Breach at Turkey's Pegasus Airlines Exposes 6.5TB of DataThe Misconfigured AWS S3 Bucket That Led to the Breach Has Now Been Secured
A data breach at Turkish firm Pegasus Airlines has put more than 6.5TB of sensitive electronic flight bag data at risk, including sensitive flight details, source code and staff data, cybersecurity researchers at security firm Safety Detectives say.
"An AWS S3 bucket containing Pegasus Airlines' Electronic Flight Bag (EFB) information was left without password protection, leaking a range of sensitive flight data," the Safety Detectives cybersecurity team says, adding: "The bucket's information was linked to an EFB software developed by PegasusEFB that pilots use for aircraft navigation, takeoff/landing, refueling, safety procedures, and various other in-flight processes."
PegasusEFB's open bucket left data in more than 23 million files accessible to anyone, while also exposing EFB software's source code, which contained plain-text passwords and secret keys that could be used to tamper with the sensitive files, the researchers say.
"These files were left accessible and could allow anyone to delete, modify, or upload data to additional encrypted or password-protected databases, files, and folders on the bucket," according to the researchers. "Files on PegasusEFB’s bucket dated from July 19, 2019."
But the researchers could not ascertain if the bad actors were able to access PegasusEFB's unsecured AWS S3 bucket to read or if they were able to download the bucket's files.
The data at risk includes:
- Acceptance forms, detailing minor issues found during preflight checks;
- Flight charts and revisions, used to assist in navigation and landing;
- Spreadsheets, containing information on airports, flights and crew shifts;
- Documents and memorandums, including insurance documents, permits and safety guidelines;
- Safety integrity level logs containing regulations and source code.
The researchers at Safety Detectives say they did not test these credentials, for ethical reasons. The AWS S3 bucket has now been secured, the team says, adding that Amazon was not responsible for the misconfiguration.
Pegasus Airlines did not immediately respond to Information Security Media Group's request for comment.
Timeline of Events
Safety Detectives researchers found the PegasusEFB's open bucket on Feb. 28, 2022, as part its large-scale web-mapping project. They researchers say they used web scanners to find unsecured data stores and upon discovering the bucket, they examined PegasusEFB's exposed data.
"We emailed Pegasus Airlines on March 1, 2022, regarding PegasusEFB's open bucket. On March 20, 2022, we sent a follow-up message to Pegasus and reached out to PegasusEFB. On March 24, 2022, we responsibly disclosed the data exposure to Pegasus EFB after making contact with the company," the researchers say.
Impact of the Exposure
This exposure, the researchers say, could affect the "safety of every Pegasus passenger and crew member around the world." Affiliated airlines that use PegasusEFB could also be affected, they add. PegasusEFB is also used by other companies, such as IZair and Air Manas, but neither has reported any cybersecurity issues yet.
Airline crew enjoy special status when it comes to access to sensitive areas of airports as well as streamlined review at passport control and customs areas, says Tim Mackey, principal security strategist at the Synopsys Cybersecurity Research Center.
"With the breach reports indicating that accessible data included crew identification data such as photos, signatures and shift operations, this breach goes beyond a simple case of yet another instance of a poorly secured cloud storage system into one where the collateral damage from the breach is much more than just PII," Mackey tells ISMG.
"Bad actors could tamper with sensitive flight data and extra-sensitive files using passwords and secret keys found on PegasusEFB's bucket. While we can't be certain that pilots will use the bucket's files for upcoming flights, changing the contents of files could potentially block important EFB information from reaching airline personnel and place passengers and crew members at risk. With millions of files containing recent and possibly relevant flight data, unfortunately, an attacker could have numerous options to cause harm if they found PegasusEFB's bucket," the Safety Detectives researchers say.
They add that Pegasus' open bucket could also facilitate other crimes and could use security guidelines to identify weak points in an airport or airplane's security.
"A bad actor could identify airplane staff via pictures, signatures, and crew shifts and force them to smuggle goods, weapons, or drugs across borders. Staff members should seek assistance from law enforcement if they're approached or contacted by malicious individuals. PegasusEFB may check the accuracy of critical documents, while airlines and airports should change exposed security protocols where possible," the researchers say.
They also say that the PegasusEFB's open bucket has violated the privacy of airplane staff and may have breached Turkey's data protection regulation, the Law on the Protection of Personal Data.
"Turkey's Personal Data Protection Authority could therefore impose a maximum fine of approximately $183,000," the researchers say.