US air traffic control computer system vulnerable to terrorist hackers

http://arstechnica.com/tech-policy/2015/03/us-air-traffic-control-computer-system-vulnerable-to-terrorist-hackers/


The US system for guiding airplanes is open to vulnerabilities from outside hackers, the Government Accountability Office said Monday. The weaknesses that threaten the Federal Aviation Administration's ability to ensure the safety of flights include the failure to patch known three-year-old security holes, the transmission and storage of unencrypted passwords, and the continued use of "end-of-life" key servers.

The GAO said that deficiencies in the system that monitors some 2,850 flights at a time has positioned the air traffic system into an "increased and unnecessary risk of unauthorized access, use or modification that could disrupt air traffic control operations." What's more, the report said the FAA "did not always ensure that sensitive data were encrypted when transmitted or stored." That information included stored passwords and "authentication data."

Among the findings:

While the Federal Aviation Administration (FAA) has taken steps to protect its air traffic control systems from cyber-based and other threats, significant security control weaknesses remain, threatening the agency's ability to ensure the safe and uninterrupted operation of the national airspace system (NAS). These include weaknesses in controls intended to prevent, limit, and detect unauthorized access to computer resources, such as controls for protecting system boundaries, identifying and authenticating users, authorizing users to access systems, encrypting sensitive data, and auditing
and monitoring activity on FAA's systems. Additionally, shortcomings in boundary protection controls between less-secure systems and the operational NAS environment increase the risk from these weaknesses.


The flying public's safety is in jeopardy until there's a fix to the system used at some 500 airport control towers, the GAO said. (PDF)

Snip