During the recent Defcon hacker conference held in Las Vegas, a security researcher explained how’s the FAA (Federal Aviation Administration) air traffic control system is vulnerable to hackers attacks. Even though he did not show how to that, Righter Kunkel explained a sort of workflow that could be used to compromise the ATC system by submitting fake FPLs (Flight PLans). The process is linked to the possibility of submitting your own FPL provided that you have obtained a student pilot’s certificate number that gives you access to the pilot registration page on the FAA’s website. Since, theoretically, a user can submit a large number of FPL, a certain number of fake pilots could create a Distributed Denial of Service (DDoS) as FAA admitted that some of its networks are not properly separated and systems not completely hardened (for instance, Kunkel said Telnet is still widely used within FAA’s networks). An internal report issued in May 2009, claims that 763 vulnerabilities affect 70 FAA’s internal web applications. Even if before understanding the security level of the network, I would like to see the type of vulnerability listed in the report (there could be some minor ones of course), basing on the current details, it is obvious that, despite being a valuable asset for the FAA, a critical system (we can consider it “mission critical”) is not properly defended. This is something that happens in both Aviation, Industry, Telco, Finance sectors, where the lack of security countermeasures can be caused by lack of budget, lack of knowledge, lack of resources, lack of security awareness, or simply because security was a requirement that came later, when the system was already operative.
