Airbus Navblue Flysmart+ Manager has been found to have a vulnerability that allows attackers to tamper with engine performance calculations and intercept data. The app, which is a part of the suite of apps for pilot EFBs, has been discovered to have a security issue that could potentially lead to tailstrike or runway excursion during departure.
Researchers from Pen Test Partners found that the iOS app had intentionally disabled App Transport Security (ATS), the platform mechanism that enforces HTTPS for the app's network connections. With ATS disabled, an attacker positioned on the network path could intercept and modify the app's traffic, potentially leading to serious consequences.
The researchers were able to exploit the vulnerability to view the data being downloaded from NAVBLUE servers, which included SQLite databases containing information on specific aircraft and take-off performance data. In a practical attack scenario, threat actors could tamper with the traffic when pilots update Flysmart+ EFB apps over insecure networks, such as hotel Wi-Fi.
Airbus was notified of the issue in June 2022, and the company confirmed that the next version of the software would address the problem. In the meantime, a mitigation was provided to customers in May 2023.
The discovery of this vulnerability highlights the potential risks associated with using insecure networks for updating critical aviation software. The issue also serves as a reminder of the importance of promptly addressing and mitigating security vulnerabilities in aviation software to ensure the safety and security of air travel.