[Update:The security vulnerability has been fixed]
A word of caution to my fellow developers: if you think your software is secure because it's obscure enough that nobody would bother to hack it, then you might be in for an unhappy surprise.
Case In Point
 |
Predator drone firing a Hellfire missile (source: US Air Force) |
According to the Wall Street Journal and a follow-up report from l'Agence France Presse, Department of Defense officials have admitted that video feeds from Predator surveillance drones were routinely intercepted by "Iranian-backed insurgents" in Iraq and Al-Qaeda members in Afghanistan.
Perhaps it would all make for a better story if I could tell you that it required a vast conspiracy of ex-KGB agents using supercomputers hidden in bunkers under the Urals to crack the video's NSA-level COSMIC Top Secret encryption, but unfortunately, real life is slightly less dramatic (and much more deadly). The UAVs streamed the video in an unencrypted form, making it possible for a rag-tag assemblage of insurgents often with no access to the Internet to intercept the feeds using a "commercial off the shelf" (COTS) satellite video capture tool, SkyGrabber (MSRP: $25 US) and laptops. The minimal effort it took probably didn't even distract them from their day job manufacturing IEDs and blowing up innocents.
From the WSJ article:
The potential drone vulnerability lies in an unencrypted downlink between the unmanned craft and ground control. The U.S. government has known about the flaw since the U.S. campaign in Bosnia in the 1990s, current and former officials said. But the Pentagon assumed local adversaries wouldn't know how to exploit it, the officials said. (emphasis added)
The military remained unaware of the practice up until a laptop belonging to an "Iranian-backed Shiite militant" was captured on which Military Intelligence discovered intercepted video footage. (I'm frankly surprised it didn't show up on YouTube.)
The Lesson: Obscurity is not Security
It is supposedly unlikely that the video was of much use to the extremists and while the whole story seems a little ridiculous, it surely is no laughing matter. Here's hoping some heads will roll because "incompetence" isn't strong enough a word.
As software developers, we're usually required to think about security as a key requirement of any system. However, when you're tasked with developing software for a $3+ million unmanned aerial vehicle (UAV), you'd better pay attention to these "details" because somebody very dangerous surely is. When that happens, it's a whole lot more than just data you're protecting.
Further reading
- The original piece from the Wall Street Journal
- Wikipedia article on Security through Obscurity
