Pilot companion app vulnerable to flight performance manipulations

The iOS app Flysmart+, which pilots use to calculate aircraft takeoff performance, weight, and balance, was vulnerable to practical attacks that could result in a tailstrike or runway excursion on departure, cybersecurity researchers at Pen Test Partners have discovered.

Flysmart+ is an app for pilots developed by the Airbus subsidiary Navblue. This solution is for the so-called electronic flight bag.

The app had App Transport Security (ATS), a privacy feature that enforces secure connections, intentionally disabled, together with any form of certificate validation. That exposed the app to interception attacks over Wi-Fi.

The now remediated issue “could enable tampering with, for example, the engine performance calculations, potentially resulting in a tailstrike or runway excursion on departure,” Pen Test Partners said.

ATS forces an app to use the HTTPS communication protocol. When ATS is disabled, the app communicates with servers using insecure methods without encryption. Attackers can use this weakness to intercept and decrypt potentially sensitive information in transit.

Researchers demonstrated that a middleman could access data downloaded from Navblue servers, including SQLite databases containing information on specific aircraft, as well as take-off performance data.

“With that control disabled, an attacker could potentially modify aircraft performance data or adjust airport information, e.g., runway lengths,” researchers added.

Apple guidelines suggest that developers always leave ATS enabled. Otherwise, “it significantly reduces the security” of the app.

The researchers also provided a potential attack scenario. Attackers could target the Wi-Fi at a hotel where pilots typically stay, and then modify aircraft performance data. The app is constantly updated with aeronautical information, such as procedures, how to safely depart from an airport, standard arrival routes, runway and taxiway information changes.

“It’s quite easy to identify pilots in layover hotels. It’s also fairly easy to identify the airline and therefore the suite of electronic flight bag apps they are likely to be using,” researchers warned.

The vulnerability was disclosed back on the 28th of June, 2022. Airbus later released the ‘mitigation measure’ to the customers. Airbus declined to comment on the findings in the researchers’ blog post.

The public disclosure comes 19 months after the initial disclosure to Airbus.

“Given the challenges of aviation cyber we’re sympathetic to long remediation times. For this reason it’s important to understand the nuances of the industry and avoid hasty public disclosure,” Pen Test Partners explained and added that Airbus quickly responded and resolved the issue.