UPDATE: Detailed results of the ATC web security audit

CNET posted a link to the Office of Inspector General’s report that lays out the vulnerabilities found in the recent audit of ATC systems security.  (See our previous post on this story.) There’s quite a lot of sobering content, here a small sample:

We tested 70 Web applications, some of which are used to disseminate information to the public over the Internet, such as communications frequencies for pilots and controllers; others are used internally within FAA to support eight ATC systems.3 Our test identified a total of 763 high-risk, 504 medium-risk, and 2,590 low-risk vulnerabilities,4 such as weak passwords and unprotected critical file folders.
By exploiting these vulnerabilities, the public could gain unauthorized access to information stored on Web application computers. Further, through these vulnerabilities, internal FAA users (employees, contractors, industry partners, etc.) could gain unauthorized access to ATC systems because the Web applications often act as front-end interfaces (providing front-door access) to ATC systems. In addition, these vulnerabilities could allow attackers to compromise FAA user
computers by injecting malicious code onto the computers. During the audit, KPMG and OIG staff gained unauthorized access to information stored on Web application computers and an ATC system, and confirmed system vulnerability to malicious code attacks.

  • Unauthorized access was gained to information stored on Web application computers  associated with the Traffic Flow Management Infrastructure system, Juneau Aviation Weather System, and the Albuquerque Air Traffic Control Tower;
  • Unauthorized access was gained to an ATC system used to monitor critical power supply at six en route centers; and
  • Vulnerability found on Web applications associated with the Traffic Flow Management Infrastructure system was confirmed, which could allow attackers to install malicious codes on FAA users’ computers.

This occurred because (1) Web applications were not adequately configured to prevent unauthorized access and (2) Web application software with known  vulnerabilities was not corrected in a timely matter by installing readily available security software patches released to the public by software vendors. [..]

In our opinion, unless effective action is taken quickly, it is likely to be a matter of when, not if, ATC systems encounter attacks that do serious harm to ATC operations.

Advertisements

Leave a comment

Filed under news

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

w

Connecting to %s