May 7, 2009 3:59 PM PDT

Report: Hackers broke into FAA air traffic control systems

by Elinor Mills

Hackers have broken into the air traffic control mission-support systems of the U.S. Federal Aviation Administration several times in recent years, according to an Inspector General report sent to the FAA this week.

In February, hackers compromised an FAA public-facing computer and used it to gain access to personally identifiable information, such as Social Security numbers, on 48,000 current and former FAA employees, the report said.

Last year, hackers took control of FAA critical network servers and could have shut them down, which would have seriously disrupted the agency's mission-support network, the report said. Hackers took over FAA computers in Alaska, becoming "insiders," according to the report dated Monday.

Then, taking advantage of interconnected networks, hackers later stole an administrator's password in Oklahoma, installed "malicious codes" with the stolen password and compromised the FAA domain controller in the Western Pacific Region, giving them the access to more than 40,000 FAA user IDs, passwords, and other data used to control a portion of the mission-support network, the report said.

And in 2006, a virus spread to the air traffic control (ATC) systems, forcing the FAA to shut down a portion of its systems in Alaska, according to the report.

The attacks so far have primarily disrupted mission-support functions, but attacks could spread over network connections from those areas to the operational networks where real-time surveillance, communications and flight information is processed, the report warned.

"In our opinion, unless effective action is taken quickly, it is likely to be a matter of when, not if, ATC systems encounter attacks that do serious harm to ATC operations," the report concluded.

An audit of the FAA's air traffic control cybersecurity protection measures finds them lacking and says there have been several breaches by hackers and a virus.

(Credit: U.S. Department of Transportation, Office of Inspector General)

The breaches were possible because Web applications that support the air traffic control system operations are not properly secured to prevent unauthorized access and network intrusion-detection software is not adequately being used to monitor and detect cyberattacks, the report concluded.

The FAA's increasing use of commercial software and Internet Protocol-based technologies as part of an effort to modernize the air traffic control systems poses a higher security risk to the systems than when they relied primarily on proprietary software, the report said.

"Now, attackers can take advantage of software vulnerabilities in commercial IP products to exploit ATC systems, which is especially worrisome at a time when the Nation is facing increased threats from sophisticated nation-state-sponsored cyber attacks," the report said.

In general, the nation's critical infrastructure is increasingly at risk as previously isolated and closed systems are moved to the Internet and commercial software, like Windows, is used, security experts have said.

The air traffic control system auditors said they discovered more than 760 high-risk vulnerabilities in the Web applications tested, including holes that provided "front-door access" to the systems and could allow attackers to inject malicious code onto FAA user computers. Web applications were not adequately configured and the applications with known vulnerabilities were not patched in a timely manner, auditors found.

Meanwhile, intrusion detection systems (IDS) are deployed at only 11 of hundreds of air traffic control facilities and none of the IDS sensors is installed to monitor operational systems at those sites, the report said. Cyber incidents are not effectively monitored or fixed quickly, the report concluded.

In 2008, more than 870 cyber incident alerts were issued to the organization responsible for air traffic control operations and by the end of the year 17 percent (more than 150 incidents) had not been remediated, "including critical incidents in which hackers may have taken over control" of operations computers, the report said.

The FAA is "identifying and fixing weaknesses," FAA spokeswoman Laura Brown told The Wall Street Journal. "We are working on developing security architecture for that whole system."

However, Brown dismissed the notion that hackers could get access to critical air traffic control operational systems.

The audit of the air traffic control systems was requested by the ranking minority members of the House Committee on Transportation and Infrastructure and its Aviation Subcommittee.

Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service, and the Associated Press. E-mail Elinor.
by monkeyfun14 May 7, 2009 4:33 PM PDT
Seeing a lot more of these lately ever since that bill proposed to give Obama power to shut off the internet.
by truthknolies May 8, 2009 3:23 PM PDT
what I don't understand is the mentality that our government is looking out for the individual's best interest...I also don't understand how people can't realize that the financial crisis was setup a long time ago after the Kennedy administration in order to 1. get the middle class to invest all of their monies into the stock market (the introduction of 401(k), IRA accounts, etc.) 2. crash the market by forcing banks to push loans to people who can't afford them, which causes banks to write off massive amounts of receivables (assets), which causes stock prices to fall dramatically across all industries, which causes people who invested (middle class) to lose all their money 3. get the same middle class to invest what money they do have left into low stocks, and then crash it again (2010 or 2011). 4. stealing money from the taxpayers in the form of bailout funds that never EVER get accounted for through the direction of the Federal Reserve Bank (which is NOT federal bank or agency and is IN FACT run by the wealthy families in England)...........oh by the way.......the treaty that the US signed with the United Nations undermines the US Constitution thus ending the United States of America........that was in the 90's.........and people thought that Revelations was just a bunch of dreams..........world consolidation has been in process for decades
by getwired May 7, 2009 5:24 PM PDT
"Then ... hackers ... installed malicious codes with the stolen password..."

What the hell are "malicious codes"?
by truthknolies May 8, 2009 3:17 PM PDT
viruses; tracking software...software is basically a bunch of code, also referred to as code language...one could, with proper password entry, install the "malicious code"....basically a software program...that can do whatever the code is written to do....could be wipe out memory, could be track user activity, could be upload personal information...........whatever the hacker writes to code

should tell you how vulnerable the FAA is.......if you watch the movie Sneakers...it might give you a better idea
by kieranmullen May 7, 2009 7:22 PM PDT
Fire the nitwit that thought it would be a "good idea" to have critical systems on the Internet.


[CNET editors' note: Prohibited content deleted.]
by Dalkorian May 8, 2009 3:12 PM PDT
BINGO!
by JCPayne May 8, 2009 2:39 AM PDT
Uh this is a surprise? I've been hearing air traffic controllers complain from before 9/11 that the control system needed massive overhauling.
by RobertAPierce May 8, 2009 5:01 AM PDT
Why the heck would critical FAA systems even be connected on the open internet? Why would they in any way be connected to the outward facing systems? Who's the idiot in charge of designing their infrastructure?
by joevt23 May 8, 2009 10:22 AM PDT
You'd be amazed at the number of IT people at these places that have no clue what they are doing. Everyone dictates to everyone else what should be done, and really at the end of the day, nothing is done.
by aquraishi May 8, 2009 6:54 AM PDT
IDSs only installed at a few facilities? No mention of IPSs. Most companies that install IDSs don't even use them effectively as configuration and management of these systems is a full-time task. It really amazes me that such a high-profile and critically important organization has such poor security practices. Modernization is one thing but improvement should never be put ahead of risk management. Really, really sad. I've run IT shops in a number of different companies and industries; all of them have been security audited which includes the use of ethical hacking techniques, and all of them have received good to exceptional grades.

Using Microsoft Windows servers throughout the organization? Are they nuts? I've got nothing against Microsoft but there are far too many hacker/cracker toolkits out there for people to pick up, modify and use. Security through obscurity has some value. Go with an OS like AIX or Solaris and harden it. That's what we did at the last org I ran - using these machines for public-facing (Internet) servers.
by ceejayeight May 8, 2009 9:49 AM PDT
This is what you get when non IT bureaucrats are driving the bus.

The FAA in DC has spent the last 2 years either reclassifying or retiring its IT staff, effectively purging most of the competent IT staff.

The bureaucrats' answer: hire contractors. (low bidder)

So we wind up with a 30% increase in the cost and a 30% decrease in performance. The bureaucrats tell us it's a better way of doing business.
by Dick Helm May 8, 2009 8:05 AM PDT
The saddest part about all of this is had the government gone forth with an identity system I have developed, not only would airport security be secure and identity theft stopped, this kind of attack would not have been successful. In addition to all of that, the system I am talking about protects individual identity rather than put it at risk.
by Dalkorian May 8, 2009 3:16 PM PDT
It'll never sell unless it can add inches to that part of the male anatomy. That's what my program does. It makes the world safe for everyone, makes men more virile and makes women more voluptuous and more promiscuous.
by awkins May 8, 2009 8:11 AM PDT
Most of the liberal/democrats on the other, evil side laughed when Sarah Palin's email was hacked. If hackers want to hack into a website, email account or anything else on the website, then they must be thinking: "Yes, we can!". Obama doesn't care about security, except for his own, and this FAA business is only one aspect of it.
by catbutt5 May 8, 2009 10:00 AM PDT
Pretty much all politicians are clueless when it comes to technology issues.

I'm not quite sure how you've pinned the blame for mistakes that have been going on for years on the administration that just took over the job 3 - 4 months ago. These systems were "modernized" during the Bush years weren't they?

Either way, it's pointless to try and attach a Democrat or Republican label to anything tech related. Attempting to do so only points out your ignorance of the topic being discussed.
by Dalkorian May 8, 2009 3:17 PM PDT
Tis better to finish elementary school, then high school, before trying to join in on adult conversations. You're just embarrassing yourself otherwise.
by lumpoco May 9, 2009 4:53 PM PDT
I blame Al Gore. He did say he invented the internet. Obama wants 12 high tech copters to provide for his security when only 4 are needed. He claims that Bush ordered them. Yes, that is probably true. I say probably because you can never trust a smooth-talking politician. Anyway. As Commander in Chief, as the most powerful leader of the free world one would think that he can say "you know, I think we only need 4 choppers". Of course the company will have to agree because they still need the government to fund their other projects. One more thing. Pelosi claims that she was told that "torture was legal". Dude! since how can anyone be so stupid as to think that torture is legal? Wasn't she the same person who claimed that she will rid the Congress of immoral behavior? Seems to me she is just perpetuating the status quo. Obama promised to turn back all of Bush's "no good actions" and yet he decided to do nothing in regards to protecting the polar bear. So Bush AND Obama hate polar bears. I wonder what those bears ever did to them! I say we get rid of air traffic controllers. They are overpaid and are always complaining.
by Godonthewire May 8, 2009 8:52 AM PDT
Netspionage! The leet (elite system crackers, hacker is a term used by the media for the lamers) long ago learned it is easier to hack a human via human engineering than waste days running attack code. For those of you who are unfamiliar with human engineering think of it like this; if you want to learn what systems the target is using and their network infrastructure simply read their job ads. If you want Admin access, find the Senior Adman's name and find out all you can about him. Look at the networking sites, since most fools post way too much personal information. Look for a younger person who is married and has young children. He will probably have a wireless setup at home. Go to his house and sit on the patio one night and hit the child's computer. The security will be low, the password will be predictable and his internal network will lack the security of a Domain. Once you get in the child's computer attack the Admin's home machine which will usually have a VPN tunnel to the office with full Admin rights. The rest is just a matter of application. Better yet get yourself a UPS uniform and ....that's enough. You get the idea.
by Dalkorian May 8, 2009 3:19 PM PDT
You should write a movie!
by n3td3v May 8, 2009 9:01 AM PDT
Malicious codes?
by Dalkorian May 8, 2009 3:21 PM PDT
As opposed to peaceful codes, with benign codes in between?

Don't anthropomorphize code - they hate that.
by jimlogas May 8, 2009 9:34 AM PDT
Wow...how scary.
At least no one was harmed by their actions!
by joevt23 May 8, 2009 10:20 AM PDT
Not a surprise, there are so many incompetent people that work at these government sites. They have no idea how to configure a firewall correctly or an IPS/IDS system. I mean seriously how many times does this have to happen for people to wake up. As always, money is a factor as well. Until the idiots in Washington figure out that this is a major problem, systems will continue to be compromised.
by walkerstempe May 8, 2009 10:40 AM PDT
Where is Jack Bauer? Oh.... he didn't stop it either.
by Dalkorian May 8, 2009 3:21 PM PDT
Is he still having a bad day?
by kylegas May 8, 2009 11:22 AM PDT
I always thought of the government (FAA, etc...) as incompetent. But then I started working with them and realized that they are way (WAY) more motivated, educated and metered than their industry counterparts when it comes to the realities of deployment. Hacking has become a real threat, but don't think for a second the FAA isn't addressing it. Most people have no clue of the complexity and elegance of the FAA systems given their age - and how much the people who work at the FAA care about the safety of people. I've never met a more motivated group of people - naysay all you want, but from someone who's seen it, these people need your support and respect - not your disdain.
by ripa01 May 8, 2009 2:25 PM PDT
I appreciate your information Kylegas. I would say, though, that these attacks should have been prevented and foreseen. Anything less is not acceptable.
by Dalkorian May 8, 2009 3:24 PM PDT
They don't need our support or respect, they need to get their rear ends booted into next week and be threatened with termination if this doesn't stop today. Coddling the incompetent won't fix the problem, I promise you that. No matter how well intentioned the incompetent are.
by happydale May 8, 2009 2:49 PM PDT
This is what happens when government agencies push diversity to equalize the racial/ethnic face of the workforce, irrespective of background, training, know-how and knowledge of the hired. Matters will only continue to deteriorate unless government agencies start to look seriously at job qualifications and less at satisfying some government regulation mandating "fairness."
by Dalkorian May 8, 2009 3:27 PM PDT
No, this is what happens when qualification takes a back seat to toeing the line and being the correct party. Cronyism is the problem the FAA is suffering, not racism. Racism is the problem you're suffering.
by happydale May 8, 2009 4:23 PM PDT
Dalkorian -
When I was a prison guard, there were always a few wise ***** like you, who stood around and made snotty remarks about what other inmates said and did. It wasn't long before they got the living s$$t kicked out of them. With 19 comments and counting in one day, you are one sick puppy. You might want to consider counseling before you hurt yourself or someone close to you.
by benderrodriquez May 9, 2009 8:03 AM PDT
The question really should be, why is the FAA system on the Internet in the first place? As with all government agencies, the FAA should be on a completely closed Intranet. What does the Internet offer the FAA in the way of flight operations? Porn?
by lyntone May 9, 2009 9:26 AM PDT
Don't worry our government will outsource its problems to a third world country that has our interest in mind! Then they will sell it to another country to use it against us!
by jeromeborden May 9, 2009 9:29 AM PDT
Ben suggests going to Intranets. Well, I remember how things worked a long time ago. It was all dedicated nets with no interconnectivity. Connections were often manual and sometimes involved sending a messenger from RCA to Hickam. The first attack at Pearl Harbor was over when he arrived. Dedicated nets persisted but improved in speed and security through Vietnam. Then came DARPAnet and the world hasn't been the same since then.

Sanitation is the key whether it is the latest flu outbreak or somebody trying to exploit the system. The "magic key" in the form of the USB memory stick is pretty much gone where I work and it isn't coming back. The problem "jumped hosts" just like the so-called Swine Flu, in this case from camera flash cards carrying an extra package through the computers to the USB sticks and now we are paying the price. I think the IT folks at FAA and other government agencies are doing their job well against some rather huge odds. The intrusion attempts are measured in the millions, each day! However, where I work, spam is rare and reported when it happens. Sanitation means using those strong passwords, avoiding short cuts, and using secure signatures and encryption when appropriate.

Another thing on closed systems: The airliners were in a relatively closed system on 9/11. The only news that went into or out of the cockpit was either via radio with the FAA, the transponder, or messages read on a CDI (Control Display Indicator) from "Dispatch". The crew on Flight 97 was trying to confirm a CDI (or "CDU" for some folks) message when the hijackers broke in. The passengers found out what the game was via an open system, their cell phones, and took action.
by Len Bullard May 11, 2009 7:15 AM PDT
"This is what you get when non IT bureaucrats are driving the bus"

Consultant led IT shops pushed hard for the web as critical infrastructure in Washington DC and Silly Valley despite the protests from senior personnel who were intimately involved with the design of the Internet. Every problem predicted in 1993 has come to pass and they still gave knighthoods and money awards to those who gave them bad advice about the ability of the open market to secure an inherently insecure system.

And predictably, those who did are now blaming others because they cannot face the facts that they had more to do with this than those whom they are blaming.

The Web Generation has failed to realize the depth of their mistakes and likely won't have to grow up any time soon, but every time they board a passenger jet, they will be uneasy and should be when they fly in "the clouds". It's moronic to read the articles about cloud computing being embraced in the Beltway and then look at the very same people telling us the critical infrastructure based on it is being hacked daily.

Oh just a few more releases and it will all be fine, right?