A critical vulnerability has been discovered in the Airbus Navblue Flysmart+ Manager, exposing it to a potential security breach. The Flysmart+ Manager, designed to enhance the efficiency and safety of flight departures and arrivals, was found to have a flaw that allows attackers to tamper with engine performance calculations and intercept data. Security researchers from Pen Test Partners noted that the intentional disabling of App Transport Security (ATS) in one of the iOS apps allows the app to communicate over insecure (non-TLS) connections, leaving that traffic susceptible to interception and manipulation.
By exploiting this vulnerability, the researchers were able to view data downloaded from NAVBLUE Servers, primarily SQLite databases containing aircraft-specific information and take-off performance data. The ability to modify aircraft performance data or adjust airport information could lead to severe consequences, especially during crucial phases of flight. In a potential attack scenario, threat actors could tamper with app traffic when pilots update Flysmart+ EFB apps over insecure networks, posing a risk to flight safety. Airbus has been informed about the issue and confirmed that the upcoming software version will address the vulnerability. In the meantime, a mitigation measure was provided to customers in May 2023.
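The root cause described above, ATS deliberately switched off, is visible in an iOS app's Info.plist, so a build-time check can catch it before release. The following script is an added example, not code from Pen Test Partners or Airbus; the two plist samples are constructed for illustration and are not taken from Flysmart+.

```python
"""Flag App Transport Security (ATS) weakening in an iOS Info.plist.

Added example, not Pen Test Partners' or Airbus's code. The plists below
are constructed samples; they do not come from the Flysmart+ apps.
"""
import plistlib

# Constructed sample: ATS disabled globally, the pattern the finding describes.
# NSAllowsArbitraryLoads=true lets the app fetch over plaintext HTTP from any host.
WEAK_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>com.example.efb</string>
  <key>NSAppTransportSecurity</key>
  <dict><key>NSAllowsArbitraryLoads</key><true/></dict>
</dict></plist>"""

# Constructed sample: ATS left at its defaults (TLS required), plus one
# per-domain entry that still insists on TLS 1.2 and forward secrecy.
HARDENED_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>com.example.efb</string>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSExceptionDomains</key>
    <dict><key>updates.example.test</key><dict>
      <key>NSExceptionMinimumTLSVersion</key><string>TLSv1.2</string>
      <key>NSExceptionRequiresForwardSecrecy</key><true/>
    </dict></dict>
  </dict>
</dict></plist>"""


def ats_findings(plist_bytes: bytes) -> list:
    """Return a list of human-readable ATS weaknesses found in the plist."""
    info = plistlib.loads(plist_bytes)
    ats = info.get("NSAppTransportSecurity", {})
    findings = []
    if ats.get("NSAllowsArbitraryLoads"):
        findings.append("NSAllowsArbitraryLoads=true: plaintext HTTP allowed to any host")
    if ats.get("NSAllowsArbitraryLoadsInWebContent"):
        findings.append("NSAllowsArbitraryLoadsInWebContent=true: web views may load HTTP")
    # Per-domain exceptions can re-open the same hole for a single host.
    for host, rules in ats.get("NSExceptionDomains", {}).items():
        if rules.get("NSExceptionAllowsInsecureHTTPLoads"):
            findings.append(f"{host}: NSExceptionAllowsInsecureHTTPLoads=true")
        if rules.get("NSExceptionRequiresForwardSecrecy") is False:
            findings.append(f"{host}: forward secrecy disabled")
    return findings


if __name__ == "__main__":
    for name, plist in (("weak", WEAK_PLIST), ("hardened", HARDENED_PLIST)):
        print(name, ats_findings(plist) or "no ATS weaknesses")
```

Run it as a CI gate over the built app's Info.plist and fail the build on a non-empty result; an intentional exception should then be a reviewed, per-domain entry rather than a global switch.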