A government audit has found more than 3,800 vulnerabilities were reportedly found in the Federal Aviation Administration's (FAA's) web-based air traffic control system applications. 763 of the vulnerabilities are high-risk and some could put air travelers at risk.

Congress requested the audit of air traffic control (ATC) computer systems in order to ensure air travelers were safe. (Source: cgisecurity.com)

The FAA has been using commercial software and Internet Protocol-based technologies in order to modernize ATC systems, moving away from the proprietary software the systems were originally developed for.

The report determined that the ATC's web-based applications aren't secured from attacks or unauthorized access and pose a higher risk to the FAA's ATC system.

763 High-Risk Vulnerabilities Identified

70 web applications were tested. 763 high-risk, 504 medium-risk, and 2,590 low-risk vulnerabilities were identified as a result of the audit. High-risk vulnerabilities provide an attacker with immediate access to a computer system. Medium and Low-risk vulnerabilities may provide an attacker with useful information that can be used to compromise a computer system.

Auditors were able to gain unauthorized access to information stored on web application computers and an ATC system, and were able to confirm system vulnerabilities to malicious code attacks.

Exploiting those vulnerabilities could allow someone to gain unauthorized access to information stored on web application computers. Internal FAA users could gain unauthorized access to ATC systems because the web applications often serve as front-end interfaces to ATC systems. As a result, FAA user computers could be injected with malicious code.

Current Security Systems Inadequate

The Traffic Flow Management Infrastructure system, the Juneau Aviation Weather System and the Albuquerque Air Traffic Control Tower were all infiltrated and unauthorized access was gained to information stored on web application computers. Other examples of unauthorized access are in the report (PDF).

Unauthorized access was gained because web applications were not adequately configured to prevent unauthorized access and software with known vulnerabilities was not updated with readily available security patches.

The report makes several recommendations for correcting the vulnerabilities and for implementing an intrusion-detection-system (IDS) at various critical network points. Current intrusion-detection capabilities are not adequate to protect ATC systems.

FAA ATC System Have a History of Vulnerability

More than 800 cyber alerts were issued to the Air Traffic Organization (ATO) during Fiscal Year (FY) 2008. As of the end of FY 2008, over 150 incidents, including those where hackers may have taken over control of ATO computers, had not been fully addressed.

ATC systems in Alaska had to be shut down by the FAA after a viral attack in 2006. In 2008 hackers took control of FAA's critical network servers and gained the power to shut down the servers. In February 2009, an FAA public-facing web application computer was compromised by hackers and used to gain unauthorized access to personally identifiable information on 48,000 current and former FAA employees.

The complete report (PDF) is available from The Office of The Inspector General.

Visit Bill's Links and More for more great tips, just like this one!