Criminals could remotely tamper with the data that apps used by airplane pilots rely on to inform safe takeoff and landing procedures, according to fresh research.
In a scenario that elicits strong memories of that nail-biting flight scene from Die Hard 2, researchers investigating electronic flight bags (EFBs) found the app used by Airbus pilots was vulnerable to remote data manipulation, given the right conditions.
In reality, that Die Hard scene was, surprise surprise, riddled with plot holes – the researchers proved that a few months ago – but proving the possibility of something similar would always be exciting.
An EFB is usually a tablet or tablet-like portable computer that runs aviation-specific apps used for a variety of flight deck or cabin tasks, such as making calculations to improve aircraft performance.
The vulnerability was found in Flysmart+ Manager, one of many apps within the Flysmart+ suite used by Airbus pilots to synchronize data to other Flysmart+ apps which provide data to pilots informing safe takeoffs and landings.
Developed by Airbus-owned NAVBLUE, Flysmart+ Manager was found to have disabled App Transport Security (ATS) by setting the NSAllowsArbitraryLoads property list key to “true.” ATS is a key security control responsible for securing communications between the app and the app’s update server.
“ATS is a security mechanism that forces the application to use HTTPS, preventing unencrypted communications,” blogged Antonio Cassidy, partner at Pen Test Partners, who carried out the research. “An attacker could use this weakness to intercept and decrypt potentially sensitive information in transit.”
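An added example, not taken from the article or from Pen Test Partners' research: a check a reviewer could run over an app's Info.plist to catch the setting described above before release. The sample plists, bundle identifier and domain are constructed; only NSAllowsArbitraryLoads comes from the article, and the per-domain exception keys are other standard ATS keys covered here as a generalization.

```python
import plistlib

# Constructed sample: reproduces the setting the article describes.
WEAK = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>com.example.efb-manager</string>
  <key>NSAppTransportSecurity</key><dict>
    <key>NSAllowsArbitraryLoads</key><true/>
  </dict>
</dict></plist>"""

# Constructed sample: ATS left on, with one per-domain exception.
SCOPED = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>NSAppTransportSecurity</key><dict>
    <key>NSExceptionDomains</key><dict>
      <key>legacy.example.test</key><dict>
        <key>NSExceptionAllowsInsecureHTTPLoads</key><true/>
        <key>NSExceptionMinimumTLSVersion</key><string>TLSv1.0</string>
      </dict>
    </dict>
  </dict>
</dict></plist>"""


def audit_ats(plist_bytes):
    """Return (severity, message) findings for ATS settings in an Info.plist."""
    ats = plistlib.loads(plist_bytes).get("NSAppTransportSecurity", {})
    findings = []
    # Lifts ATS for every domain not listed under NSExceptionDomains.
    if ats.get("NSAllowsArbitraryLoads") is True:
        findings.append(("HIGH", "NSAllowsArbitraryLoads=true: HTTPS not enforced app-wide"))
    for domain, rules in ats.get("NSExceptionDomains", {}).items():
        if rules.get("NSExceptionAllowsInsecureHTTPLoads") is True:
            findings.append(("MEDIUM", f"{domain}: cleartext HTTP allowed"))
        if rules.get("NSExceptionMinimumTLSVersion") in ("TLSv1.0", "TLSv1.1"):
            findings.append(("MEDIUM", f"{domain}: minimum TLS version lowered"))
    return findings


if __name__ == "__main__":
    for name, sample in (("weak", WEAK), ("scoped", SCOPED)):
        for severity, message in audit_ats(sample):
            print(f"{name}: [{severity}] {message}")
```

An Info.plist with no NSAppTransportSecurity dictionary yields no findings, since ATS is enforced by default.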
A feasible attack would have to involve the interception of data flowing to the app, and a number of very specific conditions would need to be met. Even Ken Munro, another partner at Pen Test Partners, admitted exploitation would be unlikely in a real-world scenario.
Oh, yes, that hotel the airline always uses…
First, an attacker would need to be within Wi-Fi range of the EFB loaded with Flysmart+ Manager. Sounds unlikely, but Munro said airlines often use the same hotels to accommodate their pilots between flights, and you can spot them, and the airline they work for, fairly easily.
Secondly, and perhaps the biggest barrier to realistic exploitability, an attacker would need to be monitoring the device’s traffic at the moment the EFB handler initiates an app update.
The update cycle is determined by the Aeronautical Information Regulation and Control (AIRAC) database. The AIRAC database can be updated with important information such as when new runways are installed or made temporarily unavailable, or when significant changes are made to the runway environment, like the installation of a crane.
When the database is updated with new data, the app must download it to provide pilots with accurate and timely information. This is typically done once a month.
The attack scenario devised by the researchers involved targeting a pilot sitting at a hotel bar – so, within Wi-Fi range – and performing directional Wi-Fi hunting while targeting a specific endpoint, which the attacker would already know because they know the target app.
“Given that airlines typically use the same hotel for pilots who are down route / on a layover, an attacker could target the hotel’s Wi-Fi networks with the goal of modifying aircraft performance data,” said Cassidy.
In developing a proof-of-concept for an exploit, the researchers were able to access data being downloaded from update servers. Most of it came in the form of SQLite databases, with some including weight balance data of an aircraft and the minimum equipment list – information on what systems can be inoperative for a flight.
Cassidy said the possible consequences of a successful exploit could include an airplane tailstrike or a failed takeoff, leading to runway excursions.
“Do I think this is likely? No, absolutely not,” said Munro. “But, the point is there is a vulnerability. There are issues with flight systems and the good news is we’re finding them and manufacturers are fixing it.”
Airbus was commended by the researchers for fixing the issue within 19 months, which is in the expected range for aviation tech, they said.
A window of 19 months would be entirely unacceptable in regular IT patching, but in aviation, an update like this would typically take around 12 months, so not a million miles away. A longer period of time is required for it to go through certification processes with the aviation industry, we’re told.
Munro said: “Could that be a bit quicker? Yeah, I think it could have been a bit quicker, but they fixed it – that’s the important thing, and it was done in a reasonable amount of time for aviation software.”
One active commercial pilot told The Register the finding was a “concern,” particularly with regard to takeoff performance speeds since the Airbus performance program is known for producing different speeds and flap settings to optimize takeoffs. They said because of this frequent change, a pilot probably wouldn’t spot a manipulated dataset if it appeared in the EFB app, which could lead to dangerous takeoff procedures.
Some airlines have gross error checks that examine the relationship between the calculated speed and actual aircraft speed, based on the aircraft’s weight and balance data, the type of data that was accessed by the researchers while looking into Flysmart+ Manager.
“I assume [these checks] would pick up a hack… but I couldn’t say that categorically,” the pilot said.
Responding to the research, an Airbus spokesperson said: “We identified a potential vulnerability in a specific version of the NAVBLUE FlySmart+ EFB product in 2022.
“Our analysis, confirmed by EASA, showed that there was no safety issue thanks to the security procedures in place to validate flight-relevant data. Product improvements have addressed this potential vulnerability in subsequent versions of NAVBLUE EFBs.”