In a scary presentation at the Defcon hacker conference, a security researcher showed how easy it is to compromise the Federal Aviation Administration’s air traffic control system.
Righter Kunkel was careful not to show exactly how to bring aircraft out of the sky. But he showed how easy it is to shut down information going into an air traffic control tower, jam radar, submit a fake aircraft flight plan, get recognized as a pilot even if you aren’t a pilot, and stop planes from taking off at an airport.
Kunkel laid out the process. You could get a fake identification (which is illegal). Go to the doctor and get an aviation medical certificate, which shows you are fit to fly. With that, you can get a student pilot’s certificate number. Then you can log into the FAA’s pilot registration site and submit your own flight plans.
You would think this stuff would be impossible in the age after 9/11. But then, it’s easy to believe, considering the plodding pace at which the government is embracing new technologies, such as those that make government computer systems more secure. And the FAA’s priority has been keeping planes safe in the sky, not necessarily shoring up its network security.
Each tower prints every submitted flight plan. The system treats you as a trusted user, but that user could theoretically submit an extremely large number of flight plans and overwhelm it, which amounts to a denial-of-service attack that could bog down the whole system. Kunkel said the FAA itself has said that some of its networks are improperly linked. He also found that one system uses Telnet. Kunkel said he wouldn’t talk about the significance of that fact, but the implication was that it could be used to launch a cyber attack.
The FAA found in its own report, issued in May, that there were 763 vulnerabilities in 70 web applications that are used internally at the FAA. It’s a damning report, Kunkel said, but the FAA says it is working on fixing some problems, including some fixes that will go into place by February 2010.
Kunkel said he wasn’t encouraging people to take down the system. He is a pilot himself and realizes the FAA is under-funded. Rather, he was pointing out that the system needs fixing. The next-generation system for air traffic control is coming soon and is being tested in Alaska. But Kunkel is concerned that the system has been designed without enough computer safeguards. He said he hasn’t heard from the FAA yet.
“I’m on their side,” he said.