Obscurity is not Security: Insurgents Hack U.S. Drones

A word of caution to my fellow developers: if you think your software is secure because it's obscure enough that nobody would bother to hack it, then you might be in for an unhappy surprise.

Case In Point

According to the Wall Street Journal, Department of Defense officials have admitted that video feeds from Predator surveillance drones were routinely intercepted by insurgents/terrorists/disgruntled public servants in Iraq.

Perhaps it would all make for a better story if I could tell you that it involved a vast conspiracy with ex-KGB agents using supercomputers hidden in bunkers under the Urals to crack the video's NSA-level COSMIC Top Secret encryption while George Clooney ran interference with the press... but unfortunately, real life is slightly less dramatic. The UAVs streamed the video in unencrypted form which required a farcical level of effort/skill to steal (think grade 6 computer class).

From the WSJ article:

The potential drone vulnerability lies in an unencrypted downlink between the unmanned craft and ground control. The U.S. government has known about the flaw since the U.S. campaign in Bosnia in the 1990s, current and former officials said. But the Pentagon assumed local adversaries wouldn't know how to exploit it, the officials said. (emphasis added)

This amateurish blunder made it possible for a rag-tag assemblage of battle-weary Islamists to intercept the feeds using a "commercial off the shelf" (COTS) satellite video capture tool, SkyGrabber (MSRP: $25 US) and laptops. The minimal effort it took probably didn't even distract them from their day job manufacturing IEDs and blowing up innocents.

The military remained unaware of the practice up until a laptop was captured and Military Intelligence discovered intercepted video on the hard drive. (I'm frankly surprised it didn't show up on YouTube.)

The Lesson: Obscurity is not Security

I'm making a little light of this since it is unlikely that the video was of much use to the jihadists, but it really isn't a laughing matter. If you're ever tasked with developing software for a $3+ million unmanned aerial vehicle (AUV), please pay attention to details because somebody very dangerous surely is. When that happens, people usually die.

Here's hoping some heads will roll because "incompetence" isn't strong enough a word.

Further reading

• The original piece from the Wall Street Journal
• Wikipedia article on Security through Obscurity

(P.S. Am I the only one thinking that the ChiComms are laughing their butts off over this?)

[Cross-posted at http:/blogs.4point.com/taylor.bastien]

VacuumTube: The YouTube downloader

A couple of months ago, I was given an iPod Touch. It is, quite simply, an amazing device (posts on that surely to follow). Part of the coolness of an iDevice is that it allows you to stream YouTube video in h.264 format (and not the usual FLV/FlashVideo format that other browsers see). Unfortunately, if you don't want to run up your iPhone data plan costs or, like me, ride the bus a lot, then being able to download YouTube vids while on WiFi for viewing later would be a godsend.

Enter VacuumTube

Well, I saw a need and filled it. Here is VacuumTube, a YouTube browser/downloader written in Flex and run in AIR, the Adobe Integrated Runtime.

The main part of this exercise was to allow me to watch videos on my long and tedious bus treks, the other was to demonstrate just how quickly I could create an Internets-aware application in AIR that provides a usable (if simple) interface. It took me, all told, around 5 hours to make, including subsequent bug fixes.

Be forewarned

Using this tool will contravene YouTube's "Terms of Service" agreement, which states that you may access User Submissions solely for Streaming.

I wrote this as an experiment more than anything, so please don't abuse it. In fact, I debated whether or not to even post it to the public for this very reason. I provide no warranty, express or implied that VacuumTube will still be working by the time you download it. YouTube already changed their code once on me, making VacuumTube useless (a fix was ready after maybe an hour of coding).

How Was it Done?

AIR provides UI components that leverage the open source WebKit for rendering HTML and handling JavaScript (see here). I basically leveraged that provided foundation to create a custom browser that provides special functionality that invokes the existing YouTube scripting.

For those who are paying attention/care, vanilla Flex provides a means of interacting with the HTML document that wraps around the Flash plug-in in which the executable SWF is running. AIR, on the other hand, provides a means of rendering HTML inside the actual application (there is no wrapper for AIR, it is a desktop app, after all).

What does it prove?

That Flex/AIR are indeed incredibly well suited for developing networked RIAs with rich UIs in very little time (like I said previously: around 5 hours total). Also, that they interact well with Javascript outside (Flex) or inside (AIR) the application.

Enjoy the app and please leave a comment with your impressions.

Download VacuumTube. Right-click and select "Save Link As" or equivalent. When I have time, I'll create an AIR installer badge to make this simpler and prettier...

First things first...

Well, after much procrastination, here is my personal blog. It's been a long tine coming, so it's a relief getting it out of the way. What's fun is that I can post to this using my iPod, which exponentially increases the probability of pointless posts and other brain spam.

At minimum, I know that my sister Alison and mom will be proud.

So please stay tuned, there'll surely be more to come.

- Posted using my iPod Touch