Recurring |
one_organization, multiple_organization |
(a) The software failure incident related to taking control of an airplane in flight due to security flaws in the FAA's communications software has happened again within the same organization. Brad Haines, a hacker, made similar claims about the flaws in the FAA's software almost a year before the Spanish researcher, Hugo Teso, claimed to have control of an airplane using an Android app [18282].
(b) The software failure incident related to potential hacker attacks on the NextGen air traffic control system has raised concerns about similar flaws existing in the new system being built to replace the old one. Brad Haines, in his presentation at the Infiltrate hacker conference, revealed that the NextGen system may have the same flaw that Teso's Android app exposed: location data passed between planes and control towers is unencrypted and unauthenticated, leaving it vulnerable to potential attacks [18282]. |
Phase (Design/Operation) |
design, operation |
(a) The software failure incident related to the design phase is evident in the article. The NextGen system, which is being developed to replace the current air traffic control system, may contain flaws similar to those exposed by the Spanish researcher's Android app. Specifically, the location data being passed between planes and control towers in the NextGen system is unencrypted and unauthenticated, leaving it vulnerable to potential hacker attacks [18282].
(b) The software failure incident related to the operation phase is also highlighted in the article. The article mentions that anyone with inexpensive gear can influence the data that shows up on screens, adding false flights and creating chaos. This indicates a failure in the operation of the system, allowing external entities to manipulate the information being transmitted [18282]. |
Boundary (Internal/External) |
within_system |
(a) within_system: The software failure incident discussed in the articles is primarily within the system. The security flaws in the FAA's 25-year-old communications software, as well as potential flaws in the NextGen system being built to replace it, are highlighted as contributing factors to the vulnerability of the air traffic control system [18282]. The unencrypted and unauthenticated location data being passed between planes and control towers is a key aspect of the software failure incident, indicating internal system weaknesses that could be exploited by hackers [18282]. The ease with which the researchers were able to influence the data and create chaos further emphasizes the internal system vulnerabilities [18282]. |
Nature (Human/Non-human) |
non-human_actions, human_actions |
(a) The software failure incident related to non-human actions:
The software failure incident discussed in the articles is primarily due to security flaws in the FAA's 25-year-old communications software and potential vulnerabilities in the NextGen air traffic control system. These flaws include unencrypted and unauthenticated location data being passed between planes and control towers, leaving them open to potential hacker attacks [18282].
(b) The software failure incident related to human actions:
Human actions also play a role in this software failure incident. The article mentions a Spanish researcher, Hugo Teso, who claimed that a simple Android app could take control of an airplane in flight due to security flaws in the FAA's communications software. Additionally, hacker Brad Haines highlighted potential vulnerabilities in the NextGen air traffic control system, indicating that human actions in designing and implementing these systems could contribute to the failure [18282]. |
Dimension (Hardware/Software) |
hardware, software |
(a) The software failure incident related to hardware:
- The article mentions that the NextGen system, which is intended to help the FAA keep tabs on every plane in flight, uses GPS data rather than traditional radar. This shift to GPS data is a hardware-related change as it involves the use of new technology for tracking planes [18282].
(b) The software failure incident related to software:
- The software failure incident in this case is primarily related to security flaws in the FAA's 25-year-old communications software, as highlighted by the Spanish researcher and the hacker. The flaws in the software allowed for potential hacker attacks and manipulation of location data between planes and control towers [18282]. |
Objective (Malicious/Non-malicious) |
malicious |
(a) The software failure incident discussed in the articles is related to a malicious objective. The incident involves security flaws in the FAA's communications software that could potentially allow individuals to take control of an airplane in flight. The Spanish researcher, Hugo Teso, and hacker Brad Haines highlighted vulnerabilities in the system that could be exploited for malicious purposes. Haines demonstrated how the NextGen air traffic control system, intended to replace the existing system, may also be vulnerable to attacks that could lead to chaos and potential harm [18282]. The focus is on identifying and exploiting weaknesses in the system for unauthorized access and manipulation, indicating a malicious intent behind the software failure incident. |
Intent (Poor/Accidental Decisions) |
poor_decisions |
(a) The intent of the software failure incident related to poor_decisions:
- The software failure incident related to poor decisions is highlighted in the article where it discusses the security flaws in the FAA's 25-year-old communications software that could potentially allow someone to take control of an airplane in flight [18282].
- The article mentions that the NextGen system, intended to replace the old software, may also have similar flaws, indicating a poor decision in the design and implementation of the new software [18282].
(b) The intent of the software failure incident related to accidental_decisions:
- The software failure incident does not seem to be related to accidental decisions or unintended mistakes. Instead, it primarily focuses on the deliberate actions of hackers exploiting security flaws in the software [18282].
- The actions taken by the hacker and the researcher were intentional and aimed at demonstrating vulnerabilities in the software rather than accidental decisions leading to the failure [18282]. |
Capability (Incompetence/Accidental) |
development_incompetence, unknown |
(a) The software failure incident related to development incompetence is evident in the article as it discusses security flaws in the FAA's 25-year-old communications software that could potentially allow a hacker to take control of an airplane in flight [18282]. Additionally, the article highlights concerns raised by hacker Brad Haines regarding the next-generation air traffic control system being built to replace the old software, suggesting that the new system may also be flawed due to lack of proper mitigation strategies by the FAA [18282].
(b) The software failure incident related to accidental factors is not explicitly mentioned in the provided article. |
Duration |
permanent |
(a) The software failure incident discussed in the articles appears to be permanent in nature. The articles highlight security flaws in the FAA's communications software that have been present for 25 years and are still being addressed in the next-generation software like the NextGen system. The vulnerabilities in the software, such as unencrypted and unauthenticated location data being passed between planes and control towers, indicate a long-standing issue that requires significant changes to mitigate. Additionally, the concerns raised by the hacker about the potential for attacks and chaos due to these flaws suggest a persistent and ongoing risk [18282]. |
Behaviour |
omission, byzantine, other |
(a) crash: The articles do not mention a specific instance of the software crashing and losing state, resulting in the system not performing any of its intended functions.
(b) omission: The articles discuss potential failures where the system omits to perform its intended functions, particularly in terms of unencrypted and unauthenticated location data being passed between planes and control towers, leaving them open to potential hacker attacks [18282].
(c) timing: There is no specific mention of a failure related to the system performing its intended functions correctly but at the wrong time.
(d) value: The articles do not provide information about the system performing its intended functions incorrectly in terms of providing incorrect values.
(e) byzantine: The potential failure discussed in the articles relates to the system behaving erroneously with inconsistent responses and interactions, particularly in terms of allowing anyone with inexpensive gear to influence data, adding false flights to screens, and creating chaos [18282].
(f) other: The behavior of the software failure incident described in the articles includes vulnerabilities in the system that could potentially lead to unauthorized access and manipulation of critical flight data, posing significant risks to air traffic control systems [18282]. |