February 5, 2024 at 06:06PM
Pen Test Partners discovered a security issue in the Flysmart+ suite of applications for pilot electronic flight bags developed by Airbus-owned Navblue. The iOS app had an important security feature disabled, making it vulnerable to potential attacks, which could have resulted in severe consequences for aircraft safety. Airbus confirmed the issue and implemented a mitigation measure in the next version of the app by May 2023.
The vulnerability was in the Flysmart+ Manager iOS application and posed a risk to aircraft safety. With App Transport Security (ATS) disabled, the app was open to man-in-the-middle (MitM) attacks in which an attacker could view and potentially modify critical aircraft performance data. The issue was reported to Airbus and confirmed by the manufacturer, leading to a resolution in the next version of Flysmart+. A mitigation measure has been communicated to customers. The implications of this vulnerability highlight the importance of robust cybersecurity measures in aviation software to ensure the safety and integrity of flight operations.
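ATS is configured through the `NSAppTransportSecurity` dictionary in an app's `Info.plist`, so a build can be audited for the kind of setting described above before it ships. The following check is an added example, not code from Pen Test Partners, Airbus or Navblue; the summary does not say which ATS key was set in Flysmart+, so the sample plists and the `com.example.efb` and `data.example.com` names are constructed for illustration.

```python
import plistlib

# ATS keys documented by Apple that relax transport security beyond one domain.
BROAD_RELAXATIONS = {
    "NSAllowsArbitraryLoads": "ATS restrictions lifted for all connections",
    "NSAllowsArbitraryLoadsInWebContent": "ATS restrictions lifted for web views",
    "NSAllowsArbitraryLoadsForMedia": "ATS restrictions lifted for media loads",
}
WEAK_TLS = ("TLSv1.0", "TLSv1.1")


def audit_ats(plist_bytes):
    """Return findings for ATS settings that permit cleartext HTTP or weak TLS."""
    info = plistlib.loads(plist_bytes)  # accepts XML and binary plists
    ats = info.get("NSAppTransportSecurity")
    if not isinstance(ats, dict):
        return []  # key absent: ATS defaults apply
    findings = []
    for key, meaning in BROAD_RELAXATIONS.items():
        if ats.get(key) is True:
            findings.append(f"{key}: {meaning}")
    for domain, rules in sorted(ats.get("NSExceptionDomains", {}).items()):
        if not isinstance(rules, dict):
            continue
        if rules.get("NSExceptionAllowsInsecureHTTPLoads") is True:
            findings.append(f"{domain}: cleartext HTTP allowed")
        min_tls = rules.get("NSExceptionMinimumTLSVersion")
        if min_tls in WEAK_TLS:
            findings.append(f"{domain}: minimum TLS lowered to {min_tls}")
    return findings


# Constructed sample inputs (not taken from any real app).
SAMPLE_DEFAULT = plistlib.dumps({"CFBundleIdentifier": "com.example.efb"})
SAMPLE_DISABLED = plistlib.dumps({
    "CFBundleIdentifier": "com.example.efb",
    "NSAppTransportSecurity": {"NSAllowsArbitraryLoads": True},
})
SAMPLE_EXCEPTION = plistlib.dumps({
    "CFBundleIdentifier": "com.example.efb",
    "NSAppTransportSecurity": {"NSExceptionDomains": {"data.example.com": {
        "NSExceptionAllowsInsecureHTTPLoads": True,
        "NSExceptionMinimumTLSVersion": "TLSv1.0",
    }}},
})

if __name__ == "__main__":
    for name in ("SAMPLE_DEFAULT", "SAMPLE_DISABLED", "SAMPLE_EXCEPTION"):
        print(name, audit_ats(globals()[name]))
```

Running a check like this in CI against the `Info.plist` of each release build turns an ATS relaxation into a build failure rather than something found after deployment.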