23 Million Sensitive Airline Files Leaked Due to Insecure AWS Bucket


Alexander Boero

June 01, 2022 at 5:00 p.m.


Pegasus Airlines Airbus A320 © Vytautas Kielaitis / Shutterstock.com

An Amazon Web Services (AWS) object storage container was not properly secured, resulting in the leak of millions of files from Pegasus Airlines.

Teams at the cybersecurity specialist Safety Detectives discovered that an AWS S3 “bucket”, that is, a container used to store data and files in the cloud in object format, had remained accessible online because it was left unprotected, without a password. This lapse is all the more serious because the bucket in question hosted critical data from the Turkish airline Pegasus Airlines, owned by the private equity firm of the same country, Esas Holding AS. Let’s see what happened.

6.5 TB of critical data left exposed

AWS S3 (Amazon Simple Storage Service), the American giant’s cloud storage service, is accessible via a web interface. It lets you store data and files in what are called buckets. Because they sit in the cloud, these are then accessible to their owners from any device connected to the Internet.

It turns out that the bucket in question contained Electronic Flight Bag (EFB) information from the low-cost carrier Pegasus Airlines. More specifically, it held about 6.5 TB of data and hosted 23 million documents, 3.2 million of which contained sensitive flight data.


Some files contained safety instructions © Safety Detectives

This information therefore came from EFB software developed by Pegasus. Electronic Flight Bag data is particularly critical and sensitive. We are talking here about a device that allows an aircraft’s crew to more easily carry out the tasks of flight management, navigation, take-off, landing, refueling or security.

Significant risks for the company, its staff and its passengers

The bucket, which was discovered fully open on February 28, 2022, without any password, also contained data such as flight maps, revision cards, navigation documents, information on problems related to pre-flight checks, insurance documents and more. There was also identifiable personal data belonging to the company’s crew, with photos and signatures.

Flight maps included navigation information © Safety Detectives

All of this freely exposed information relates to Pegasus EFB, software whose source code was also exposed, with plain text passwords and secret keys contained in some 400 files in exe, apk, dll, msi and other formats. In the wrong hands, this information could be used to modify extremely sensitive files. This flaw could also affect affiliated airlines that use Pegasus EFB, such as IZair and Air Manas.

Pegasus Airlines quickly secured the AWS S3 bucket, but it is impossible to know at this time whether hackers or other malicious individuals were able to access it while it was unprotected. If so, the consequences could be serious, even endangering company personnel, including crew members, and passengers.

“A bad actor could identify plane personnel via photos, signatures and crew changes, and force them to smuggle goods, weapons or drugs across borders,” says Safety Detectives. In addition, the security instructions that were available could help identify weak points in the security of an aircraft or an airport.
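The article does not say which bucket setting left the data readable. As an added example (not code from Safety Detectives or Pegasus), this Python check covers the two places where public access to an S3 bucket is usually granted, the bucket ACL and the bucket policy, using constructed sample documents in the shape AWS returns; the function names and the bucket name are hypothetical.

```python
import json

# ACL grantee URIs meaning "anyone" and "any authenticated AWS account".
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

def public_acl_grants(acl):
    """Permissions an ACL (GetBucketAcl response shape) gives to public groups."""
    return sorted(g["Permission"] for g in acl.get("Grants", [])
                  if g.get("Grantee", {}).get("URI") in PUBLIC_GROUPS)

def is_wildcard(principal):
    """True for Principal "*" or {"AWS": "*"} / {"AWS": ["*", ...]}."""
    if isinstance(principal, dict):
        principal = principal.get("AWS", [])
    return "*" in ([principal] if isinstance(principal, str) else principal or [])

def public_policy_statements(policy_json):
    """Allow statements open to any principal. Statements with a Condition
    are skipped here and still need manual review."""
    stmts = json.loads(policy_json).get("Statement", [])
    stmts = [stmts] if isinstance(stmts, dict) else stmts
    return [s for s in stmts if s.get("Effect") == "Allow"
            and is_wildcard(s.get("Principal")) and not s.get("Condition")]

def audit(acl, policy_json=None):
    """Return readable findings; an empty list means nothing public was found."""
    findings = [f"ACL grants {p} to a public group" for p in public_acl_grants(acl)]
    for s in public_policy_statements(policy_json) if policy_json else []:
        findings.append(f"policy allows {s.get('Action')} to any principal")
    return findings

# Constructed sample input (hypothetical bucket name), not data from the incident.
SAMPLE_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-placeholder"},
     "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group",
                 "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]}
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-bucket/*"},
]})

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_ACL, SAMPLE_POLICY)))
```

An empty result from `audit` only covers these two settings; account-level and bucket-level Block Public Access configuration should be reviewed as well.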


Source: Safety Detectives


