A government audit has found more than 760 high-risk vulnerabilities in Web applications used to support Air Traffic Control (ATC) operations around the country.
The flaws, which were discovered in 70 Web applications tied to ATC operations, give attackers a way to gain access not just to underlying Web servers but potentially to other more critical backend systems, the report ( download PDF) from the U.S. Department of Transportation's Office of Inspector General (OIG) noted.
The report was released Wednesday and stemmed from a request by U.S. Reps. John Mica (R-Fla) and Tom Petri (R-Wis.), ranking minority members of the Aviation Subcommittee of the House Committee on Transportation and Infrastructure. It is based on an audit of Web application security controls and intrusion detection capabilities in air traffic control systems.
The audit identified more than 3,850 vulnerabilities in 70 Web applications, half of which were public facing, such as applications used to disseminate information to the public over the Internet, including communications frequencies for pilots and controllers. More than 760 of the vulnerabilities were identified as high risk and could allow attackers to access data and remotely execute malicious code and commands on critical systems.
About 500 of the vulnerabilities were rated as medium risk and the rest were rated as low risk. According to the OIG, medium and low risk vulnerabilities could allow attackers to glean important information, such as system or network configuration data, that could later be used in crafting an attack.
The audit was conducted under contract for the office of Inspector General Calvin Scovel by consulting firm KPMG LLP.
During the audit, testers gained unauthorized access to several Web application systems. In one case, testers were able to access program source code and other information stored on a Web application server associated with air traffic flow management. In another instance, Web application vulnerabilities allowed KPMG staff to gain access to critical power monitoring systems at ATC centers in Boston, Anchorage, Denver and three other cities. The access allowed the testers to generate power condition reports that could have been used for planning an attack.
Security auditors also found that a vast majority of ATC facilities had insufficient controls for detecting and monitoring security intrusions. The audit found adequate intrusion-detection capabilities in 11 "out of hundreds" of ATC facilities.
The vulnerabilities are significant because the Federal Aviation Administration has begun increasingly using commercial software and IP-based technologies to modernize ATC systems, the report noted. Such technology "inevitably poses a higher security risk to ATC systems than when they were developed primarily with proprietary software," the report added.
The report comes less than three months after a breach at the FAA in which the personal data of about 45,000 employees and retirees was apparently stolen from an agency server. The FAA said the compromise resulted from an intrusion into the system that was storing the data, but did not elaborate. At that time, the FAA stated that there were no indications that any of the servers used for air traffic control or other operation systems had been compromised.
The OIG report noted that the February breach was caused by a Web application vulnerability used by the attackers to gain access to the system containing the personal identity data. In another incident last August, hackers planted malicious code on a Web application server to gain access take control of the FAA's domain control servers, which they could have shut down, the report warned.
The results of the audit, while troubling, are not entirely unexpected, said Barmak Meftah, vice president of products and technology at Fortify Software Inc., a San Mateo, Calif.-based vendor of application security products. Fortify, which has several government agencies as customers including the U.S. Department of Defense, released a report in March highlighting some of the dangers faced by these agencies from vulnerable Web applications.
"What is disconcerting is that there are so many high-risk vulnerabilities," Mafteh said. "We all expect to see some vulnerabilities in Web applications. But on FAA and ATC systems, one would hope more attention is paid to them."
Many of the Web applications deployed across government agencies and the private sector are rife with vulnerabilities that are often hard to detect and hard to mitigate, Meftah said.
However, there are tools for monitoring Web applications for suspicious activity and for "hardening" them against malicious attacks, he said. Fortify, for instance, is one among several vendors that sells a product capable of detecting and blocking suspicious activity on a Web application server. Web application firewalls that are capable of detecting some of the more commonly known attacks are another option. But over the longer term, more attention needs to be paid to ensuring that security is baked into Web applications during the development process itself as opposed to bolting it on after products have been deployed, he said.
The FAA, which received the report in March, concurred with all of the findings and recommendations, the auditors noted. In its response, the FAA said the audit involved only administrative and mission support systems and not operational systems. The memo stressed that the FAA would "treat vulnerabilities identified in the OIG report with the utmost diligence." It also noted that immediate attention would be paid to mitigating the high and moderate risk vulnerabilities uncovered in the audit.