Audit finds 700 big vulnerabilities in air traffic systems

Flaws could make air traffic control susceptible to cyberattacks, DOT report says

A government audit has found more than 760 high-risk vulnerabilities in Web applications used to support Air Traffic Control (ATC) operations around the U.S.

The flaws, which were discovered in 70 Web applications tied to ATC operations, give attackers a way to gain access not just to underlying Web servers but potentially to other more critical backend systems, the report from the U.S. Department of Transportation's Office of Inspector General (OIG) noted.

The report was released Wednesday and stemmed from a request by U.S. Reps. John Mica (R-Fla) and Tom Petri (R-Wis.), ranking minority members of the Aviation Subcommittee of the House Committee on Transportation and Infrastructure. It is based on an audit of Web application security controls and intrusion detection capabilities in air traffic control systems.

The audit identified more than 3,850 vulnerabilities in 70 Web applications, half of which were public facing, such as applications used to disseminate information to the public over the Internet, including communications frequencies for pilots and controllers. More than 760 of the vulnerabilities were identified as high risk and could allow attackers to access data and remotely execute malicious code and commands on critical systems.

About 500 of the vulnerabilities were rated as medium risk and the rest were rated as low risk. According to the OIG, medium and low risk vulnerabilities could allow attackers to glean important information, such as system or network configuration data, that could later be used in crafting an attack.

The audit was conducted under contract for the office of Inspector General Calvin Scovel by consulting firm KPMG LLP.

During the audit, testers gained unauthorized access to several Web application systems. In one case, testers were able to access program source code and other information stored on a Web application server associated with air traffic flow management. In another instance, Web application vulnerabilities allowed KPMG staff to gain access to critical power monitoring systems at ATC centers in Boston, Anchorage, Denver and three other cities. The access allowed the testers to generate power condition reports that could have been used for planning an attack.

Security auditors also found that a vast majority of ATC facilities had insufficient controls for detecting and monitoring security intrusions. The audit found adequate intrusion-detection capabilities in 11 "out of hundreds" of ATC facilities.

The vulnerabilities are significant because the Federal Aviation Administration has begun increasingly using commercial software and IP-based technologies to modernize ATC systems, the report noted. Such technology "inevitably poses a higher security risk to ATC systems than when they were developed primarily with proprietary software," the report added.

The report comes less than three months after a breach at the FAA in which the personal data of about 45,000 employees and retirees was apparently stolen from an agency server. The FAA said the compromise resulted from an intrusion into the system that was storing the data, but did not elaborate. At that time, the FAA stated that there were no indications that any of the servers used for air traffic control or other operation systems had been compromised.

The OIG report noted that the February breach was caused by a Web application vulnerability used by the attackers to gain access to the system containing the personal identity data. In another incident last August, hackers planted malicious code on a Web application server to gain access take control of the FAA's domain control servers, which they could have shut down, the report warned.

The results of the audit, while troubling, are not entirely unexpected, said Barmak Meftah, vice president of products and technology at Fortify Software Inc., a San Mateo, Calif.-based vendor of application security products. Fortify, which has several government agencies as customers including the U.S. Department of Defense, released a report in March highlighting some of the dangers faced by these agencies from vulnerable Web applications.

"What is disconcerting is that there are so many high-risk vulnerabilities," Mafteh said. "We all expect to see some vulnerabilities in Web applications. But on FAA and ATC systems, one would hope more attention is paid to them."

Many of the Web applications deployed across government agencies and the private sector are rife with vulnerabilities that are often hard to detect and hard to mitigate, Meftah said.

However, there are tools for monitoring Web applications for suspicious activity and for "hardening" them against malicious attacks, he said. Fortify, for instance, is one among several vendors that sells a product capable of detecting and blocking suspicious activity on a Web application server. Web application firewalls that are capable of detecting some of the more commonly known attacks are another option. But over the longer term, more attention needs to be paid to ensuring that security is baked into Web applications during the development process itself as opposed to bolting it on after products have been deployed, he said.

The FAA, which received the report in March, concurred with all of the findings and recommendations, the auditors noted. In its response, the FAA said the audit involved only administrative and mission support systems and not operational systems. The memo stressed that the FAA would "treat vulnerabilities identified in the OIG report with the utmost diligence." It also noted that immediate attention would be paid to mitigating the high and moderate risk vulnerabilities uncovered in the audit.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection

Tags USA governmentair traffic control

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Jaikumar Vijayan

Computerworld (US)
Show Comments

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

David Coyle

Brother PocketJet PJ-773 A4 Portable Thermal Printer

I rate the printer as a 5 out of 5 stars as it has been able to fit seamlessly into my busy and mobile lifestyle.

Kurt Hegetschweiler

Brother PocketJet PJ-773 A4 Portable Thermal Printer

It’s perfect for mobile workers. Just take it out — it’s small enough to sit anywhere — turn it on, load a sheet of paper, and start printing.

Matthew Stivala

HP OfficeJet 250 Mobile Printer

The HP OfficeJet 250 Mobile Printer is a great device that fits perfectly into my fast paced and mobile lifestyle. My first impression of the printer itself was how incredibly compact and sleek the device was.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?