Cool Cool Cool Oversight Office Says It's Incredibly Easy To Hack The Defense Dept.'s Weapons Systems

from the just-a-hack-away-from-a-dystopian-hellscape dept

holy_shit(1).pdf [PDF]:

In operational testing, DOD routinely found mission-critical cyber vulnerabilities in systems that were under development, yet program officials GAO met with believed their systems were secure and discounted some test results as unrealistic. Using relatively simple tools and techniques, testers were able to take control of systems and largely operate undetected, due in part to basic issues such as poor password management and unencrypted communications.

Terrified/horrified yet?

In addition, vulnerabilities that DOD is aware of likely represent a fraction of total vulnerabilities due to testing limitations.

The Government Accountability Office's report contains nearly no good news. Just bad news on top of bad news, with the chilling reminder that these are weapons systems, so a malicious attack could do more than damage systems or exfiltrate sensitive data. It could actually kill people.

Why is the Defense Department's… um… defense in such shoddy shape? Well, it didn't get that way overnight. It took literally decades for it to arrive at this nexus point of technological advances and laissez-faire cybersecurity oversight.

Multiple factors contribute to the current state of DOD weapon systems cybersecurity, including: the increasingly computerized and networked nature of DOD weapons, DOD’s past failure to prioritize weapon systems cybersecurity, and DOD’s nascent understanding of how best to develop more cyber secure weapon systems. Specifically, DOD weapon systems are more software and IT dependent and more networked than ever before. This has transformed weapon capabilities and is a fundamental enabler of the United States’ modern military capabilities. Yet this change has come at a cost. More weapon components can now be attacked using cyber capabilities. Furthermore, networks can be used as a pathway to attack other systems. We and others have warned of these risks for decades. Nevertheless, until recently, DOD did not prioritize cybersecurity in weapon systems acquisitions.

The GAO points out the DOD has spent more time locking down its accounting systems than its weapons systems, even as the latter has increasingly relied on computer hardware and software to operate. The systems used by the DOD are a melange of commercial and open-source software, which relies on vendors to provide regular updates and patch vulnerabilities. (Unfortunately for the DOD, some vulnerabilities may not have been disclosed to software/hardware vendors by other government agencies like the NSA.) But the DOD gives itself a 21-day window to apply patches and some remote weapons systems may go months without patching because they often need to return from deployment to be patched properly.

The end result is a network of defense systems riddled with security holes. The GAO says it doesn't take much to commandeer weapons of mass destruction.

Test teams were able to defeat weapon systems cybersecurity controls meant to keep adversaries from gaining unauthorized access to the systems. In one case, it took a two-person test team just one hour to gain initial access to a weapon system and one day to gain full control of the system they were testing.

Some programs were slightly more resistant to outside attacks. But they couldn't fight off attacks from insiders or contractors.

[O]ne assessment found that the weapon system satisfactorily prevented unauthorized access by remote users, but not insiders and near-siders. Once they gained initial access, test teams were often able to move throughout a system, escalating their privileges until they had taken full or partial control of a system. In one case, the test team took control of the operators’ terminals. They could see, in real-time, what the operators were seeing on their screens and could manipulate the system. They were able to disrupt the system and observe how the operators responded.

System data could be easily manipulated, resulting in the exfiltration of 100 GBs of sensitive data. Other data was altered by testers, with the alterations going unmolested and unnoticed.

Ready for more horror?

[I]n some cases, simply scanning a system caused parts of the system to shut down. One test had to be stopped due to safety concerns after the test team scanned the system.

[...]

One test report indicated that the test team was able to guess an administrator password in nine seconds.

[...]

Multiple weapon systems used commercial or open source software, but did not change the default password when the software was installed, which allowed test teams to look up the password on the Internet and gain administrator privileges for that software.
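A defender-side check for the finding quoted above, added here as an example that is not part of the GAO report or the Techdirt post: it audits a software inventory against a list of vendor default credentials and flags installs whose admin credential still matches a default. Every product name, credential and inventory row below is constructed for illustration; a real audit would populate the default list from the vendor documentation the testers consulted.

```python
"""Default-credential audit (added example; not from the GAO report).

Flags installed software whose (user, password) still equals a vendor
default, and reports products the audit has no default list for, since
"no entry" is a coverage gap rather than a pass.
"""
import hashlib
import hmac

# Constructed vendor-default list, keyed by product name. Real entries
# would be transcribed from vendor manuals (hypothetical products here).
DEFAULT_CREDENTIALS = {
    "example-router-os": [("admin", "admin"), ("admin", "password")],
    "example-scada-hmi": [("operator", "operator"), ("root", "changeme")],
    "example-web-console": [("admin", "")],
}


def _sha256(s: str) -> str:
    return hashlib.sha256(s.encode()).hexdigest()


# Constructed inventory, as an integrator might record it at install time.
# The audit ledger holds only SHA-256 digests so the checker never handles
# a live plaintext credential (this is an audit ledger, not a password
# store; a password store would use a salted KDF instead).
INVENTORY = [
    {"system": "ws-01", "product": "example-router-os",
     "user": "admin", "pw_sha256": _sha256("admin")},
    {"system": "ws-01", "product": "example-scada-hmi",
     "user": "operator", "pw_sha256": _sha256("Tr0ub4dor&3")},
    {"system": "ws-02", "product": "example-web-console",
     "user": "admin", "pw_sha256": _sha256("")},
    {"system": "ws-02", "product": "unknown-product",
     "user": "svc", "pw_sha256": _sha256("x")},
]


def find_default_credentials(inventory, defaults=DEFAULT_CREDENTIALS):
    """Return one finding per inventory row whose user and password digest
    match a known vendor default for that product."""
    findings = []
    for row in inventory:
        for user, pw in defaults.get(row["product"], []):
            # compare_digest keeps the comparison constant-time.
            if user == row["user"] and hmac.compare_digest(
                row["pw_sha256"], _sha256(pw)
            ):
                findings.append({"system": row["system"],
                                 "product": row["product"],
                                 "user": user})
                break
    return findings


def unknown_products(inventory, defaults=DEFAULT_CREDENTIALS):
    """Products with no default-credential entry: the audit cannot attest
    to them and they need a manual review."""
    return sorted({r["product"] for r in inventory
                   if r["product"] not in defaults})


if __name__ == "__main__":
    for f in find_default_credentials(INVENTORY):
        print(f"DEFAULT CREDENTIAL STILL SET: {f['system']} "
              f"{f['product']} user={f['user']}")
    for p in unknown_products(INVENTORY):
        print(f"NO DEFAULT LIST FOR: {p} (cannot attest)")
```

Run against the constructed inventory, the checker reports two installs still on vendor defaults and one product it has no default list for; the second category matters as much as the first, because an audit that silently passes unknown software gives the false confidence the report describes.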

And no one at the DOD is learning from their mistakes.

One test report indicated that only 1 of 20 cyber vulnerabilities identified in a previous assessment had been corrected. The test team exploited the same vulnerabilities to gain control of the system. When asked why vulnerabilities had not been addressed, program officials said they had identified a solution, but for some reason it had not been implemented. They attributed it to contractor error. Another test report indicated that the test team exploited 10 vulnerabilities that had been identified in previous assessments.

Other tests by the GAO went "undetected for weeks." DOD employees did not see crashes as possible indicators of malicious attacks, stating that "unexplained crashes were normal for the system." Operators had become desensitized to security warnings, thanks in part to one system that always indicated it was under attack.

This isn't to say the DOD isn't trying — dear sweet god in heaven:

One test report indicated that operators identified test team intrusion attempts and took steps to block the test team from accessing the system. However, the test team was able to easily circumvent the steps the operators took. In another case, the test team was able to compromise a weapon system and the operators needed outside assistance to restore the system.

Run silent, run deep.

As testers took over systems and escalated privileges, DOD officials interviewed by the GAO were expressing confidence in their cybersecurity programs. What programs the officials couldn't really say, since assessments appear to be a rarity and those that are carried out are skin-deep. They admitted many systems had never been comprehensively tested, either due to the late implementation of penetration testing programs or because tests "would interfere with operations."

The only thing surprising about the report is that the systems weren't already crawling with malicious software by the time the GAO got around to engaging in penetration testing. Maybe state-sponsored hackers are just biding their time, waiting for an opportune moment to take control of US weapons systems. Or maybe the thought of turning a cyberwar into a conventional war isn't that appealing. Directly attacking DOD systems would pretty much be the software equivalent of declaring war, and very few countries are willing to escalate from military-sponsored action to boots on the ground.

But if it's only better judgment holding our enemies back, that's not going to last forever. Better judgment isn't exactly the calling card of several world powers, including our own at the present. The DOD has been told it sucks at security several times over the past 30 years. The message has yet to sink in. The GAO will revisit this years down the road. Perhaps the DOD will fare better the next time around. It certainly can't do worse than it is now.


Reader Comments

  • That One Guy (profile), 11 Oct 2018 @ 8:57am

    'Why would it be OUR responsibility to secure OUR systems?'

    If the systems are that poorly secured the question is not 'Are they compromised?' it's 'How much are they compromised, and by how many parties?' With security that bad it's all but a given that the number is well over 'zero'.

    When asked why vulnerabilities had not been addressed, program officials said they had identified a solution, but for some reason it had not been implemented. They attributed it to contractor error.

    Given we're talking about weapons systems, if they actually cared that should be former contractor error, as any contractor that ignored critical security like that should be swiftly shown the door and replaced with one that gives the matter the serious consideration it deserves.

    The contractors may be at fault for indifference towards the issue, but so is the DOD for their indifference as well.

    Perhaps the DOD will fare better the next time around. It certainly can't do worse than it is now.

    Indeed, as the totally-not-often-said-before-a-disaster saying goes, 'What's the worst that could happen?'

    • Anonymous Coward, 11 Oct 2018 @ 10:14am

      Re: 'Why would it be OUR responsibility to secure OUR systems?'

      any contractor that ignored critical security like that should be swiftly shown the door and replaced with one that gives the matter the serious consideration it deserves.

      Who? As Tim writes, there's "nearly no good news". In other words, they didn't find a secure system from any contractor. There's not a huge number of military weapons manufacturers to choose from either. If you boot out all the large ones, who's left who can handle that volume?

      • That One Guy (profile), 11 Oct 2018 @ 10:32am

        Re: Re: 'Why would it be OUR responsibility to secure OUR systems?'

        'We've got a military contract for several million/hundred million/billion dollars, and our last contractor got canned for incompetence. Who wants to replace them?'

        Pretty sure there would be plenty of companies willing to step up with a possible payday of that size on the table.

        It sounds like most of the problems are on the software side of things, so it's not like they need a company capable of major manufacturing, and if need be they could get the hardware from one company, and then rely on another for the code/support.

        • Anonymous Coward, 11 Oct 2018 @ 10:58am

          Re: Re: Re: 'Why would it be OUR responsibility to secure OUR systems?'

          if need be they could get the hardware from one company, and then rely on other for the code/support.

          If the hardware company is willing to (or contractually required to) cooperate with someone they might view as a competitor. These aren't exactly open platforms where you just pop in a USB stick, install a new OS, and wait while it downloads your weapon drivers. (Or if they are, add that to the "terrified/horrified" pile.)

          Companies might be willing, but the invitation is unlikely to be as open as you suggest. The bidding company will need security clearances, probably has to know how to navigate military purchasing systems.... nevertheless, you're likely right that a bunch will apply if it's a software-only deal. Would the military have had the foresight to acquire copyrights, or would the replacement have to be written from scratch? If it's this bad, maybe it doesn't matter.

    • Toom1275 (profile), 11 Oct 2018 @ 11:16am

      Re: 'Why would it be OUR responsibility to secure OUR systems?'

      Perhaps their best hope is that all the hackers in their system start applying security patches to keep each other out?

  • Ryunosuke (profile), 11 Oct 2018 @ 10:07am

    how are those back doors working out?

    • Anonymous Coward, 11 Oct 2018 @ 10:17am

      Re:

      quite well, THANKS!!!

      ~Bad People

    • Jason, 11 Oct 2018 @ 10:22am

      Re:

      Don't worry, only the good guys will use the all-important, must-have for the sake of law and order backdoor.

      The bad guys won't need to. No one closes/locks/watches the front door, the windows are open, there's a hole in the wall, the flapping dog door is five feet wide, the siding is transparent, the garage door won't close all the way, the walkout basement doesn't even have a door, and the owner keeps all of their keys hanging on a peg by the mailbox with a big neon sign pointing at it so they won't lose them.

    • ShadowNinja (profile), 11 Oct 2018 @ 1:21pm

      Re:

      But you don't understand! These were good guys testing the system!

      Bad guys won't be able to use these backdoors, because everyone knows that's how it works!

      That's why everyone knows that no home has ever been broken into by a bad guy who then robbed it or harmed/murdered the residents inside!

  • Anonymous Coward, 11 Oct 2018 @ 10:21am

    Biding time

    The only thing surprising about the report is that the systems weren't already crawling with malicious software by the time the GAO got around to engaging in penetration testing.

    If some foreign government took control, they wouldn't install "malicious software", they'd install patches. To keep other countries out, and keep the government from noticing any insecurity. Of course they'd leave something open for themselves, but nothing that could be identified as malicious software. It might just be a copy of OpenSSH, replacing the telnet that came with the thing.

    There's little benefit to even doing that, while relations are peaceful. Knowing they'll be able to use manufacturer-supplied security holes to fight off an American attack, if the time ever comes, is enough—unless they expect another country might be targeted at the same time and take control first.

  • Christenson, 11 Oct 2018 @ 10:25am

    What about the opponents???

    What makes us think Russian or Chinese systems are any better protected, especially after all the basic opsec fails they have been having lately????????

    But this is a *very strong caution* against a direct shooting war with either of them, and in the future, anyone at all with an educated workforce.

    Power it up, "Hold onto your butts!", no idea what might happen next. Why is the CPU warm??? Cyberbattle going on inside, game of cat and mouse!

  • stderric (profile), 11 Oct 2018 @ 10:36am

    The only thing surprising about the report is that the systems weren't already crawling with malicious software ... Maybe state-sponsored hackers are just biding their time...

    Or maybe every single intruder that goes near a DoD system backs off, refusing to mess with what appears to be a laughably obvious honeypot.

    • Anonymous Coward, 11 Oct 2018 @ 10:56am

      Re:

      Or may be they hold off from doing something detectable until it is useful to take over the system. As in leave them alone during peacetime so that we can own them during a war.

    • Anonymous Coward, 11 Oct 2018 @ 11:00am

      Re:

      Or writes it in their "longshots to try if we're ever at war with the USA" diary, and backs off to remain undetected. No need to install a backdoor on something with no walls.

  • Anonymous Coward, 11 Oct 2018 @ 10:55am

    Attack of the Rogue Droids

    I wonder if this is the same level of security used on our fleet of attack drones.

  • Nick, 11 Oct 2018 @ 11:10am

    We should rename dod to dept of war

    It seems that the old name is better suited, as our military is all about attacks with defense being an afterthought.
    Guard duty is not glamorous enough. (Looking at you NSA)

    • Anonymous Anonymous Coward (profile), 11 Oct 2018 @ 12:21pm

      Re: We should rename dod to dept of war

      Didn't they (NSA or the military cyber folks) have an argument over whether to separate offense and defense with regard to cyber warfare? If I remember correctly they decided not to split it. Could this be a consequence of not knowing whether one is playing offense or defense?

      There is a need for separate teams, and new coaches with different sets of plans. One looking at defense and one looking at offense, otherwise they are just offensive (pun intended).

  • timlash (profile), 11 Oct 2018 @ 12:49pm

    For more in this vein, give Command and Control a read for a horrifying historical look at the security of our nuclear weapons.

  • That Anonymous Coward (profile), 12 Oct 2018 @ 4:05am

    Top men, Top men.

    And somehow the government still loves to haul private companies in for a public beatdown to keep the base riled up while some kid in Finland has operational control over a nuclear missile....

    Before demanding better from others, perhaps they should fix their own damn house & see how hard it is and why their demands everyone else do it perfectly all the time make us laugh.

  • Anonymous Coward, 12 Oct 2018 @ 6:55am

    we're all safe

    By the time someone does "Press the button", nothing will happen because: wrong decimal places, floating point errors, Melissa virus, etc.

  • danderbandit (profile), 12 Oct 2018 @ 9:38am

    Does anybody remember Stuxnet?

  • danderbandit (profile), 12 Oct 2018 @ 9:43am

    Does anybody remember Stuxnet?

    I don't remember if the DOD was involved in Stuxnet or not, but surely they've heard of it.

    How do we/they know that the systems aren't already compromised by hidden backdoors waiting for the right time to be activated and disable the system or use it to attack us?
