A low-cost Turkish airline accidentally exposed around 6.5 TB of data, including sensitive flight data, source code, and personal information of flight crews, through a misconfigured, publicly readable AWS S3 bucket.
The discovery was made on February 28, 2022, when a research team from security comparison site SafetyDetectives found a misconfigured AWS S3 bucket holding the data of Pegasus Airlines’ “Electronic Flight Bag” (EFB) application.
The bucket contained almost 23 million files, including flight charts, navigation materials, and crew personally identifiable information (PII) such as photos and signatures, all readable by anyone without a password. It also exposed the EFB software’s source code, which contained plain-text passwords and secret keys that a malicious actor could use to modify extra-sensitive files.
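The two weaknesses described here, a bucket that answers unauthenticated listing requests and source code that ships plain-text credentials, are both checkable mechanically. The Python below is an added example written for this article, not code from SafetyDetectives or Pegasus. The bucket name, object keys, XML replies and source snippet are constructed samples (the AWS key pair is Amazon's documented placeholder), not data from the real bucket, and the hardening check uses the field names of the S3 Block Public Access setting.

```python
import re
import xml.etree.ElementTree as ET

S3_NS = "{http://s3.amazonaws.com/doc/2006-03-01/}"

# Constructed reply to an unsigned GET on https://<bucket>.s3.amazonaws.com/
# for a bucket that allows anonymous listing (placeholder names, not real data).
PUBLIC_LISTING = """<ListBucketResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  <Name>example-efb-bucket</Name>
  <Contents><Key>charts/LTFJ-approach.pdf</Key><Size>412000</Size></Contents>
  <Contents><Key>crew/roster-2022-02.xlsx</Key><Size>80210</Size></Contents>
  <Contents><Key>src/efb/settings.py</Key><Size>2048</Size></Contents>
</ListBucketResult>"""

# Constructed reply for a bucket that refuses anonymous listing.
DENIED_LISTING = "<Error><Code>AccessDenied</Code><Message>Access Denied</Message></Error>"

# Constructed settings-file snippet in the style of application code (not Pegasus code).
SAMPLE_SOURCE = '''# settings.py (constructed sample)
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
DB_PASSWORD = "hunter2-efb"
CHART_BUCKET = "example-efb-bucket"
'''


def classify_listing(status: int, body: str) -> dict:
    """Interpret the S3 reply to an unsigned bucket GET.

    200 + ListBucketResult: anyone on the Internet can enumerate the objects.
    403 + AccessDenied: listing is closed (individual objects may still be
    readable if their ACLs are public, so also fetch a known key unsigned).
    404 + NoSuchBucket: the name is unclaimed.
    """
    root = ET.fromstring(body)
    tag = root.tag.replace(S3_NS, "")
    verdict = {"status": status, "public_listing": False, "exists": True,
               "keys": [], "error": None}
    if status == 200 and tag == "ListBucketResult":
        verdict["public_listing"] = True
        verdict["keys"] = [c.findtext(S3_NS + "Key") for c in root.iter(S3_NS + "Contents")]
    elif tag == "Error":
        code = root.findtext("Code")
        verdict["error"] = code
        verdict["exists"] = code != "NoSuchBucket"
    return verdict


# AKIA/ASIA are the documented AWS access-key-ID prefixes; the other two
# patterns catch generic secret and password assignments in source.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)aws_secret_access_key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})"),
    "password_literal": re.compile(
        r"(?i)(?:password|passwd|pwd)\w*\s*[=:]\s*['\"]([^'\"]{4,})['\"]"),
}


def find_plaintext_secrets(source: str) -> list:
    """Return (line_number, kind, redacted_value) for each credential-looking literal."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for kind, pattern in SECRET_PATTERNS.items():
            for m in pattern.finditer(line):
                value = m.group(1) if m.groups() else m.group(0)
                # Keep only the ends so a report of the finding is not itself a leak.
                findings.append((lineno, kind, value[:4] + "..." + value[-4:]))
    return findings


def hardened_public_access_block() -> dict:
    """All four S3 Block Public Access switches on: public ACLs and public
    bucket policies are both rejected and ignored, which closes anonymous listing."""
    return {"BlockPublicAcls": True, "IgnorePublicAcls": True,
            "BlockPublicPolicy": True, "RestrictPublicBuckets": True}


def public_access_fully_blocked(cfg: dict) -> bool:
    """True only if every switch is explicitly on; a partial setting still leaves a path open."""
    return all(cfg.get(k) is True for k in hardened_public_access_block())


if __name__ == "__main__":
    print(classify_listing(200, PUBLIC_LISTING))
    print(classify_listing(403, DENIED_LISTING))
    for finding in find_plaintext_secrets(SAMPLE_SOURCE):
        print(finding)
    print(public_access_fully_blocked({"BlockPublicAcls": True}))
```

In practice the listing reply would come from an unsigned request (for example `curl https://<bucket>.s3.amazonaws.com/`), and the scanner would run over a checkout of the source tree; a denied listing is not proof that objects are private, so a known object key should be fetched unsigned as well.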
“Bad actors could tamper with sensitive flight data and extra-sensitive files using passwords and secret keys found on PegasusEFB’s bucket. While we can’t be certain that pilots will use the bucket’s files for upcoming flights, changing the contents of files could potentially block important EFB information from reaching airline personnel and place passengers and crew members at risk,” the researchers wrote in a blog post.
“Pegasus’ open bucket could facilitate other crimes. A bad actor could identify airplane staff via pictures, signatures, and crew shifts and force them to smuggle goods, weapons, or drugs across borders. What’s more, attackers could use security guidelines to identify weak points in an airport or airplane’s security,” they added.
On March 1, the team contacted Pegasus Airlines about the issue, but it took the company nearly a month to secure the open bucket. It’s not clear whether anyone besides the researchers accessed the exposed bucket while it was open.