Defcon air traffic control hacker: Excuse me while I change your aircraft’s flight plan

In a scary presentation at the Defcon hacker conference, a security researcher showed how easy it is to compromise the Federal Aviation Administration’s air traffic control system.

Righter Kunkel was careful not to show exactly how to bring aircraft out of the sky. But he showed how easy it is to shut down information going into an air traffic control tower, jam radar, submit a fake aircraft flight plan, get recognized as a pilot even if you aren’t a pilot, and stop planes from taking off at an airport.

Kunkel laid out the process. You could get a fake identification (which is illegal). Go to the doctor and get an aviation medical certificate which shows you are fit to fly. With that, you can get a student pilot’s certificate number. Then you can log into the FAA’s pilot registration site. Then you can submit your own flight plans.

You would think this stuff would be impossible in the age after 9/11. But then, it’s easy to believe, considering the plodding pace at which the government is embracing new technologies, such as those that make government computer systems more secure. And the FAA’s priority has been keeping planes safe in the sky, not necessarily shoring up its network security.

Each tower prints every submitted flight plan. The system essentially treats you as a trusted user, but that user could theoretically submit an extremely large number of flight plans that could overwhelm the system — essentially a denial of service attack. That could bog down the whole system. Kunkel said the FAA itself has said that some of its networks are improperly linked. He found that one system uses Telnet. Kunkel said he wouldn’t talk about the significance of that fact, but the implication was it could be used to launch a cyber attack.

The FAA found in its own report, issued in May, that there were 763 vulnerabilities in 70 web applications that are used internally at the FAA. It’s a damning report, Kunkel said, but the FAA says it is working on fixing some problems, including some fixes that will go into place by February, 2010.

Kunkel said he wasn’t encouraging people to take down the system. He is a pilot himself and realizes the FAA is under-funded. Rather, he was pointing out that the system needs fixing. The next-generation system for air traffic control is coming soon and is being tested in Alaska. But Kunkel is concerned that the system has been designed without enough computer safeguards. He said he hasn’t heard from the FAA yet.

“I’m on their side,” he said.


About the Author, Dean Takahashi

Dean is lead writer for GamesBeat at VentureBeat. He covers video games, security, chips and a variety of other subjects. Dean previously worked at the San Jose Mercury News, the Wall Street Journal, the Red Herring, the Los Angeles Times, the Orange County Register and the Dallas Times Herald. He is the author of two books, Opening the Xbox and the Xbox 360 Uncloaked. Follow him on Twitter at @deantak, and follow VentureBeat on Twitter at @venturebeat.

  • E guru
    This is the single worst recap of any defcon talk I've ever read. It's clear you're looking for the sensational headline for the click through, but your article is flat misrepresentation. He started his talk with how this presentation was impossible to use to hurt aircraft. And it was a high level overview about atc, no real technical content. There was no scariness, except anyone treating your article as vetted or accurate.
  • Why is this listed in the "deals" category of the blog?
  • zzdinko
    Wow, now that is pretty scary dude! Wow!

  • ssrv4
    As a pilot I find this hilarious, if you figure out a way to change my flight plan do you really think that's going to prevent me from getting to where I plan to go? Plus this information is verified when I activate the plan, I can terminate and reactivate in the middle of a flight if I feel like it.
  • Name
    What a load of $hit.

    First, it costs a lot of $$$ to get a medical. You'd have to coordinate hundreds and hundreds of people to either spend money on an unnecessary medical certificate (which leaves a paper trail regardless of fake ID usage) to all file flight plans at the same time which will cause nothing other than annoyance to controllers who will just see a bunch of flight strips for planes that don't exist/will never depart.

    They all get pitched once they get 2 hours past their P-time anyway. You aren't going to bring anything down by filing a flight plan, and you certainly aren't going to change any active flight plans like this.
  • test
    I'm a pilot and this doesn't make any sense. How does my being able to submit a flight plan affect your flight plan on file? Other than the possibility of submitting too many flight plans, I suppose, but this certainly wouldn't have any effect at all on aircraft in flight. Even in the event of a flight plan at ATC being lost, a pilot would just continue flying wherever he'd planned to fly. And ATC can continue providing separation services.

    Either this talk or the summary of it is ridiculous.
  • It also costs a lot of money to go to flight school. Yet I recall 4 teams of disgruntled Saudis who did just that, and changed the world on 11/Sept/01. "all" they did was bring box cutters aboard routine commercial flights.

    This chap is exposing a weakness. Saying "it'd be work to exploit it" doesn't mean it isn't a security hole worth closing.
  • Ann Imus
    Let's agree that the article is crapola. Fine, but think broader will you? There are numerous security holes in our system. Many of you know them. The question is how can we help FAA (ATC especially) fix them, understanding that government is woefully slow. I mean upgrades by 2010? More like 2014 after loads of comment periods and glitches.

    I'm glad more specifics weren't given. The Telnet thing for example - and FTP in some cases. These could be extremely problematic if compromised. And recall that the butterfly effect could result in an airline or two going out of business due to extremely thin margins, or passengers being stuck on runways for hours. A small disruption could have long term consequences.

    Would you prefer he talked about the other vulnerabilities like jamming radar or stopping COMs? Give the guy a break - and credit for some restraint.

    - Ann
  • I'm also a pilot and I agree completely with Ann. Dean's article is newsworthy and presents a whole new area of vulnerability. I agree with you guys that the flight plan DOS attack scenario is not an actual threat, but it IS suggestive, as Ann says, of a system slowdown and small disruptions, which shouldn't be tolerated. And that is valuable news.

    Dean, we pilots are a sensitive bunch because the MSM does a lot of sensationalizing of aircraft incidents. You did a great job in this article uncovering an area of potential vulnerability in the FAA infrastructure which I think few people have considered. The other pilots here are worried that this would be perceived by the public as yet another reason to fear small airplanes. Though this has ameliorated over the years, small aircraft were practically considered to be the same public safety issue as walking around with a machine gun.

    FAA is a notoriously inefficient agency, always complaining of a lack of funds even though new systems are so much cheaper than the old stuff. There are many other vulnerable areas within this network that come to mind. But dramatically different are the private firms behind aircraft technology and pilot proficiency, like Garmin, FlightSafety etc.; letting small aircraft run navigational systems that are beyond the capabilities of a 747 just a few years ago.

    We all know how quickly a private technology firm responds after getting hacked. Would the FAA?
  • DM
    I'm laughing... and this is why.

    A couple of points for everyone to gather:

    1) It would be absolutely illegal either by hacking or trying to hack (bypass security controls or lack thereof) a government entity (and presenting on it would be akin to a full confession of a felony)

    2) It would be violation of NDA and in cases where sensitive information is classified, by broadcasting information unless it's already public (maybe shouldn't be) in some other form (GAO report, or entity specific declassified report)

    3) Regardless of the presenter's understanding of impact of what could be done with various vulnerabilities, he could have missed something, e.g. if it's real and vulnerable, thanks for directing potential threats (organized crime, terrorists and state sanctioned cyber-warfare to these potential vulnerabilities...)

    4) Did the presenter do this on his own time or with "assessment" contract with the FAA? Did they give permission to disclose? Any assessment by any contract results in the same specific truth, the client owns the vulnerability data and release of that data is in violation of any need-to-know.. again the presenter would be in the wrong without a release. Or did the FAA fix them all, already...

    5) Arguably the system could be perfectly secure and the FAA is allowing this presenter to provide disinformation (welcome to the age of Information Warfare)

    6) Since it would be illegal to verify the findings as a third-party without contract to the FAA or oversight agency in regards to security this report is useless by anyone except FAA (and the presenter must know they have red teams doing reviews) and their red teams, or external threats

    This is another example of why even a partial disclosure to the public, more specifically, the vast public that are enemies of the U.S. is not beneficial to this country. By someone "trying to.. do the right thing?".

    The sensationalism that is "we hacked in" being presented only services 3 purposes:

    1) Get the hacker that did the work to speak and get media (which in security means you get money, better jobs, book deals, etc.)

    2) Scares the public for items that may be actually real

    3) Provides valuable FREE intelligence to threats of U.S. security

    Finally, if you had found problems, worked with FAA to fix them and presented on "How we are making the FAA secure, successes and speed bumps." Now that would be a great presentation. The rest of this is either information warfare or the presenter is naive.
  • The Gnome
    DM, I'm laughing at you.
  • Flying Guy
    Some of you guys missed the point of the Defcon talk. The idea is if one could find a way as an authenticated user to the "duat.com" or "duats.com" web sites to submit many many flight plans. Maybe an application vulnerability on one of those two web sites. One could inject many false flight plans into the ATC computer network. These false flight plans could slow down or stop real planes from getting flight plans and stop planes from taking off. Oh, also you need to read "ATC_web_report.pdf" the FAA's review of Web Application Security. The FAA has already found many vulnerabilities in the FAA's web applications. The getting a medical cert is just one way to be an authenticated user on the duat or duats site. Maybe, there is some other way to gain access?
  • Schwinkle
    Dude. Forget the web site. We're talking 1983 here -- TELNET.

    How 'bout you just walk into the contractor facility (at the address listed on the page), find a network drop and connect to it, and proceed to capture all telnet traffic to 131.131.7.106, moving from drop to drop until you do get something? Yeah, maybe a slight over-simplification, but not far off. Then you could have some "fun", eh? WTF, OVER!?!?
  • Flying Guy
    Search and read the report. See if you can find the sensitive FAA info that was leaked by the FAA.

    REVIEW OF WEB APPLICATIONS SECURITY
    AND INTRUSION DETECTION
    IN AIR TRAFFIC CONTROL SYSTEMS
    Federal Aviation Administration
    Report Number: FI-2009-049
    Date Issued: May 4, 2009
  • Name
    This report was not issued by FAA. Rather, it was the audit report issued by Office of Inspector General, US Department of Transportation--a watchdog at US DOT.
  • Sounds pretty sensationalist