FAA Chooses “Security Through Obscurity” For New Air Traffic Control System, Still Gets Hacked

There’s a fascinating, and deeply troubling, report on NPR today about the FAA’s new air traffic control system:

The new system is called the Next Generation Air Transportation System, or NextGen. It will be highly automated. It will rely on GPS instead of radar to locate planes, and it is designed to allow air traffic controllers and pilots to pack more planes, helicopters and eventually drones into our skies.

The trouble is that NextGen can be (and has been) hacked, even before it’s been formally rolled out.  According to the NPR report, the FAA’s response to this hacking has been quite mild:

Until now the FAA has been reluctant to respond. It hasn’t released data from its own security test, and the agency’s initial response both to the Air Force paper and the more recent hacks has been muted.

Initially the agency released a one-paragraph statement that said in part, “An FAA ADS-B security action plan identified and mitigated risks and monitors the progress of corrective action. These risks are security sensitive and are not publicly available.”

Is the FAA going about this the right way?  Wouldn’t it be more prudent (albeit less conservative) to release a beta version of the system to the public before rolling it out for use and invite hackers to test it, and then roll out an alpha version with patches to fix its holes?  After all, the hackers are going to test it once it’s released.  They’re already hacking GPS.  I’d rather have the security tightened up before it’s guiding my flight from Boston to San Francisco.

Leave a Reply

Your email address will not be published. Required fields are marked *