Slashdot Mirror

← Back to Stories (view on slashdot.org)

Pentagon's New Next-Gen Weapons Systems Are Laughably Easy To Hack (zdnet.com)

Posted by BeauHD on from the easy-as-1-2-3 dept.

An anonymous reader quotes a report from ZDNet: New computerized weapons systems currently under development by the U.S. Department of Defense (DOD) can be easily hacked, according to a new report published today. The report was put together by the U.S. Government Accountability Office (GAO), an agency that provides auditing, evaluation, and investigative services for Congress. The report detailed some of the most eye-catching hacks GAO testers performed during their analysis: "In one case, it took a two-person test team just one hour to gain initial access to a weapon system and one day to gain full control of the system they were testing. Some programs fared better than others. For example, one assessment found that the weapon system satisfactorily prevented unauthorized access by remote users, but not insiders and near-siders. Once they gained initial access, test teams were often able to move throughout a system, escalating their privileges until they had taken full or partial control of a system. In one case, the test team took control of the operators' terminals. They could see, in real-time, what the operators were seeing on their screens and could manipulate the system. They were able to disrupt the system and observe how the operators responded. Another test team reported that they caused a pop-up message to appear on users' terminals instructing them to insert two quarters to continue operating. Multiple test teams reported that they were able to copy, change, or delete system data including one team that downloaded 100 gigabytes, approximately 142 compact discs, of data."

The report claims the DOD documented many of these "mission-critical cyber vulnerabilities," but Pentagon officials who met with GAO testers claimed their systems were secure, and "discounted some test results as unrealistic." GAO said all tests were performed on computerized weapons systems that are still under development. GAO officials highlighted that hackers can't yet take control over current weapons systems and turn them against the U.S. But if these new weapons systems go live, the threat is more than real, GAO said.

26 of 93 comments (clear)

  1. What? by TimMD909 · · Score: 4, Insightful

    This smells like the result of MBAs ignoring engineers...

    1. Re:What? by ShanghaiBill · · Score: 5, Interesting

      This smells like the result of MBAs ignoring engineers...

      It is worse in the military, because communication is inherently unidirectional, and they can go years between real world validations (i.e. wars).

      "War games" are setup by the same people that are being tested, so if they fail the test, they can just change the rules and have a do-over. This famously happened during the run up to the 2003 Iraqi invasions, when opfor was repeatedly banned from using unconventional tactics, such as underage bicycle messengers and roadside bombs, because that was "unrealistic".

      I had personal experience with this nonsense when I was a young lieutenant. I was part of the Red Team (opfor), and we were hopelessly out numbered and out gunned since we were playing "insurgents". So we decided to go asymmetric ... and cut off the Blue Team's water supply. I was told that wasn't allowed, and to turn it back on immediately. So then we set up road blocks that targeted their chow trucks. Nope, that wasn't allowed either.

      But we were permitted to launch a hopeless frontal attack directly into their entrenchments, which we did on the last day of the exercise so we could go home early. In the after-action critique, I can remember the colonel getting up and congratulating everyone on a job well done. That's when I decided a military career was not for me, and I am not surprised that America proceeded to lose several wars.

      Semper Fi.

    2. Re:What? by 1369IC · · Score: 2

      >It is worse in the military, because communication is inherently unidirectional, and they can go years between real world validations (i.e. wars). This is not as true, if true at all, on the R&D side. I work in one R&D command and we have almost 14,000 people and fewer than 200 military personnel. So you don't see the classic military structure you see in uniform. Also, in the Army, at least, if you're working on an actual system you're probably working for a Program Manager. PMs can have whoever they want do their engineering for them, buy technology from Army labs, Federal labs, industry or international entities. So again, it's not a military structure as the rest of the Army understands it (I'm a retired NCO, so I've been around a pair chunk of the Army). And the Army Futures Command is going to change a lot of these relationships.

    3. Re:What? by Anonymous Coward · · Score: 4, Insightful

      "That's because the purpose of wargames is to test systems and get people used to doing their jobs under stress"

      Im genuinly curious, why do they call it war games then and not system testing?
      Why do they not provide a procedure for the Red team to follow?
      If not a procedure, why do they not provide limitations for the Red team?

      I mean if the purpose is to test the systems under specific circumstances then why not lay those circumstances out ahead of time? If they do, then yes the previous poster that you replied to is an idiot for not following the rules of the game. If not, then isnt it someone else's fault that they didn't define the rules properly in the first place?

      I mean if you go and tell me to perform action X (like attack a base) and then i perform action X, how can anyone call me an IYI if they didn't specify how they want action X done? wouldn't that mean that someone higher up the food-chain is the IYI by assuming that someone else would perform action X in a specific manner? To me it sounds like there were several IYI's in the scenario mentioned.

      note: I do not actually know anything about war-games in the us military, so i am curious how these things are supposed to work.

  2. Re:Not vulnerabilities at all by K.+S.+Kyosuke · · Score: 2

    Unless they're using SuperMicro boards. ;)

    --
    Ezekiel 23:20
  3. Security as an afterthought by phantomfive · · Score: 5, Insightful

    GAO said all tests were performed on computerized weapons systems that are still under development.

    You can't add security on as an afterthought. It needs to be a core feature.

    --
    "First they came for the slanderers and i said nothing."
    1. Re: Security as an afterthought by phantomfive · · Score: 2

      If they were at the "hello world" stage no one would bother doing penetration testing.

      --
      "First they came for the slanderers and i said nothing."
    2. Re:Security as an afterthought by jeff4747 · · Score: 2

      You can't add security on as an afterthought. It needs to be a core feature.

      Adding security in and of itself is dangerous. If the operator can't fire the weapon because he's locked out of the terminal, it is worse than not having that weapon there at all. Because you make your plans assuming the weapon is present, and when it won't work then your plans are fucked.

      Military security comes from people walking around with guns and not plugging everything into the Internet.

    3. Re: Security as an afterthought by phantomfive · · Score: 2

      And next will you argue that guns shouldn't have safeties?

      --
      "First they came for the slanderers and i said nothing."
  4. Rational risk/reward calculations by Tablizer · · Score: 5, Insightful

    To be fair, managers are more likely to be rewarded for delivering a sufficient product on time than ensuring proper safeguards. A missed deadline will almost surely be noticed and put on them, while slipshod security has roughly a 1 in 10 chance of showing its head during a manager's actual reign. (The marketing people negotiated the contract, not the project manager, and the marketers often under-bid to win.)

    They are behaving "rationally" in terms of their OWN risks versus rewards. The managers are following the carrots and sticks which are actually applied to them like donkeys would.

    It's kind of like debt and pensions versus politicians: they won't likely be in office anymore if they muck either of those up bad enough for the public to notice, so they give short-term handouts instead, dumping the long term problem onto the future. In the future, you will hear, "I didn't do it, my predecessors did."

    --
    Table-ized A.I.
    1. Re:Rational risk/reward calculations by Tablizer · · Score: 2

      There's only so much inspection-by-checkbox can do. The actual source-code would have be carefully read (and understood) for a good inspection, and that cost is probably more than most want to pay. (A compromise might be random spot checking.)

      --
      Table-ized A.I.
    2. Re:Rational risk/reward calculations by Tablizer · · Score: 2

      Seasoned veterans, of the kind that consistently deliver well-secured and high-quality code, are expensive and tend to hold up projects with their insistence that things be done right.

      I can personally vouch for that, except I'm not expensive, just ignored. People in general do NOT like accurate news. They prefer hearing what they want to hear. It's partly why the country is polarized: it's easier to find sources now that tell you what you want to hear.

      People actually like fake news:       they just kvetch about others' fake news.

      --
      Table-ized A.I.
    3. Re: Rational risk/reward calculations by cyber-vandal · · Score: 2

      The foundations of Trump's rise to power were laid by both parties. Taking people's futures from them and telling them it's their own fault was never going to end well.

    4. Re:Rational risk/reward calculations by Archtech · · Score: 2

      The managers are following the carrots and sticks which are actually applied to them like donkeys would.

      That says it all, really.

      For better results, a good start would be appointing managers who are smarter (and more moral) than donkeys.

      If they can find any.

      --
      I am sure that there are many other solipsists out there.
  5. unit conversion help by n3r0.m4dski11z · · Score: 4, Funny

    "including one team that downloaded 100 gigabytes, approximately 142 compact discs, of data."

    Not archaic enough. I'm gonna need that in number of baskets of scrolls please.

    --
    -
    1. Re:unit conversion help by ImprovOmega · · Score: 2

      *deep breath in*

      So lets assume a bushel basket as that is fairly easily hand-held and a Torah scroll as a standard (still in use!) scroll. Well in that case your bushel (2150-2219 cu. in.) can hold right at two Torah scrolls (roughly 1100 cu. in. per scroll). Now the Torah scroll contains exactly 304,805 characters. If we use a standard 7-bit ASCII character set that's ((304805 * 7) / 8)/1024 = 260.453 KB per scroll, or 520.91 KB per basket.

      Now 100GB is 104,857,600 KB so you would need 104,857,600 / (520.91) = 201,299 baskets of scroll for 100GB of data. Admittedly the 201,299th basket would only have one scroll in it, partially completed, but it would still be part of your basket count.

      TLDR: 100 gigabytes is 201,299 baskets of scrolls.

  6. Something Something by Greyfox · · Score: 2

    Something Something government contractors something something lowest bidder.

    --

    I'm trying to teach myself to set people on fire with my mind... Is it hot in here?

  7. Re:Rational risk/reward calculations [correction] by Tablizer · · Score: 2

    Correction re: "they won't likely be in office anymore if...

    Corrected version: ...they won't likely be in office down the road. If they muck either of those up bad enough for the public to notice, it will probably be after their reign. Therefore, they give short-term handouts instead, dumping the long term problem onto the future.

    --
    Table-ized A.I.
  8. Target audience detected by stealth_finger · · Score: 2, Funny

    "100 gigabytes, approximately 142 compact discs, of data."

    Probably the same type of people that call the internet AOL.

    --
    Wanna buy a shirt?
    https://www.redbubble.com/people/stealthfinger/shop?asc=u
  9. Insiders though? by Gilgaron · · Score: 4, Insightful

    Not that they shouldn't do better, but, say, if someone can only hack a Phalanx system from inside the aircraft carrier from a secure access terminal then it is probably not going to end up exploited, since if you can get a mole in that deep they can probably do more damage throwing a wrench into the right place.

    1. Re:Insiders though? by jeff4747 · · Score: 2

      That's really the dumb part of this story. These systems are air-gapped.

      At that point, you have to decide if the air gap is enough or if you want to add more security. When making that decision, you have to consider things like "If we can't fire this when we need to because a certificate expired, we will die".

      And "an operator could sabotage this" doesn't require hacking the computer. As you say, throw a wrench in it. Or unplug it. Or fill the operator's station with bullets.

  10. Dangers of faith in any weapons tech by Glasswire · · Score: 2

    Blind faith in systems and strategy, just because you are heavily invested in it, will not necessarily save you

  11. Re: Gee, good thing they didn't open source any of by Sarten-X · · Score: 4, Interesting

    No, no, fuck you, and no.

    This is a horribly bad approach to security. You're making assumptions about the external environment, and using them to excuse system vulnerabilities. That's not realistic or intelligent. It's just lazy.

    Lets not forget the anti hacking. A bullet in the head of the traitor.

    That's assuming you can find a traitor. If the system logs aren't secure, or if their integrity is questionable, or if they don't uniquely identify an individual, you have no hope of identifying exactly who attacked the system.

    Systems in development are not complete

    So? Security isn't something to be bolted-on late in the development process. Systems should be secured first, then the functionality is applied on top of that. If that means you have to use more-costly (but more secure) solutions in your design, so be it. When functionality comes before security, management is far too justified in saying "but we've spent too much already developing this insecure system!" and refuse to reimplement it securely.

    For a related example in the public sector, we're almost done implementing HTTPS, after only 10 years or so...

    Systems are in very high security locations, especially when deployed

    At first, maybe... then a truck gets ambushed, or a base is overrun, or we get an impulsive politician who promises an arbitrary date to get out of an unpopular conflict area. Then those systems fall into enemy hands, and you just have to hope that it's a useless pile of hardware by then.

    Systems are surrounded by many soldiers

    Soldiers are underpaid, overworked, and usually focused on things other than countering highly-technical intelligence techniques. If an attacker walks onto a base, steals classified data (or even whole systems), and tries to leave, they'll be saluted at the gate as long as their paperwork looks right.

    There is no valid excuse for leaving a system insecure by design. Every layer of the system should be built securely, with the functionality added afterward.

    --
    You do not have a moral or legal right to do absolutely anything you want.
  12. Most of the Responsibility Falls on the Pentagon by Koreantoast · · Score: 2

    Most of the responsibility of this falls on the Pentagon. The government insists on tightly controlling all the requirements, and so in an environment where cost is king, if the customer doesn't properly write in cyber as a requirement, there isn't any incentive by the contractors to go beyond what is written. That is what the GAO report is primarily criticizing: that the DoD did not take cyber seriously until recently and that they are still trying to figure out how to architect a secure environment and write requirements for it. So even if a contractor says, "Hey, government Contracting Officer, you should tighten security around this system," the government Contracting Officer, if they understand even what's going on, will probably say, "I dunno, does that change the requirements? We're not going to pay you for it."

  13. Re: Gee, good thing they didn't open source any of by G00F · · Score: 2

    If an attacker walks onto a base, steals classified data (or even whole systems), and tries to leave, they'll be saluted at the gate as long as their paperwork looks right.

    This!, even a moderate physical secure systems need to be secured. Everyone assumes everyone else is doing what they are suppose to, and question only when they are suppose to, and wouldn't know otherwise.

    --
    The spirit of resistance to government is so valuable on certain occasions that I wish it to be always kept alive
  14. Re: Gee, good thing they didn't open source any of by arglebargle_xiv · · Score: 2

    Friend of mine was part of a team that did a security assessment on an automatic 5in gun used for naval purposes. It was pretty much a tour de force of how not to do it, everything connected and enabled by default, little to no security/encryption, ancient insecure libraries, terrible coding practices, you name it, it was there. Apart from the direct security implications that anyone who gets access to the ship network, e.g. while berthed, has full control of an automatic 5in gun turret, it said really bad things about the rest of the software controlling the thing. They were limited in scope with what they were allowed to do, but said it responded in very unexpected ways to garbled control messages sent to it. In other words just normal, non-malicious operation in the presence of errors would cause it to do God knows what. Their recommendation was to disable as much computer-controlled automation on it as possible and run things under human control.