$26 of Software Defeats American Military
reporter writes "A computer program that can be easily purchased for $25.95 off the Internet can read and store the data transmitted on an unsecured channel by an unmanned drone. Drones are crucial to American military operations, for these aerial vehicles enable Washington to conduct war with a reduced number of soldiers. '... the intercepts could give America's enemies battlefield advantages by removing the element of surprise from certain missions and making it easier for insurgents to determine which roads and buildings are under US surveillance.'"
Counting the cheapest part of the machine is silly.
Software is often free. $26 is a lot for software. The radio reception, etc. and knowing where to aim are all much more expensive and require skill.
excitingthingstodo.blogspot.com
Defeating them would be gaining control of the drones (a really scary proposition)
This seems to be an information leak.. something that ought to be fixable by using some sort of encryption.
Or even by making slight changes to the stream format, since SkyGrabber seems to just be off-the-shelf software.
They're flying missions halfway around the world and not even bothering to encrypt the video stream. I can understand that in the rush to get drones in the field they might have had to cut a few corners on the system design -- but for crying out loud they've had 8 years to patch this hole. *Sigh* Your tax dollars at work.
[Sir Garlon] is the marvellest knight that is now living, for he destroyeth many good knights, for he goeth invisible.
No, demodulating a signal is not news. But not encrypting it in the first place ought to be. (And TFA had a red herring in its focus on the software used to record the signal--the software is probably the easy part, once you've captured the signal).
.sig withheld by request
Perhaps the smart play would be to quietly encrypt actual data, while continuing to broadcast placebo or manipulated data in the clear.
I'm frankly more worried about "But the Pentagon assumed local adversaries wouldn't know how to exploit it, the officials said." than I am about this particular security vulnerability.
Security vulnerabilities happen, and are unfortunate and need to be fixed, and we really should spend more time and resources on caring about them; but that is all manageable software/systems engineering stuff.
Making important decisions on the basis of "Eh, our enemies are just ignorant mud farmers anyway, no problem", on the other hand, is colossally arrogant and extremely dangerous. Particularly, since the US currently has the world's highest tech and most expensive military, "Eh, they're just primitives, no problem" is a practically all-purpose dismissal of virtually any problem that you are too lazy to fix. That is a recipe for learning, the hard way, about every new asymmetric warfare trick.
Why are the military so goddamn stupid? They have been transmitting video unencrypted ever since the Bosnia conflict. And apparently they're still happily going on making the same mistake as Joe Sixpack setting up his new home wireless router.
Don't they understand that even the weakest, simplest encryption is 1000 times better than none at all?
Why didn't the DoD just start passing a fake feed from the drone? They could have added another encrypted channel for the real feed, which I would assume is trivial given the military's budget. Then pass fake data over the unencrypted channel. Sometimes disinformation to the enemy is far more valuable than real intelligence. I can see a bunch of jihadis sitting around watching a tv screen. "Look at those infidels. They are going to blow up the wrong building! Our secret base is 100 kilometers away! Say, does anyone else hear that noi..." [BOOM]
-Arthur
Cave ne ante ullas catapultas ambules
"U.S. military personnel in Iraq discovered the problem late last year when they apprehended a Shiite militant whose laptop contained files of intercepted drone video feeds. In July, the U.S. military found pirated drone video feeds on other militant laptops, leading some officials to conclude that militant groups trained and funded by Iran were regularly intercepting feeds." The Germans did not think the Poles could break their codes. The Japanese did not think the US and the Australians would break their codes. The British did not think Argentina would finish assembling the Exocets on their own without the French manuals or use them in a way differently than designed. The Afghan and Iraqi insurgents have the money and the brains to break into Western weapon systems, don't underestimate them (or the probable help from Iran, Syria, Korea, etc...) The prospect of getting killed is a powerful motivator.
Not to be harsh about it, but think back to high school and college and ask yourself if you would describe the people who were planning military careers as the "best and brightest" of your class.
SJW: Someone who has run out of real oppression, and has to fake it.
Yeah, because being a computer engineer in the military is somehow infinitely easier than in the private sector, which allows the stupid kids to do it after school. They let just anyone fly jets too.
From what I could make out, it's just the video stream transmitted by the drone that's unencrypted, not communications that control the drone. The obvious reason this might be done is to save on the computational requirements onboard the drone by not making it encrypt the presumably immense data stream of the video. Decrypting the rest of the communication the drone receives is probably an order of magnitude less processing load, or even two.
If received and understood by the enemy in a timely manner, very useful information. But if it is just the image unencrypted and not GPS coordinates, etc, the enemy would have to have enough people watching the feeds to recognize the terrain that was being photographed... it's easy to see why this might not be considered likely and lead to the poor judgement to leave it unencrypted when the drones were designed, many years ago with less powerful processors available.
If they can prevent me from watching porn on cable and satellite, they should be able to prevent these guys from hijacking the video feeds from the UAVs.
When Fascism comes to America, it will call itself Anti-Fascism, and tell you to give up your guns.
Furthermore, there's nothing to say they still can't do that, or aren't actually doing that already. In fact, a big story in the international press about how dumb the military is on these video feeds is a good cover. One can hope, anyways, that the military is smarter than depicted in this story.
Intellectual property law is philosophically incoherent. It is your moral duty to ignore it or sabotage it.
Sensationalist... I would expect this from a tabloid.
Title should have been: Unencrypted data broadcast everywhere... can be received by anyone!
The leap from that to "$26 of Software Defeats American Military" is quite a big leap in my opinion.
Sigs are for the weak.
Don't tell the DoD. They've been paying $170,000 per license for that software.
There. Fixed that for you.
This is just my experience but I met some computer engineers with top secret clearance working at the DoD. They are so incompetent that it's scary. Even worse, they were contractors/consultants. I'm not saying all DoD computer engineers are idiots. The problem is the government is so incompetent that they've given much of the work to large consulting companies whose sole purpose is to fill as many seats as possible for the revenue.
Unfortunately there are plenty of assholes out there who will exaggerate anything in order to claim that they are more security conscious than the next person (and perhaps hope to get a contract for their company). But this is surely small war, no-one dead, move along please.
And those same people don't know (or remember) the first rule of intelligence:
Those who know, don't talk. Those who talk, don't know.
I'm a consultant - I convert gibberish into cash-flow.
Not to be harsh about it, but think back to high school and college and ask yourself if you would describe the people who were planning military careers as the "best and brightest" of your class.
Ahh, you are thinking of the one or two guys who were all gung ho but not especially bright and had delusions about being a badass commando. Yeah, my school had some too. See the thing is though that those guys aren't the guys running the military. The guys you are thinking of end up as infantry grunts or something similar and exit the service after a few years. I have a cousin who is one of those guys. Smart but classic ADHD and socially stunted and not someone I'd trust right now to be in charge of anything. But he served two tours in Iraq and now he's in college so I have hope for him.
The guys in the officer corps (commissioned and higher level NCO) are almost invariably bright and hard working and most of them that I've ever met didn't talk much about their interest in the military. I have a classmate who is a major in the US Navy who never gave the slightest hint he was interested in a military career. He was quiet, very smart, and I would have guessed he'd be an engineer but instead he's become a heck of a good officer. I have a number of friends who were graduates of West Point and Annapolis and I've been impressed as hell by each one of them. Smart, incredibly disciplined, and I'd hire any one of them in a heartbeat.
The US military is an incredibly complicated and large organization with huge budgets, difficult goals, and a huge workforce. If you think managing all that is easy and doesn't require tremendous skill, you are delusional. Sure they make mistakes just like any other large organization but their mission is also more complicated than most and if they fail, people die.
Which is the problem with military outsourcing in general. The goal is "make a profit" instead of "protect the country."
Halliburton is not in the defense business to defend. They're in the defense business to make money.
Please do not read this sig. Thank you.
Mods. That comment may be redundant, it may be old and tired, but it is certainly not offtopic. In fact, in the grand scheme of frist psots!, it might be the most on-topic one I've seen in years.
I think this has about as much to do with Army IT as IE vulnerabilities have to do with the Microsoft IT department.
$26 software defeats American military? OMG, we've been beaten?
Oh, wait... you're just saying that insurgents have a tactical advantage in some missions because they've exploited a security vulnerability using $26 software. So maybe $26 software used as a weapon against the US military?
Ah... but the military discovered the problem in the field, and is working to plug the security hole. $26 software annoys American military temporarily.
Is there any real security risk in this? I suspect it is very small.
The risk to this is not a danger to troops. The risk of this is having a completely unedited video source available to people who would have a field day if the official US proclamation of what happened was visibly different from the recorded video stream.
I am Slashdot. Are you Slashdot as well?
Yes, and some linux geek on slashdot has *all* the information and has studied the situation more than the folks who do it for a living. Right. Go back to your room, kid, and watch more movies.
Must be good to live in a world where all life's problems can be solved by OSS software. Sadly, life just isn't that simple.
You may think me a tired, old, cynic. I'd have to disagree about the tired bit.
As an engineer in the defense industry you probably also know how long defense systems live and how hard it can be to get upgrades pushed out into the field. It wouldn't surprise me at all if it wasn't technically feasible to encrypt the video stream at the time this system was first deployed, and since then upgrading it has never been a priority for anyone with enough clout to make it happen. Now that it's on SecDef's radar, how long do you think it's gonna take before this gets fixed?
And of course these drones have been operating for years, and have to withstand conditions well beyond what any off the shelf parts are rated for. Doing good crypto in a small package wasn't quite as easy twenty years ago when these were in development.
Maybe they're purposefully sending incorrect video feeds unencrypted, and this story has been disseminated to lull the enemy into a false sense of security.
Buckle your ROFL belt, we're in for some LOLs.
...
You are a dangerous fool. Never use a one-time pad more than once, even for "light" security. Doing that turns the whole thing into a Vigenère cipher and destroys all security. You might as well just XOR each byte of the message with 0x42.
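The reuse failure the comment above describes, as an added example that is not part of the thread: two constructed messages encrypted under one pad, and the crib-drag step that shows why the key cancelling out is fatal. Messages, crib and the helper names are assumptions for illustration.

```python
"""Added example (not from the thread): why a one-time pad must never be reused.
A single-use pad leaks nothing, but if two messages share the pad, XORing the
two ciphertexts cancels the key and leaves p1 ^ p2, which a guessed word ("crib")
peels apart. Messages and crib are constructed sample values."""
import secrets


def xor(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings (OTP encrypt and decrypt are the same)."""
    return bytes(x ^ y for x, y in zip(a, b))


def otp(key: bytes, data: bytes) -> bytes:
    assert len(key) >= len(data), "pad must cover the whole message"
    return xor(key[:len(data)], data)


def crib_drag(p1_xor_p2: bytes, crib: bytes) -> list:
    """Slide a guessed fragment along p1^p2; where the result is printable ASCII
    the crib probably sits at that offset in one message and the returned bytes
    are the other message's text at the same offset (false positives possible)."""
    hits = []
    for off in range(len(p1_xor_p2) - len(crib) + 1):
        guess = xor(p1_xor_p2[off:off + len(crib)], crib)
        if all(32 <= b < 127 for b in guess):
            hits.append((off, guess))
    return hits


def demo() -> list:
    """Two constructed messages encrypted under the same random pad."""
    p1 = b"FEED 1: CONVOY ROUTE NORTH"
    p2 = b"FEED 2: STATIC CAMERA ONLY"
    key = secrets.token_bytes(len(p1))
    c1, c2 = otp(key, p1), otp(key, p2)
    mixed = xor(c1, c2)  # == p1 ^ p2: the random key has dropped out entirely
    assert mixed == xor(p1, p2)
    # Guessing that one feed contains "CONVOY" reveals the other feed's text there.
    return crib_drag(mixed, b"CONVOY")
```

With a fresh pad per message, `xor(c1, c2)` is itself uniformly random and the crib step yields nothing.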
"Halliburton is not in the defense business to defend. They're in the defense business to make money"
What?! You mean to tell me that Halliburton, Raytheon, Lockheed Martin, and General Electric are not staffed by monks who've taken a vow of poverty?
People who aren't in business to make money seldom manage to stay in business long enough to do anything at all. And I'd much rather contractors operate at a profit than be perpetual budgetary basket-cases like NASA.
I truly hope this is sarcastic, because the ignorance of this statement baffles me. To say the military is comprised only of self-serving individuals who seek some sort of sick pleasure from killing people is offensive to everyone who served or is currently serving. Military members don't get free food, clothes, or housing more than anyone else with a job does. There are allowances for these necessities that are simply an extension to a member's base pay, which for enlisted members would be terribly low otherwise. If you worked a minimum wage job for the same number of hours per week as an average military member, you would probably make more money than their monthly base pay.
Apparently wizard is not a legitimate career path, so I chose programmer instead.
frequency hopping != encryption
especially if you are the only transmitter in that spectrum nearby.
Never let a mediocre career stand in the way of a good time
As long as you understand that's a generalization and not the rule. Most of the smaller private companies are quite good at what they do and deliver an excellent product.
Well, bear in mind that it's probably sending the video signal compressed in the first place, and compression is just as prone to catastrophic errors as encryption is. It's encoded either way. As others in this thread have mentioned, you just do some error correction and carry on. Encapsulate the encrypted payload with some kind of error handling stream.
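The per-chunk framing the comment above suggests (encrypt the payload, then wrap it so errors are handled chunk by chunk), as an added example not taken from the thread. The key, the frames and the HMAC-based keystream are assumptions for illustration, not any real drone link format.

```python
"""Added example (not from the thread): frame an encrypted stream per packet so a
lost or corrupted packet costs only itself. Keystream is derived from (key, seq)
and an HMAC tag over seq||ciphertext rejects damaged packets. Toy construction
(HMAC-SHA256 as a counter-mode PRF), not a vetted protocol; key/frames constructed."""
import hashlib
import hmac

KEY = bytes(range(32))  # constructed demo key, not a real one
TAG_LEN = 16


def keystream(key: bytes, seq: int, n: int) -> bytes:
    """n keystream bytes for packet seq; a different seq gives an unrelated stream."""
    out, block = b"", 0
    while len(out) < n:
        msg = b"ks" + seq.to_bytes(8, "big") + block.to_bytes(4, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        block += 1
    return out[:n]


def seal(key: bytes, seq: int, payload: bytes) -> bytes:
    """Frame = seq(8) || ciphertext || tag (encrypt-then-MAC)."""
    hdr = seq.to_bytes(8, "big")
    ct = bytes(p ^ k for p, k in zip(payload, keystream(key, seq, len(payload))))
    tag = hmac.new(key, b"tag" + hdr + ct, hashlib.sha256).digest()[:TAG_LEN]
    return hdr + ct + tag


def open_frame(key: bytes, frame: bytes):
    """Return (seq, payload), or None if the tag does not verify."""
    hdr, ct, tag = frame[:8], frame[8:-TAG_LEN], frame[-TAG_LEN:]
    want = hmac.new(key, b"tag" + hdr + ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, want):
        return None  # corrupted or forged: drop it rather than decrypt garbage
    seq = int.from_bytes(hdr, "big")
    return seq, bytes(c ^ k for c, k in zip(ct, keystream(key, seq, len(ct))))


def demo() -> dict:
    """Four frames sent; frame 1 corrupted in flight, frame 2 lost entirely."""
    frames = [seal(KEY, i, f"video chunk {i}".encode()) for i in range(4)]
    damaged = bytearray(frames[1])
    damaged[10] ^= 0xFF
    received = [frames[0], bytes(damaged), frames[3]]
    got = {}
    for fr in received:
        res = open_frame(KEY, fr)
        if res is not None:
            got[res[0]] = res[1]
    return got  # frames 0 and 3 decode independently of the damaged/lost ones
```

A chained mode without per-packet sequence numbers would instead lose sync at the first bad packet, which is the catastrophic failure the comment is worried about.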
Awesome point! And of course, since they've had access to these feeds for over a year, can we then assume that there hasn't been an incident where showing the footage would have disproved the US version of events?
Of course, they would be hesitant to tip their hand that they've got access to the footage, but if they really caught us in a lie, don't you think they'd show it?
Must be good to live in a world where all life's problems can be solved by OSS software. Sadly, life just isn't that simple.
They didn't have to use OSS.
How about using established standards?
Then the Army can drop in some off-the-shelf fix instead of having to pay their sole vendor to custom code/design new software/hardware.
[Fuck Beta]
o0t!
Silly concentration-camp prisoners during WW2, falling for that lie and thinking the Allied forces were the good guys. Man, what a bunch of rubes, when clearly, according to you, they were no different than the Wehrmacht.
Or did you really mean some battlefields, or "the occasional battlefield"?
Some bring out the best in others, some the worst. Some bring out far more.