US Ballistic Missile Systems Have No Antivirus, No Data Encryption, and No 2FA, DOD Report Finds

An anonymous reader writes from a report via ZDNet: No data encryption, no antivirus programs, no multi-factor authentication mechanisms, and 28-year-old unpatched vulnerabilities are just some of the cyber-security failings described in a security audit of the U.S.' ballistic missile system released on Friday by the U.S. Department of Defense Inspector General (DOD IG). The report [PDF] was put together earlier this year, in April, after DOD IG officials inspected five random locations where the Missile Defense Agency (MDA) had placed ballistic missiles part of the Ballistic Missile Defense System (BMDS) -- a DOD program developed to protect U.S. territories by launching ballistic missiles to intercept enemy nuclear rockets.

Here is a summary of the findings: (1) Multi-factor authentication wasn't used consistently. (2) One base didn't even bother to configure its network to use multifactor authentication. (3) Patches weren't applied consistently. (4) One base didn't patch systems for flaws discovered in 1990. (5) Server racks weren't locked. (6) Security cameras didn't cover the entire base. (7) Door sensors showed doors closed when they were actually open. (8) Base personnel didn't challenge visitors on bases without proper badges, allowing access to secure areas. (9) One base didn't use antivirus or other security software. (10) Data stored on USB thumb drives was not encrypted. (11) IT staff didn't keep a database of who had access to the system and why.

Most alarming discovery:

[Gravis+Zero]

(10) Data stored on USB thumb drives was not encrypted.

I'm not alarmed that it's not encrypted, I'm alarmed that they are using USB FLASH drives. If you are unaware, all of theses have MCUs and almost all of them use an 8051 CPU with re-programmable FLASH memory which makes them their own little computers that someone can hijack. It's also the attack vector used by Stuxnet to infiltrate an air-gapped network in Iran.

The other things have obvious fixes but unless they are using USB devices specifically made so that they cannot be reprogrammed (one-time programmable MCUs) then there is a serious security issue here. I honestly hope that government would manufacture their own USB FLASH drives but the fact that I haven't read about it doesn't inspire hope.

I hope they are using 40 year old tech

[aberglas]

Some very crude 8086 CPU with 16K of RAM is incapable of supporting viruses. And even though the code might be bad, it is small enough that someone understood it. And minimal communication with external world, 40 years ago is pre internet for most things.

The problem starts when they upgrade to modern operating systems. And control it all from Windows desktops. Nobody really understands how they work. Everything is interconnected. And it is only a matter of time before some nasty manages to remotely press "the button".

Last I'd heard, they were using floppies

[Spy+Handler]

and real 5.25 inch floppies (not the newfangled 3.5 inch ones)... formatted for CP/M. This was in a report I saw about 10 years ago. Even 10 years ago, this setup was deemed so obsolete that it was thought to be good security... there was no virus on earth being written for such an ancient system. And of course internet connection was out of the question.

You can understand why

[petes_PoV]

Old software that isn't patched has some advantages. You know that what you are running is what was tested.

Also, how would a missile based explain that it hadn't fired its missiles because the software had received a pushed update and was too busy applying it. And that it was more important to fix a bug in a foreign font than to unleash a nuclear holocaust.