Friday, December 18, 2009

Obscurity is not Security: Insurgents Hack U.S. Drones

A word of caution to my fellow developers: if you think your software is secure because it's obscure enough that nobody would bother to hack it, then you might be in for an unhappy surprise.

Case In Point

According to the Wall Street Journal, Department of Defense officials have admitted that video feeds from Predator surveillance drones were routinely intercepted by insurgents/terrorists/disgruntled public servants in Iraq.

Perhaps it would all make for a better story if I could tell you that it involved a vast conspiracy with ex-KGB agents using supercomputers hidden in bunkers under the Urals to crack the video's NSA-level COSMIC Top Secret encryption while George Clooney ran interference with the press... but unfortunately, real life is slightly less dramatic. The UAVs streamed the video in unencrypted form which required a farcical level of effort/skill to steal (think grade 6 computer class).

From the WSJ article:

The potential drone vulnerability lies in an unencrypted downlink between the unmanned craft and ground control. The U.S. government has known about the flaw since the U.S. campaign in Bosnia in the 1990s, current and former officials said. But the Pentagon assumed local adversaries wouldn't know how to exploit it, the officials said. (emphasis added)

This amateurish blunder made it possible for a rag-tag assemblage of battle-weary Islamists to intercept the feeds using a "commercial off the shelf" (COTS) satellite video capture tool, SkyGrabber (MSRP: $25 US) and laptops. The minimal effort it took probably didn't even distract them from their day job manufacturing IEDs and blowing up innocents.

The military remained unaware of the practice up until a laptop was captured and Military Intelligence discovered intercepted video on the hard drive. (I'm frankly surprised it didn't show up on YouTube.)

The Lesson: Obscurity is not Security

I'm making a little light of this since it is unlikely that the video was of much use to the jihadists, but it really isn't a laughing matter. If you're ever tasked with developing software for a $3+ million unmanned aerial vehicle (AUV), please pay attention to details because somebody very dangerous surely is. When that happens, people usually die.

Here's hoping some heads will roll because "incompetence" isn't strong enough a word.

Further reading

(P.S. Am I the only one thinking that the ChiComms are laughing their butts off over this?)

No comments:

Post a Comment