FAA Employees Describe Security Flaws

Oct. 16, 2000 -- Federal officials have criticized security at the Federal Aviation Administration, but former and current FAA systems administrators tell ABCNEWS.com the problem is even worse than has been admitted, and almost anyone with a little technical savvy could break into the system and shut down radar at major air hubs around the nation.

The administrators say that with an ordinary home computer, a few freely available programs and the right password, anyone could dial into a secure FAA maintenance system. Once inside, they would have access to the computers that are used to control airport radar systems.

What’s more, thousands of unsecured laptops used by FAA employees, some pre-programmed with important passwords, could provide the wrong people with shortcuts into the system if they were lost or stolen, the administrators said.

“If this thing fell into the wrong hands, a terrorist could really do some damage,” retired FAA administrator Norm Haase said.

A report from the congressional General Accounting Office, released Sept. 27, condemned the FAA for having lousy security and hinted at the potential for computer break-ins. The administrators gave clear details — and explained how easy it really is to wreak havoc on FAA systems.

Security experts, including notorious reformed computer criminal Kevin Mitnick, agreed with the administrators’ assessment and said they could probably break into an air traffic Maintenance Control System in anywhere from five minutes to a week, given the security structure the administrators described.

An FAA spokeswoman said the agency couldn’t talk about specifics, but that it was aware of the security flaws and was working to fix them.

“Potential areas of vulnerability in the MCS … have been identified, with the appropriate security countermeasures implemented,” Tammy Jones said.

But the GAO report said the FAA has a poor track record on following its own security policies, saying the agency has made “little progress” swatting “known, exploitable bugs” and that two out of three systems tested for hack-ability a year ago have yet to be fixed.

And the system is vulnerable from the inside as well. The agency never updated its security regime after a 1996 reorganization, leaving many employees with greater access than they should have, administrators said.

Open Access

Administrators need to get to their maintenance systems 24 hours a day, often from home — for instance, to fix urgent system problems that come up in the middle of the night. If the remote access were secure, it wouldn’t be a problem, experts said.

But the systems use unencrypted connections over public phone lines. That means any hacker can get in with a “war dialer” (an early-1980s piece of software that dials a lot of phone numbers, searching for computer modem tones), the right passwords, and an obscure but free program for connecting to mainframes. It would be the same sort of attack that hackers have used repeatedly to compromise numerous corporate computer systems, as well as some in government.

The laptops make break-ins even easier, and more than 3,700 have been distributed nationwide, according to Haase. Some have pre-programmed phone numbers and passwords for various FAA systems, many with passwords for the MCS. Some, he said, have already been lost.

The laptops don’t have to be stolen, said Jim Jones, director of response services for computer security firm Global Integrity. As they’re also used for private e-mail, a Trojan Horse program could be sent through e-mail, which would redirect passwords and phone numbers into the wrong hands.

Gaining Control

The maintenance systems, known as the Maintenance Management System and the Monitor Control System, allow administrators to shut down, restart and reorient the radars and instruments that feed into air traffic controllers’ screens.

“You can’t access ATC command stations remotely, but you can screw up the data going into them,” Haase said.

The dial-up systems don’t encrypt their data; encryption would prevent passwords from being stolen through wiretaps. Encrypting the laptop hard drives would make them useless to unauthorized users, and the FAA had a plan to do that but hasn’t followed through, Haase said.

The systems aren’t classified, either, so they don’t have to conform to regulations on classified data.

The agency owns “dialback” modems which only accept calls from pre-screened phone numbers, but doesn’t use them much.

“I won’t say that they used them, but they were there,” another retired FAA administrator said.

Fortunately, there’s no firm evidence that hackers have ever broken into critical FAA systems, though a Colorado teenager hacked into agency mail and Web servers last year. Few hackers are familiar with the FAA’s mainframes, and administrators said fewer are interested in breaking into a low-profile system that isn’t connected to the Internet.

Hack Attacks

Mitnick, a reformed ex-computer criminal who now speaks on computer security issues, said someone with his skills would have no problem breaking into the FAA’s system.

A break-in artist could use a war dialer to find the right phone number and smooth talk to trick users into revealing passwords, or could reroute the phone number to a decoy system which would appear to be the real one, but would just capture passwords.

“I could have a valid user name and password in less than five minutes,” he said.

The central problem is that the systems are accessible through public phone lines, he said.

Bob Miller, deputy director of the federal Critical Infrastructure Assurance Center, said the FAA’s security was no worse than that of many major corporations.

Personnel Problems

Even if outsiders don’t crack into FAA systems, security within the agency is lax, administrators said.

“It’s the insider threat that worries most of the security people” in government, said Miller.

The GAO report said the FAA hadn’t done background checks on many employees and contractors — including Chinese nationals hired as part of the effort to head off the Y2K bug, and “penetration testers” who were assigned to break into sensitive systems and diagnose security flaws.

A current FAA computer system administrator who did not want to be identified said that after a reorganization in 1996, many employees were left with security levels much higher than necessary — levels that could allow them to access personal data about other employees, or systems they don’t necessarily supervise.

“They can look at personnel records for anybody across the whole maintenance organization,” he said.

The administrator also backed up the GAO report’s conclusion that FAA employees haven’t been properly trained on computer security, violating an FAA policy.

“Security varies widely from one place to another,” he said.

Denying Knowledge

At a hearing before the House Science Committee last week, FAA head Jane Garvey said she hadn’t known about the agency’s security problems until the GAO brought them up, and that the agency was working on them.

But the FAA administrators disagreed: they said they’d brought various concerns to higher-ups as far back as 1996.

“I specifically, for the last four years or more, have been screaming and hollering about computer security and the access problems,” Haase said.

Science committee chairman Jim Sensenbrenner, R-Wis., said the FAA has had to be brought into security awareness “kicking and screaming” — but that the final responsibility for safety lies with the agency.

“It is your job to be proactive on this,” he told Garvey.

FAA spokeswoman Jones said the agency is fixing the security holes. But one current FAA system administrator is still worried.

“The FAA has this wonderful mentality of not reacting to something until it’s already happened,” he said. “Until there is some kind of incident, they don’t tend to be genuinely proactive.”