December 2009 Archives

Obscurity is not Security: Insurgents Hack U.S. Drones

| No Comments
[Update:The security vulnerability has been fixed]

A word of caution to my fellow developers: if you think your software is secure because it's obscure enough that nobody would bother to hack it, then you might be in for an unhappy surprise.

Case In Point
Predator drone firing a Hellfire missile
(source: US Air Force)

According to the Wall Street Journal and a follow-up report from l'Agence France Presse, Department of Defense officials have admitted that video feeds from Predator surveillance drones were routinely intercepted by "Iranian-backed insurgents" in Iraq and Al-Qaeda members in Afghanistan.

Perhaps it would all make for a better story if I could tell you that it required a vast conspiracy of ex-KGB agents using supercomputers hidden in bunkers under the Urals to crack the video's NSA-level COSMIC Top Secret encryption, but unfortunately, real life is slightly less dramatic (and much more deadly). The UAVs streamed the video in an unencrypted form, making it possible for a rag-tag assemblage of insurgents often with no access to the Internet to intercept the feeds using a "commercial off the shelf" (COTS) satellite video capture tool, SkyGrabber (MSRP: $25 US) and laptops. The minimal effort it took probably didn't even distract them from their day job manufacturing IEDs and blowing up innocents.

From the WSJ article:

The potential drone vulnerability lies in an unencrypted downlink between the unmanned craft and ground control. The U.S. government has known about the flaw since the U.S. campaign in Bosnia in the 1990s, current and former officials said. But the Pentagon assumed local adversaries wouldn't know how to exploit it, the officials said. (emphasis added)

The military remained unaware of the practice up until a laptop belonging to an "Iranian-backed Shiite militant" was captured on which Military Intelligence discovered intercepted video footage. (I'm frankly surprised it didn't show up on YouTube.)

The Lesson: Obscurity is not Security

It is supposedly unlikely that the video was of much use to the extremists and while the whole story seems a little ridiculous, it surely is no laughing matter. Here's hoping some heads will roll because "incompetence" isn't strong enough a word.

As software developers, we're usually required to think about security as a key requirement of any system. However, when you're tasked with developing software for a $3+ million unmanned aerial vehicle (UAV), you'd better pay attention to these "details" because somebody very dangerous surely is. When that happens, it's a whole lot more than just data you're protecting.

Further reading

About this Archive

This page is an archive of entries from December 2009 listed from newest to oldest.

November 2009 is the previous archive.

January 2010 is the next archive.

Find recent content on the main index or look in the archives to find all content.