A shortage of computer memory in the $2.4 billion air traffic control system, which arose while a U-2 spy plane flew over the southwestern US, caused LAX computers to crash and hundreds of flights to be delayed on April 30. “In theory, the same vulnerability could have been used by an attacker in a deliberate shut-down,” security experts told Reuters. Now that the “very basic limitation of the system” is known, experts have expressed concerns about aviation cyber attacks.
Lockheed Martin, which created the En Route Automation Modernization (ERAM) air traffic control system, claims it conducts “robust testing” on all its systems, yet the lack of altitude information in the U-2’s flight plan caused the automated system to cycle off and on trying to fix the error. After an air traffic controller entered an estimated 60,000 feet as the U-2’s altitude, the system attempted to calculate all possible flight paths in order to ensure the U-2 wasn’t on a crash course with other aircraft at much lower altitudes. That process, according to the FAA, “used a large amount of available memory and interrupted the computer’s other flight-processing functions.”
Lockheed Martin should have identified the “routine programming mistake” in testing before ERAM was deployed. “That’s when you put in values anywhere that a human could put in a number, like minus one [foot], or a million feet, to see what that would do,” explained Jeff Moss, founder of the Def Con and Black Hat security conferences and an advisor to DHS. While it may seem “logical to limit the amount of data associated with one flight plan, anything exceeding that amount should not be able to render the system useless.”
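The boundary-value testing Moss describes, and the principle that one oversized flight plan should be refused rather than stall everything else, can be sketched as follows. This is an added example, not ERAM or Lockheed Martin code; the limits, class names, callsigns and the cost model are all hypothetical.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed limits, for illustration only; not ERAM's real values.
MIN_ALT_FT, MAX_ALT_FT = 0, 100_000
MAX_COST_PER_PLAN = 10_000  # path comparisons allowed for one plan

class PlanRejected(Exception):
    """One flight plan is refused; processing of the others continues."""

@dataclass
class FlightPlan:
    callsign: str
    altitude_ft: Optional[int]  # None models a plan filed without altitude
    waypoints: int

def validate(plan: FlightPlan) -> None:
    if plan.altitude_ft is None:
        raise PlanRejected(f"{plan.callsign}: altitude missing")
    if not MIN_ALT_FT <= plan.altitude_ft <= MAX_ALT_FT:
        raise PlanRejected(f"{plan.callsign}: altitude {plan.altitude_ft} ft out of range")

def conflict_check_cost(plan, accepted):
    """Estimate the comparisons needed and refuse before doing the work."""
    validate(plan)
    cost = sum(plan.waypoints * other.waypoints for other in accepted)
    if cost > MAX_COST_PER_PLAN:
        raise PlanRejected(f"{plan.callsign}: cost {cost} exceeds budget")
    return cost

def process_all(plans):
    """Quarantine bad plans instead of letting one stall the whole queue."""
    accepted, rejected = [], []
    for plan in plans:
        try:
            conflict_check_cost(plan, accepted)
            accepted.append(plan)
        except PlanRejected as exc:
            rejected.append(str(exc))
    return [p.callsign for p in accepted], rejected

# Constructed sample input: boundary values of the kind Moss describes.
SAMPLE_PLANS = [
    FlightPlan("AAL1", 35_000, 10),
    FlightPlan("NOALT", None, 10),
    FlightPlan("NEG", -1, 10),
    FlightPlan("HIGH", 1_000_000, 10),
    FlightPlan("BIG", 60_000, 5_000),
    FlightPlan("DAL2", 60_000, 10),
]

if __name__ == "__main__":
    print(process_all(SAMPLE_PLANS))
```

The plan filed after the four rejected ones is still accepted, which is the property the April 30 failure lacked.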
The “new $40 billion air traffic control system, known as NextGen, which encompasses ERAM, including its reliance on Global Positioning System data that could be faked” is “very over-budget and behind schedule,” Moss told Reuters. It “doesn’t surprise me that it’s got some bugs – it’s the way it presented itself” that’s alarming. You can expect at least two upcoming Def Con talks to delve into exploiting weaknesses in the system.