Cybersecurity & cyberwar

Cyberwar: When the Drones Come To Roost

Summary: Allegedly, the computers used to control US drones are infected with a persistent piece of malware (a virus) that is logging pilots' keystrokes as they fly their missions. So far the Air Force appears to be playing it as "no big deal", but we can imagine some of the consequences if it turns out not to be so benign.

“We keep wiping it off, and it keeps coming back”
– Anonymous government source, according to WIRED Magazine

Contents

  1. Malware in places malware shouldn’t be
  2. Data Leaks
  3. Retaliation
  4. Addenda
  5. About the author, including links to other posts in this series
  6. For More Information

(1)  Malware in places malware shouldn’t be

WIRED Magazine reports that the command-and-control systems of the US drone fleet at Creech Air Force Base are compromised by a piece of malware that appears to be logging keystrokes and is otherwise, we are told, harmless: "We think it's benign." If having a keylogger on a weapons system's command-and-control console is "benign", we don't want to know what "malicious" is; though perhaps the operators of the Iranian reactor at Bushehr could share some of their experiences. There is, simply put, no way that malware should be able to get onto competently built control systems. There are plenty of ways it could get onto incompetently built control systems, starting with:

  • Poor configuration management: Airman Bob installs some entertaining game software that happens to be infected with a malware loader.
  • Cross-purpose usage: Airman Bob fires up a browser and surfs the web from the console, then goes to a site that hits the console with a malware loader.
  • Deliberate infection: Airman Bob wants to be the next Bradley Manning and is thinking about how to collect some interesting material for wikileaks.
  • Suborned administration: Contractor Phil, who works for the system integrator that built the console and/or its management network, added a little “extra something” when nobody was looking.
  • Corrupted supply chain: One of the components of the system was deliberately targeted – similarly to the way Stuxnet was 'aimed' at Bushehr and Natanz – knowing that it would eventually be incorporated into a command-and-control console.

Those are all obvious possibilities and any information security practitioner with beginner-level expertise would be able to recommend counter-measures for the first three (don't allow software installs, don't allow Airman Bob to log in as local administrator, install execution control and system logging on the console, perform system integrity checks, lock down the USB ports and DVD-RW drives, etc.). It is, literally, basic stuff: my 70+ year-old musicologist mother's computer is secure against those first three avenues of attack.

The last two of those potential avenues of attack are harder to protect against, but are also fairly typical system security issues that can be addressed by: regression testing and baselining, using a configuration management tool that tracks system changes and who performed them and when and why, bringing critical parts of system construction in-house, and isolating consoles into private or virtualized private networks.

(2)  Data Leaks

We can already guess that the builders of the drones' software took short-cuts. In 2009, it was discovered that militants were capturing the drones' unencrypted video feeds using a $26 piece of commercial satellite-feed software; the weakness they exploited had been known since NATO's intervention in Kosovo in 1999. The military's response to these sorts of leaks has typically been "no classified material was leaked." The lawyerly thinking behind this is apparently that battlefield intelligence, collected in real time by a possibly hostile force, isn't "classified"; it's just important.

Some people apparently did not absorb the lesson of the leaked video of a Reuters news crew being massacred in Iraq. That was a public relations disaster of the first degree, which could replay itself if keystrokes and who knows what else leak straight from the command console of a drone. These kinds of leaks don't show us anything we don't already suspect; but the difference between "intelligence" and "suspicion" is being able to confirm your suspicions with data. What we learn is that "misfeatures" of a critical system that were identified in 1999 remain unfixed in 2011. And, apparently, basic information-security 101 principles remain "not in effect" in such a critical program (see note #1 below).

(3)  Retaliation

Let's imagine something unlikely. Let's imagine that the malware infecting the drone consoles is analyzed and, as the analysis proceeds, it begins to appear that the Government of Iran is behind it. Then, what do we do? The US and Israel have been standing around coyly saying, in effect, "you deserved it" to the Iranians regarding Stuxnet. Nobody from the US Government has publicly decried the Stuxnet attacks or even issued a denial of involvement. On the contrary, William Lynn put a heaping helping of waffle on his plate when asked about Stuxnet.

“[T]his is not something that we’re going to be able to answer at this point”
– William Lynn in response to the question “was the US involved in Stuxnet?”

Now, imagine that a very cramped shoe is on the other foot: how do you suppose we'd react? In Part 4 of this series ("About Stuxnet, the next generation of warfare?"), the story ended with an unknown malware outbreak at Oak Ridge National Labs. At the time, my intent was to point to the question of how the US will respond if we're served in kind. The Pentagon's cybersecurity strategy says that acts of war in cyberspace will be treated like acts of war. So the question is, "was Stuxnet an act of war?" and, if the answer is no, then is our response to the Air Force drone-heads, "suck it up"? Or, if we found that it was plausibly the act of another power, with attribution comparable to that which exists for Stuxnet, would we be saber-rattling?

I’m surprised that as of 8:16pm EST, October 7 there haven’t been any fingers in Washington pointed toward Asia. Yet.

(4)  Addenda

(1) "The story as I heard it" from several sources is that encryption was left out of the drone systems because, if it had been incorporated, it would have brought that program under the aegis of the National Security Agency, which specifies, implements, and controls encryption for the DoD. It was felt, probably correctly, that if NSA got involved in drone-building, the drone would become "gold plated" and would include 'do not touch!' classified black boxes that would cause design conflicts, cost overruns, affect battery life, etc. While that may be true, it seems completely absurd that some programmer didn't take advantage of any number of software encryption approaches that would have inexpensively raised the barrier to entry. Inexpensive hobbyist R/C craft and utility, fire-department and police drones use encryption.

(5)  About the author, including links to other posts in this series

See the About the Authors page for information about Marcus J. Ranum

Other publications by Ranum:

The series Cyberwar: a Whole New Quagmire, by Marcus J. Ranum:

  1. The Pentagon Cyberstrategy, 2 September 2011
  2. “Do as I say, not as I do” shall be the whole of the law, 11 September 2011
  3. Conflating Threats, 14 September 2011
  4. About Stuxnet, the next generation of warfare?, 29 September 2011
  5. When the Drones Come To Roost, 8 October 2011
  6. About Attribution (identifying your attacker), 21 October 2011

(6)  For More Information

Other posts about UAVs on the FM website

  1. “Filling the skies with Assassins” by Tom Engelhardt, 12 April 2009
  2. America’s dominance of the sky slowly erodes – inevitable or avoidable?, 22 September 2009
  3. The march of technology brings “The Forty-Year Drone War”, 26 January 2010
  4. James Bond is not just our hero, but the model for our geopolitical strategy, on the FM website, 18 May 2010
  5. America plays the Apollo Option: killing from the sky, Chet Richards (Colonel, USAF, retired), 26 August 2010
  6. Killing Machines: Promises and Limits, 17 February 2011
  7. The Psychology of Killer Drones – action against our foes; reaction affecting us, 28 September 2011
  8. Cyberwar: a Whole New Quagmire – When the Drones Come To Roost, 8 October 2011

20 replies »

  1. “We keep wiping it off, and it keeps coming back”
    – Anonymous government source, according to WIRED Magazine

    Public Institutions and Agencies Weakening the trust of the public.
    […”there haven’t been any fingers in Washington pointed toward Asia”..]

    I can only hope that the National Technical Research Organisation (NTRO) team of ethical hackers will counter the ever-increasing threat of the Red Army — a state-funded group of Chinese hackers — to sensitive Government websites and critical infrastructure, and secure the space-based assets from cyber attacks. The Red Army or the Red Team is estimated to have on board 10,000 hackers and poses a threat to the entire world, a realization resulting in strengthening of the cyber warfare capabilities by countries like the US and India.

    Wonder how many we have working for the U.S.A. ? Educational CyberPlayGround ® edu-cyberpg.com


    • What threat does Chinese hacking pose to the world?

      China is going to face a tremendous problem in the next 20 years, as it tries to control its growing middle class’ desire for access to political power. They are undergoing an industrial revolution on an unimaginable scale – similar to the industrial revolution that repeatedly destroyed Europe during the 20th century. The Chinese Government is going to have its hands full and (with the possible exception of some consolidation in the Himalayas and Taiwan) has no territorial adventures that are practical to it.

      There may well be an economic war over the world’s dwindling oil supplies – a war which, we’ve already positioned ourselves to thoroughly lose. The Chinese don’t need to do anything to the US in that arena other than applaud politely.


  2. I don't know, seems like every other day the Chinese are hacking into the Pentagon stealing our technology. We ignore threats at our own peril.


    • It sounds like you’ve been accepting the “press release” reality. First off, “hacking into the Pentagon” isn’t the way to “steal our technology” – our technology leaks like water from a sieve all over the place, but not from the Pentagon. I plan to do a couple postings eventually about cyberespionage but for the time being let me point out three things:

      1. Most of the economic and industrial espionage against the US happens when US firms partner with government-sponsored businesses in other countries, in order to gain access to their pools of cheap near-slave labor.
      2. Espionage by insiders remains vastly more effective and damaging than any other avenue
      3. China’s technical espionage process, according to their own documentation and cold war history, is oriented toward open source collection and education. Simply put: they let us teach them how to do it, then they go do it.

      Many of the government and beltway bandits’ hysterical claims about Chinese cyberattacks appear to be budget-generating activities, with the claims remaining either unsubstantiated or outright obvious falsehoods.

      We ignore threats at our own peril, indeed. The question is “what really are the threats?” and my answer is that the greatest threat to our critical infrastructure and our secrets is the incompetence of those that are expected (and failing) to secure them properly. It’s silly to complain about our information being “stolen” when we practically broadcast it.


    • Americans are like Charlie Brown. Each time Lucy holds the football, we eagerly respond — only to discover that we’ve been fooled again. Each time DoD exaggerates or even manufactures a threat, we eagerly believe it.

      They lie to us so often because we always believe them. Our weakness poses a threat more dangerous to the Republic than any foreign foe in today’s world.


  3. Assassin Actual on freethought blogs ( http://freethoughtblogs.com/assassin/2011/10/08/u-s-drone-fleet-infected/ ) comments that it appears the infection may have come from a removable hard drive via a corrupted supply chain. That would be a more sophisticated attack than a typical “drive-by” malware infection.

    “Removable hard drive” is still too vague to figure much out from. Is it that the drones’ mission data (which is presumably a lot of data – hundreds of gigabytes of telemetry and video, perhaps terabytes) was being on/offloaded via a USB drive, and that drive became the conduit for infection? If so, that sort of thing is easily preventable – users should not be logged in with system privileges, which prevents device drivers from being installed, and there are programs and configuration options to block execution of programs contained on removable media.


  4. “Americans are a stupid people, by and large. We pretty much believe whatever we’re told.”
    — Detective Ed Norris, HBO TV series “The Wire,” 2005

    The cyberwar hype has been debunked repeatedly by real security experts: Bruce Schneier has shredded the cyberwar con job.

    1. "Cyberwar Or Moral Panic? Beware Of Ex-Politicians Screaming About Cyberthreats", Ryan Singel (editor of the Threat Level blog), Wired, 3 October 2010
    2. "Threat of 'cyberwar' has been hugely hyped", Bruce Schneier (author of "Beyond Fear: Thinking Sensibly About Security in an Uncertain World"), CNN, 7 July 2010.
    3. Stuart Fox has pointed out "Why cyberwar is unlikely", Stuart Fox (Assistant Editor, InnovationNewsDaily), 2 July 2011
    4. And John Leyden has noted that "Cyberwar hype is obscuring real threats", The Register, 17 January 2011 — "The ill-informed leading the ill-informed"

    Bruce Schneier explains what's going on. It's essentially yet another power grab by the military-industrial-terror-police-prison complex, part of the ongoing never-ending militarization of American society.

    1. There’s a power struggle going on for control of our nation’s cybersecurity strategy, and the NSA and DoD are winning. If we frame the debate in terms of war, if we accept the military’s expansive cyberspace definition of “war,” we feed our fears.
    2. We reinforce the notion that we’re helpless — what person or organization can defend itself in a war? — and others need to protect us. We invite the military to take over security, and to ignore the limits on power that often get jettisoned during wartime. (..)
    3. If, on the other hand, we use the more measured language of cybercrime, we change the debate. Crime fighting requires both resolve and resources, but it’s done within the context of normal life. We willingly give our police extraordinary powers of investigation and arrest, but we temper these powers with a judicial system and legal protections for citizens.

    Bruce Schneier, op. cit.

    Just as the drug problem was militarized by turning into a “war on drugs” and just as digital media are now being militarized by turning copyright issues into a “war on copyright infringement” and just as 19 people flying two airplanes into a couple of skyscrapers was militarized by turning that into a “global war on terror,” now there’s an effort to militarize the internet by turning it into a “cyberwar.”

    In "Cyberwar Hype Intended to Destroy the Open Internet," Ryan Singel lays out what's really going on. Yet another power grab by the military-industrial-terror-police-prison complex designed to turn all of American society into an open-air prison where everyone is either a cop or a prisoner or on parole. When the former Director of National Intelligence says

    "We need to re-engineer the Internet to make attribution, geo-location, intelligence analysis and impact assessment — who did it, from where, why and what was the result — more manageable"

    what he really means is "we need to spy on everyone in America all the time."

    Marcus J. Ranum correctly notes that the likely source of the infection is a USB drive that came from China with malware preloaded on it. This has become increasingly common.

    For extra amusement, check out the article “Malware-infected USB drives distributed at security conference,” which is the sort of thing we expect from the Keystone Kops, not computer security professionals.

    However, Ranum claims:

    If so, that sort of thing is easily preventable – users should not be logged in with system privileges, which prevents device drivers from being installed, and there are programs and configuration options to block execution of programs contained on removable media.

    This is categorically false. The current generation of processors in today’s computers use hardware virtualization. Computer researchers have for several years now delved into the production of rootkits which make use of CPU’s onboard virtualization in such a way that the rootkit is literally undetectable by any ordinary means. Normally, a rootkit hooks into the kernel’s protected memory space by swapping out one or more of the vectors used to access protected memory. This can be detected by running rootkit detection software which logs the vectors used to access protected memory. But by using hardware virtualization (which is now built into all current CPUs) malware can bypass this traditional rootkit method and access a protected kernel in a way which cannot be detected by any known software. See

    1. "Researchers create undetectable rootkit", PC Advisor, 12 May 2008
    2. this PDF titled "Hardware virtualization rootkits", Dino A. Dai Zovi, {undated, on or before 2006} — The section "Detecting VT-x rootkits" proves particularly sobering: "There is no hardware bit or register that indicates the process is running in VMX non-root mode."

    If Marcus J. Ranum truly is a cyberwar “guru,” he ought to know this stuff. It’s been around for 3 years now and it’s old news.


    • I’m not sure what a “true cyberwar guru” is or is not; my perspective is based on 25 years working at all levels of the information security profession; different people might draw different conclusions from some of my experiences than I have. It’s rather odd, though, that you point to “real security experts” like my old friend Bruce as having “debunked” cyberwar circa 2010, when I was busy speaking out against cyberwar nonsense long before Bruce, or Howard Schmidt, or damn near anyone else. I won’t be egotistical and claim that I was the trend-setter there, because I think the flaws in cyberwar are so obvious that a child ought to see them — and have been pointing them out since 2007.

      You might enjoy my performance as “designated nay-sayer” on a panel of cyberwar salesmen, video here. Or you can google my keynote talk at Hack in The Box 2008 entitled “Cyberwar is Bullshit” (video here).

      What I’m implying is that I may be the “real security expert” you’re talking about who “shredded the cyberwar con-job” – Bruce’s arguments against cyberwar are strongly influenced by the position I took in my HITB talk and my other papers against cyberwar such as the one I published on rearguardsecurity.com (audio here) You’ve done an impressive job of collecting references, though they’re mostly folks who jumped on the bandwagon after I got it rolling.

      I also emphatically did NOT claim that the likely source of infection is a USB drive from China with malware pre-loaded on it. Unless, by “from China” you take that in the sense that most USB drives come from China to a greater or lesser degree. I was suggesting quite the opposite — that it’s probably NOT a deliberately infected drive and is far more likely to be another instance of a drive that got infected through poor security practices at a system integrator’s. Or, possibly, a drive that was infected during the mastering process.

      Unfortunately, that kind of thing happens all the time – many vendors have had the "oopsie!" experience of shipping a drive that got manufactured with malware that jumped onto the master media while it was being constructed at the factory, and was then duplicated with the malware in place. This happens often and is more a result of bad hygiene than deliberate action for the simple reason that nobody, except a complete beginner at system security, puts a USB drive into service without wiping it first. And nobody except a complete beginner uses a USB drive like a Cruzer that has special CDROM-emulation drivers that load into the operating system whether you want them or not. The reason this whole topic is important with respect to the drone consoles is because, apparently, they were built, managed, or operated by people who don't know the basics of system security. That's a bad sign. It points to a level of incompetence that obviates the need to summon hysterical phantom threats from China.

      I well remember the AusCERT conference that you cite, where the infected drives were handed out by – in fact, I gave a keynote lecture at that conference, in which I debunked cyberwar. You might enjoy the talk, audio of it (“scenes from the 2010 US/China cyberwar”) is here.

      The AusCERT keynote was intended as more of an opinion-piece than a point-by-point deconstruction of cyberwar. If you’re interested in the point-by-point, I reference it in my first posting in this series.

      You claim that my statement regarding blocking execution of media is "categorically false" then follow it with a claim regarding hardware virtualization — which is factually incorrect in turn. The issue is not whether a rootkit is able to punch through a hardware virtualization layer or not; it's how does the loader for the rootkit get executed in the first place. It's a fact of reality that if someone can get code executing in the operating system, there's a good chance they can penetrate the O/S (at which point the virtual processor layer is irrelevant). Some operating systems don't auto-load code from USB devices and Windows even can be told not to if you know how to do it (though auto-loadable drivers like the Cruzer's are really nasty, they do not work on my OpenBSD 2.2 server). Your description of rootkit blocking would be illuminating if it weren't completely beside the point. Malware has to be executed, in order to execute.

      I do "know this stuff" quite well. It's definitely tricky material and most people don't have the time or interest to dig into it with sufficient depth. What concerns me is that the people who built and manage those drone consoles didn't get it right, when it's pretty simple to get right. Something like Utimaco's SafeGuard Enterprise, Bit9, or even plain old Windows execution control would have prevented what will be a fairly expensive face-load of egg for the Air Force.


  5. Interesting article. What disturbs me most is the way one just patters about the American Empire and its daily work of killing as if that were the most usual thing in the world. Maybe it is becoming so to Americans. But, dear lambs, it is important to remember that someday those conducting "your" foreign policy will learn to blur the line between external enemies and internal foes. Of course there are signs that this has happened already, although it has not yet become endemic and custom. But this killer coolness doesn't stop at the water's edge. Already some of the oligarchy's tools in the US Senate look like the Proconsul's horse.


    • I’m trying to build the argument that, if the US wants to go around doing these kind of things to other countries, and asserting that “there’s no law against it” then we’re going to be in a very awkward situation indeed when someone hands us a shovel-ful of our own medicine. That’s why I am concerned that “cyberwar” not become a cover for “state-sponsored terrorism” in the same way that drone-based killings – which I would also argue could be considered “terrorism” – remain the sole privilege of the powerful. Indeed, the fellow who was allegedly trying to fly a small R/C plane into The Pentagon is a “terrorist” while our fellows who fly larger R/C aircraft to shoot missiles in a country we’re not at war with… Well, they’re heroes.

      It is the blurring of lines between external and internal foes that helps radicalize those internal foes. Eventually the hypocrisy of power becomes obvious when those lines get so blurred that it's clear there's no longer a difference and that unrestrained power has replaced the rule of law.


  6. I’ve long thought (unfashionably) that drones are going to have a very short life in a contested military space. Except for short range, small, tactical ones. The real future is as a terror weapon against undefended populations (especially your own)… until local hackers disrupt or take them over. Then they will be buried.

    The reasons are simple: too easy to shoot down (there isn't one that a WW2 Mk 1 Spitfire couldn't take out), too easy to hack into computer systems, too easy to jam/damage/intercept communications. Can you imagine what a jammer, designed to disrupt AWACS/fighter/missile/etc. would do to the delicate ground/sat/etc. comms?

    When you examine the tech they are simply more accurate, but far more vulnerable, V-1s. Great for taking out wedding parties, but not much else. The day can't be far off until one (or more) is taken over and sent back to hit its senders. Even just in the recon area, what good does it do you if you get great pictures .. which the other side gets at the same time. Bit of an own goal.

    FM, sorry, the encryption thing doesn't actually work with real-time video images, the processing overhead is huge. Yeah, you can do it .. and see where the enemy was a few hours ago .... Classic cleft stick.


    • Encrypting video in real time is straightforward and can be done without increasing battery use by pre-computing a cipher-stream (this can be done at the base while the device is on external power) then XORing with it as it's about to be sent. It's basically "free" – but that's irrelevant. Why is it irrelevant? Because we already know the drones have enough processing power to compress the video before sending it. If it can compress, it can encrypt. The technique of pre-computing cipher-streams is a good one for low-power devices, though, so don't believe someone when they tell you it's too hard.

      I doubt very much that hackers will take over drones; they’re pretty straightforward to build and I’d expect the game would be to jam the other guy’s drone while launching one’s own, either at the end-point or the command console. I believe there’d be good money to be made, right now, in developing a low-cost completely autonomous hunter-killer anti-drone drone. The US and Israel are spending a huge amount on drones right now, and other countries are also gearing up. The current state of drones are more like the Gotha Bombers of yore than the V-1 – big and slow and surviving only because there isn’t anything that preys on predators, yet.

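The reply above argues that a cipher-stream precomputed on ground power and XORed over the video in flight is essentially free, and the post's addendum makes the related point that cheap software encryption would have raised the barrier to entry. The following is an added example (mine, not Ranum's and not from the post) showing that technique end to end, together with the two caveats a practitioner would insist on: the precomputed keystream must be consumed exactly once, and each frame needs an authentication tag, because XOR alone lets an eavesdropper flip bits undetected. The keystream generator is HMAC-SHA256 run in counter mode, chosen because it is in the Python standard library; a fielded system would use AES-CTR or ChaCha20 from a vetted crypto library. The keys, sortie identifier and frame contents are constructed.

```python
"""Added example (not from the post or its comments): stream encryption of
telemetry frames with a keystream precomputed on ground power, plus the
keystream-reuse failure such a design must avoid."""
import hashlib
import hmac
import secrets


def xor_bytes(a, b):
    """XOR two equal-length byte strings; this is the only per-byte work in flight."""
    if len(a) != len(b):
        raise ValueError("length mismatch")
    return bytes(x ^ y for x, y in zip(a, b))


def precompute_keystream(key, sortie_id, nbytes):
    """Expand (key, sortie_id) into nbytes of keystream with a PRF in counter mode.
    Run once at the base; every (key, sortie_id) pair must cover exactly one sortie."""
    out = bytearray()
    counter = 0
    while len(out) < nbytes:
        msg = sortie_id + counter.to_bytes(8, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:nbytes])


def derive_mac_key(key, sortie_id):
    """Separate key for frame authentication, derived from the same sortie key."""
    return hmac.new(key, b"frame-mac:" + sortie_id, hashlib.sha256).digest()


def frame_tag(mac_key, offset, ct):
    """Encrypt-then-MAC over the keystream offset and the ciphertext (128-bit tag)."""
    return hmac.new(mac_key, offset.to_bytes(8, "big") + ct, hashlib.sha256).digest()[:16]


class FrameEncryptor:
    """Airborne side: walks through the keystream once, never backwards."""

    def __init__(self, keystream, mac_key):
        self._ks = keystream
        self._mac_key = mac_key
        self._pos = 0

    def remaining(self):
        return len(self._ks) - self._pos

    def encrypt(self, frame):
        if len(frame) > self.remaining():
            raise RuntimeError("keystream exhausted: stop transmitting rather than reuse it")
        offset = self._pos
        ct = xor_bytes(frame, self._ks[offset:offset + len(frame)])
        self._pos += len(frame)
        return offset, ct, frame_tag(self._mac_key, offset, ct)


def verify_tag(mac_key, offset, ct, tag):
    return hmac.compare_digest(frame_tag(mac_key, offset, ct), tag)


def decrypt_frame(keystream, mac_key, offset, ct, tag):
    """Ground side: check the tag first, then XOR with the same keystream slice.
    The offset travels in the clear, so a dropped frame does not desynchronise."""
    if not verify_tag(mac_key, offset, ct, tag):
        raise ValueError("frame tag mismatch: tampered frame or wrong sortie key")
    return xor_bytes(ct, keystream[offset:offset + len(ct)])


def keystream_reuse_leak(ct1, ct2):
    """What an eavesdropper learns if two frames shared keystream bytes:
    ct1 XOR ct2 == pt1 XOR pt2, and the key is gone from the equation."""
    return xor_bytes(ct1, ct2)


def demo():
    key = secrets.token_bytes(32)     # per-sortie key loaded at the base (constructed)
    sortie = b"sortie-0042"           # constructed identifier
    ks = precompute_keystream(key, sortie, 1 << 16)  # 64 KiB, computed on ground power
    mac_key = derive_mac_key(key, sortie)
    enc = FrameEncryptor(ks, mac_key)
    frames = [b"T+000 alt=12000 hdg=270 cam=on",   # constructed telemetry
              b"T+001 alt=12010 hdg=271 cam=on"]
    wire = [enc.encrypt(f) for f in frames]
    back = [decrypt_frame(ks, mac_key, off, ct, tag) for off, ct, tag in wire]
    return back == frames


if __name__ == "__main__":
    print("round trip ok:", demo())
```

`keystream_reuse_leak` is the check to run in your head before approving any precomputed-keystream design: two frames sent under the same keystream bytes XOR together to the XOR of the plaintexts, with the key gone entirely, which is why the encryptor refuses to wrap around when the keystream runs out rather than start again from offset zero.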

  7. "Obama's Robot Army", Ta-Nehisi Coates (senior editor), The Atlantic, 28 December 2011

    Drones are a perfect weapon for a democracy. One gains all of the political credit for killing the country’s enemies, and none of the blame for military casualties. The occasional slaughter of a 16-year old boy is surely regrettable, but of almost zero political import. (Please click through that link. To excerpt it is to ruin it.)

    But I wonder about that 16 year old's younger siblings, about what they think of a country that executes children a world away with a joystick. I wonder about their anger. But mostly I wonder about the secrecy here at home. In this business, the American president is the steward of his country's accounts. But Obama has a stated policy of keeping these sorts of expenses off the books. Some decades from now the bill will surely come due.


  8. The aviationist blog has a good article about captured drones here

    "Three U.S. and four Israeli drones captured in Iran to be put on display soon", Tehran Times says. Tehran Times reported that Iran is about to put on display "foreign spy drones in Iran's possession" within an exhibition that will also showcase the "latest domestically manufactured electronic warfare equipment", and national reporters and foreign ambassadors will be allowed to visit them. According to a source close to the Iranian newspaper, the foreign robots in the hands of the ayatollahs' regime are three U.S. and four Israeli drones.


  9. Man! Ranum… I wish I’d seen this thread sooner.

    It’s possible FM or Chet or one of the other old hands tried to give you my email when this came out… Due to circumstances best explained by one of them privately, my old email account (s) are either dead or inactive.

    The email you all currently have for me is good. If you want me to undertake the catch up reading on this issue and to answer very technical questions, drop me an email. I’m not under any security clearance burden or restrictions, nor post-employment requirements (i.e. I don’t have an assigned security officer I have to clear things with), but for obvious reasons I don’t post certain things for public consumption. I can, however, after doing the background work, point you to secondary sites and/or technical sources in the public domain.

    Best,

    A. Scott Crawford

