Pegasus Airlines is a Turkey-based low-cost airline that exposed Electronic Flight Bag (EFB) data to the public including sensitive information such as source code, crew and staff data, and flight details.
A team of security researchers at SafetyDetectives have shared details of an unprotected cloud data storage discovered on February 28th, 2022. The details of the incident have only been shared this week.
According to researchers, the data belonged to a low-cost domestic and international flight operator known as Pegasus Airlines. Part of the data leak is the personal information of the airline’s flight crew, source code, and flight data. The database was left open in an AWS S3 bucket.
Details of Leaked Data
In a blog post published by SafetyDetectives, around 23 million documents were stored in the unprotected AWS S3 bucket, which equated to about 6.5TB of data. The exposed data included more than 3 million sensitive flight data files, including flight charts/revisions, pre-flight checks-related issues’ details, insurance documents, and crew shift information.
Furthermore, more than 1.6 million files contained the airline crew’s PII (personally identifiable information). This included their photos and signatures.
Pegasus Airlines’ EFB Software Leaked the Data
Reportedly, parts of the leaked data were tracked to the EFB (Electronic Flight Bag) software. This software, PegasusEFB, is developed by Pegasus Airlines and acts as an information management tool for the airline. EFBs help optimize the crew’s productivity by offering vital reference materials for the flight.
According to the SafetyDetectives research team, the source code of the EFB software was also included in the exposed database, including secret keys and plain text passwords. Pilots use PegasusEFB for various functions like take-off/landing, aircraft navigation, refueling, safety procedures, and other in-flight operations.
The data leak has jeopardized the safety and privacy of the Pegasus Airline’s crew members. Researchers noted that the leak would allow threat actors to access sensitive flight details. Organized crime groups can coerce crew members, and bad actors may identify security loopholes in the airline and airport security.
Cybercriminals can tamper with “sensitive flight data and extra-sensitive files using passwords and secret keys found on PegasusEFB bucket.” Though researchers further claimed that there’s no certainty that pilots would use this bucket’s files for future flights, their contents may block vital EFB data from reaching the airline staff and risk the passengers and crew members.
“With millions of files containing recent and possibly relevant flight data, unfortunately, an attacker could have numerous options to cause harm if they found PegasusEFB’s bucket.”
SafetyDetectives Cybersecurity Team
SafetyDetectives researchers stated that at the moment, there’s no evidence threat actors detected the trove before they did. The team notified Pegasus Airlines on 1 March 2022, and three weeks later, the leak was remediated.