The F-35's Greatest Vulnerability Isn't Enemy Weapons. It's Being Hacked. (popularmechanics.com)
schwit1 shares a report: Every F-35 squadron, no matter the country, has a 13-server ALIS package that is connected to the worldwide ALIS network. Individual jets send logistical data back to their nation's Central Point of Entry, which then passes it on to Lockheed's central server hub in Fort Worth, Texas. In fact, ALIS sends back so much data that some countries are worried it could give away too much information about their F-35 operations. Another networking system is the Joint Reprogramming Enterprise, or JRE. The JRE maintains a shared library of potential adversary sensors and weapon systems that is distributed to the worldwide F-35 fleet. For example, the JRE will seek out and share information on enemy radar and electronic warfare signals so that individual air forces will not have to track down the information themselves. This allows countries with the F-35 to tailor the mission around anticipated threats -- and fly one step ahead of them.
Although the networks have serious cybersecurity protections, they will undoubtedly be targets for hackers in times of peace, and war. Hackers might try to bring down the networks entirely, snarling the worldwide logistics system and even endangering the ability of individual aircraft to get much-needed spare parts. Alternately, it might be possible to compromise the integrity of the ALIS data -- by, say, reporting a worldwide shortage of F-35 engines. Hackers could conceivably introduce bad data in the JRE that could compromise the safety of a mission, shortening the range of a weapon system so that a pilot thinks she is safely outside the engagement zone when she is most certainly not. Even the F-35 simulators that train pilots could conceivably leak data to an adversary. Flight simulators are programmed to mirror flying a real aircraft as much as possible, so data retrieved from a simulator will closely follow the data from a real F-35.
Neither of those. Care to try again?
Lockheed takes the security of this system, and all of their weapons systems, pretty darn seriously.
Although we should not discount the danger of such hacks, I doubt it is the greatest vulnerability of the weapon.
TFA goes to great length explaining the potential dangers, but offers no justification for using "the greatest" in the title... Seems like a cheap sensationalism...
In Soviet Washington the swamp drains you.
The only piece of fact in this article is that there are two networks. Everything else is hysteria and buzzwords. Yes, networks are potentially hackable. I expect this bullshit from Popular Mechanics, but doesn't Slashdot have some actual story to post dupes of?
lets make up shit and call it an article. this "could" happen, that "could be done". ffs get some real news. just because you use the word hack in the article, does not automatically make it tech news.
nt
TFA reads like FUD. If I were trying to sell my services as a cybersecurity contractor, this is the kind of crap I'd write. Essentially, it boils down to "complexity is bad", and "wireless is scary".
I've worked defense contracts. They're always trying to "shore up vulnerabilities", and always making a big deal about every tiny detail that isn't perfectly in compliance with a rule written for an entirely-different scenario. Exceptions are the norm. That doesn't mean the system is actually vulnerable to any attack, or even that a possible attack would be successful.
Now, I'm not suggesting that anyone stop looking at security, especially in such important systems... I'm just saying that shouting about generic insecurity doesn't improve anything, and in fact makes things worse by encouraging a checklist-based approach to compliance.
You do not have a moral or legal right to do absolutely anything you want.
I did not know that F-35s were considered IoT devices. Does anyone have a link to a live webcam?
NEITH3R OF THOS31!!!!! LOL R 2 TRY AGANE???!? OMG
I wonder if I can use Shodan to find F-35s?
So remember, don't write anything down ever, cause someone could get it and analyze it for flaws.
Everywhere
Digital is, by definition, imperfect. Analog is the way to go.
Its greatest vulnerability? Its own cost.
At $85 million per plane, that probably resulted in several hundred aircraft that were supposed to be purchased, never being bought - far more than will ever be brought down in combat.
-Styopa
What we spent on these stupid fucking planes that we're never going to use would be enough to pay for universal health care AND shore up social security for decades to come.
I mean, as long as we're borrowing the money anyway, can we please invest it in people and not dumb shit?
You are welcome on my lawn.
Some dialect of BASIC maybe?
I'll see your senator, and I'll raise you two judges.
It's more or less a PowerPC G4 right down to the Firewire bus.
Components were billed as "COTS". However those chips were still back when they were Motorola/Freescale
The system departed from the historical use of low speed Mil-Std-1553B busses, using the high speed Fibre Channel-Avionics Environment (FC-AE) serial bus for high speed internal interconnects.
built around PowerPC RISC processors - essentially a bigger and faster cousin to the 6U VME packaged PowerPC processors now being used in F-15E, F/A-18E/F and F-111C Block C-4.
"So we have designed for technology refresh, so at the appropriate time we can stop putting in the 1 GHz processor board and swap out to the 2 GHz board without having to go back and do any redesign. We were once required to use a MIL-STD-1760 processor with Ada or other military languages; now we use commercial PowerPC with C++."
http://www.ausairpower.net/APA...
https://www.militaryaerospace....
The biggest threat to the F-35 is the F-35.
I find it impossible to believe that this is the first time any of these concerns have been brought up. Lockheed has a lot of very savvy and security-conscious engineers. Yes, the networks might be vulnerable to hacks. The question is whether that risk downside is worth the upside of these highly networked machines (say, avoiding friendly fire). I don't know what those tradeoffs are, but this article lacks any analysis of why these security risks were considered acceptable and what is done to mitigate them. Without that balancing content, this is just FUD and useless blather.
Well shit. That's your problem right there.
The f15 was programmed using Java?????
Not constantly. This is a ground maintenance function. But if it can be monitored, an enemy can gain some valuable information about the status of your forces. And if it can be hacked, that enemy could effectively ground all your planes pending unneeded maintenance*.
*"I've just picked up a fault in the AE-35 unit. It is going to go 100 percent failure within 72 hours."
Have gnu, will travel.
Hint: It transmits UP.
Only after you agree to the EULA.
"It Just Works"
Yeah can't EVER get down to visual range or it will get bagged by a $100 MANPAD or a 12.7 MM machine gun.
So what you're saying is, is that the F-35 program comes with an On-Star, so that its value will diminish (even more) if the servers are ever taken offline by the parent company? Great, you can't even buy a military aeroplane these days without a phone-home program.
When China starts flying their clone, they'll send data to Lockheed/Martin. /s
Win-win.
Payback for the free Chinese VPNs, Chinese smartphones sending data to the home-land, and all the other corporate espionage they do.
I just want someone to get China to stop sending spam to my email servers.
I think we're developing stuff that is over-teched to the point of being fragile in a way. Especially in military environments you have to wonder how these incredibly technical machines can ever survive a war?
Our military has traditionally accepted "ahead of the curve" jet designs, expecting that manufacturing and technology will eventually catch up. The theory is that you have to stay at least one step ahead of the enemy, otherwise your kill ratio will be close to 1-to-1.
While this philosophy has mostly worked, it has hiccuped from time to time. The F-35 may be one of these hiccups.
For example, our planes had difficulty during the early phases of the Vietnam war because it was felt that air-to-air missiles would render dogfights obsolete, and our planes were designed with this assumption in mind. However, the missiles proved buggy, and the Soviet planes used their maneuverability against our planes and the missiles.
A combination of better missiles and improved training in "team based" tactics eventually overcame most of these problems, but we took a beating for a good while.
It could be argued the philosophy pays off more than it doesn't such that we should stick with it. However, we will get occasional expensive duds and/or whippings along the way.
Table-ized A.I.
This is msmash shouting "hacked!" for the clicks.
The problem with the F-35 is that it's a giant boondoggle, meant to cost a lot and deliver little. It performs as intended.
With Glassdoor you can see them hiring a lot of experienced security professionals, and see what the pay is, along with the qualifications they expect of everyone working on the system.
That's all from ONE open source intelligence resource, which anyone can see in less than 20 minutes.
If you happen to be a 20-year career veteran in the security space, working 25 minutes from Lockheed headquarters and hanging out with their engineers at ISC2 meetings every month, you can really get to know their security culture if you're paying attention.
You can then easily position yourself, over the next 12 months, to have exactly the knowledge and references they'd like to see in a new hire, giving you an excellent backup plan whenever you decide to quit your job at $major_security_company.
"As the plane finally reaches full production, the Air Force is racing to plug holes that could allow hackers to exploit the jet's connected systems—with disastrous results".
Major fail.
Security cannot be added like a bag on the side, as an afterthought. Since Mr Mizokami evidently thinks it can (as far as one can judge from his breathless prose) it's pretty obvious he doesn't know much about software or security.
I am sure that there are many other solipsists out there.
And here's me thinking its greatest vulnerability is reliability. Any military machinery which is not in service is useless; whether you have 500 or 1000 aircraft is inconsequential if they are not serviceable.
She? Considering that very few women have the physical aptitudes to become fighter pilots, considering that men will always be the best fighter pilots, I think the pronoun "he" should be used here. Seriously, can feminists stop trying to shove their crap down everyone's throat?
https://www.defenseindustrydai...
New things are always on the horizon
Preemptive strike to the rescue. Problem solved.
It's written as Emacs and systemd modules. Nothing to worry about here!
In all seriousness, I was actually thinking of a different security contractor in town when I posted that. Lockheed asks F-35 candidates to know some of the following:
Go
Python
Java
Assembly
C / C++
The original post was actually somewhat correct.
I figure management sets the overall tone and priorities, the culture. Management values security.
Their people have the ability and interest to deliver security.
So there is a pretty good chance that they do a good job. Lockheed isn't a customer of ours, so I haven't done a security audit of them. I do have enough information to make an educated prediction or hypothesis.
Of course that's relative to other companies. We do have banks as customers, so I know how bad / good some banks are regarding security. Overall, the software industry sucks at security and reliability. We need about four times as many *engineers* in the roles that have job titles like "senior software engineer". Engineering means designing things to meet known requirements based on proven design methods. Software is often built with little or no engineering involved.
We don't know how that happened, unfortunately. We do know the Iraqi air force had Russian-built fighter jets, so they certainly have the ability to shoot an aircraft down. They have aerial refueling capability, the ability to fly precisely next to another aircraft and give it fuel, or even drop a cargo net on it.
The primary navigation system is inertial guidance, explicitly because spoofing GPS is pretty easy, so GPS spoofing wouldn't be a possibility that would be expected to work.
It *could* have had programming that said basically "if all your sensors are totally confused and you don't know what to do, land". The hobby version I designed and built does that. Then Iran and their allies would have needed to muck with the onboard gyroscopes and other sensors somehow.
What we do have evidence of is that years later, Lockheed takes security seriously.
Every time I point out that fighter planes with cockpits are obsolete, someone's gotta jump in there with "but drones can be hacked so we'll always need manned fighter planes"
Well thanks to Lockheed, our fighter planes are just as vulnerable to hacking as any drone, perhaps more so.
Info-cartoon highlight:
"The system is unique because each user helps improve the system for others."
Wouldn't it be great if you could write messages to other users:
"Hi infidels. So glad we're finally using the same technology as you now. We've submitted so much feedback on the system but we've noticed maybe you need to contribute more. Perhaps we could get together over a coffee sometime? Lots of love, (insert evil dictator here)"
I just love this. It seems like something that was specifically designed by a techie smart enough to know war is stupid and boy, did they do a great job of building bridges. Or maybe life just imitates art with a bit of serendipity.
A blog I run for the wealth
Before they crammed this thing full of hackable components?
sand, and rain, and the sun, and heat.
This plane must be looked at as any device that is connected to a network. Network-connected devices are most easily accessible and EXPLOITABLE from within the network. Only those within the death cult running the military's most sacred networks would know best how to exploit the F-35. 1.4 trillion TAX dollars were spent to come up with a plane that can be hacked by the maker only to be blamed on [insert Iran/Russia/China/other bogeyman] Grizzly Steppe-psyop-style.
Who do you think benefits most from that? Of course, Lockheed. Lockheed has gotten "too big to fail" (a euphemism for being integral to the continuity of government that the banksters UN imposed through Dick Cheney). It will get more "contracts" (money stolen from citizens through the tax theft grid) to improve their fuck-ups. History will look back on the people who keep believing in this shit, not the liars who want to rewrite history as they go along.
There are no vulnerabilities. Lockheed used the best Chinese security specialists available to ensure the integrity of its systems.