February 6, 2024 at 03:09PM
Airbus-owned IT services company NAVBLUE’s Flysmart+ Manager app, used by airline pilots for crucial flight planning, had a disabled App Transport Security feature, making it vulnerable to attacks. Pen Test Partners discovered the issue, which could lead to unsafe takeoff and landing. The exploit was deemed difficult to execute but posed a serious risk during app updates near pilots’ layover hotels.
The meeting notes cover the details of a security vulnerability found in the Flysmart+ Manager app, which is part of a suite of Electronic Flight Bag (EFB) apps used by airline pilots. The disabled App Transport Security (ATS) setting in the Flysmart+ Manager app allowed sensitive information to be intercepted and decrypted on untrusted networks. Tampering with that traffic could affect flight performance calculations, such as the power requirements for departure and the braking action on landing. The vulnerability was identified by researchers at Pen Test Partners (PTP) and has since been remediated by NAVBLUE, an Airbus-owned IT services company that developed the app.
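ATS is controlled by the NSAppTransportSecurity dictionary in an iOS app's Info.plist, so the misconfiguration described above is detectable before release. The following audit script is an added example, not NAVBLUE's or Pen Test Partners' code; the two embedded Info.plist fragments are constructed samples (the bundle identifier and hostname are placeholders), one with ATS switched off globally via NSAllowsArbitraryLoads and one that keeps ATS on with a single narrowly scoped exception.

```python
"""Audit an iOS Info.plist for App Transport Security (ATS) weaknesses.

Added example; not code from the Flysmart+ project. The plist fragments
below are constructed samples, not extracted from any real app.
"""
import plistlib
import sys

# Constructed sample: ATS disabled for every connection (the weak setting).
WEAK_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key><string>com.example.efb</string>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSAllowsArbitraryLoads</key><true/>
  </dict>
</dict>
</plist>
"""

# Constructed sample: ATS left on; one host gets an exception that still
# requires TLS 1.2 and forward secrecy (the corrected setting).
HARDENED_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key><string>com.example.efb</string>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSExceptionDomains</key>
    <dict>
      <key>updates.example.com</key>
      <dict>
        <key>NSExceptionMinimumTLSVersion</key><string>TLSv1.2</string>
        <key>NSExceptionRequiresForwardSecrecy</key><true/>
      </dict>
    </dict>
  </dict>
</dict>
</plist>
"""

# TLS versions ATS would otherwise refuse; allowing them is a downgrade.
WEAK_TLS_VERSIONS = {"TLSv1.0", "TLSv1.1"}


def audit_ats(plist_bytes: bytes) -> list[str]:
    """Return a list of human-readable findings; empty means no ATS weakening found."""
    info = plistlib.loads(plist_bytes)
    ats = info.get("NSAppTransportSecurity", {})
    findings = []

    # Global switches that turn ATS off wholesale or for large surfaces.
    if ats.get("NSAllowsArbitraryLoads"):
        findings.append("NSAllowsArbitraryLoads=true: ATS disabled for all connections")
    if ats.get("NSAllowsArbitraryLoadsInWebContent"):
        findings.append("NSAllowsArbitraryLoadsInWebContent=true: ATS disabled for web views")
    if ats.get("NSAllowsArbitraryLoadsForMedia"):
        findings.append("NSAllowsArbitraryLoadsForMedia=true: ATS disabled for media loads")

    # Per-domain exceptions: acceptable only if they keep transport security intact.
    for domain, rules in ats.get("NSExceptionDomains", {}).items():
        if rules.get("NSExceptionAllowsInsecureHTTPLoads"):
            findings.append(f"{domain}: NSExceptionAllowsInsecureHTTPLoads=true (plaintext HTTP permitted)")
        min_tls = rules.get("NSExceptionMinimumTLSVersion")
        if min_tls in WEAK_TLS_VERSIONS:
            findings.append(f"{domain}: NSExceptionMinimumTLSVersion={min_tls} is below TLSv1.2")
        if rules.get("NSExceptionRequiresForwardSecrecy") is False:
            findings.append(f"{domain}: forward secrecy requirement disabled")
    return findings


def audit_ats_file(path: str) -> list[str]:
    """Audit an Info.plist on disk (XML or binary; plistlib handles both)."""
    with open(path, "rb") as fh:
        return audit_ats(fh.read())


if __name__ == "__main__":
    # With a path argument, audit that file; otherwise run the built-in samples.
    if len(sys.argv) > 1:
        for finding in audit_ats_file(sys.argv[1]):
            print(finding)
    else:
        for label, plist in (("weak", WEAK_PLIST), ("hardened", HARDENED_PLIST)):
            print(f"{label}: {audit_ats(plist) or ['no ATS weakening found']}")
```

Running the script against an extracted .ipa's Payload/*.app/Info.plist in a release pipeline catches the NSAllowsArbitraryLoads case at build time; the per-domain checks matter because teams often replace a global opt-out with exceptions that quietly re-enable plaintext HTTP or old TLS for the very host that serves updates.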
The practicality of exploiting this vulnerability was limited by the need for proximity to the device and by the need to time an attack to an app update. However, the conditions surrounding the app, including pilot layovers and the requirement for regular software updates, increased the potential risk.
Overall, the meeting notes highlight the importance of addressing and remedying security vulnerabilities in critical aviation software to ensure the safety of flight operations.