
Flysmart+ is an iOS app for pilots to calculate aircraft takeoff performance, weight, and balance, developed by the Airbus subsidiary Navblue. It was recently revealed by cybersecurity researchers at Pen Test Partners to be vulnerable to practical attacks that could result in a tailstrike or runway excursion on departure.

According to Cybernews, the Flysmart+ app had a security feature called App Transport Security (ATS) intentionally disabled. The feature enforces secure connections, and having it and any form of certificate validation disabled exposed the app to interception attacks over Wi-Fi. This issue, though now fixed, could “enable tampering with, for example, the engine performance calculations, potentially resulting in a tailstrike or runway excursion on departure,” Pen Test Partners said.

The ATS feature forces an app to use the HTTPS communication protocol, and when it is disabled, the app communicates with servers using insecure methods without encryption. This weakness can be used by attackers to intercept and decrypt potentially sensitive information in transit.

The researchers further demonstrated that a middleman could access data downloaded from Navblue servers, including SQLite databases containing information on specific aircraft, as well as take-off performance data. The researchers gave the example that with that control disabled, an attacker could potentially modify aircraft performance data or adjust airport information, like the length of the runway.

Furthermore, since the app is constantly updated with aeronautical information (like procedures, how to safely depart from an airport, standard arrival routes, runway and taxiway information changes), attackers could target the Wi-Fi at a hotel where pilots typically stay and modify aircraft performance data.

The vulnerability was disclosed in June 2022, and Airbus released a public disclosure 19 months after the initial discovery. Nevertheless, the researchers mention that such changes could take a long time to fix.

This information was provided by Cybernews.