U.S. air traffic control systems are at high risk of attack due to their links to insecure Web applications run by aviation authorities around the country, according to a U.S. Department of Transportation audit.
Penetration testers found 763 high-risk vulnerabilities in 70 Web applications used for functions such as distributing communications frequencies for pilots and controllers to the public and other applications used for internal air traffic control (ATC) systems within the U.S. Federal Aviation Administration (FAA), the report said.
A high-risk vulnerability is classified as one where an attacker could take control over a computer, modifying systems or stealing data. Testers also found 504 medium-risk and 2,590 low-risk vulnerabilities, such as the use of weak passwords and unprotected critical file folders, the report said.
"In our opinion, unless effective action is taken quickly, it is likely to be a matter of when, not if, ATC systems encounter attacks that do serious harm to ATC operations," the report concluded.
FAA officials could not immediately be reached. But the agency has acknowledged the problems in the report and made plans for more rigorous patching of Web applications and increased use of intrusion-detection systems.
The FAA uses commercial software programs to distribute information over the Internet, but the agency has failed to install enough intrusion-detection systems needed for protection, the report said. Web application systems in use often act as a front door to other sensitive systems and information stored elsewhere.
The nation's ATC systems are spread out at hundreds of facilities, but intrusion-detection systems have been installed at only 11.
"Cyber incidents were not effectively monitored at ATC facilities," the report said. "To identify potential cyber incidents, FAA needs IDS sensors installed at key locations to collect critical information for security analyses."
More than 800 computer-related security incidents were reported in fiscal 2008 to the Air Traffic Organization (ATO), the part of the FAA that handles the management of some 50,000 aircraft moving through U.S. airspace per day. By the end of the year, the problems behind 150 of those incidents had still not been fixed, "including critical incidents in which hackers may have taken over control of ATO computers," the report said.
Hackers have already done damage. In February, attackers gained access through a weak Web application to an internal FAA database, which held names, birth dates, Social Security numbers, pay grades and addresses for some 48,000 current and former agency employees.
In August 2008, hackers compromised critical network servers and could have shut them down, "which could have caused serious disruption to FAA's mission-support network," the report said.
During the audit, officials from consultancy KPMG and the U.S. Department of Transportation's Office of the Inspector General gained unauthorized access to computers associated with the Traffic Flow Management Infrastructure system, the Juneau Aviation Weather System and the Albuquerque Air Traffic Control Tower, the report said.
The access was possible due to misconfigured Web applications, some of which were unpatched despite publicly available fixes from software vendors, it said.