Pierluigi Paganini February 05, 2024

Airbus Navblue Flysmart+ Manager allowed attackers to tamper with the engine performance calculations and intercept data.

Flysmart+ is a suite of apps for pilot EFBs, helping deliver efficient and safe departure and arrival of flights. Researchers from Pen Test Partners discovered a vulnerability in Navblue Flysmart+ Manager that can be exploited to tamper with the engine performance calculations. The experts pointed out that the issue potentially exposes to tailstrike or runway excursion during departure.

Pen Test Partners says the app helps “deliver efficient and safe departure and arrival of flights”.

The researchers noticed that one of the iOS apps had ATS (App Transport Security) intentionally disabled.

The ATS is a security mechanism that forces the use of the HTTPS protocol, which means that disabling it could open to tamper with and decrypt the traffic.

“With ATS disabled, insecure communication happens. It makes the app susceptible to interception where an attacker could force a victim to use the unencrypted HTTP protocol while forwarding the data to the real server, encrypted.” reads the report published by Pen Test Partners. “An entry in the info.plist file alongside the app allows insecure HTTP loads to any domain.”

Pen Test Partners researchers were able to exploit the issue to view the data being downloaded from the NAVBLUE Servers.

Most of the files downloaded by the researchers were SQLite databases containing information on specific aircraft, and many of them included take-off performance data (PERF).

An attacker can modify aircraft performance data included in these files or adjust airport information such as the. runway lengths with serious consequences.

In a practical attack scenario, threat actors have to tamper with the traffic from the apps when pilots update Flysmart+ EFB apps over a potentially insecure network. The apps would likely be updated once a month.

“Given that airlines typically use the same hotel for pilots who are down route / on a layover, an attacker could target the hotel’s Wi-Fi networks with the goal of modifying aircraft performance data.” continues the experts. “It’s quite easy to identify pilots in layover hotels. It’s also fairly easy to identify the airline and therefore the suite of EFB apps they are likely to be using.”

The experts reported the issue to Airbus in June 2022. The company confirmed that the next version of the software would address the issue. The company also added that it has provided a mitigation measure to its customers in May 2023.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Airbus)