A US government audit has found more than 760 high-risk vulnerabilities in web applications used to support Air Traffic Control operations around the country.
The flaws, which were discovered in 70 web applications tied to ATC operations, give attackers a way to gain access not just to underlying web servers but potentially to other more critical backend systems, the report from the US Department of Transportation's Office of Inspector General noted.
The report stemmed from a request by US Reps John Mica (R-Fla.) and Tom Petri (R-Wis.), ranking minority members of the Aviation Subcommittee of the House Committee on Transportation and Infrastructure. It is based on an audit of web application security controls and intrusion detection capabilities in air traffic control systems.
The audit identified more than 3,850 vulnerabilities in 70 web applications, half of which were public-facing, such as applications used to disseminate information to the public over the Internet, including communications frequencies for pilots and controllers.
More than 760 of the vulnerabilities were identified as high-risk and could allow attackers to access data and remotely execute malicious code and commands on critical systems.
About 500 of the vulnerabilities were rated as medium-risk and the rest were rated as low-risk. According to the OIG, medium- and low-risk vulnerabilities could allow attackers to glean important information, such as system or network configuration data, that could later be used in crafting an attack.
The audit was conducted under contract for the Office of Inspector General Calvin Scovel by the consulting firm KPMG.