Control panels for lights placed on tall structures to warn airplanes not to hit them were exposed to the open internet, meaning hackers could have turned the lights off.
The news highlights how sensitive systems intended only for internal use by a certain team of people can accidentally be exposed to the wider internet, including those with malicious intent.
"I was thinking that this is something that can impact directly [lives] of people, by interfering with air traffic," Amitay Dan, an independent security researcher who discovered the issue, said in an online chat.
The issue was with "obstruction lighting" designed to alert aircraft to obstacles. Dan found at least 46 control panels online for light systems, including in Baltimore; Tuscola, IL; Decatur, TX; as well as Ontario in Canada, according to a list of IP addresses and other details he provided to Motherboard. The names of the systems' locations suggest some of the systems could have controlled lighting on tall cell phone towers.
One panel Dan showed Motherboard included controls such as "Force Day, "Force Twilight," and "Force Night."
Dan used a computer search engine to find the exposed systems, according to the original Federal Aviation Administration (FAA) disclosure email that Dan sent to the agency. Dan shared some of his correspondence with the FAA and the company that makes the light systems, called Dialight, with Motherboard.
"It appears that this vulnerability allows users to access the control panel of the Obstruction Light Control system, and provides controls to change the intensity of the light fixtures, turn them on, and turn them off," an FAA official wrote in a letter as part of the vulnerability disclosure process.
Do you know about another security incident? We'd love to hear from you. Using a non-work phone or computer, you can contact Joseph Cox securely on Signal on +44 20 8133 5190, Wickr on josephcox, OTR chat on firstname.lastname@example.org, or email email@example.com.
Dan said he warned the FAA and Dialight of the issue in May and August.
Motherboard first approached the FAA for comment on August 22. At the time, the FAA said that the agency's tall-structure lighting and marking guidance were only recommendations, and that the FAA does not have the authority to require operators of the structures to mark them. The FAA said it was looking into the reports, though.
The agency, seeing a serious issue, did take the problem under its wing, according to a letter sent by the FAA to Dan dated November 18.
"The FAA does not generally govern accessibility and the security of non-federal obstruction lighting systems, however, this vulnerability does create a safety concern that the FAA agrees should be addressed," the letter reads. The letter says a senior FAA employee replicated the issue and warned a contact at Dialight, who then assembled a team to address the problem. Dialight identified all of their impacted customers, and are assisting with fixes, the letter adds.
"They have also implemented security credentials for all new products so that problem does not happen again," the letter reads. A second letter, this time written by Dialight itself and addressed to Dan, corroborated that product update.
A Dialight spokesperson told Motherboard in an email, "Dialight can confirm that we have been made aware of the issue of certain customers not using our tower monitoring hardware within their secure networks by the FAA. This is an isolated situation affecting only the tower monitoring system. At this time we can report that the issue is contained. We have notified these customers and helped guide them on properly securing their systems."
The FAA responded to a new request for comment sent this week, but did not provide a statement in time for publication.
Subscribe to our cybersecurity podcast, CYBER.