Slashdot Mirror


Hackers Broke Into FAA Air Traffic Control Systems

PL/SQL Guy writes "Hackers have repeatedly broken into the air traffic control mission-support systems of the US Federal Aviation Administration, according to an Inspector General report sent to the FAA this week, and the FAA's increasing use of commercial software and Internet Protocol-based technologies as part of an effort to modernize the air traffic control systems poses a higher security risk to the systems than when they relied primarily on proprietary software, the report said. Intrusion detection systems (IDS) are deployed at only 11 of hundreds of air traffic control facilities. In 2008, more than 870 cyber incident alerts were issued to the organization responsible for air traffic control operations and by the end of the year 17 percent (more than 150 incidents) had not been remediated, 'including critical incidents in which hackers may have taken over control' of operations computers, the report said."

27 of 124 comments

  1. I guess this is what happens by Anonymous Coward · · Score: 5, Funny

    when 4chan goes down for a week. Seems that keeping that site running is a matter of national security!

  2. Someone call Jack Bauer by Anonymous Coward · · Score: 5, Funny

    They have the CIP device.

    1. Re:Someone call Jack Bauer by PolygamousRanchKid+ · · Score: 2, Interesting

      Sorry, Jack is in the slammer, for head butting some dude "to protect Brooke Shields' honor," or something like that: http://edition.cnn.com/2009/SHOWBIZ/TV/05/07/sutherland.charged/index.html

      Truly bizarre . . . an impromptu alcohol fueled celebrity involuntary nose job.

      --
      Schroedinger's Brexit: The UK is both in and out of the EU at the same time!
    2. Re:Someone call Jack Bauer by Anonymous Coward · · Score: 2, Funny

      I hadn't heard the guy ran Mac.

  3. Question by grassy_knoll · · Score: 3, Funny

    Why are critical systems not protected by a one inch air gap between the NIC and cable from remote exploit?

    Seems like from TFA they're not:

    The attacks so far have primarily disrupted mission-support functions, but attacks could spread over network connections from those areas to the operational networks where real-time surveillance, communications and flight information is processed, the report warned.

    1. Re:Question by Rich0 · · Score: 5, Insightful

      I believe in defense in depth. Even though the guards inside the castle may be trained to password challenge everybody walking around and check coats of arms, it never hurts to raise the drawbridge when there isn't anybody using it and there is a besieging army.

      Sure, have firewalls all over the place, but any route into and out of the network itself needs to be HIGHLY secure. NOTHING goes IN or even OUT without a reason. Nothing wrong with the airport having a flight status board, but you have the ATC central database polled by some central server which generates an xml digest of the important info and have it dump that data across a serial line (transmit only) to another server which then puts it onto a webserver which the airports can parse. Flight plan requests come into some intermediate server on the internet (but well secured). That server validates the requests and sends xml files to some intermediate server (perhaps over serial) which otherwise isn't on any network. That server re-validates the input and then makes it available to a more trusted server that then does the application logic.

      Of course the internal network has a firewall at every WAN connection that only passes the minimum defined data to make the system work. That still doesn't mean that you shouldn't keep the actual traffic on the mission critical network down to the minimum necessary. There shouldn't be a single packet on that ATC network that doesn't originate from an FAA-validated piece of software. Any connection to the outside should be sanitized, and they should be few in number.

      This isn't about being smarter than the hackers - it is about being thorough and having a fully specified architecture.
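
The two-stage validation Rich0 describes above, as an added example that is not part of the original comment or of any FAA system: the internet-facing stage validates a request and rebuilds it from the parsed fields, and the isolated stage re-validates whatever arrives over the one-way link. The XML layout, field patterns, size limit and length-plus-CRC32 framing are assumptions made for illustration.

```python
import re
import struct
import zlib
import xml.etree.ElementTree as ET

MAX_BODY = 2048  # assumed size limit for one request
HEADER = struct.Struct(">HI")  # payload length, CRC32
# Hypothetical schema: each field is allowlisted by pattern.
FIELDS = {"callsign": r"[A-Z0-9]{2,7}", "departure": r"[A-Z]{4}",
          "destination": r"[A-Z]{4}", "level": r"F[0-9]{3}"}
# Constructed sample request.
SAMPLE = (b"<flightplan><callsign>KLM1023</callsign><departure>EHAM</departure>"
          b"<destination>KJFK</destination><level>F350</level></flightplan>")


def validate(xml_bytes):
    """Parse one request strictly; return its fields or raise ValueError."""
    if len(xml_bytes) > MAX_BODY:
        raise ValueError("oversized request")
    if b"<!" in xml_bytes or b"<?" in xml_bytes:
        raise ValueError("DTD, entity, comment, CDATA or PI not allowed")
    try:
        root = ET.fromstring(xml_bytes)
    except ET.ParseError as exc:
        raise ValueError(f"malformed XML: {exc}") from None
    if root.tag != "flightplan" or root.attrib:
        raise ValueError("unexpected root element")
    if sorted(c.tag for c in root) != sorted(FIELDS):
        raise ValueError("unexpected or missing fields")
    out = {}
    for child in root:
        text = child.text or ""
        if child.attrib or len(child) or not re.fullmatch(FIELDS[child.tag], text):
            raise ValueError(f"bad value for {child.tag}")
        out[child.tag] = text
    return out


def outer_gateway(xml_bytes):
    """Internet-facing stage: validate, rebuild from parsed fields, frame."""
    fields = validate(xml_bytes)
    body = "".join(f"<{k}>{fields[k]}</{k}>" for k in FIELDS)
    payload = f"<flightplan>{body}</flightplan>".encode("ascii")
    return HEADER.pack(len(payload), zlib.crc32(payload)) + payload


def inner_gateway(frame):
    """Isolated stage: no return channel, so a bad frame is dropped."""
    if len(frame) < HEADER.size:
        return None
    length, crc = HEADER.unpack_from(frame)
    payload = frame[HEADER.size:]
    if length != len(payload) or zlib.crc32(payload) != crc:
        return None  # line noise or truncation
    try:
        return validate(payload)  # do not rely on the outer stage's check
    except ValueError:
        return None
```

Because the outer stage forwards a rebuilt message rather than the bytes it received, nothing the sender wrote outside the allowlisted fields crosses the link, and a well-framed but malformed message from a compromised outer stage is still rejected inside.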

    2. Re:Question by Anonymous Coward · · Score: 4, Informative

      Trust me, any NAS equipment doesn't remotely come close to the public network. This article is misleading as they are talking about websites that 'aid' in landing aircraft. Trust me, these websites don't land aircraft.

    3. Re:Question by dangle · · Score: 2, Funny

      Posting to delete accidental mod "funny" instead of "informative." I've only had one drink, sorry.

    4. Re:Question by boaworm · · Score: 2, Informative

      Why are critical systems not protected by a one inch air gap between the NIC and cable from remote exploit?

      I'm honestly not sure. I work with ATC, although not in the US. The systems I have installed (Europe and Asia) have all been closed systems, there are very few physical connections between the servers and software working on radar- and flight data, and any equipment used to communicate externally.

      Almost all communication is done via VCCS equipment (radio etc), so the controllers have screens with radar- and flight data, and separate screens and terminals for external data, such as flight plan processing terminals.

      But since the US is large, and one authority is in charge of it all, I guess they saw the need for interconnectivity. Still, many things don't need to be interconnected anyway, and the networks are often easily fragmented so that the few systems being exposed to public networks are isolated from the important ones.

      --
      Probable impossibilities are to be preferred to improbable possibilities.
      Aristotele
  4. Then use IPv6. by jd · · Score: 4, Insightful

    It's non-proprietary, the applications should work just fine, but most skript-kiddies don't have any idea on how to set up the necessary tunnels. It's also designed from the start to be secure, IPv4 has had all security back-ported in.

    Also, use Active IDS, not passive. It's no good telling the operators that the last three planes crashed into a mountain because a system cracker decided it would be fun to use the radar computer for a game of Netrek. You're much better off by detecting the intrusions in real-time and countering them right then. Particularly if actual mission-critical systems are being broken into.

    Third, Stop Using Windows! Gaah! The chances are that the software can be modded to work under Linux or OpenBSD just fine.

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
    1. Re:Then use IPv6. by raddan · · Score: 4, Insightful

      Air traffic control systems should not be connected to the Internet. Period. Use of IPv4 as a messaging system in that case should be fine-- because all that address space will be private.

      I love OpenBSD. We use it everywhere at work. But our computers do not control airplanes. A general-purpose OS is appropriate in the kind of environment where you have hard real-time limits and where bounds-checking errors have the potential to kill lots of people. This is a case where rolling-your-own is actually a good idea, and worth the money.

      If you're trying to decide what kind of IDS to put on your air-traffic-control net, you need to back up and undo some of your decisions.

  5. Well that would explain by mandark1967 · · Score: 5, Funny

    Why my last 4 flights arrived on time.

    --
    Sig Follows: "Suppose you were an idiot. And suppose you were a member of Congress. But I repeat myself." -- Mark Twain
  6. I usually laud hacker hijinks by Taibhsear · · Score: 3, Insightful

    As it tends to enlighten people to the necessity of better computer security... but when it involves things like airport control towers and hospital equipment and files it is totally not cool.

    1. Re:I usually laud hacker hijinks by pjt33 · · Score: 2, Informative

      Hacking into government computers is old hat. I'm more concerned that someone seems to have hacked /. and changed the front page to be an RSS feed.

  7. Ineptitude by s-whs · · Score: 4, Informative

    increasing use of commercial software and Internet Protocol-based technologies as part of an effort to modernize the air traffic control systems poses a higher security risk to the systems than when they relied primarily on proprietary software, the report said.

    That's what's usually called ineptitude, but those FAA guys like to spin it round so someone else, or circumstances beyond their control, are the problem.

    From what I've read about air-industry people in the US they are no different from in the Netherlands: People who almost invariably have a superiority complex and think they're doing tremendously important work while not having to justify why they make so much noise, are so inept at sound calculations (dBA which is pointless for noise as related to annoyance, contrary to Sone for example), produce reports with incorrect units (upper and lower case wrong showing they don't have a proper education in elementary physics) etc.

    Recently small aircraft were prohibited from flying near Schiphol. Reason was transponders are now in all of them, the LVNL (Dutch air traffic control) couldn't handle all those signals. A tremendous display of ineptitude again as they had plenty of time to prepare their systems (software), but being the sort of people they are, this is actually logical. Because they feel superior, they don't actually consider they might be doing things badly or need to change. In other words, despite them feeling they are superior, they are in fact amateurs...

    You can find more on the web on this (in Dutch).

    1. Re:Ineptitude by GooberToo · · Score: 2, Informative

      That's what's usually called ineptitude, but those FAA guys like to spin it round so someone else, or circumstances beyond their control, are the problem.

      They're not happy until you're not happy! You can't blame them for living their motto.

      In all seriousness, the FAA is in the middle of a huge political game right now, which is actually very complex to explain. They are working overtime trying to get out from under Congressional oversight. I wouldn't be surprised if they're looking the other way in an attempt to juice their lobbying. Obviously they can't secure things if their budget isn't drastically increased. And the only way they can do that is to be empowered to both raise taxes and collect them by any means they see fit while endangering the skies for everyone. Basically everyone credible (both Rs and Ds) has stepped forward and stated the FAA's proposal is bad for everyone and they can't even make their current funding with their proposal. Only the FAA and *cough* the major carriers support the FAA's plan.

      http://www.aopa.org/advocacy/articles/2008/081002faa.html
      http://www.aopa.org/advocacy/articles/2009/090507trustfund.html

      Do some searches. It's actually pretty scary. The FAA is working hard to become their own taxing authority, independent of Congressional oversight, while becoming buddy-buddy with the major carriers. Mmmmm....isn't that a good recipe for safety. And did I mention every year they are unable to account for millions even with oversight. Even worse, Obama is demanding legislation be put forward which supports this disastrous model. And worse yet, such legislation would be horrific to our economy; more accidents: fewer fliers; cost to fly, from drastically higher taxes, goes through the roof: less revenue at airports; less revenue at airports means fewer jobs; fewer jobs: loss of up to hundreds of millions to local economies (even loss of hundreds of thousands to millions at smaller airports) all over the country.

  8. Missing Forest for the Trees? by PK Tech Guy · · Score: 5, Informative

    from the CNET article "Last year, hackers took control of FAA critical network servers and could have shut them down, which would have seriously disrupted the agency's mission-support network, the report said"

    "However, Brown dismissed the notion that hackers could get access to critical air traffic control operational systems."

    It's OK everybody, the hackers have shut down the network but they haven't gained any critical access.

    1. Re:Missing Forest for the Trees? by haus · · Score: 2, Interesting

      Air traffic controllers are quick to tell you that they do not care about the ATC systems that sit in front of them.

      If they are unreliable, or go down, they will continue to perform their job, by slowing everyone down, increasing the gaps, limiting the number of new plans onto the grid.

      It gums up the works a bit, but everyone gets to walk away.

  9. That was proposed. by Ungrounded Lightning · · Score: 3, Interesting

    Glad they don't have commercial planes with complete remote control. Or do they?

    That was proposed after 9/11 as a solution to hijacked planes. Remote control devices that could take over a hijacked plane, remotely, locking out control by those on board and allowing it to be landed safely. Remote devices strategically located at all major commercial airports - or at least those near high-value targets (which is pretty much all of 'em).

    When the trial balloon went up it was soon pointed out that, with such a system, hijackers could use it to hijack the planes without even being on board. And the tech would be distributed to many locations (worldwide) from which it could be stolen.

    Haven't heard much about it since. B-) Of course that means that it will fall off the mental horizon for decision makers and they might decide to do it after all. B-(

    --
    Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
  10. Obligatory by plaxion · · Score: 5, Funny

    "Where do you want to go today?"

  11. Yup by mkcmkc · · Score: 2, Funny

    I'm not sure it gets much worse than this. I guess the local nuke plant could install a "whack-a-rod" live webcam game and secure it with DMCA technology...

    --
    "Not an actor, but he plays one on TV."
  12. "The Good Ole Days" by erroneus · · Score: 4, Insightful

    Being a programmer meant you could make a lot of money, not because you could make something that could be sold, but because you make programs that were useful for a purpose. Bill Gates and people like him turned computing into a software industry and this is more or less the result of that.

    There was nothing "wrong" with systems maintained by professional programming teams and for those people to work at the same job for their entire lives earning a good wage. "Industry" has not only weakened systems everywhere with their homogenous nature, but cheapened the industry and lowered wages for everyone in the profession.

    1. Re:"The Good Ole Days" by phantomfive · · Score: 2, Insightful

      You can still make a lot of money. $80k for a programmer is pretty normal, and if you manage to specialize in something you can easily swing a six digit salary.

      If you want to look at it a different way, look at starting salaries for college graduates. Computer Science graduates on average make $49,000 right out of college. This is compared to English majors who make $31,000 right out of college, or psychology majors who make $28,000 right out of college. Ouch. Keep in mind that the per capita GDP in the US is $47,000.

      So I'm not sure where you're getting the idea that programmers don't make a lot of money, and I'm also not sure why you see the software industry as a problem. I have benefited greatly from it, and use software from that industry nearly every day.

      On the other hand if you're thinking about job security, yeah, software is the wrong industry. The best job security as a programmer is developing the ability to find a new job quickly.

      --
      Qxe4
  13. Comment removed by account_deleted · · Score: 2, Insightful

    Comment removed based on user account deletion

  14. No, use IBM's SNA . . . by PolygamousRanchKid+ · · Score: 4, Funny

    . . . it's proprietary, so no one, not even IBM, understands how it works.

    The script kiddies will have to learn JCL. Have fun, you little rotten bastards!

    And even if they manage to break into a machine, they will be confronted with z/OS ISPF . . . can they get their tn3270 sessions to work? Hee, hee! Find your PA1 key!

    The best choice for a truly secure system, is to use some weird shit, that nobody else wants to use. And thus, there are not a lot of folks hacking about trying to poke holes in it.

    Wait for a script kiddie post, on how to use nmap to probe for ports on LU6.2.

    --
    Schroedinger's Brexit: The UK is both in and out of the EU at the same time!
  15. Event counts for IDS are mostly useless.. by haus · · Score: 3, Interesting

    Anyone who has worked with IDS/IPS systems will realize that unless very carefully managed you will have a large number of events that amount to nothing, even some with some very scary sounding titles.

    I am actually surprised to see the count levels so low, even for systems that are believed to be somewhat out of the way.

    ATC is not actually a single system within the FAA; this function is broken up over several different systems, each with their own silo of responsibility. My understanding from talking with traffic controllers is that the systems are not a requirement for controlling traffic. If the systems are down, or are believed to be unreliable, the controllers will simply continue with a more conservative approach, although this can have the effect of gumming up the works as everyone is slowed down and larger gaps are used.

    Real danger would be if information was off in some subtle way that was not detected, but as soon as it was determined that something was wrong, the system in question would be taken out of the work flow and further issues with it would not matter.

    Crafting such a problem would take not only the IT info to gain access to the system, but at least some level of ATC understanding on how to alter a situation without tipping your hand. While far from impossible, it is not what I would suspect would be a common skill set.

  16. I'm not surprised. by fhage · · Score: 4, Informative

    I worked as an engineer for NCAR, building and installing high-tech weather systems for the FAA (AWRP) for over a decade in the mid-90's-00's. I found the FAA leadership is filled with bunches of Republican partisan hacks who spent their time telling Al Gore jokes in their technical meetings rather than getting things done. It literally takes them 10 or more years to get technology to their employees in the trenches (officially). Because of upper mgt incompetence, the local level tech is a free-for-all, running in the closet. When I installed our sanctioned equipment in the Long Island FAA TRACON, I found a shift supervisor had brought his old PC in and got an AOL account so that the "super secure war room" could see what the weather was like outside as they managed 40% of the air traffic in the US. The FAA literally watches the weather channel with the sound off and competes with all the every day Joes for Nexrad images on accu weather. One of our (NCAR) systems under rigid performance evaluation at the FAA Technical Center (NJ) kept "hanging" several times per week, and we received poor evaluations and threats of funding cuts. I finally discovered that the reason for the failures was one of their staff had opened a shell terminal, ran Mosaic (remember that) and went porn surfing (up our dedicated 64kbps line back to NCAR in Boulder and out through our .edu POP). The FAA has lots of ad-hoc systems installed everywhere. Can anyone say "Pass your USB key over here Bob - Ya gotta watch this". Maybe Obama's administration will clean the rot out of the FAA. I lost any hope many years ago.