker would need to monitor device traffic when the EFB handler initiates an app update.
The update cycle is determined by the Aviation Information and Regulatory Control (AIRAC) database. The AIRAC database can be updated with important information, such as when a new runway is installed or temporarily out of service, or when significant changes are made to the runway environment, such as the installation of a crane.
Once the database is updated with new data, the app must download that data to provide pilots with accurate and timely information. This is usually done once a month.
The attack scenario devised by the researchers targets a pilot sitting in a hotel bar (i.e. within Wi-Fi range) and a specific endpoint, with the attacker aware of the target app. The idea was to perform directional Wi-Fi hunting.
“Given that airlines typically use the same hotels for outbound and connecting pilots, attackers could potentially target hotel Wi-Fi networks with the intent of tampering with aircraft performance data,” Cassidy said.
While developing a proof of concept for the exploit, researchers had access to data downloaded from update servers. Most of these come in the form of SQLite databases, including aircraft weight balance data and a minimum equipment list, which is information about which systems may become inoperable during flight.
Cassidy said possible effects of a successful exploit could include rear-ending an aircraft or a missed takeoff, which could lead to a runway excursion.
“Do you think that’s a possibility? No, absolutely not,” Munro said. “But the important thing is there is a vulnerability. There is a problem with the flight system, but the good news is we found it and the manufacturer is fixing it.”
Airbus was praised by researchers for resolving the problem within 19 months, which they said was within the expected range for aviation technology.
While 19 months would be completely unacceptable for regular IT patching, in the airline industry such updates typically take about 12 months, so 19 is not a million miles off. The certification process in the airline industry is said to take even longer.
Munro said, “Could it have been done a little faster? Yes, I think it could have been done a little faster, but they fixed it, and that’s the important thing. It was done in a reasonable amount of time for aviation software.”
An active commercial pilot told The Register that the findings were particularly “concerning” regarding takeoff performance speeds, as Airbus’ performance programs are known to generate different speeds and flap settings to optimize takeoffs. They said that because of this frequent change, if a manipulated dataset appears in the EFB app, pilots likely won’t be able to spot it, which could lead to unsafe takeoff procedures.
Some airlines have significant error checks that examine the relationship between calculated speed and actual aircraft speed based on aircraft weight and balance data. This type of data was accessed by the researchers while examining Flysmart+ Manager.
“I assumed [these checks] would find a hack… but we cannot say for sure,” the pilot said.
In response to the investigation, an Airbus spokesperson said, “We have identified a potential vulnerability in certain versions of the NAVBLUE FlySmart+ EFB product in 2022.”
“Our analysis, confirmed by EASA, showed that there were no safety issues thanks to the security procedures put in place to verify flight-related data. This potential vulnerability has been resolved in version “.”®


