US Drone Fleet Hit By Computer Virus

New submitter Golgafrinchan passes along this quote from an article at Wired: "A computer virus has infected the cockpits of America's Predator and Reaper drones, logging pilots' every keystroke as they remotely fly missions over Afghanistan and other warzones. The virus, first detected nearly two weeks ago by the military's Host-Based Security System, has not prevented pilots at Creech Air Force Base in Nevada from flying their missions overseas. Nor have there been any confirmed incidents of classified information being lost or sent to an outside source. But the virus has resisted multiple efforts to remove it from Creech's computers, network security specialists say. And the infection underscores the ongoing security risks in what has become the U.S. military's most important weapons system.'"

duh

[Aighearach]

Don't run windoze on bombs!

Or aircraft carriers!

Will we never learn??

Re:duh

[Pentium100]

Why? Windows crash and burn all the time, isn't that what a bomb is supposed to do?

Also, I doubt that this virus is just a random one, it most likely was created with the target in mind, so if Linux was used then the virus would have been created for Linux.

Re:duh

[fuzzyfuzzyfungus]

While your general point is valid: against targeted attackers the ratios for "desktops cracked, by platform" are pretty irrelevant"; there is more to it:

A game console, many smartphones, tivos, etc. do checks of the OSes they run. If the signature doesn't check, the device doesn't boot. Better implemenations(newer xbox360s, for instance, pretty much have to be voltage glitched to get past that.

If you are going to be strapping some hellfire missiles to something, you really, really shouldn't be running an OS/architecture so stock that desktop or corporate penetration and bug numbers are terribly relevant...

Re:duh

[Culture20]

Hell, in Linux a simple rootkit can work just by editing the system commands like ls.

That is as simple to detect as installing TripWire.

And keeping your checksum values on non-writable disks (like CDs), and using another computer to regularly scan your computer offline, and maybe throw some known changes in occasionally. Because if tripwire is replaced with a program that just says "yup, checksum's good. no need to worry", then it's no better than a sleeping security guard.

Re:duh

[BitZtream]

No, its really not. A rootkit would make TripWire thing the binaries had not been modified. Thats what rootkits do, they hide every trace of themselves so that they are undetectable. Or at least thats the theory, theres always a way to detect them but it usually (for good ones) requires scanning the data in a known clean machine.

IDS systems don't work with the kernel tells the IDS that the file is the original and even delivers the original bytes to the IDS in order to fool it. The kernel returns the original data for any read of the file, any memory mapping attempt, anything you try to do to get it at the data other than what the rootkit wants you to do.

Root kits make the kernel lie to an IDS, making it useless. You can't scan an infected machine by asking it for data (local app or network share, doesn't matter). You have to ask another known clean machine to do the scanning on the data directly without any other untrusted code in the process.

Finally, the rootkit can also just make tripwire pretend to return ALL GOOD MASTER!.

Please don't ever claim you know about security.

Re:duh

[Nefarious+Wheel]

If you were serious about platform security, you wouldn't be running on an OS at all. You'd have one single application that included its own device drivers. Costly, yes -- but also very secure if you write the lot yourself. Just don't open any doors at all.

No anti-virus?

[Jeng]

Ok, so I understand that these computers are to never be connected to the internet, but why does that mean that they don't put security software on them?

Yes, they would have to do updates manually, and it's a low risk situation, but it is a prime target for foreign adversaries and allies alike.

Re:No anti-virus?

[Nom+du+Keyboard]

Ok, so I understand that these computers are to never be connected to the internet, but why does that mean that they don't put security software on them?

If these computers are never connected to the Internet, then how are they sending out the results of their logging?

Re:No anti-virus?

[MozeeToby]

Unless someone really screwed the pooch, the results are never getting back to the virus writers. These computers are classified, that means no connection to the net, no writable media drives, many places even epoxy the USB ports so at least it's obvious if someone tries to use it. Specific steps are taken when moving data off them to prevent any data except what was requested is removed. At least, that is how it is in the private world working on classified material. Cases like Manning being able to get a dump of the entire international cable DB would indicate that the government holds itself to a much lower standard than it holds contractors.

Talk about clueless IT

“We keep wiping it off, and it keeps coming back,” says a source familiar with the network infection, one of three that told Danger Room about the virus. “We think it’s benign. But we just don’t know.”

If someone this incompetent was running a corporate network they'd have their ass on the street faster than they could say "network traffic analysis."

Just to clarify

[Baloroth]

When they say the drones were infected, what they mean is that the computers controlling the drones (located in the US and which are, apparently, running Windows...) were infected with a keylogger, probably spread through flash drives. Whether this actually compromises security at all is unknown (keyloggers generally assume you are connected to the Internet, which these computers aren't.) They don't have much security on the drone computers because they aren't hooked up to the Internet, and they would (apparently) rather educate their users than bother with antivirus, for whatever reason (although they do have a security system on the network which detected the virus. I would imagine it also should have stopped the virus).

Best comment in TFA

[arielCo]

The big problem is that the drones keep ordering refueling boom enlargement kits, and four of them tried to fly to Nigeria to collect on a half-million gallons of jet fuel that was left there by a former Minister of Aviation.

Other way around

[Toe,+The]

No, I sincerely doubt this is some mysterious computer intelligence taking over our military.

BUT... this is clearly the path to skynet. What we are seeing is what pretty much all of us already understood: when you have increasingly autonomous killbots, disaster becomes a question of "when" not "if."

Re:Other way around

[Nadaka]

There is no more autonomous a kill bot than a human being.

Spread by removable drives? How hard is this?

[bradley13]

This isn't exactly a new attack vector. Banks don't let people plug removable drives into sensitive systems - why does the US government?

You know what happened - either Joe private plugged his private pr0n collection into a classified computer, or else he took a classified drive home to use privately. Either was, really bad news.

If you've just got to have removable storage, then you pay for special connectors, so they are incompatible with anything else. Then you cast the guts in epoxy, so no solder jockey can change out the connector. This is not rocket science.

Re:Spread by removable drives? How hard is this?

[mclearn]

Actually, TFA believes that the vector was a removable drive by which they periodically update their map collections.

Use of the drives is now severely restricted throughout the military. But the base at Creech was one of the exceptions, until the virus hit. Predator and Reaper crews use removable hard drives to load map updates and transport mission videos from one computer to another. The virus is believed to have spread through these removable drives. Drone units at other Air Force bases worldwide have now been ordered to stop their use.

Re:Military Intelligence

[Jeng]

They are not hacking the control software, all they are doing is receiving an unencrypted video feed.

You do not get anywhere close to being able to hack a drone just because you receive something similar to a TV station. You wouldn't be able to hack a TV station though a TV signal and you can't hack a drone though it's video feed.

Can't resist:

[Dunbal]

box of Kleenex $4

USB key $5

Satellite military uplink $150/hr

Hellfire missile $68,000

Predator MQ-1 Drone, $40 million

Being able to rain firey death from 10,000km away onto unsuspecting Afghan targets while a the same time masturbating on the internet: priceless

Re:Iran Payback ?

[jd]

I'm not sure it matters who it is. What matters is that if you can intercept a keystroke, you can inject one, and that if you log sequences you know command sequences. That knowledge never needs to go anywhere outside the virus - if the virus catalogs how to do X, Y and Z then an unauthorized user merely needs to tell the virus that it is to replay the sequence to do X, Y or Z. The user doesn't need to know anything other than what macro does what.

For most nations, it just doesn't make sense to do this with any current mission - that we know of, at least. Scripting a drone attack only makes sense if the drone has attacked a point that the person who wrote the virus will want to attack in the future. This is great if you're a nation defending against an attacker overrunning your positions, since you can get the attacker's weapons to attack the attacker. But no current target nation has the capacity for such a strategy and even if they did it would be pointless. It wouldn't be useful at all in Libya, for example, and the draw-down in Afghanistan means the probability of there ever being a meaningful target is next to zero.

Israel is a remote possibility - they've the knowledge - and there are doubtless drone surveillance missions that the Israelies could turn into attacks and keep plausible denial. However, it's exceedingly remote. Most of their threats don't distinguish between the US and Israel, so plausible denial is pointless, and they've enough support to be able to obtain all the US-made drones they want. There's no obvious added value.

The Mexican drug cartels are hampered by drones, but not usually by the high-end military ones, and being able to launch a replay would be absolutely pointless. If they were to have the kind of savvy needed, it would more likely go into a logic bomb that would cripple the drone. It's just possible they'd want to divert a drone to some site of theirs so that they could use it for their own purposes, but you'd not want a logger for that. Makes no sense. Besides which, if they had that kind of skill, they wouldn't need cheap cop drones.

China? Maybe, but again if they wanted a Predator they'd be better off with a logic bomb that disabled the radios and landed the UAV somewhere they could pick it up from. They wouldn't use loggers because there'd be nothing worth logging.

This isn't making sense. The story so far is too illogical. Those with the skills would be doing something different, those who want to do what is claimed don't have the skills.