US Ballistic Missile Systems Have No Antivirus, No Data Encryption, and No 2FA, DOD Report Finds (zdnet.com)
An anonymous reader writes from a report via ZDNet: No data encryption, no antivirus programs, no multi-factor authentication mechanisms, and 28-year-old unpatched vulnerabilities are just some of the cyber-security failings described in a security audit of the U.S.' ballistic missile system released on Friday by the U.S. Department of Defense Inspector General (DOD IG). The report [PDF] was put together earlier this year, in April, after DOD IG officials inspected five random locations where the Missile Defense Agency (MDA) had placed ballistic missiles part of the Ballistic Missile Defense System (BMDS) -- a DOD program developed to protect U.S. territories by launching ballistic missiles to intercept enemy nuclear rockets.
Here is a summary of the findings: (1) Multi-factor authentication wasn't used consistently. (2) One base didn't even bother to configure its network to use multifactor authentication. (3) Patches weren't applied consistently. (4) One base didn't patch systems for flaws discovered in 1990. (5) Server racks weren't locked. (6) Security cameras didn't cover the entire base. (7) Door sensors showed doors closed when they were actually open. (8) Base personnel didn't challenge visitors on bases without proper badges, allowing access to secure areas. (9) One base didn't use antivirus or other security software. (10) Data stored on USB thumb drives was not encrypted. (11) IT staff didn't keep a database of who had access to the system and why.
(10) Data stored on USB thumb drives was not encrypted.
I'm not alarmed that it's not encrypted, I'm alarmed that they are using USB FLASH drives. If you are unaware, all of these have MCUs and almost all of them use an 8051 CPU with re-programmable FLASH memory which makes them their own little computers that someone can hijack. It's also the attack vector used by Stuxnet to infiltrate an air-gapped network in Iran.
The other things have obvious fixes but unless they are using USB devices specifically made so that they cannot be reprogrammed (one-time programmable MCUs) then there is a serious security issue here. I honestly hope that government would manufacture their own USB FLASH drives but the fact that I haven't read about it doesn't inspire hope.
Anons need not reply. Questions end with a question mark.
Some very crude 8086 CPU with 16K of RAM is incapable of supporting viruses. And even though the code might be bad, it is small enough that someone understood it. And minimal communication with external world, 40 years ago is pre internet for most things.
The problem starts when they upgrade to modern operating systems. And control it all from Windows desktops. Nobody really understands how they work. Everything is interconnected. And it is only a matter of time before some nasty manages to remotely press "the button".
and real 5.25 inch floppies (not the newfangled 3.5 inch ones)... formatted for CP/M. This was in a report I saw about 10 years ago. Even 10 years ago, this setup was deemed so obsolete that it was thought to be good security... there was no virus on earth being written for such an ancient system. And of course internet connection was out of the question.
you're not totally wrong.
But the Paul Ryan shutdowns have wreaked havoc on program budgets over the past 10 years, and yeah, that led to a LOT of chaos and turnover in these kinds of programs. I'm not at all surprised there's a problem like this. Doing security RIGHT: in the context of a DoD framework like RMF, is very expensive. And just as you get a team that understands one process, it gets changed. And the requirements are laden with REALLY fucking expensive software licenses. Which is an additional financial drain. You add to that - a product lifecycle that is expected to last decades: you won't really find a closed-source commercial solution that has that kind of longevity without some marketing goon on a rebranding spree, coming along and obsoleting one crucial part of the stack, and forcing significant rework.
But no: a lot of us who work (or have worked) in that space, LOVE the work, and love the people they work with - it's filled with a lot of exciting challenges and problem solving, and it does pay well - except that it's hard to find a program that doesn't force you to relocate every 5 years.
Omg then it was true!
That nefarious hacker Kevin Mitnick could have hacked and launched nukes by using a phone and whistling... Thank God he was kept in solitary and denied a phone for 6 months.
Haha
The Mitnick hysteria was interesting, but ultimately just an example of uninformed people not knowing what was possible and assuming the worst, perhaps due to television.
AI, on the other hand, seems the real threat, not because I believe you're getting real intelligence, but because I believe it will be good enough to act as a lever for powerful people to manipulate the world. Imagine a world, similar to today's, but with everyone having say 50 years of AI tech developed. If you didn't see it in person, perhaps while using a certified recording device, could you tell whether or not an event occurred?
Can the world survive it becoming impossible to tell truth from fiction? The optimistic view is we will somehow get better at detecting the lies, perhaps using more AI. I'm, needless to say, skeptical.
Also, how would a missile base explain that it hadn't fired its missiles because the software had received a pushed update and was too busy applying it. And that it was more important to fix a bug in a foreign font than to unleash a nuclear holocaust.
politicians are like babies' nappies: they should both be changed regularly and for the same reasons