The independent researcher Amitay Dan discovered that control panels for aircraft warning lights were exposed to the Internet, potentially allowing attackers to control them with unpredictable and catastrophic consequences.
Aircraft warning lights are important components of aviation, they facilitate the airplanes in tracking obstacles and show them the path to follow.
Amitay Dan discovered some vulnerabilities that could be exploited to access the control system of the aircraft warning lights.
The control systems are used to modify the intensity of the light fixtures.
“I was thinking that this is something that can impact directly [lives] of people, by interfering with air traffic,” Amitay Dan told Motherboard.
The vulnerabilities affected the “obstruction lighting” that allows alerting aircraft of the presence of obstacles. The researchers discovered at least 46 control panels exposed online, including in Baltimore; Tuscola, IL; Decatur, TX and Ontario in Canada. The expert believes that some of the lights he discovered exposed online were installed on tall cell phone towers.
“One panel Dan showed Motherboard included controls such as “Force Day, “Force Twilight,” and “Force Night.”” reads the post published by Motherboard.
“Dan used a computer search engine to find the exposed systems, according to the original Federal Aviation Administration (FAA) disclosure email that Dan sent to the agency.”
On May first, and later in August, the expert shared his findings with the FAA and the vendor of aircraft warning lights, the company Dialight.
“It appears that this vulnerability allows users to access the control panel of the Obstruction Light Control system, and provides controls to change the intensity of the light fixtures, turn them on, and turn them off,” reads a statement from the FAA.
When first reported to the FAA on August 22, the organization said that its
“The FAA does not generally govern accessibility and the security of non-federal obstruction lighting systems, however, this vulnerability does create a safety concern that the FAA agrees should be addressed,”
Urged by the FAA, Dialight identified impacted customers and helped them in fixing the issue.
“They have also implemented security credentials for all new products so that problem does not happen again,” the letter reads.
Dialight informed, via email, Dan that it has updated its products to solve the issues.
(SecurityAffairs – aircraft warning lights, hacking)