Audit finds 700 big vulnerabilities in air traffic systems

Flaws could make air traffic control susceptible to cyberattacks, DOT report says

A government audit has found more than 760 high-risk vulnerabilities in Web applications used to support Air Traffic Control (ATC) operations around the U.S.

The flaws, which were discovered in 70 Web applications tied to ATC operations, give attackers a way to gain access not just to underlying Web servers but potentially to other more critical backend systems, the report from the U.S. Department of Transportation's Office of Inspector General (OIG) noted.

The report was released Wednesday and stemmed from a request by U.S. Reps. John Mica (R-Fla) and Tom Petri (R-Wis.), ranking minority members of the Aviation Subcommittee of the House Committee on Transportation and Infrastructure. It is based on an audit of Web application security controls and intrusion detection capabilities in air traffic control systems.

The audit identified more than 3,850 vulnerabilities in 70 Web applications, half of which were public facing, such as applications used to disseminate information to the public over the Internet, including communications frequencies for pilots and controllers. More than 760 of the vulnerabilities were identified as high risk and could allow attackers to access data and remotely execute malicious code and commands on critical systems.

About 500 of the vulnerabilities were rated as medium risk and the rest were rated as low risk. According to the OIG, medium and low risk vulnerabilities could allow attackers to glean important information, such as system or network configuration data, that could later be used in crafting an attack.

The audit was conducted under contract for the office of Inspector General Calvin Scovel by consulting firm KPMG LLP.

During the audit, testers gained unauthorized access to several Web application systems. In one case, testers were able to access program source code and other information stored on a Web application server associated with air traffic flow management. In another instance, Web application vulnerabilities allowed KPMG staff to gain access to critical power monitoring systems at ATC centers in Boston, Anchorage, Denver and three other cities. The access allowed the testers to generate power condition reports that could have been used for planning an attack.

Security auditors also found that a vast majority of ATC facilities had insufficient controls for detecting and monitoring security intrusions. The audit found adequate intrusion-detection capabilities in 11 "out of hundreds" of ATC facilities.

The vulnerabilities are significant because the Federal Aviation Administration has begun increasingly using commercial software and IP-based technologies to modernize ATC systems, the report noted. Such technology "inevitably poses a higher security risk to ATC systems than when they were developed primarily with proprietary software," the report added.

The report comes less than three months after a breach at the FAA in which the personal data of about 45,000 employees and retirees was apparently stolen from an agency server. The FAA said the compromise resulted from an intrusion into the system that was storing the data, but did not elaborate. At that time, the FAA stated that there were no indications that any of the servers used for air traffic control or other operation systems had been compromised.

The OIG report noted that the February breach was caused by a Web application vulnerability used by the attackers to gain access to the system containing the personal identity data. In another incident last August, hackers planted malicious code on a Web application server to gain access take control of the FAA's domain control servers, which they could have shut down, the report warned.

The results of the audit, while troubling, are not entirely unexpected, said Barmak Meftah, vice president of products and technology at Fortify Software Inc., a San Mateo, Calif.-based vendor of application security products. Fortify, which has several government agencies as customers including the U.S. Department of Defense, released a report in March highlighting some of the dangers faced by these agencies from vulnerable Web applications.

"What is disconcerting is that there are so many high-risk vulnerabilities," Mafteh said. "We all expect to see some vulnerabilities in Web applications. But on FAA and ATC systems, one would hope more attention is paid to them."

Many of the Web applications deployed across government agencies and the private sector are rife with vulnerabilities that are often hard to detect and hard to mitigate, Meftah said.

However, there are tools for monitoring Web applications for suspicious activity and for "hardening" them against malicious attacks, he said. Fortify, for instance, is one among several vendors that sells a product capable of detecting and blocking suspicious activity on a Web application server. Web application firewalls that are capable of detecting some of the more commonly known attacks are another option. But over the longer term, more attention needs to be paid to ensuring that security is baked into Web applications during the development process itself as opposed to bolting it on after products have been deployed, he said.

The FAA, which received the report in March, concurred with all of the findings and recommendations, the auditors noted. In its response, the FAA said the audit involved only administrative and mission support systems and not operational systems. The memo stressed that the FAA would "treat vulnerabilities identified in the OIG report with the utmost diligence." It also noted that immediate attention would be paid to mitigating the high and moderate risk vulnerabilities uncovered in the audit.

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags USA governmentair traffic control

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Jaikumar Vijayan

Computerworld (US)
Show Comments

Cool Tech

Toys for Boys

Family Friendly

Stocking Stuffer

SmartLens - Clip on Phone Camera Lens Set of 3

Learn more >

Christmas Gift Guide

Click for more ›

Brand Post

Most Popular Reviews

Latest Articles


PCW Evaluation Team

Aysha Strobbe

Microsoft Office 365/HP Spectre x360

Microsoft Office continues to make a student’s life that little bit easier by offering reliable, easy to use, time-saving functionality, while continuing to develop new features that further enhance what is already a formidable collection of applications

Michael Hargreaves

Microsoft Office 365/Dell XPS 15 2-in-1

I’d recommend a Dell XPS 15 2-in-1 and the new Windows 10 to anyone who needs to get serious work done (before you kick back on your couch with your favourite Netflix show.)

Maryellen Rose George

Brother PT-P750W

It’s useful for office tasks as well as pragmatic labelling of equipment and storage – just don’t get too excited and label everything in sight!

Cathy Giles

Brother MFC-L8900CDW

The Brother MFC-L8900CDW is an absolute stand out. I struggle to fault it.

Luke Hill


I need power and lots of it. As a Front End Web developer anything less just won’t cut it which is why the MSI GT75 is an outstanding laptop for me. It’s a sleek and futuristic looking, high quality, beast that has a touch of sci-fi flare about it.

Emily Tyson

MSI GE63 Raider

If you’re looking to invest in your next work horse laptop for work or home use, you can’t go wrong with the MSI GE63.

Featured Content

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?