Flight App Vulnerability Could Enable Skyjacking

Modern aircraft have been called computers with wings since at least 1994, long before hacking was high on society's list of everyday concerns.

Today, the avionics equipment that runs many aircraft is considered resistant to hacking, although not bulletproof. The inflight Internet access systems that connect passengers to the web, however, are as vulnerable to attackers as any ground-based network.

Now, new concerns have been raised over aviation security following the discovery of a critical flaw in a pilots' app, one with the potential to compromise an aircraft's takeoff rather than its time in the air.

Cyber security researchers at Pen Test Partners report that Flysmart+, an iOS app developed by the Airbus subsidiary Navblue that pilots use to calculate aircraft takeoff performance, weight and balance, was vulnerable to practical attacks that could compromise a departure.

According to Cybernews, the Flysmart+ app had a security feature called App Transport Security (ATS) intentionally disabled. ATS is the iOS platform control that enforces secure (TLS) connections for an app's network traffic; with it switched off, and with no form of certificate validation in place either, the app was exposed to interception attacks over Wi-Fi.

ATS forces an app to use HTTPS, with a minimum TLS version and a server certificate the system trusts. When it is disabled, the app is permitted to talk to servers over plaintext HTTP, without encryption, and an attacker on the same network can intercept, read and tamper with potentially sensitive information in transit. This issue, though now fixed, could "enable tampering with, for example, the engine performance calculations, potentially resulting in a tailstrike or runway excursion on departure," Pen Test Partners said.
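The following is an added example, not code from Navblue, Airbus or Pen Test Partners: a small audit script that reads an iOS Info.plist and reports every ATS weakening it finds. The three plists it checks are constructed for illustration (the bundle identifier and the host name are made up): one carries the global switch-off the article describes, one leaves ATS at its default, and one keeps ATS on globally but exempts a single update host, which is the narrower form of the same weakness and is easy to miss in review.

```python
"""Audit an iOS Info.plist for App Transport Security (ATS) weakenings.

Added example, not code from Navblue, Airbus or Pen Test Partners.
The plists below are constructed for illustration.
"""
import plistlib
from typing import List

# Constructed: NSAllowsArbitraryLoads=true turns ATS off for every connection,
# so the app may talk plaintext HTTP to any host. The bundle id is made up.
WEAK_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key>
  <string>com.example.perfcalc</string>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSAllowsArbitraryLoads</key>
    <true/>
  </dict>
</dict>
</plist>
"""

# Constructed: no NSAppTransportSecurity dictionary at all, so ATS applies in
# full (HTTPS only, TLS 1.2 or newer, system-trusted certificate chain).
HARDENED_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key>
  <string>com.example.perfcalc</string>
</dict>
</plist>
"""

# Constructed: ATS stays on globally, but one (made-up) update host is exempted
# from HTTPS and allowed to negotiate TLS 1.0.
DOMAIN_EXCEPTION_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSExceptionDomains</key>
    <dict>
      <key>updates.example.com</key>
      <dict>
        <key>NSExceptionAllowsInsecureHTTPLoads</key>
        <true/>
        <key>NSExceptionMinimumTLSVersion</key>
        <string>TLSv1.0</string>
      </dict>
    </dict>
  </dict>
</dict>
</plist>
"""

# Global keys that relax ATS when set to true.
GLOBAL_WEAKENINGS = {
    "NSAllowsArbitraryLoads": "ATS disabled for all connections; plaintext HTTP permitted",
    "NSAllowsArbitraryLoadsInWebContent": "ATS disabled for web-view content",
    "NSAllowsArbitraryLoadsForMedia": "ATS disabled for media loads",
    "NSAllowsLocalNetworking": "ATS disabled for local-network hosts",
}


def audit_ats(plist_bytes: bytes) -> List[str]:
    """Return one finding per ATS weakening; an empty list means ATS is intact."""
    info = plistlib.loads(plist_bytes)
    ats = info.get("NSAppTransportSecurity", {})
    findings = []
    for key, why in GLOBAL_WEAKENINGS.items():
        if ats.get(key) is True:
            findings.append(f"{key}: {why}")
    # Per-domain exceptions relax ATS for one host (and optionally its subdomains).
    for domain, exc in ats.get("NSExceptionDomains", {}).items():
        if exc.get("NSExceptionAllowsInsecureHTTPLoads") is True:
            findings.append(f"{domain}: NSExceptionAllowsInsecureHTTPLoads; plaintext HTTP permitted")
        tls = exc.get("NSExceptionMinimumTLSVersion")
        if tls in ("TLSv1.0", "TLSv1.1"):
            findings.append(f"{domain}: NSExceptionMinimumTLSVersion={tls}; below the ATS default of TLSv1.2")
        if exc.get("NSExceptionRequiresForwardSecrecy") is False:
            findings.append(f"{domain}: NSExceptionRequiresForwardSecrecy=false; non-PFS cipher suites permitted")
    return findings


if __name__ == "__main__":
    for name, blob in (("weak", WEAK_PLIST), ("hardened", HARDENED_PLIST),
                       ("domain exception", DOMAIN_EXCEPTION_PLIST)):
        print(f"{name}: {audit_ats(blob) or ['no ATS weakenings']}")
```

One caveat a reviewer should keep in mind: ATS is a plist-level control, but the second half of the reported weakness, the absence of certificate validation, lives in code (for example a URLSession delegate that accepts any server trust), which no plist audit can see. Pair this check with a review of the app's TLS delegate code, or simply point the app at an intercepting proxy with an untrusted CA and see whether the connection succeeds.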

The researchers further demonstrated that a man-in-the-middle could read the data the app downloaded from Navblue servers, including SQLite databases containing information on specific aircraft, as well as take-off performance data.
The researchers gave the example that, with that control disabled, an attacker could modify aircraft performance data or adjust airport information, such as the length of a runway.

Furthermore, since the app is constantly updated with aeronautical information (procedures, how to safely depart from an airport, standard arrival routes, runway and taxiway changes), an attacker could target the Wi-Fi at a hotel where pilots typically stay and modify aircraft performance data there.
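To make the middleman scenario in the preceding paragraphs concrete, here is an added example, not code from Navblue, Airbus or Pen Test Partners. It builds a constructed stand-in for a downloaded aeronautical database (the table layout, the airport row and the runway length are illustrative; the real Flysmart+ schema is not described here), rewrites a runway length the way an attacker on the hotel Wi-Fi could when the transfer is plaintext HTTP with no certificate validation, and then shows the integrity check that would catch the forgery. The check assumes the expected digest reaches the app over a channel the attacker cannot rewrite, which is exactly what ATS and certificate validation were supposed to provide.

```python
"""Tampering with a downloaded aeronautical database in transit, and the
integrity check that catches it.

Added example, not code from Navblue, Airbus or Pen Test Partners. The table
layout, the airport row and the runway length are constructed for illustration.
"""
import hashlib
import hmac
import os
import sqlite3
import tempfile


def _with_db(db_bytes, fn):
    """Run fn(connection) against a temporary copy of db_bytes.

    Returns (fn's result, the database bytes after fn ran). Going through a
    temp file keeps this portable to sqlite3 builds without deserialize().
    """
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "airports.sqlite")
        with open(path, "wb") as f:
            f.write(db_bytes)
        con = sqlite3.connect(path)
        try:
            result = fn(con)
            con.commit()
        finally:
            con.close()
        with open(path, "rb") as f:
            return result, f.read()


def build_airport_db() -> bytes:
    """Constructed stand-in for the database the app downloads from the server."""
    def create(con):
        con.execute("CREATE TABLE runways (icao TEXT, runway TEXT, tora_m INTEGER)")
        # Illustrative take-off run available (metres); not an operational figure.
        con.execute("INSERT INTO runways VALUES ('EGLL', '27L', 3660)")
    return _with_db(b"", create)[1]


def runway_tora(db_bytes: bytes, icao: str, runway: str) -> int:
    """What the performance calculation would read as the usable runway length."""
    def query(con):
        row = con.execute(
            "SELECT tora_m FROM runways WHERE icao = ? AND runway = ?", (icao, runway)
        ).fetchone()
        return row[0]
    return _with_db(db_bytes, query)[0]


def tamper_in_transit(db_bytes: bytes, icao: str, runway: str, fake_tora_m: int) -> bytes:
    """What a Wi-Fi middleman can do when the download is plaintext HTTP with no
    certificate validation: rewrite the response body before the app sees it.
    A longer declared runway lets the calculation accept a lower thrust setting
    than the real runway supports, which is the excursion scenario the article cites."""
    def update(con):
        con.execute(
            "UPDATE runways SET tora_m = ? WHERE icao = ? AND runway = ?",
            (fake_tora_m, icao, runway),
        )
    return _with_db(db_bytes, update)[1]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_download(db_bytes: bytes, expected_digest: str) -> bool:
    """Accept the database only if it matches the digest the publisher vouches for.

    Assumption: expected_digest arrives over a channel the attacker cannot
    rewrite (an HTTPS manifest fetched with ATS and certificate validation
    intact, or a signed manifest). Without such a channel this check adds nothing.
    """
    return hmac.compare_digest(sha256_hex(db_bytes), expected_digest)


if __name__ == "__main__":
    genuine = build_airport_db()
    manifest_digest = sha256_hex(genuine)  # published alongside the file
    forged = tamper_in_transit(genuine, "EGLL", "27L", 4200)
    for label, blob in (("genuine", genuine), ("forged", forged)):
        print(label, "TORA:", runway_tora(blob, "EGLL", "27L"),
              "accepted:", verify_download(blob, manifest_digest))
```

The point of the example is the direction of dependency: a digest or signature check is only as strong as the channel that delivers the reference value, so fixing ATS and certificate validation is the prerequisite, and integrity checking of the downloaded data is the defence in depth that limits the damage if transport security is ever weakened again.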

The vulnerability was first disclosed in June 2022, and Airbus's public disclosure followed 19 months after the initial discovery. The researchers note that fixes to software in this sector can take a long time to ship.

Hackers have previously claimed to have reached the cockpit network by way of the in-flight network. Many in-flight entertainment systems now have USB ports and some airlines run Wi-Fi. Both are potential entry points for a determined attacker, although how far such an attacker could get depends on how strictly the cabin network is segregated from the aircraft's flight-critical systems.

Sources: Pen Test Partners, Cybernews, The Conversation, Smithsonian, I-HLS, CSO Online, Aviation Stackexchange, ZDNet.

Image: Kristopher Allison
