Skip the navigation

Audit finds 700 high-risk vulnerabilities in air traffic systems

Flaws could make air traffic control susceptible to cyberattacks, DOT report says

May 7, 2009 12:00 PM ET

Computerworld - A government audit has found more than 760 high-risk vulnerabilities in Web applications used to support Air Traffic Control (ATC) operations around the country.

The flaws, which were discovered in 70 Web applications tied to ATC operations, give attackers a way to gain access not just to underlying Web servers but potentially to other more critical backend systems, the report ( download PDF) from the U.S. Department of Transportation's Office of Inspector General (OIG) noted.

The report was released Wednesday and stemmed from a request by U.S. Reps. John Mica (R-Fla) and Tom Petri (R-Wis.), ranking minority members of the Aviation Subcommittee of the House Committee on Transportation and Infrastructure. It is based on an audit of Web application security controls and intrusion detection capabilities in air traffic control systems.

The audit identified more than 3,850 vulnerabilities in 70 Web applications, half of which were public facing, such as applications used to disseminate information to the public over the Internet, including communications frequencies for pilots and controllers. More than 760 of the vulnerabilities were identified as high risk and could allow attackers to access data and remotely execute malicious code and commands on critical systems.

About 500 of the vulnerabilities were rated as medium risk and the rest were rated as low risk. According to the OIG, medium and low risk vulnerabilities could allow attackers to glean important information, such as system or network configuration data, that could later be used in crafting an attack.

The audit was conducted under contract for the office of Inspector General Calvin Scovel by consulting firm KPMG LLP.

During the audit, testers gained unauthorized access to several Web application systems. In one case, testers were able to access program source code and other information stored on a Web application server associated with air traffic flow management. In another instance, Web application vulnerabilities allowed KPMG staff to gain access to critical power monitoring systems at ATC centers in Boston, Anchorage, Denver and three other cities. The access allowed the testers to generate power condition reports that could have been used for planning an attack.

Security auditors also found that a vast majority of ATC facilities had insufficient controls for detecting and monitoring security intrusions. The audit found adequate intrusion-detection capabilities in 11 "out of hundreds" of ATC facilities.

The vulnerabilities are significant because the Federal Aviation Administration has begun increasingly using commercial software and IP-based technologies to modernize ATC systems, the report noted. Such technology "inevitably poses a higher security risk to ATC systems than when they were developed primarily with proprietary software," the report added.



Our Commenting Policies