Your tax dollars at work.

Insurgents Hack U.S. Drones

Militants in Iraq have used $26 off-the-shelf software to intercept live video feeds from U.S. Predator drones, potentially providing them with information they need to evade or monitor U.S. military operations.

Senior defense and intelligence officials said Iranian-backed insurgents intercepted the video feeds by taking advantage of an unprotected communications link in some of the remotely flown planes' systems. Shiite fighters in Iraq used software programs such as SkyGrabber -- available for as little as $25.95 on the Internet -- to regularly capture drone video feeds, according to a person familiar with reports on the matter.

The potential drone vulnerability lies in an unencrypted downlink between the unmanned craft and ground control. The U.S. government has known about the flaw since the U.S. campaign in Bosnia in the 1990s, current and former officials said. But the Pentagon assumed local adversaries wouldn't know how to exploit it, the officials said.

Today, the Air Force is buying hundreds of Reaper drones, a newer model, whose video feeds could be intercepted in much the same way as with the Predators, according to people familiar with the matter. A Reaper costs between $10 million and $12 million each and is faster and better armed than the Predator. General Atomics expects the Air Force to buy as many as 375 Reapers.

46 Responses:

  1. ciphergoth says:

    Amazing. The South Africans underestimated the Angolans in a similar way in the 80s - the Angolans successfully fooled their "identification friend-or-foe" system by relaying the challenge to South African aircraft on the ground, and passing back the reply. Security Engineering describes this as the "MiG-in-the-middle" attack.

    But at least the South Africans were using strong enough crypto that the Angolans had to relay it instead of crack it. Unbelievable that this stuff is in plaintext - how hard would it have been to encrypt it?

    • kaseijin says:

      The Security Engineering errata say the basic idea has been used elsewhere, but the South Africa-Angola story is apocryphal.

      • ciphergoth says:

        Ah, damn, that's such a good story too. And I can second the recommendation of R V Jones's "Most Secret War", which is a real mind-bender!

        • Yes, "Most Secret War" is very good. It doesn't go into as much detail as books written specifically about the Double Cross System, Enigma, Radar, the V weapons, or other secrets of WWII, but it's much better on the big picture and the process of military intelligence. Jones did something that we're still having to tell security researchers to do today - think like the enemy. Some of the best bits of "Most Secret War" are the excerpts of reports Jones wrote as if he were his hypothetical opposite number working in German military intelligence.

    • strspn says:

      Thank you for your request to export munitions. Per regulations, it is denied. Should you have any other common sense ideas to improve the efficacy of death machines attacking opium farmers, please contact your local reference desk. Thank you.

  2. The U.S. government has known about the flaw since the U.S. campaign in Bosnia in the 1990s, current and former officials said. But the Pentagon assumed local adversaries wouldn't know how to exploit it, the officials said.

    Someone's so fired right now.

    • lovingboth says:

      Bet they're not. Who could possibly have imagined that the enemies of the US weren't stupid?

      Just as one country's state airline is supposed to have improved its safety record by making the maintenance crews fly in the planes they were responsible for, people who commission military kit should be made to fight with it...

    • jsoursland says:

      In the world of government contractors, someone is so getting paid right now. "Oh, that. Well, pay us millions more and we'll resolve that with version 2.0!"

  3. netsharc says:

    Haha, wonderful! And because this is the military, the problem won't be fixed for another... 5 years at the most optimistic calculation?

    I imagine a military version of jwz, trying to talk to their supplier to patch this thing, running into so much red tape.

    So add another 3 years to that 5!

    Somehow this news delights me. I guess whatever helps the rebel alliance in their fight against the Empire.

    After reading the article.. the $26 is the price of the software? (You still need a PCI card that decodes satellite data). Sheesh, with piracy that cost can drop down to zero.

    • lionsphil says:

      Technically, it says that that's what the program costs, not what they actually paid.

      Given that the drones aren't going to be fixed in time, the best solution is clearly to spread Richard Stallman clones throughout the Shiite ranks, who will quickly veto the use of proprietary software and delay the interception for eight years while someone tries to get video working properly under Linux.

      • loic says:

        from that article:
        Predator drones are built by General Atomics Aeronautical Systems Inc. of San Diego. Some of its communications technology is proprietary, so widely used encryption systems aren't readily compatible, said people familiar with the matter.

        • oletheros says:

          which is why most dod engineering specification documents emphasize that proprietary standards are not preferred in technical solutions. some contracting officer didn't read the acquisition guidance close enough.

          • jsoursland says:

            Better yet! NATO STANAG 4586 specifies this kind of stuff very strictly. And the US armed forces have standardized upon JAUS for all non STANAG 4586 type systems. However, who actually implements these kinds of international standards?

            I should note that neither standard necessitates encryption, however encryption is recommended on the lower level networking. The aircraft in question are complete (non standards compliant) solutions and therefore don't have an underlying networking layer.

            • oletheros says:

              but the information systems should have gone through diacap certification prior to being fielded, especially for something that is slated for in-theater deployment. making sure that the enemy can't intercept your communications is part of the point of information assurance.

              • jsoursland says:

                The Predator predates DITSCAP, the predecessor to DIACAP, and was never subject to certification. And I believe that one of the goals of the Reaper (formerly called Predator B) is to be compatible with the existing system.

                • waider says:

                  Backward Compatibility: because you might upset that one guy who prefers tabs to spaces.

                • oletheros says:

                  i know getting an ato is a pain in the ass, but there's a reason that the security protocols exist. i find it astonishing that disa will chase down mhs applications that nobody uses for fisma violations, but nobody thought to examine the comm channel for a fielded product.

                  • it also bothers me when the fltaa can't get a goddamn contract with mfgs. it's inconceivable to me that nobody would want to embed dpoj in their drmtytujdgswjrdfygehvd.

                  • vanbeast says:

                    thank you. that is what I came here to say.

                  • oletheros says:

                    poke fun if you must, but working in a government environment sometimes sounds just like that. i've heard sentences that are 90% acronyms, held together mostly by little words.

                  • chrisbw says:

                    It makes me more than a little bit sad that I can read your acronym soup and know exactly what it means. Clearly, I need a new career.

                  • oletheros says:

                    why? from the amount of turnover we're experiencing, information assurance is a growth industry.

          • jakenelson says:

            Predators are purchased outside the normal acquisitions system. That's how they get them for $20M (original batch) or $10M (later batches) each. They determined that getting them through the usual channels would result in a cost of $100m+ each. (IIRC, going off memory here.)

            The acquisitions system is broken, but this is evidence that skipping it entirely is suboptimal as well.

            • oletheros says:

              yay military industrial complex!

              • jakenelson says:

                Heh, brings back a memory- at my previous job, doing warranty repair on communications hardware, I once, while taking apart a converter that Lockheed Martin had sent in for repair, joked to my coworkers that I was "disassembling the communications infrastructure of the military-industrial complex". Said coworkers were Lockheed shareholders, and were not terribly amused by this.

        • jwz says:

          I, for one, have complete faith that the control channel is properly encrypted. No really. I'm sure it is. It's proprietary and all.

          "U.S. officials say there is no evidence that militants were able to take control of the drones or otherwise interfere with their flights." No evidence they have chosen to declassify, of course.

      • cdavies says:

        So, your solution is to replace "join us now and free Iraq from the infidel invader" with "join us now and free the software"? I think I'd prefer the IEDs.

    • jwz says:

      Yes, I did love the implication that the insurgents ponied up that $26. Plus tax, presumably.

    • fgmr says:

      I imagine a military version of jwz

  4. beerfrick says:

    I wonder how long until they figure out they are controllable via telnet

  5. phoenixredux says:

    Are you frickin' kidding me?


    At this rate, our multi-billion dollar armed forces will be completely undone by a handful of guys with old laptops, a broadband connection, and a dot-matrix printout of the old Anarchist Cookbook.

  6. gfish says:

    If I may quote Hackers: Snoop onto them as they snoop onto us.

  7. edouardp says:

    Not my tax dollars, thankfully. Actually, 375 reapers at $10 million a pop adds up to about 8 times the total military expenditure of my country.

    Remember - it's not just international disputes that can be solved through force; interpersonal disputes can also be solved through violence!

    Also, nice work there on the "Iranian-backed insurgents" - always keep on message, even when describing your fuck-ups. "We have always been at war with Eurasia Iran".

    • strspn says:

      Thank you for your suggestion that it is possible for any country to have a military budget of less than $4 billion dollars. This is incompatible with Martin Lockheed RAND Satan General Dynamics estimates, so we are unable to make use of it at this time. Should you have any further ideas which could serve to limit the size of government spending and/or the military-industrial complex, please contact your local white collar welfare queen union. Thanks for your understanding.

      P.S. We are trapped in here, please send invasion forces.

  8. artkiver says:

    These kinds of things have happened before:

    Maybe it's counterintelligence to throw people off the scent of real operations! I mean, it's certainly counter to intelligent means of transmitting data.

  9. _candide_ says:

    Well, considering that this was reported in the Wall Street Journal, which is now owned by Rupert Murdoch (yes, the same person that owns Faux News), I consider its veracity suspect. I'll believe it when I hear separate, independent verification of it on, say, the BBC or Deutsche Welle.

  10. kou says:

    According to the news articles, the announcement today is that the problem has been fixed. Though in this article the phrasing, "working to encrypt" and "upgrading the encryption" is ambiguous on whether the signal was plaintext or had a bad crypto implementation; an unverifiable public comment by "Normbc9" on the page asserts that "there had to be some serious internal leaks" on this.

    It seems though the "proprietary communications standards" quoted are standard enough to be decoded by off the shelf software. Ironically, a video system that was truly proprietary might have actually offered better obfuscation and slowed attackers down. Mangle the colorspace, encode the video using e.g. CMYK, Adobe RGB, with multichannel DTS and you won't get VideoLAN to play it anytime soon :D.