The U.S. Department of Transportation report, with the help of auditors from KPMG, determined that the ATC's Web-based applications aren't secured from attacks or unauthorized access, and that the FAA hasn't set up the necessary intrusion-detection functions to catch security incidents at ATC locations.
And the FAA's Air Traffic Organization, which heads up ATC operations, received more than 800 security incident alerts in fiscal 2008, but still had not fixed 17 percent of the flaws that caused them, "including critical incidents in which hackers may have taken over control of ATO computers," the report says.
The auditors tested 70 of the FAA's ATC Web applications, including ones that provide information to the general public, as well as to pilots and controllers, and some internal apps. Of the vulnerabilities they discovered, nearly 2,600 were considered low-risk threats, such as unprotected folders of sensitive data and weak passwords.
While the number of serious flaws in the FAA's apps appears to be staggering, Jeremiah Grossman, CTO of WhiteHat Security, says the rate is actually in line with the average number of bugs his security firm finds in most Web applications. "Our average is about seven per Website," Grossman says.
The vulnerabilities in the FAA's Web applications could allow an attacker to access information stored on the Web servers, and unauthorized internal FAA users could also access back-end air traffic control servers. "In addition, these vulnerabilities could allow attackers to compromise FAA user computers by injecting malicious code onto the computers," the report said.
Auditors were able to hack their way through the Web apps to get to data on the Web application and ATC servers, including the FAA's Traffic Flow Management Infrastructure system, Juneau Aviation Weather System, and the Albuquerque Air Traffic Control Tower. They also were able to gain entry into an ATC system that monitors power, according to the report.
Another vulnerability in the FAA's Traffic Flow Management Infrastructure leaves related applications open to malware injection.
The FAA's Web applications were not properly configured to prevent unauthorized access and had not been patched with the fixes software vendors had already released for known vulnerabilities, the report says.
Auditors recommended that the FAA improve its patch management strategy, expand intrusion detection tools to all ATC facilities, and speed up remediation of application flaws. The good news from the audit is that no attacks have actually hit the operational air traffic control system -- just the back-end, support applications. "However, it is important to understand that attacks can spread from the mission-support network to the operational network -- where real-time surveillance, communications, and flight information is processed to separate aircraft -- because of network connections," the report says.