Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

5/8/2009
01:19 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Thousands of Vulnerabilities Detected In FAA's Air Traffic Control Apps

Government audit of 70 Federal Aviation Administration Web-based applications finds flaws that could put air traffic, itself, at risk

A government audit (PDF) has pinpointed more than 3,800 vulnerabilities -- 763 of which are high-risk -- in the Federal Aviation Administration's Web-based air traffic control system applications, including some that could potentially put air travel at risk.

The U.S. Department of Transportation report, with the help of auditors from KPMG, determined that the ATC's Web-based applications aren't secured from attacks or unauthorized access, and that the FAA hasn't set up the necessary intrusion-detection functions to catch security incidents at ATC locations.

And the FAA's Air Traffic Organization, which heads up ATC operations, received more than 800 security incident alerts in fiscal 2008, but still had not fixed 17 percent of the flaws that caused them, "including critical incidents in which hackers may have taken over control of ATO computers," the report says.

The auditors tested 70 of the FAA's ATC Web applications, including ones that provide information to the general public, as well as to pilots and controllers, and some internal apps. Of the vulnerabilities they discovered, nearly 2,600 were considered low-risk threats, such as unprotected folders of sensitive data and weak passwords.

While the number of serious flaws in the FAA's apps appears to be staggering, Jeremiah Grossman, CTO of WhiteHat Security, says the rate is actually in line with the average number of bugs his security firm finds in most Web applications. "Our average is about seven per Website," Grossman says.

The vulnerabilities in the FAA's Web applications could allow an attacker to access information stored on the Web servers, and unauthorized internal FAA users could also access back-end air traffic control servers. "In addition, these vulnerabilities could allow attackers to compromise FAA user computers by injecting malicious code onto the computers," the report said.

Auditors were able to hack their way through the Web apps to get to data on the Web application and ATC servers, including the FAA's Traffic Flow Management Infrastructure system, Juneau Aviation Weather System, and the Albuquerque Air Traffic Control Tower. They also were able to gain entry into an ATC system that monitors power, according to the report.

Another vulnerability in the FAA's Traffic Flow Management Infrastructure leaves related applications open to malware injection.

The FAA's Web applications were improperly configured to prevent unauthorized access and had not been patched to fix known vulnerabilities from software vendors, the report says.

Auditors recommended that the FAA improve its patch management strategy, expand intrusion detection tools to all ATC facilities, and speed up remediation of application flaws. The good news from the audit is that no attacks have actually hit the operational air traffic control system -- just the back-end, support applications. "However, it is important to understand that attacks can spread from the mission-support network to the operational network -- where real-time surveillance, communications, and flight information is processed to separate aircraft -- because of network connections," the report says.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message. Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 10/27/2020
Chinese Attackers' Favorite Flaws Prove Global Threats, Research Shows
Kelly Sheridan, Staff Editor, Dark Reading,  10/27/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-27652
PUBLISHED: 2020-10-29
Algorithm downgrade vulnerability in QuickConnect in Synology DiskStation Manager (DSM) before 6.2.3-25426-2 allows man-in-the-middle attackers to spoof servers and obtain sensitive information via unspecified vectors.
CVE-2020-27653
PUBLISHED: 2020-10-29
Algorithm downgrade vulnerability in QuickConnect in Synology Router Manager (SRM) before 1.2.4-8081 allows man-in-the-middle attackers to spoof servers and obtain sensitive information via unspecified vectors.
CVE-2020-27654
PUBLISHED: 2020-10-29
Improper access control vulnerability in lbd in Synology Router Manager (SRM) before 1.2.4-8081 allows remote attackers to execute arbitrary commands via port (1) 7786/tcp or (2) 7787/tcp.
CVE-2020-27655
PUBLISHED: 2020-10-29
Improper access control vulnerability in Synology Router Manager (SRM) before 1.2.4-8081 allows remote attackers to access restricted resources via inbound QuickConnect traffic.
CVE-2020-27656
PUBLISHED: 2020-10-29
Cleartext transmission of sensitive information vulnerability in DDNS in Synology DiskStation Manager (DSM) before 6.2.3-25426-2 allows man-in-the-middle attackers to eavesdrop authentication information of DNSExit via unspecified vectors.