Cracking Military Devices
Kenneth Ng was one of the folks who wrote to us about an article CNN is running, courtesy of Federal Computer Weekly. The piece talks about scenarios that have caused the Army some consternation -- namely, crackers being able to take the wheel of remote-controlled military weapons systems like tanks, ships and planes. I dunno -- I kinda like the idea of being able to play Grand Theft Auto with an M-1 Abrams tank.
Got 80,000 feet of wire hanging off the back of that F-117?
Actually a sit-in virtual station that relays the aircraft's environment back to you and makes you feel like you're there *is* a good idea. Besides protecting the pilot's life, the pilot can also do 20G air maneuvers that would kill a human being (9Gs max). The fighter plane could be used to maximum efficiency (unlike now) where the human is the limiting performance factor.
So I'm sitting at home the other day, flying a stealth...when the FBI comes knocking at my door...so I answer (first stupid move) and they say, so we hear you have a stealth bomber under your control...I say and....you like your house...so they left...came back with a bunch of ATF agents...saying something about what I was doing wrong...they didn't like my comment about whose tax dollars paid for this...jerks
I like the bit in Hacker Crackdown about a h/cracker with the exaggerated reputation of being able to launch WWIII from a pay fone.... :)
try { do() || do_not(); } catch (JediException err) { yoda(err); }
Gee... just think what could have happened if the nutty little gamers behind the Columbine atrocity had gotten their hands on some *serious* weaponry.
Seems to me that it's the big boys in office playing their video games that might be the *real* threat in the years to come...
Your Brain + EEG + LEGO Robots = Brainstorms
The military needs more money to shoot people with. The reason this crap is being addressed now is because the military is moving into a generation of unmanned vehicles as many have already pointed out. They're also making soldiers increasingly electronic from night vision to GPS systems. If someone can hack (crack) into an army's electronic (C4 infrastructure) they can control the army. I see the "21st century soldier" stuff and just laugh. Instead of making soldiers more independent technology makes them more dependent on a base of operations. The digital soldier's effectiveness only lasts as long as his (her) battery. Electronic toys will also have to be heavily protected from the environment which adds to their weight and bulkiness. After a while soldiers will be entirely dependent on technology for mobility and survival in the field. Want to cripple a ground unit? Fly over them with bombers releasing lightweight radio reflective chaff with small amounts of radio static causing isotopes. A cheap and easy way to keep your enemies from phoning home. Want to get more complex? Arm your army with a bunch of HERF guns and lay waste to your electronic opponents. The US military's vision of fighting in the future is fundamentally flawed, radio reflective chaff and HERF guns are cheap, with a little bit of cash and know-how you can build some low yield nuclear bombs. You don't use them to obliterate cities, you shoot them up into the ionosphere and detonate them to create one whammy of an EMP. Keep IT Simple Stupid.
I'm a loner Dottie, a Rebel.
Speaking of PC Anywhere, I got the funniest thing in the mail the other day. It was a typical "Free ISP for newbies" CD, with a long list of included software (mostly demos) on the back. The first item on the list, in bold type, was... PC Anywhere. It struck me that distributing such a widely-known vulnerability to the typical audience of this sort of CD is, well, a little reckless.
Hmmm... I guess it was funnier at the time. Oh well.
Your right to not believe: Americans United for Separation of Church and
"Yes it's my gun, but *I* didn't shoot him! This 8 year old friend of my kids did!"
Your analogy is invalid. A gun is final hardware. Source code is information. A correct analogy would be: "Yes, those are plans for my nail gun, but I didn't shoot him..."
"Yes I wrote SATAN, but *I* didn't crack those root nameservers and bring down the net! That evil script kiddie did!"
What tools do you use to secure your machines? SATAN and tools like it are the only reason those root nameservers are still operating.
Just keep on blaming everyone else for what they do with your creations, but someday, you won't be able to pass the buck.
Do you really see no difference between raw information and the intent behind how it is used? Perhaps fire-making knowledge should be hidden, since after all, that's how arsonists burn down buildings...never mind all the other people who will freeze to death.
Can one do arbitrary remote control via that interface? (i.e. any maneuver I want?) First thing after I hijack the control connection, could I pull one of those 20G moves someone mentioned earlier, killing the pilot to prevent him from shutting down?
How about killing the VTOL engines, and dropping the plane on the deck? Perhaps with the bombs armed?
1. GPS creep might work. Sounds like that Bond movie, though, eh? I'm guessing that might be harder than we think, just because you'd have to trick the receiver into hearing your signal while ignoring the actual signal. A system such as GPS has to have some way of throwing out erroneous data (or admitting that it can't determine a valid result). Now if you knock the satellites out of orbit first, you've got it, but then the all around lack of GPS except when you're spoofing would probably be noticed.
2. Fake AWACS might be possible if stuff was transmitted unencrypted over non-voice channels. Which sounds unlikely. I think open voice communications is already vulnerable, and non-voice is likely going to be encrypted (there's a real-time encryption system from the NSA, although I forget the name, that's used for voice, surely you could throw it into a cell modem...)
3. FOF tomfoolery might be possible. Although the other way around, making foes seem friendly, makes more sense. The FOF is a radar transponder system that essentially fiddles with the bounced signal, I'd think in order to change it you'd need physical access to the transponder.
What it sounds like they are looking at is large systems - computers that provide navigation and systems control for planes and boats, like fly-by-wire. Of course, it does make one wonder what the hell the military would be thinking allowing remote access or control of said computers. I mean, really... I don't know, I think it might be mis-information, getting the "bad guys" (whoever they are this week) to waste time looking at something that is irrelevant.
itachi
Well ...
OK, so the example they give is faking the incoming navigation data for a ship. For vessels which depend on downloads of info (such as GPS locators), this might prove useful in that:
A. one could induce systems creep in a MBT so that the tank thinks it's a few hundred feet away from where it is, especially while on the move. "Charlie, I thought you said we were going 70kph, how come we're 20km closer than we should be?"
B. one could give false image info for targets beyond local range (e.g. fake data from an AWACS).
C. one could trick the Friend Or Foe signal data so that friendlies appear to be hostiles.
None of these sound very promising. And none of them "take control" of the system. Now if someone knows of any buffer overflow exploits with these systems, maybe we're talking a nifty hack; but otherwise, it's just smoke and mirrors.
Will in Seattle
Maybe OT but anyway:
A 16 year old Danish boy managed for some hours to control the trains on a major switchyard using only knowledge of the switching system and a stolen radio from the train operator.
He got caught when he by mistake changed the switches so that a high speed passenger train would be led onto the switchyard! (The Automatic Train Control system set off the alarms)
The boy is in all respects an ordinary and clever boy with a huge interest for trains and how to operate them. In other words - he is by no means nuts.
Nevertheless he could have caused a disaster if the passenger train was so close that the ATC couldn't stop the train fast enough.
Security is always an issue with humans!
-- From Denmark
Since when does the USA take their treaties into account? After all.. they are the policemen of the world, those who would protect us from the big bad commies, self-appointed lords of democracy. On one hand, they urge every country to ratify the no-nuclear-weapons-testing document.. but guess who is absent on that list. The US is one of the most hypocritical nations I know. (not necessarily all people in it, before you start flaming me for that)
//rdj
No one can understand the truth until he drinks of coffee's frothy goodness.
--Sheikh Abd-Al-Kadir, 1587
What is stopping the commander in chief from ordering the big toys out to play?
What is stopping anyone from going to the armory and grabbing the big toys?
What is stopping the boy with the toy from pointing it at his buddies, rather than downrange?
What is stopping the makers of the toys from planting 'software bugs'?
The only reason anyone is caring here is digital is seen as invisible...hard to track.
The US Military has wanted smarter toys so they can use lesser trained people. The 'threat' expressed in the article is part of the trade off they accepted when they signed the contract.
Perhaps the military contractors need more money?
If it was said on slashdot, it MUST be true!
Taking control of a ship carrying cruise missiles now qualifies as "random harassment".
I'm gonna get me a script and randomly harass my old High School.
--
Mike Hoye
someone mentioned that "you'd need to have worked with this stuff to hack it"
time and time again this has been shown to be blatantly false. People that design systems are not clairvoyant. Interested parties can and do infiltrate and learn about systems that they've never seen before. Reading old phrack articles should leave you quite convinced of this.
Unmanned military vehicles are no longer an experiment. They are a reality. They were used successfully in the gulf war - in reconnaissance roles. However, more traditional aircraft and military systems roles are also being moved to unmanned versions. It is my understanding that the JFX (or is it JSF or JSX ?) is the last planned manned fighter aircraft. Well, this summer they had mated the two halves of the fuselage. In other words, don't expect too many more manned fighters. Fighter aircraft can already far outperform the limits of their frail human pilots.
The military is and will continue to use unmanned vehicles in an increasingly aggressive/active fashion. Many current generation missiles are "fire and forget" -- this is software driving the missile to the target once it is released. Commercial airliners already more or less fly themselves. Putting all these pieces together is all that's left.
Someone else mentioned that taking a machine off a public network ensured that it would not be hacked. I can't think of a more foolish statement. Systems were getting hacked -- and much more thoroughly than they are today -- long before everyone "had internet". The mentality which says "private network == unhackable" is the mentality that I don't want near _Any_ computer network with sensitive data. VPN's are just a matter of encryption. Isolated LANs invariably have some private dial-in #. Think of this problem in terms of telco stuff. What telco gear do you know of that's hooked up to the net ? Ask yourself how often that stuff gets completely compromised and understood by cajoling teens.
As far as buffer overruns in military systems, I wouldn't count on it. For instance, the majority of the F-15's software is written in Ada. C typically is _not_ used, and for good reasons.
The facts are clear. The future of the military is software automation. If people take the attitude that they are doing enough to safeguard their software and networks, then they probably really aren't. Paranoia is the only answer.
My opinions are my own, and do not necessarily represent those of my employer.
Highly unlikely scenario....
nah...you should be more afraid of police dressed
up in military gear busting down your door and
shooting you because you moved too fast and
"they were scared" on the word of a junkie paid
informant who told them you were running a crack
house.
(oh wait...that never happens...oops)
"I opened my eyes, and everything went dark again"
> Actually, the scenario you describe might be
> more likely than one might think.
I know. Actually...with a little looking around
a few months back I found a nice story. Police in
miami or something paid an informant, who was nice
and very forthcoming about this nice crack house.
They came in armed to the teeth...when an old
lady answered the door, she saw all their guns and
screamed. Her husband heard the scream and came
rushing out of his bedroom with a gun to save her.
Needless to say the man was probably dead before
he realized what was going on (much less before
he hit the floor). It was a house owned by an old
retired couple...no crack found.
Another case police busted into a house looking
for drugs, chased a man into the bedroom and
shot him, emptied their clips into him. Coroner
said that most of the bullets entered "at a
downwards angle through his back" (ie he was
laying on the floor dead).
No drugs were found. The man was unarmed. The
police were not punished.
So, all in all, I don't think this remote
controlling military gear is too much of a worry.
Frankly....there are worse things that should
keep you up nights.
"I opened my eyes, and everything went dark again"
Any information we considered VITAL we do NOT put on a network where any non military personnel can access it.. We have special networks for that kind of stuff, and I can guarantee that the ability to control a TANK will NOT be on Niprnet (what we call the internet)...
All of our special networks are of course, QUITE encrypted, so good luck if you think you have a chance cracking them...
-Dextius Alphaeus
-- Java is not a Jedi trait... "do, or do not, there is no try" --
...but I just don't buy this at all. Why, if the Army really thinks this could happen, would they advertise it? "Hey, you too can get control of our tanks! Commandeer an APC and take your friends to the Prom in real All-American (tm) style!!!"
It could just be more of the government's "cyber-criminal/terrorist" rhetoric aimed at eroding more people's right to hack. Well, not that there is a right to hack....yet.
Am I just crazy? Am I placing too little faith in our military? Can you place too little faith in an organization that practices better ways to kill people?
sig not found
Another thing I think worth mentioning:
I've seen a lot of posts that talk about the fact that the military wouldn't talk about it if they did have tanks and such hooked up to the internet. This is probably true for the most part. See most squadrons, wings (in the AF, for the Army it's probably battalions, companies etc.) have this neat guy called the PR officer. Basically any public statements or talking to the press is done/authorized by him/her. There are often things that are initially classified info, then de-classified, but aren't released to the press. No officer/enlisted personnel are going to say a word, unless the PR gives it the okay. That's the cool thing. If the PR person doesn't say anything about it, no one outside the military would ever know. I've been fortunate enough to hear some 'confidential information not released to CNN' briefings. They were interesting to say the least. I once even heard about a hack that accomplished the next best thing to taking over a vehicle.
Wigs
...I was reading this and realized, "Hey, that's ME he's talking about."
Yes...I am a civilian working for the Navy. (I feel like I'm at Defense Contractor's Anonymous...) In fact, I'm with a group of folks responsible for writing the software that is the official NATO test for military communications equipment.
[aside] Do you have any idea what the NDA for this company looks like? How many NDAs did you sign that said, "If you talk about the wrong things to the wrong people, or even to the right people at the wrong time, or even to the right people, at the right time, but in the wrong place, OR EVEN the right people at the right time at the right place but when that other person didn't Need To Know the information, we'll throw you behind bars with your new "husband" for the next 10 to 15 years!"??? *sigh*)
Well, anyhow, what I can talk about and is unclassified is that most of the military communications formats are encrypted, jamproof and in many ways just really dang hard to deal with. There are two exceptions. One of them is used to control airplanes remotely (usually for Automatic Takeoff and Landing, for carriers). It's not encrypted. Granted, the format of these communications isn't something the average joe can get a hold of easily. And there's probably a way for a pilot to shut down the communications.
But the unencrypted nature of this, not to mention the fact that it can be used to control a plane, handled cleverly, could be a risk. It's like the risk in Star Wars..."I've analyzed their attack, sir, and there IS a danger..."
Hmmm, I seem to have wandered off the point of the post I'm responding to...I know I had something relevant to this post to say...oh yeah, it was this: Even the civilians are underfunded. You'd be amazed at the crap our team here has to dig through. Our solution is that we're always having to reuse old code, rather than hacking an off-the-shelf product. But if you've been on a project where you've tried to reuse code and merely update a system over time, you know how nasty things can get...well, we've been updating the same code pretty much since...1993 or so. Seven years makes code fugly.
Okay, I'm going to stop now.
Trouble is they weren't well EMC shielded. So along comes the hacker, with an illegally powerful ham radio.
He gets halfway through filling and: ZAP! - with luck, the pump will stop registering any more fuel.
Before you rush out to try it, it doesn't work very well anymore. The shielding is much better.
Sure this isn't a software hack, but if it puts a military vehicle out of action it doesn't really matter. Also, theoretically it might in fact be possible to reprogram something remotely (even if the wires to do it have been cut, if you put the right voltages on it, it's going to work ;-)
-WolfWithoutAClause
"Gravity is only a theory, not a fact!"
I agree with an earlier poster that if you don't want the ability for people to do it remotely, don't put it in there in the first place. This can't be done in all circumstances, of course, but read on.
I hope to God that the arming circuitry requires some kind of hardwire interface at least for the last stage of final go-ahead for launch.
I would have thought that with military tech. being, what, 5 years or more in advance of what we civilians get they would be using multiple signal, spread spectrum, 2GB encryption keys and a slew of other technologies that make it at least infeasible to try and crack. And yes I do mean for navigation and indeed all subsystems of any kind of military device or even civilian device which has the possibility for far-reaching or deadly effects if such a system were to be compromised.
<sigh> I guess that's what they mean by "military intelligence".
I've been playing Jane's Longbow a lot lately ;-)
No, lets play Thermonuclear Warfare
WHAT SIDE DO YOU WANT TO PLAY?
1) LINUX ZEALOTS
2) BSD ZEALOTS
3) TROLLS
---> 3
VERY WELL THEN, I WILL PLAY 1) LINUX ZEALOTS
FIRST POST!!!!!
BSD SUCKS!!!!!
LINUX RULZE!
MICRO$~FT SUCKS!
FIRST POST!!!!!
BSD SUCKS!!!!!
LINUX RULZE!
MICRO$~FT SUCKS!
FIRST POST!!!!!
BSD SUCKS!!!!!
LINUX RULZE!
MICRO$~FT SUCKS!
this is my sig.
"The problem for the enemy is that computer security vulnerabilities will almost certainly prove fleeting and unpredictable," said Pike, adding that such tactics would be nearly impossible to employ beyond the random harassment level.
Most security problems that I know of are not fleeting, but are resident in the system. So you have a systematic bug instead of a fleeting and unpredictable one. This problem is real and might be a problem, but that is not what I think is meant here.
So I think that we shouldn't look at the error inside the systems to look at what mister Pike meant. I think that what mister Pike was aiming at is the problem of being able to send a vehicle the wrong data. For that you don't need to access the vehicle's systems. You just need to be able to send fake data in such a way that your opponent interprets it as real. Deception in the end is a large part of Warfare.
Use Adsense for Charity
"One character at a time" was an old bug on at least one system (TOPS-20.) The password validation system did a strcmp to check for a password match. You could also get a page fault count on a process. So, you put your trial password across a page boundary with the first character on one page, the rest on the next page. Try each first character in turn until you see a page fault to the rest of the password, shift to two characters on the first page, and repeat until you have the entire password. An elegant attack that reduced the effort from 26^36 to 26*36!
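The page-boundary trick described in the comment above, as an added Python simulation that is not part of the original post: an early-exit compare is shown beside a constant-time one, and the same guessing procedure is run against both. The function names, the boolean "faulted" flag standing in for the page-fault counter, and the sample secrets are all constructed for illustration.

```python
import hmac
import string

ALPHABET = string.ascii_uppercase  # 26 symbols, matching the comment's arithmetic


def early_exit_check(secret, guess, boundary):
    """strcmp-style compare that stops at the first mismatch (the weak form).

    The guess is laid out so that characters at index >= boundary, including
    the terminating NUL, sit on a second page. Returns (ok, faulted), where
    faulted models the page-fault count the caller was able to read.
    """
    s, g = secret + "\0", guess + "\0"
    faulted = False
    for i in range(len(g)):
        if i >= boundary:
            faulted = True              # reading g[i] touches the second page
        if i >= len(s) or s[i] != g[i]:
            return False, faulted       # early exit: later bytes are never read
    return True, faulted


def constant_time_check(secret, guess, boundary):
    """Hardened form: every byte of the guess is read whatever the secret is."""
    ok = hmac.compare_digest(secret.encode(), guess.encode())
    faulted = boundary <= len(guess)    # depends only on the caller's own layout
    return ok, faulted


def leaks_prefix(check, guess="CAT", boundary=1):
    """True if the fault signal for one fixed guess changes with the secret."""
    return check("COW", guess, boundary)[1] != check("DOG", guess, boundary)[1]


def recover(check, secret, max_len=36):
    """Run the one-character-at-a-time procedure against a simulated checker.

    Returns (recovered_password_or_None, number_of_guesses_submitted).
    """
    known, guesses = "", 0
    while len(known) < max_len:
        for c in ALPHABET:
            guess = known + c
            guesses += 1
            # Boundary right after the guessed characters: only the NUL
            # terminator lies on the second page.
            ok, faulted = check(secret, guess, len(guess))
            if ok:
                return guess, guesses
            if faulted:                 # compare got past the last character
                known = guess
                break
        else:
            return None, guesses        # no symbol produced a signal
    return None, guesses


if __name__ == "__main__":
    secret = "CORRECTHORSE"             # constructed sample secret
    print("early exit   :", recover(early_exit_check, secret))
    print("constant time:", recover(constant_time_check, secret))
    print("leaks (early exit / constant time):",
          leaks_prefix(early_exit_check), leaks_prefix(constant_time_check))
```

Against the early-exit compare the guess count grows with alphabet size times length; against the constant-time compare the signal is identical for every guess, so the procedure learns nothing about the secret.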
we were military intel. (please hold the jokes), and the equipment we worked on was *almost* a stand alone network, small server that had a single encrypted data feed from outside.
the machines were brand new(we were some of the first trained to use them), but were already antiquated. the contractors spent more time working on them than us analysts. and there were so many holes in the gui that it wasn't funny.
even we, uneducated and inexperienced as we were with unix, were able to find several ways to do interesting stuff. it's been too long to tell you the version of solaris running, but was a custom gui, with no command line for non-contractors. somehow, we found that it was easy to create a file with a few commands in it, save as .cshrc, and open a couple windows to execute it... and it didn't take us long to get transferred to another unit.
the point we were trying to make though, is before we got into trouble, we told the contractor what we could do, we reported everything we did to see if he could stop us. and he could never get the authorization. he tried a few things on his own, but we always found ways to circumvent them.
now, we query you, what if we had been malicious? or, for that matter, anything other than curious? we never broke anything, and only got root once (did nothing with it, but let the contractor know). granted we were right there, and that makes a difference, but there are many out there who are much better than we (though we are still learning - not cracking, losing our job was enough to teach us a lesson), and many systems are not so remote.
just a thought.
Where hast Great OOG gone?
OK, I can only speak with regards to a fighter aircraft here, but I would guess most everything else will be similar. (knowing how uncle sam operates ...)
I hope to God that the arming circuitry requires some kind of hardwire interface at least for the last stage of final go-ahead for launch.
Hell yes!!! I work SMS (stores mgmt system) right now. This is what we do. In order to launch a missile or drop a bomb, the master arm switch is required by the hardware to be in the armed position and the weapon release is required by the hardware to be depressed. If either of those interlocks (and a whole mess of software interlocks and other software/hardware interlocks) aren't OK, the missile never comes off the rail. (or isn't ejected)
I would have thought that with military tech. being, what, 5 years or more in advance of what we civilians get they would be using multiple signal, spread spectrum, 2GB encryption keys and a slew of other technologies that make it at least infeasible to try and crack. And yes I do mean for navigation and indeed all subsystems of any kind of military device or even civilian device which has the possibility for far-reaching or deadly effects if such a system were to be compromised.
The keys aren't THAT big (on the stuff I know about, which isn't all that much since I'm not with the NAV team) but freaking EVERYTHING is encrypted. The JTIDS shared tactical info, the comms, the datalink to your wingman, nav, gps, etc. And yes most of it is spread spectrum. There is a bunch of anti-spoof stuff built into a lot of it as well.
Basically some cracker hijacking a manned combat vehicle will not happen. Ever. Period. Even if someone got around 1 layer of crypto, they would have more to deal with other stuff. (like the fact that these systems are unbelievably complex, and use some pretty strange hardware.)
The issue is the new UCAVs. (unmanned combat air vehicles) These could be hijacked somehow if the crypto on the link was broken. These are not gonna be deployed for quite some time, and I'm sure the link encryption will be heavy duty. (I would guess to the point of requiring dedicated proprietary hardware on both ends. that's just a guess based on past experience however.)
dv
"There's no secret. You just press the accelerator to the floor and keep turning left." -- Bill Vukovich
You will find, that for most "sensitive and mission critical" operations (that does cover a lot with the military, but not most of their PC LANs), they use the tried-and-true "air gap" firewall: They simply don't connect the internal systems to any external systems. You can't attack what you can't talk to.
Now, the Navy seems to be having trouble with their "smart" ships, but so far, their track record there isn't too hot (remember the whole NT debacle?). That whole program seems to be more like some Star Trek fan's wet dream than your "standard", ultra-paranoid military project. I can only hope it is the exception and not the rule.
You will find the military is very strict with regards to what you connect to what, how you can connect it, and how you have to protect it and shield it. And with good reason.
If you've got a PC with classified data on it, then the entire system is classified. Including the keyboard and monitor. (No, I'm not making that up. I've seen many Air Force PCs with red "SECRET" stickers on the keyboard and monitor.)
If you so much as put a floppy disk in the drive and take it back out, that floppy is now classified as well. You also cannot connect just any hardware to the system; you need to make sure everything is properly shielded for EMSEC (emissions security; what used to be called TEMPEST). This applies all the way down to serial cables connecting to external SDDs (Secure Data Devices).
I'm fairly confident this article is pointing out exceptions in design policy to ensure that the exceptions do not become the norm.
dragonhawk@iname.microsoft.com
I do not like Microsoft. Remove them from my email address.
It is somewhat particularly troubling indeed. The US Military as a whole is farming most of their computer programming out to civilian contractors these days. For example, I believe the Navy has most of the software for their ballistic missile submarines done by GTE. (These are the same folks that use NT4.0 for navigation and damage control routines on Aegis missile cruisers, which have failed more than once, leaving a billion dollar vessel dead in the water)
As opposed to the USAF, which just barely does most of their work in house.
At any rate, talk to a military programmer, and they'll admit that quality control can be iffy, budgets are short, and the Brass is always looking for a way to trim budgets. Even if it means going with an off the shelf product, hacked and crammed into working by only one or two enlisted men, who leave a few months later for higher paying civilian jobs.
And now the Military is looking at things like fully autonomous combat vehicles. The next US Army MainBattleTank, in later versions will operate autonomously, Both the Navy and Air Force hope to fly UCAV (unmanned combat air vehicles) that for a large part operate autonomously, if not fully.
Hackability of these systems may not be practical, many of them will operate without external data connections, being solid systems.
What is my concern more than anything, is that these systems need their software to perform at all, and the trend at cutting corners, and having a shrinking qualified personnel base, is what the Military is really in danger of.
Sounds like the military wants to be able to blame someone when they attack unprovoked.
Taiwan: Why did you attack us!!!
US: Wasn't us, someone must have hacked into our computers and done it.
Later that day
US: *snicker* fools