Aerospace & Aeronautics - Quarkslab

Aerospace & Aeronautics

Manufacturers, suppliers, operators

The firmware that flies can’t have flaws.

ADS-B with no authentication, FADEC on 20-year-old architectures, military satellites targeted by 7 documented APT groups. Avionics security is not a regulatory option — Quarkslab audits it where no one else goes.

1
APT groups actively targeting the sector
DO-326A
EASA avionics cybersecurity standard, mandatory
$1K/hr
Cost of halting an Airbus assembly line
1 years
Average lifespan of a certified avionics system

AN ATTACK SURFACE FROM THE COCKPIT TO ORBIT

FADEC, FMS, ACARS: 20-year-old code, open interfaces
Avionics systems run on RTOS (VxWorks, LynxOS, Green Hills) never patched since their certification. JTAG/UART maintenance interfaces remain active in production. ARINC 429/664 buses transmit flight data with no cryptographic authentication.

ADS-B & GPS: protocols with no native authentication
ADS-B broadcasts aircraft positions without any authentication — spoofing costs €200 of hardware. In 2024-2025, incidents were documented over the Mediterranean and the Baltic Sea. ACARS can be injected to falsify ATC instructions.

APT40, Volt Typhoon: F-35, FCAS, military satellites
APT40 (MSS) is documented on the F-35 and FCAS programs. Volt Typhoon is pre-positioning on US ATM infrastructure. APT29 has exfiltrated data from NATO aviation programs via compromised software supply chains.

DO-326A: cyber certification is not a checklist
DO-326A requires a documented Security Risk Assessment (SeRA) on avionics systems — not a network scan dressed up as a report. EASA/FAA certification dossiers must include structured security assessments performed by qualified providers.

OUR SERVICES

QREDTEAM

ADVERSARY SIMULATION

  • APT Red Team (APT40, Volt Typhoon) on OEM and MRO networks
  • Pentest of embedded avionics interfaces (EFB, maintenance ports, ACARS)
  • GPS/ADS-B spoofing simulation and CPDLC command injection
  • Supply-chain Red Team via aeronautics PLM/CAD/ERP portals

QLAB

DEEP SECURITY RESEARCH

  • Avionics firmware reverse engineering (VxWorks, LynxOS, Green Hills) without sources
  • SATCOM terminal audit — firmware extraction, proprietary protocols
  • 0-day research on ARINC 429/664 buses and proprietary avionics protocols
  • Structured DO-326A / PART-IS deliverables, integrable into EASA/FAA dossiers

QSHIELD

SOFTWARE PROTECTION

  • Protection of military-drone autopilot firmware against adversary reverse engineering
  • Anti-RE of the embedded code of exported military and commercial satellites
  • IP protection of navigation and guidance algorithms delivered abroad
  • Anti-tamper compatible with DO-326A certification

QUARKSLAB DIFFERENTIATOR

Quarkslab is the only independent player in Europe combining reverse engineering of certified avionics RTOS, native DO-326A/PART-IS deliverables, and QShield to protect the firmware of drones and satellites delivered abroad. A combination that exists nowhere else.

WHAT WE WOULD SAY TO EACH OTHER, FACE TO FACE

Can your security provider read a VxWorks binary on ARM without source access?

DO-326A is not a form to fill in. It is an assessment that requires genuinely understanding what runs in your systems. A network scan doesn’t see the vulnerabilities in the FADEC. The certification you spent years obtaining doesn’t guarantee that the code is free of flaws exploitable today.