Iraqi insurgents hack US drones with $26 software Iraqi militants are intercepting sensitive video feeds from US predator drones using $26 off-the-shelf software, and the same technique leaves feeds from most military aircraft vulnerable to snooping, according to published reports. Insurgents backed by Iran have regularly accessed the unencrypted video feeds of the unmanned …
...who claimed that these drones were invulnerable to hacking due to their top-flight military standard encryption last time they were discussed in here? Of course the military is still saying that the command and control links are safe from meddling, but do we believe them?
Dontcha know if the vidlink is unencrypted, the C&C link is likely 48-bit blowfish session keys or DES, or something else equally ridiculous that you can crack on an abacus. If any government or "interested amateur" gets a sniff of the protocol, there'll be a rather nasty object lesson in taste of own medicine delivered at the taxpayer's expense.
"To access the feeds, the militants have been using SkyGrabber, a publicly available program that pulls movies and music off satellites and sells for $26."
Ah, but have they PAID for the software? If not, surely the thing to do would be to send a bunch of US lawyers to Iraq armed with DMCA claims.
Everybody wins: Those lawyers are specialized in finding people wherever they hide out, making a perfect replacement for the now obviously defunct drones. And if one or two should be lost due to urgent leaden skull surgery, there's more than enough replacements to drop down behind enemy lines.
Firstly, LOL at the silly yank military (again).
During the last or first gulf war, when the US was flogging its patriot system there was supposedly issues with it being able to recognise non-US planes and therefore possibly targeting friendly aircraft.
The result was that allies of the US, namely us pussy whipped Brits, were made to keep quiet about it, in case it damaged sales.
Perhaps this time since it is actually their 'enemies' who have discovered the flaw in the system something might be done about it. The US have a very large standing military force and i would be careful to criticise it, but as dependency on technology goes, they are tied to it for everything!
Before the FUD starts flying in this forum too, lets keep a few facts on the table.
1) this is only a video feed from an onboard camera, not telemetry video with the overlays that someone at the drone's remote console sees.
2) the drone is not hacked. This is a man-in-the middle reception only process. In no way are they ineracting with the drone.
3) the control frequencies are not interfered with. Those are highly secure, and come from multiple redundant points. Even if they could interfere with those bands and jam the drone's reception, it has a flight and return plan based on waypoints and GPS guidance, it can't be remotely crashed.
4) hacking a drone, even if you could decrypt the signal, not only would rely on getting it to respond, but you'd have to know intimate details of the control signals. You can't just plug a joystick into a laptop and expect it to turn left when you do.
5) if its anything like other flight computers I've seen, and worked on code for, it's not one computer, but 3, running on different hardware platforms and running on different OS. ALL THREE have to generate the same response at the same time in order for it to accept input. If one system goes rogue because it's been hacked, the other two ignore it, and the operator is informed a computer is down.
6) being close enough to get this feed, if it's coming for you, is simply notification you have a few minutes to live. When the drone(s) do arrive, as they did on a village early yesterday, they come in packs, and drop 10 or more missles in numberous runs. If you got the feed, and fled, the pilots watching the feed could simply take out your truck too.
7) even if you knew one was coming, and were ready with a shoulder launchable surface to air missle, odds of you hitting this drone are real small, and you're dead anyway. They're expendible, likely you don't think you are yourself. It's why we designed them...
8) the "predator" HAS been redesigned. The feeds are from older birds we still use, but there's already a 3rd generation shipping to the military, and a 4th generation in the works, as well as hardware overhauls on older units, no differnt than the F16 has had numerous computer replacements over decades.
Honestly, this is not a big deal. The video is crucial for manual operation that it be smooth and digital error free. Back in the 90s, encrypting in real time a video feed like that in such a way that dirty frequncy bands would still produce clean video (lots and lots of ECC on top of the encryption), would have added rediculous computational requirements to both the bird and the pilot station equipment, and would likely have led to video feed processing delays of a second or two, we simply did not have the tech to do it.
> 3) the control frequencies are not interfered with. Those are highly secure, and come from multiple redundant points.
Maybe you have inside information, but we're left to assume this is the case. For all we know it could be just as insecure.
> 4) hacking a drone, even if you could decrypt the signal, not only would rely on getting it to respond, but you'd have to know intimate details of the control signals.
Nobody should make this mistake, especially not the military. It's called security by obscurity. It doesn't work, just ask Skype.
> 5) it's not one computer, but 3, running on different hardware platforms and running on different OS. ALL THREE have to generate the same response at the same time in order for it to accept input. If one system goes rogue because it's been hacked, the other two ignore it, and the operator is informed a computer is down.
Again, maybe you have inside information, but this is presumptuous. And your paragraph contradicts itself internally. In your scenario, only two would need to be hacked. If it's the same application software being run on various platforms, it is likely that the application is equally vulnerable on each platform. If it's three separate application implementations, though not impossible, it would be incredibly difficult to ensure that each generates the exact same responses at the same time. This added complexity could actually increase the failure modes should the applications behave differently during a hack.
Besides, unless there are three separate control channels, it only needs to be hacked once to control all three implementations.
> Honestly, this is not a big deal.
I'm not panicking, but it is at the very least an embarrassment to have such a trivial vulnerability.
Hacking this is orders of magnitude harder than hacking Skype or another app, for the basic reason that with Skype you have access to one of the endpoints (executables, etc) on a system that you know and can monitor very closely. The insurgents can only eavesdrop on the encrypted traffic, or possibly try a man-in-the-middle attack with a sufficiently powerful transmitter - at which point the drone gets confused, takes its ball and goes home.
If the insurgents shot one down then they would have a much better chance, but I'd imagine any drone crash site becomes the target for a whole lot of ordnance very quickly.
Taking control of the drones would be complicated, quite useless and frankly stupid; so the Iraqis might be able to do it but never wanted to. One can hope that the command link is somewhat more secure than the data link, and you would need a full-time pilot; to do what? Crash the thing on a merkin base and instantly lose all these handy, free sources of intel? It is much more useful to let the yanks pilot the things: half the gain is the free info feed, the other half is the ability to see which regions the merkins are monitoring. Priceless.
I keep telling people that half of the problem with technology is linguistic, at root. In this case we're dealing with three entirely different senses of the word "intelligence" - as meant by engineers, where it means simply software control; soldiers, where it means tactically or strategically useful information; and the vulgar tongue, where it means the ability to make sound decisions.
So what's happened here is that nobody had the intelligence to realise that the comms link was to carry intelligence, and thus the system has less intelligence than needed.
What's plain is that intelligence, in the military sense, becomes worthless if it is in the public domain and thus these drones are an enormously expensive waste of time.
First news story that's made me laugh out loud for ages.
Jesus H Christ why the fuck did they not just use an SSH tunnel to send the video feeds around? Honestly, that would be so incredibly easy and cheap (free) to do i cant believe they didnt do it.
I hate bring up Mr Gary Mckinnon again but they are about to nail him to the wall for exposing their extremely poor and irresponsible security and oh look, some flipflop wearing insurgents with a laptop and $26 have now rendered Predator useless.
my god.
The WSJ has this little gem: "The U.S. government has known about the flaw since the U.S. campaign in Bosnia in the 1990s ... assumed local adversaries wouldn't know how to exploit it"
They don't... they just need to spend some bucks on eBay.
"compatible with infidel robot planes. AAA++++ would buy from Russians again"
The other gem was: "Some of [General Atomics'] communications technology is proprietary, so widely used encryption systems aren't readily compatible"
Meaning GA can't be arsed to learn that complex encryption stuff. They probably outsourced it.
What idiot doesn't encrypt military signals... Oh, hang on, you answered that.
I'm unsure how useful being able to view the feed is. Oh so you can see if the drone is coming for you without having to look up at the sky, big deal. If it's heading for you you're f*cked. If you run it just draws attention to you and you're f*cked.
Having a collection of recording from previous missions just sounds like a macabre youtube... Link?
For the muppets who keep babbling inanley "It's only a vid feed", "If you can see it in real time your too late your dead", "It's all FUD", "It's no real use"
It's called data leakage and compromised by inference.
The vid tells you, amongst other stuff
What Blue Force are discretely interested in on a case by case basis
What Blue Force are interested in strategically
What Blue Force thinks from its own HUMINT intelligence is generally and specifically worth watching
What Blue Force DOESN'T think is interesting
How Good/Bad/Indifferent OpFor's masking or hiding of "Stuff" is
A way for OpFor to see how to test various ways to IMPROVE masking or hiding
Etc
Etc
Other than that no worries at all.
The problem here isn't so much electronics, but the kind of military mind that always underestimates their enemy (hopefully not all). Despite centuries of military writers and historians cautioning that this is always a road to failure.
Whatever your weapon, whatever your surveillance, whatever your technical advantage - sooner or later the enemy is going to hack it. The problem then not just being that your ordnance is now compromised, but that you may end up facing your own weapons or variant versions of them. This has happened ever since the spear was invented, but there seems to be a certain kind of military mind that never ever grasps this. Give us new weapons and we'll cream the opposition. Sure you will - until the next time.
It may be comforting to label enemies as idiots, lunatics, fundamentalists, towelheads, etc - but in the long run it's no help. The modern guerrilla fighter - whether Muslim or anything else - is committed, determined and - above all - smart. That isn't defeatist talk - it's plain common sense and should be a given for any military strategy. What is perhaps of more concern is that what some rural 'terrorist' can eventually suss out, you can depend more traditional national enemies may well have - very quietly - figured out a long time ago.
From Roman times to the present - conflicts are rarely won by the most able but by the least incompetent. Ask any old soldier.
I suspect the technologically advanced US saw the Afghans and thought them stone age because they didn't live in condiments* (apartments to the rest of the world) and don't have blackberrys and broadband. So naturally they assumed that they had no capability of intercepting the satellite feed to view the video. With a bit more work I'm sure they can monitor the control signals which are sent via satellite too and so can be picked up anywhere in Afghanistan (Michael C of Don't Panic you don't need to be near the plane to "hack" it) and with a bit of reverse engineering (DCMA won't stop them) work out some of the controls. They don't need to fully control it, just enough to cause a loss of control to crash it.
Mobile phone conversation-
Insurgent A- 'Good Morning Omar, you will be pleased to know that I'm watching you on a Predator video feed'
Insurgent B- 'Thank you. I shall move immediately to the nearest location containing significant potential co-lateral carnage. Fortunately for me there is a school/mosque/hospital/crowded souk nearby. Have a nice day.'
Insurgent A- 'OK, see you tomorrow.'
All the people pointing out the obvious here aren't offering their services to the governments. My God, failing that, all said governments need to do is read The Register now and then. Its readers know how to fix all the world's ills! To hear them talk, at least. Of course, someone piping up, "I knew that" is generally ignored, given that most people have good hindsight.
@joespr : post full, verifiable details before making anonymous digs. There's a good lad. As for the pizza comment - tacky. Get a little class.
...is to think that stuff like SSL/TLS actually secures a link and you can chatter freely. There is only one method that can provably do that, and it is very simple, yet takes some logistical effort to implement. The bearded guys have a number of governments on their side who want the west to fail and are happy to supply ready-made intel from their decryption organizations.
Also, electronic emissions are always like a flashlight in the night and opponents will be happy to do radio-location. Drones are not so good, actually. The Raptor is a much better concept that the Reaper. It can operate in electronic silence.
It’s doubtful the US Military would simply forget to encrypt this data. It’s more likely this story has been leaked on purpose to encourage insurgents to use the interception software and connect a satellite dish. This could be a plan to locate insurgents and flag them up as targets. I hope this plan works and my comment doesn’t tip the naughty boys off.
Correct.
Old ladies watching trains go past full/empty were used during WW2 to figure out where troops and ordinance were being assembled.
Knowing which bunkers/guns have been seen by drones helps you know which ones haven't and how to plan deceptive games.
Again it would seem that drones have been cast as some magic technology, but don't do what their PR claims. Same happened for Patriot missiles broken system clock etc.
I have a FEMA trailer full of damp toilet paper left over from the Hurricane Katrina rescue operation that I can offer for $500,000 to be deliveded by Haliburton that can be used to perform a ROT13 data encryption on the video feeds.
QUOTE: "The potential drone vulnerability lies in an unencrypted downlink between the unmanned craft and ground control. The U.S. government has known about the flaw since the U.S. campaign in Bosnia in the 1990s, current and former officials said. But the Pentagon assumed local adversaries wouldn't know how to exploit it, the officials said."
What ARROGANT TWADDLE... It doesn't take the NSA and a super computer to recover an unencrypted video feed. And all the PRO-IT-DOESN'T-MATTER FUD is yet another arrogant extension of the above. You don't leak intelligence, no matter how insignificant... some of the worst military disasters have hinged on insignificant details.
Just another reason to convince the population that war with Iran is paramount to win the War on Terror. What a pile of bollocks we have no evidence that any of this actually occurred, It's easily conceivable that the US have manufactured this whole story to show that A) The Enemy is a REAL threat and B) Iran are the real bad guys. Next we'll be hearing that Osama has been spotted in Tehran. I really wouldn't trust anything leaked by the military about "Secruity issues" or "Underfunding"... It's like trusting MP's to deal with their own expenses or wages... Oh wait.... FAIL.
Dave the insurgent : Alah akbar Trevor, they are watching the market place at the moment so dont going there to blow yourself up, i can see that they have company size strength on the ground and an Abrams.
Trevor the insurgent : Are they watching the gas works?
Dave the insurgent : a bit, they have a section sized force guarding it, and a humvee, it's much less protected and it looks as though they are just filming themselves dancing for a youtube video so they are not really paying attention
Trevor the insurgent : OK Dave, i'll go the the GAS works and blow myself up there instead.
Dave the insurgent ; Ala akbar
To see what your enemy is doing is invaluable hence the Americans extensive use of UAV. If you can see what they are interested in it makes the task of feeding them false intel all the easier not to mention that finding and unguarded target is much easier.
There is no excuse for not encrypting data feeds from miitary intel gather devices, it is not difficult or expensive.
I even watch my movies and share my files via an ssh tunnel, not because i'm scared of anyone intercepting my data, it's just so easy to do it i thought why not?
As Whisky_35_Alpha says, in a very geeky military way, is very true.
Admittedly its not the best intel in the world but time is on their side, they can sit their and watch the feeds all day long. They can then find out if their little hideout is found and if so, move on.
Its quite embarassing since it is not that hard to encrypt the feeds but it is a very military thing, just bolt on more to what you already have until you realise there is a problem then it is realy hard to fix!
You would have thought somebody may have questioned this.
Every news article on this story makes a big deal out of "$26 software", including The Reg, which put it in the headline. Why is the list price such an important fact? Would it be less a problem if the software retailed for $500? Or was free? I'm not sure. I am pretty sure that the "insurgents" didn't use Paypal to pay the $26 in any case. Any idiot can find a download with a with one Google search (Google even helpfully suggests such terms as "crack", "keygen"). The point surely is that it can be downloaded by anyone anywhere. Not that trying to restrict downloads would make any sense, I get tired of the ludicrous checkboxes "No, I am not a member of the Axis of Evil and am not plotting jihad" one sometimes has to go through to download some trivial piece of freeware.
.
AC@21:38
"The U.S. government has known about the flaw since the U.S. campaign in Bosnia in the 1990s ... assumed local adversaries wouldn't know how to exploit it"
And what do we know about people who assume?
@Whisky_35_Alpha
Lots of excellent points. Knowing who you are looking at (and *not* looking at) right now can be very handy.
If a "Blue" force unit is on its way and using the feed to to provided early warning to avoid/identify enemy units those same units (if they have a hacked feed) will likely be able to see them coming.
Historically video has been a high bandwidth subsystem seperated from the regular Telemetry & Control channels. In this case it has been *much* easier to tap into than most lay people would have expected from a military system. What is *staggering* is the claim this is not confined to drones (where the weight/power penalty of an encoder *might* be a reasonable tradeoff) but could be service wide.
Moving from passive reception to active takeover is likely to be a *lot* harder. Changing the settings on some COTS gear (which is what this more or less sounds like) could be done by anyone. Active seisure is likely to need quite a bit more hardware and special software. Having the drone be controlled by satellite puts the aerial on top, needing something flying *above* drone height to override the channel.
That assumes control by a satellite uplink and an aerial which could not be swamped by a high power close range signal from the ground.
It's not an assumption I'd like to bet my life on.
@John 186
I think the phrase is "Force majeur." The idea that *this* weapon will give us *everlasting* victory against all opponents. To date I think only deep diving nuclear submarines and ballistic missiles have continued to remain difficult enough to either guard against or find to make an opponent state think twice.
However if you're a guerilla force you cannot be threatened by such weapons.
All enemies learn and evolve. If a conflict lasts long enough they will find your weaknesses whearther or not they can or will exploit them.
"It may be comforting to label enemies as idiots, lunatics, fundamentalists, towelheads, etc - but in the long run it's no help. "
And US forces abroad frequently has. IIRC Sun Tzu made the point the point that you should *never* disrespect your enemy. Their standard of living is only relevant if it can help you find them or work out how they are likely to attack you.
We may think their ideology insane but by thinking them stupid you underestimate their cunning, setting your self up for a trap. The WSJ quote earlier was stunningly arrogant. This was also the conflict that saw Bosnians shoot down a stealth bomber with anti aircraft fire, because the stealth coating used broke down under exposure to the humidity and temperatures common on the European battlefield.
I doubt the EOD techs currently serving abroad think their opponents stupid. Cunning, devious, determined but not stupid.
How many times have I laughed at an episode of 24 or Spooks when the bad guys have trivially intercepted military or government signals in order to advance the plot? Too many to count, I'd guess.
Well I take it all back. Sorry guys, it looks as though you were spot on.
"Wouldn't having the video feed mean the "bad guys" could track it backward to find the source of the little plane? Having a nice video layout of the base and its guard positions would be an added benefit prior to tossing in a few IEDs. See any troop positions along the way?"
Yes the list of benefits to an attacking force being able to see throught the eyes of their enemy just keeps getting longer.
I'm just guessing but I suspect Israel does not have this problem with its drones.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
