Crucial Airline Flight Planning App Open to Interception Risks

Airbus-owned NAVBLUE fixed the issue after a penetration testing firm disclosed the problem to the company.

A mobile app that many airline pilots use for crucial flight planning purposes was open to attacks that could have interfered with safe takeoff and landing procedures due to a disabled security feature it contained.
NAVBLUE
, an Airbus-owned IT services company that developed the app, fixed the issue last year after researchers at UK-based Pen Test Partners (PTP) informed the company about the issue.
And this week, PTP
released details of its findings
following Airbus successful remediation of the application.
The vulnerability was present in Flysmart+ Manager, an app that is part of a broader suite of Flysmart+ apps for so-called Electronic Flight Bag (EFB) platforms. An EFB device — usually an iPad or other tablet computer — basically
hosts apps that flight crews use for flight planning calculations
and for accessing a variety of digital documents such as operating manuals, navigational charts, and aircraft checklists. Some EFBs are directly integrated into the avionics systems of modern aircraft and provide an array of other more complex features, such as providing real-time weather information and tracking the aircrafts position on navigational systems.
Flysmart+
specifically is a suite of iOS apps that assists with aircraft performance, weight, and balance-related calculations according to NAVBLUE. It can be fully integrated with Airbus standard operating procedures, can be used during all phases of a flight, and provides pilots with access to a range of avionics parameters. Flysmart+ Manager, the app in which Pen Test Partners found the security issue, is an app that enables synchronization of data across the Flysmart+ suite.
Researchers from Pen Test Partners found that an App Transport Security (ATS) feature in Flysmart+ Manager that would have forced the app to use HTTPS had not been enabled. The app did not have any form of certificate validation either, leaving it exposed to interception on open and untrusted networks. An attacker could use this weakness to intercept and decrypt potentially sensitive information in transit, PTP said in its report this week.
Ken Munro, a partner at the pen testing firm, says the biggest concern had to do with the potential for attacks on the app that could cause so called runway excursions — or veer-offs and overruns — and potential tail strikes on takeoff. The EFB is used to calculate the required power from the engines for departure, also the required braking on landing, Munro says. We showed that, as a result of the missing ATS setting, one could potentially tamper with the data that is then given to pilots. That data is used during these performance calculations, so pilots could apply insufficient power or not enough braking action, he says.
The ATS issue in Flysmart+ Manager is just one of several vulnerabilities that PTP has uncovered in EFBs in recent years. In May 2023, for instance, the firm reported an
integrity check bypass flaw
in a Lufthansa EFB app called Lido eRouteManual that gave attackers a way to modify flight planning data that pilots using the app received. In July 2022, researchers at PTP showed how they could
modify manuals on an EFB
pertaining to the effectiveness of de-icing procedures on aircraft wings.
From a practical standpoint the disabled ATS setting issue that PTP identified in the Airbus EFB was not especially easy to exploit. To pull it off, an attacker would have first needed to be within Wi-Fi range of an EFB with the vulnerable app. More significantly, the attack would have been possible only during an app update — meaning the threat actor would need to know when the update was happening so they could insert their malicious code during the process.
According to PTP, those conditions can occur during pilot layovers. Airline EFBs can be exposed to interception on untrusted networks given pilot layover hotels are well known and used consistently each night, the firm said.
Pilots usually bring their EFBs with them during layovers because the devices contain their electronic roster as well, Munro says. So, if an attacker was within Wi-Fi range of the device at a hotel they could potentially initiate an attack. Missing ATS would allow a man-in-the-middle attack over Wi-Fi, at which point the attacker could push a tampered database update to the EFB, he says.
While an attack can only happen during an app update, such updates need to happen on a regular basis, he adds. That improves the odds for a successful attack, Munro notes. A quirk of the aviation industry means that the software MUST be updated once every 30 days to remain legal, he says. Given airport layover hotels are known and numerous pilots will be staying at each one every night, the odds and practicality start to add up.

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
Crucial Airline Flight Planning App Open to Interception Risks