Iraqi militants are intercepting sensitive video feeds from US predator drones using $26 off-the-shelf software, and the same technique leaves feeds from most military aircraft vulnerable to snooping, according to published reports. Insurgents backed by Iran have regularly accessed the unencrypted video feeds of the unmanned …
...Something for our IT security czar to work on! Never mind the position has no authority or oversight over anything but hey... thank god the plebeian taxpayers made sure someone was there just in case the need arose!
So who was the smartass...
...who claimed that these drones were invulnerable to hacking due to their top-flight military standard encryption last time they were discussed in here? Of course the military is still saying that the command and control links are safe from meddling, but do we believe them?
They can monitor the video feed, not control the plane.
That's next week's project.
They could be getting them from the Iraqi military, if we share with them.
Dontcha know if the vidlink is unencrypted, the C&C link is likely 48-bit blowfish session keys or DES, or something else equally ridiculous that you can crack on an abacus. If any government or "interested amateur" gets a sniff of the protocol, there'll be a rather nasty object lesson in taste of own medicine delivered at the taxpayer's expense.
"...that you can crack on an abacus."
That is too funny
Of course that's bollocks
"...that you can crack on an abacus."
It would need at least a slide rule.
@Steve Hive - Typical
"...that you can crack on an abacus"
You Sir, owe me a new abacus!
This will win the war!
"To access the feeds, the militants have been using SkyGrabber, a publicly available program that pulls movies and music off satellites and sells for $26."
Ah, but have they PAID for the software? If not, surely the thing to do would be to send a bunch of US lawyers to Iraq armed with DMCA claims.
Everybody wins: Those lawyers are specialized in finding people wherever they hide out, making a perfect replacement for the now obviously defunct drones. And if one or two should be lost due to urgent leaden skull surgery, there's more than enough replacements to drop down behind enemy lines.
As a side benefit, it will help get rid of some of the lawyers.
security by obscurity
Firstly, LOL at the silly yank military (again).
During the last or first Gulf War, when the US was flogging its Patriot system there were supposedly issues with it being able to recognise non-US planes and therefore possibly targeting friendly aircraft.
The result was that allies of the US, namely us pussy whipped Brits, were made to keep quiet about it, in case it damaged sales.
Perhaps this time since it is actually their 'enemies' who have discovered the flaw in the system something might be done about it. The US have a very large standing military force and I would be careful to criticise it, but as dependency on technology goes, they are tied to it for everything!
It damaged more than sales
You forget. It downed a British jet.
It was unencrypted?!
Let's take a little plane, fly it over, have it take pictures that are military secrets, but have it wirelessly transmit them - unencrypted - halfway around the world. Real swift. Thank you, US Military, for providing our laugh of the day!
You mean this one:
Before the FUD starts flying in this forum too, let's keep a few facts on the table.
1) this is only a video feed from an onboard camera, not telemetry video with the overlays that someone at the drone's remote console sees.
2) the drone is not hacked. This is a man-in-the-middle reception only process. In no way are they interacting with the drone.
3) the control frequencies are not interfered with. Those are highly secure, and come from multiple redundant points. Even if they could interfere with those bands and jam the drone's reception, it has a flight and return plan based on waypoints and GPS guidance, it can't be remotely crashed.
4) hacking a drone, even if you could decrypt the signal, not only would rely on getting it to respond, but you'd have to know intimate details of the control signals. You can't just plug a joystick into a laptop and expect it to turn left when you do.
5) if it's anything like other flight computers I've seen, and worked on code for, it's not one computer, but 3, running on different hardware platforms and running on different OS. ALL THREE have to generate the same response at the same time in order for it to accept input. If one system goes rogue because it's been hacked, the other two ignore it, and the operator is informed a computer is down.
6) being close enough to get this feed, if it's coming for you, is simply notification you have a few minutes to live. When the drone(s) do arrive, as they did on a village early yesterday, they come in packs, and drop 10 or more missiles in numerous runs. If you got the feed, and fled, the pilots watching the feed could simply take out your truck too.
7) even if you knew one was coming, and were ready with a shoulder launchable surface to air missile, odds of you hitting this drone are real small, and you're dead anyway. They're expendable, likely you don't think you are yourself. It's why we designed them...
8) the "predator" HAS been redesigned. The feeds are from older birds we still use, but there's already a 3rd generation shipping to the military, and a 4th generation in the works, as well as hardware overhauls on older units, no different than the F16 has had numerous computer replacements over decades.
Honestly, this is not a big deal. The video is crucial for manual operation that it be smooth and digital error free. Back in the 90s, encrypting in real time a video feed like that in such a way that dirty frequency bands would still produce clean video (lots and lots of ECC on top of the encryption), would have added ridiculous computational requirements to both the bird and the pilot station equipment, and would likely have led to video feed processing delays of a second or two, we simply did not have the tech to do it.
> 3) the control frequencies are not interfered with. Those are highly secure, and come from multiple redundant points.
Maybe you have inside information, but we're left to assume this is the case. For all we know it could be just as insecure.
> 4) hacking a drone, even if you could decrypt the signal, not only would rely on getting it to respond, but you'd have to know intimate details of the control signals.
Nobody should make this mistake, especially not the military. It's called security by obscurity. It doesn't work, just ask Skype.
> 5) it's not one computer, but 3, running on different hardware platforms and running on different OS. ALL THREE have to generate the same response at the same time in order for it to accept input. If one system goes rogue because it's been hacked, the other two ignore it, and the operator is informed a computer is down.
Again, maybe you have inside information, but this is presumptuous. And your paragraph contradicts itself internally. In your scenario, only two would need to be hacked. If it's the same application software being run on various platforms, it is likely that the application is equally vulnerable on each platform. If it's three separate application implementations, though not impossible, it would be incredibly difficult to ensure that each generates the exact same responses at the same time. This added complexity could actually increase the failure modes should the applications behave differently during a hack.
Besides, unless there are three separate control channels, it only needs to be hacked once to control all three implementations.
> Honestly, this is not a big deal.
I'm not panicking, but it is at the very least an embarrassment to have such a trivial vulnerability.
3 minds better than 1
Michael C. wrote...
> 5) if it's anything like other flight computers I've seen, and worked on code for, it's not one computer, but 3, running on different hardware platforms and running on different OS.
So is this the inspiration for Culture Minds?
To support the original poster ...
Hacking this is orders of magnitude harder than hacking Skype or another app, for the basic reason that with Skype you have access to one of the endpoints (executables, etc) on a system that you know and can monitor very closely. The insurgents can only eavesdrop on the encrypted traffic, or possibly try a man-in-the-middle attack with a sufficiently powerful transmitter - at which point the drone gets confused, takes its ball and goes home.
If the insurgents shot one down then they would have a much better chance, but I'd imagine any drone crash site becomes the target for a whole lot of ordnance very quickly.
Why would they want to take control?
Taking control of the drones would be complicated, quite useless and frankly stupid; so the Iraqis might be able to do it but never wanted to. One can hope that the command link is somewhat more secure than the data link, and you would need a full-time pilot; to do what? Crash the thing on a merkin base and instantly lose all these handy, free sources of intel? It is much more useful to let the yanks pilot the things: half the gain is the free info feed, the other half is the ability to see which regions the merkins are monitoring. Priceless.
That's good because..
Everyone knows the average Iraqi salary is $6 per month... ipso facto............
A Linguist writes...
I keep telling people that half of the problem with technology is linguistic, at root. In this case we're dealing with three entirely different senses of the word "intelligence" - as meant by engineers, where it means simply software control; soldiers, where it means tactically or strategically useful information; and the vulgar tongue, where it means the ability to make sound decisions.
So what's happened here is that nobody had the intelligence to realise that the comms link was to carry intelligence, and thus the system has less intelligence than needed.
What's plain is that intelligence, in the military sense, becomes worthless if it is in the public domain and thus these drones are an enormously expensive waste of time.
First news story that's made me laugh out loud for ages.
Ebay :1 Used Raptor for sale! £100,000
Talk about putting blood in the water, every hacker out there is going to try and take over one of these drones.
Anyone know if you can keep one if it should erm "crash" into your own back yard?
FAIL for obvious reasons
I think the fail is on you. Predator I believe is what you were going for.
Now ask yourselves what's missing. Why, if it was discovered a year ago that insurgents were getting this data, it's only *now* being said that the feed will soon be encrypted?
Tie that to the rash of Predator strikes over past year and you might have the start of a clue ;)
What's missing was a need to implicate Iran.
Notice how many times the link to Iran is mentioned, I don't see any evidence presented just someone saying the laptops were funded by Iran.
Jesus H Christ why the fuck did they not just use an SSH tunnel to send the video feeds around? Honestly, that would be so incredibly easy and cheap (free) to do I can't believe they didn't do it.
I hate to bring up Mr Gary McKinnon again but they are about to nail him to the wall for exposing their extremely poor and irresponsible security and oh look, some flipflop wearing insurgents with a laptop and $26 have now rendered Predator useless.
Security by obscurity++
The WSJ has this little gem: "The U.S. government has known about the flaw since the U.S. campaign in Bosnia in the 1990s ... assumed local adversaries wouldn't know how to exploit it"
They don't... they just need to spend some bucks on eBay.
"compatible with infidel robot planes. AAA++++ would buy from Russians again"
The other gem was: "Some of [General Atomics'] communications technology is proprietary, so widely used encryption systems aren't readily compatible"
Meaning GA can't be arsed to learn that complex encryption stuff. They probably outsourced it.
Just imagine what they could have
done with the Pro upgrade.
SSH, well just need to let a Debian Dev loose on that.
Why don't they...
... just extradite the insurgents to the USA and charge them with doing $70,000 worth of damage to US property...?
Because the insurgents will just claim they have Asperger's, I don't understand why Osama has made this claim already (if he's still alive of course).
At least the rest is secure
Good thing the command and control channel is properly encrypted or the USAF would have to start shooting them down.
Um, never mind. Carry on.
It rather sounds like they are catching the Satellite relay feeds, not the bird-view direct.
Yes expect some changes, and why not transmit some bogus vids, too.
What idiot doesn't encrypt military signals... Oh, hang on, you answered that.
I'm unsure how useful being able to view the feed is. Oh so you can see if the drone is coming for you without having to look up at the sky, big deal. If it's heading for you you're f*cked. If you run it just draws attention to you and you're f*cked.
Having a collection of recordings from previous missions just sounds like a macabre youtube... Link?
Am I the only one...
...that laughed out loud. Unencrypted?! REALLY??!? Come on boys, for fucks sake. If I didn't know better I'd think they were trying to drag this whole 'war' thing out....
...not like there's....
...any need for a financial 'stimulus' package is there!...
Epic fail from the Halo warriors postings
For the muppets who keep babbling inanely "It's only a vid feed", "If you can see it in real time you're too late you're dead", "It's all FUD", "It's no real use"
It's called data leakage and compromised by inference.
The vid tells you, amongst other stuff
What Blue Force are discretely interested in on a case by case basis
What Blue Force are interested in strategically
What Blue Force thinks from its own HUMINT intelligence is generally and specifically worth watching
What Blue Force DOESN'T think is interesting
How Good/Bad/Indifferent OpFor's masking or hiding of "Stuff" is
A way for OpFor to see how to test various ways to IMPROVE masking or hiding
Other than that no worries at all.
Now we have the insurgents' attention, swap the video feed to images of their bases being pwned, their leaders being killed and, just for sng's, pictures of Mohammed.
Might as well get some use out of this snafu.
Naked women.... that'll teach 'em to intercept our video feeds.
Got to agree with Genius... # "What idiot doesn't encrypt military signals.."?
Any idiot knows that you should encrypt military signals, even if it is only your pizza order.
Never underestimate your enemy...
The problem here isn't so much electronics, but the kind of military mind that always underestimates their enemy (hopefully not all). Despite centuries of military writers and historians cautioning that this is always a road to failure.
Whatever your weapon, whatever your surveillance, whatever your technical advantage - sooner or later the enemy is going to hack it. The problem then not just being that your ordnance is now compromised, but that you may end up facing your own weapons or variant versions of them. This has happened ever since the spear was invented, but there seems to be a certain kind of military mind that never ever grasps this. Give us new weapons and we'll cream the opposition. Sure you will - until the next time.
It may be comforting to label enemies as idiots, lunatics, fundamentalists, towelheads, etc - but in the long run it's no help. The modern guerrilla fighter - whether Muslim or anything else - is committed, determined and - above all - smart. That isn't defeatist talk - it's plain common sense and should be a given for any military strategy. What is perhaps of more concern is that what some rural 'terrorist' can eventually suss out, you can depend more traditional national enemies may well have - very quietly - figured out a long time ago.
From Roman times to the present - conflicts are rarely won by the most able but by the least incompetent. Ask any old soldier.
But not a hack, the video feeds are open, which I think anyone would agree is rather foolish
@Never underestimate your enemy...
I suspect the technologically advanced US saw the Afghans and thought them stone age because they didn't live in condiments* (apartments to the rest of the world) and don't have BlackBerrys and broadband. So naturally they assumed that they had no capability of intercepting the satellite feed to view the video. With a bit more work I'm sure they can monitor the control signals which are sent via satellite too and so can be picked up anywhere in Afghanistan (Michael C of Don't Panic you don't need to be near the plane to "hack" it) and with a bit of reverse engineering (DMCA won't stop them) work out some of the controls. They don't need to fully control it, just enough to cause a loss of control to crash it.
More useful than you think
Mobile phone conversation-
Insurgent A- 'Good Morning Omar, you will be pleased to know that I'm watching you on a Predator video feed'
Insurgent B- 'Thank you. I shall move immediately to the nearest location containing significant potential collateral carnage. Fortunately for me there is a school/mosque/hospital/crowded souk nearby. Have a nice day.'
Insurgent A- 'OK, see you tomorrow.'
All the people pointing out the obvious here aren't offering their services to the governments. My God, failing that, all said governments need to do is read The Register now and then. Its readers know how to fix all the world's ills! To hear them talk, at least. Of course, someone piping up, "I knew that" is generally ignored, given that most people have good hindsight.
@joespr : post full, verifiable details before making anonymous digs. There's a good lad. As for the pizza comment - tacky. Get a little class.
Even more dangerous
...is to think that stuff like SSL/TLS actually secures a link and you can chatter freely. There is only one method that can provably do that, and it is very simple, yet takes some logistical effort to implement. The bearded guys have a number of governments on their side who want the west to fail and are happy to supply ready-made intel from their decryption organizations.
Also, electronic emissions are always like a flashlight in the night and opponents will be happy to do radio-location. Drones are not so good, actually. The Raptor is a much better concept than the Reaper. It can operate in electronic silence.
It’s doubtful the US Military would simply forget to encrypt this data. It’s more likely this story has been leaked on purpose to encourage insurgents to use the interception software and connect a satellite dish. This could be a plan to locate insurgents and flag them up as targets. I hope this plan works and my comment doesn’t tip the naughty boys off.
re: Epic fail from the Halo warriors postings
Old ladies watching trains go past full/empty were used during WW2 to figure out where troops and ordnance were being assembled.
Knowing which bunkers/guns have been seen by drones helps you know which ones haven't and how to plan deceptive games.
Again it would seem that drones have been cast as some magic technology, but don't do what their PR claims. Same happened for Patriot missiles' broken system clock etc.
Where do I sign up?
Recommendation for upgrade...
I have a FEMA trailer full of damp toilet paper left over from the Hurricane Katrina rescue operation that I can offer for $500,000 to be delivered by Halliburton that can be used to perform a ROT13 data encryption on the video feeds.
QUOTE: "The potential drone vulnerability lies in an unencrypted downlink between the unmanned craft and ground control. The U.S. government has known about the flaw since the U.S. campaign in Bosnia in the 1990s, current and former officials said. But the Pentagon assumed local adversaries wouldn't know how to exploit it, the officials said."
What ARROGANT TWADDLE... It doesn't take the NSA and a super computer to recover an unencrypted video feed. And all the PRO-IT-DOESN'T-MATTER FUD is yet another arrogant extension of the above. You don't leak intelligence, no matter how insignificant... some of the worst military disasters have hinged on insignificant details.
> Insurgents backed by Iran [...] that groups tied to Iran [...]
Is there a non-US sourced proof for this?
Just asking since the US officials lost some credibility over this "weapons of mass destruction"-incident.