Offenders may remotely tamper with the data that apps utilized by airplane pilots depend on to advise secure takeoff and landing processes, based on recent research.
In a case that evokes strong recollections of that nerve-wracking flight scene from Die Hard 2, researchers who examined electronic flight bags (EFBs) discovered that the app employed by Airbus pilots was susceptible to manipulation of data from a distance, under certain circumstances.
In reality, that Die Hard sequence was filled with plot gaps – the researchers verified that a few months earlier – but showing the potential for something similar always generates excitement.
An EFB generally comprises a tablet or similar portable computer that runs aviation-specific apps for an assortment of flight deck or cabin duties, like making computations to enhance aircraft performance.
The susceptibility was found in Flysmart+ Manager, one among many apps within the Flysmart+ set used by Airbus pilots to harmonize data to other Flysmart+ apps that provide information to pilots for secure takeoffs and landings.
Developed by Airbus-owned NAVBLUE, Flysmart+ Manager was found to have deactivated app transport security (ATS) by setting the NSAllowsArbitraryLoads property list key to “true.” ATS is a crucial security measure responsible for safeguarding communications between the app and the app’s update server.
“ATS is a security mechanism that obliges the application to use HTTPS, preventing unencrypted communications,” wrote Antonio Cassidy, partner at Pen Test Partners, who conducted the research. “An attacker could exploit this vulnerability to intercept and decrypt potentially sensitive information during transit.”
A viable assault would need to involve the interception of data transmitted to the app, and a variety of highly particular conditions would need to be satisfied. Even Ken Munro, another partner at Pen Test Partners, conceded that a real-world exploitation would be improbable.
Ah, that familiar airline hotel….
First, a perpetrator would have to be within Wi-Fi range of the EFB loaded with Flysmart+ Manager. Seems improbable, but Munro pointed out that airlines often utilize the same hotels to house their pilots between flights, and you can easily identify them and the airline they work for.
Secondly, and perhaps the greatest impediment to practical exploitability, is the fact that a perpetrator would need to be monitoring the device’s traffic at the time of the EFB handler initiating an app update.
The update cycle is established by the Aeronautical Information Regulation and Control (AIRAC) database. The AIRAC database can be updated with crucial information such as when new runways are installed or made temporarily unavailable, or when significant changes are made to the runway environment, like the installation of a crane.
When the database is updated with new data, the app must download it to provide pilots with precise and punctual information. This is usually done once a month.
The research’s attack scenario involved targeting a pilot seated at a hotel bar – therefore within Wi-Fi range – and conducting directional Wi-Fi hunts while targeting a particular endpoint known to the perpetrator as they are familiar with the target app.
“Given that airlines commonly use the same hotel for pilots who are on a layover, an attacker could focus on the hotel’s Wi-Fi networks with the objective of modifying aircraft performance data,” explained Cassidy.
Developing a proof-of-concept for an exploit, the researchers were able to access data being downloaded from update servers. Most of it came in the form of SQLite databases, some of which included weight balance data of an aircraft and the minimal equipment list – information on which systems can be inoperative for a flight.
Cassidy mentioned that potential repercussions of a successful exploit could include an airplane tailstrike or a failed takeoff, resulting in runway excursions.
“Do I think this is likely? No, absolutely not,” stated Munro. “But, the point is there is a vulnerability. There are issues with flight systems and the good news is we’re finding them and manufacturers are fixing it.”
Airbus was praised by the researchers for addressing the problem within 19 months, which falls within the anticipated timeframe for aviation technology, they reported.
A 19-month window would be entirely unacceptable in regular IT patching, but in aviation, an update like this typically takes about 12 months, so it’s not too far off. A longer duration is necessary for it to undergo certification processes in the aviation industry, we’re told.
Munro stated: “Could that have been a bit swifter? Yes, I think it could have been a bit faster, but they fixed it – that’s the essential thing, and it was done in a reasonable amount of time for aviation software.”
One active commercial pilot told The Register that the discovery was a “worry,” particularly in relation to takeoff performance speeds, since the Airbus performance program is known for generating various speeds and flap settings to optimize takeoffs. They mentioned that due to this frequent variation, a pilot probably wouldn’t detect a manipulated dataset if it appeared in the EFB app, potentially leading to hazardous takeoff procedures.
Several airlines have comprehensive error checks that evaluate the connection between the calculated speed and actual aircraft speed, based on the aircraft’s weight and balance data, the type examined by the researchers while investigating Flysmart+ Manager.
“I assume [these checks] would detect a hack… but I couldn’t say that definitively,” stated the pilot.
In response to the research, a spokesperson for Airbus stated: “We found a potential vulnerability in a specific version of the NAVBLUE FlySmart+ EFB product in 2022.
“Our analysis, confirmed by EASA, demonstrated that there was no safety issue thanks to the security measures in place to validate flight-relevant data. Product improvements have resolved this potential vulnerability in subsequent versions of NAVBLUE EFBs.” ®