The F-35's Greatest Vulnerability Isn't Enemy Weapons. It's Being Hacked.

schwit1 shares a report: Every F-35 squadron, no matter the country, has a 13-server ALIS package that is connected to the worldwide ALIS network. Individual jets send logistical data back to their nation's Central Point of Entry, which then passes it on to Lockheed's central server hub in Fort Worth, Texas. In fact, ALIS sends back so much data that some countries are worried it could give away too much information about their F-35 operations. Another networking system is the Joint Reprogramming Enterprise, or JRE. The JRE maintains a shared library of potential adversary sensors and weapon systems that is distributed to the worldwide F-35 fleet. For example, the JRE will seek out and share information on enemy radar and electronic warfare signals so that individual air forces will not have to track down the information themselves. This allows countries with the F-35 to tailor the mission around anticipated threats -- and fly one step ahead of them.

Although the networks have serious cybersecurity protections, they will undoubtedly be targets for hackers in times of peace, and war. Hackers might try to bring down the networks entirely, snarling the worldwide logistics system and even endangering the ability of individual aircraft to get much-needed spare parts. Alternately, it might be possible to compromise the integrity of the ALIS data -- by, say, reporting a worldwide shortage of F-35 engines. Hackers could conceivably introduce bad data in the JRE that could compromise the safety of a mission, shortening the range of a weapon system so that a pilot thinks she is safely outside the engagement zone when she is most certainly not. Even the F-35 simulators that train pilots could conceivably leak data to an adversary. Flight simulators are programmed to mirror flying a real aircraft as much as possible, so data retrieved from a simulator will closely follow the data from a real F-35.

Greatest?

[mi]

The F-35's Greatest Vulnerability Isn't Enemy Weapons. It's Being Hacked.

Although we should not discount the danger of such hacks, I doubt, it is the greatest vulnerability of the weapon.

TFA goes to great length explaining the potential dangers, but offers no justification for using "the greatest" in the title... Seems like a cheap sensationalism...

A non-story

[Sarten-X]

TFA reads like FUD. If I were trying to sell my services as a cybersecurity contractor, this is the kind of crap I'd write. Essentially, it boils down to "complexity is bad", and "wireless is scary".

I've worked defense contracts. They're always trying to "shore up vulnerabilities", and always making a big deal about every tiny detail that isn't perfectly in compliance with a rule written for an entirely-different scenario. Exceptions are the norm. That doesn't mean the system is actually vulnerable to any attack, or even that a possible attack would be successful.

Now, I'm not suggesting that anyone stop looking at security, especially in such important systems... I'm just saying that shouting about generic insecurity doesn't improve anything, and in fact makes things worse by encouraging a checklist-based approach to compliance.

Re:A non-story

[Drethon]

TFA reads like FUD. If I were trying to sell my services as a cybersecurity contractor, this is the kind of crap I'd write. Essentially, it boils down to "complexity is bad", and "wireless is scary".

I've worked defense contracts. They're always trying to "shore up vulnerabilities", and always making a big deal about every tiny detail that isn't perfectly in compliance with a rule written for an entirely-different scenario. Exceptions are the norm. That doesn't mean the system is actually vulnerable to any attack, or even that a possible attack would be successful.

Now, I'm not suggesting that anyone stop looking at security, especially in such important systems... I'm just saying that shouting about generic insecurity doesn't improve anything, and in fact makes things worse by encouraging a checklist-based approach to compliance.

I don't know how the F-35 handles network security, but I found this a fascinating read for network security for a military UAV prototype helicopter: https://journals.plos.org/plos...

I wonder if I can use Shodan to find F-35s

[sinij]

I wonder if I can use Shodan to find F-35s?

Re:That's two wring guesses. Try again

[Sarten-X]

Considering the size of the program, I'd be more surprised if any language wasn't involved somewhere.

When I worked in defense, the only rules on languages for one component (a sub-contract to a sub-contract) was that it had to be more than 10 years old, with compilers still supported. I suggested INTERCAL. The engineers laughed, and my boss was pissed, but he couldn't object. I suggested Java. He was happier, but the engineers weren't. I think we settled on Perl for that component...

Re:That's two wring guesses. Try again

[Ksevio]

I'm guessing Ada - defense contractors love that

Power Mac G4s in the Sky.

[0100010001010011]

It's more or less a PowerPC G4 right down to the Firewire bus.

Components were billed as "COTS". However those chips were still back when they were Motorola/Freescale

The system departed from the historical use of low speed Mil-Std-1553B busses, using the high speed Fibre Channel-Avionics Environment (FC-AE) serial bus for high speed internal interconnects.

built around PowerPC RISC processors - essentially a bigger and faster cousin to the 6U VME packaged PowerPC processors now being used in F-15E, F/A-18E/F and F-111C Block C-4.

"So we have designed for technology refresh, so at the appropriate time we can stop putting in the 1 GHz processor board and swap out to the 2 GHz board without having to go back and do any redesign. We were once required to use a MIL-STD-1760 processor with Ada or other military languages; now we use commercial PowerPC with C++."

http://www.ausairpower.net/APA...

https://www.militaryaerospace....

Re:I am a little suspicious of this

[PPH]

Not constantly. This is a ground maintenance function. But if it can be monitored, an enemy can gain some valuable information about the status of your forces. And if it can be hacked, that enemy could effectively ground all your planes pending unneeded maintenance*.

*"I've just picked up a fault in the AE-35 unit. It is going to go 100 percent failure within 72 hours."

Give me an A-10 anyday

[neo-mkrey]

"It Just Works"

Re:That's two wring guesses. Try again

[sconeu]

Mulitple languages... Ada for sure, and also C++, and probably others.

C++ coding standards for JSF. http://www.stroustrup.com/JSF-AV-rules.pdf