Lights placed on tall structures so that planes see them – and don’t hit them – are vulnerable to hacking. They can be turned off. Remotely. Via the internet.
There hasn’t been an incident, but the vulnerability was uncovered by security researcher Amitay Dan and confirmed by an FAA official.
The issue was with “obstruction lighting” designed to alert aircraft to obstacles. Dan found at least 46 control panels online for light systems, including in Baltimore; Tuscola, IL; Decatur, TX; as well as Ontario in Canada, according to a list of IP addresses and other details he provided to Motherboard. The names of the systems’ locations suggest some of the systems could have controlled lighting on tall cell phone towers.
Credit: steven earnshaw via Wikimedia Commons
The FAA and Dialight, which manufactures systems that were discovered to be accessible via the open internet, were informed of the issue over the summer. According to the FAA, while they do “not generally govern accessibility and the security of non-federal obstruction lighting systems” they’ve taken on the issue because “this vulnerability does create a safety concern that the FAA agrees should be addressed.”
The FAA has worked with Dialight, which has identified the customers that have its lights and is “assisting with fixes.” In addition, Dialight’s new lights now require ‘security credentials’ which – while presumably hackable – at least require hacking to turn off maliciously.
(HT: David H.)
No need to worry, John McClane will save us if the lights go out.
Few pilots would plan to see and avoid structures solely based on their obstruction lighting. All visual and instrument charts include sector info that informs safe flying altitudes. Enroute, approach, and terminal radar controllers also deliver instructions that keep pilots away from terrain or obstruction dangers (yes, errors and exceptions can occur…but are unusual). Modern avionics suites also contain terrain and obstruction databases that will alert pilots if they’re at risk of collision with *known* hazards.
This is a safety issue for sure, but pales in comparison to say…hacking into and messing with the FAA’s digital systems or more clandestinely, hijacking radio frequencies and spoofing false ATC clearances.