U.S. Air Force switched drones' ground control operating system after a credential-grabbing malware outbreak. Security expert thinks it's more than coincidence.

Mathew J. Schwartz, Contributor

January 12, 2012


Did a Windows virus outbreak in systems related to military drones cause the Air Force to switch its control systems from Windows to Linux?

"Last year, U.S. military drone control systems were infected with Windows USB worms. They seem to be moving the control systems to Linux now," said Mikko Hypponen, chief research officer at F-Secure, via Twitter.

As evidence of the apparent shift, he posted pictures of a drone control system from 2009 (the image was originally published by the Air Force), which appears to sport a Windows graphical user interface. (A cropped version of the image also appeared in Air Force Times in 2009.) For comparison, Hypponen then posted an unclassified slide from a 2010 briefing that details Linux as being part of a 2011 upgrade and refit for drone control systems, and which sports a different graphical user interface.


Would the operating system switch provide an immediate drone control system security boost? "If I would need to select between Windows XP and a Linux based system while building a military system, I wouldn't doubt a second which one I would take," Hypponen told the Register.

While the timing of the apparent shift from Windows to Linux may be coincidental, it comes in the wake of a malware outbreak involving drone control systems last year. In October 2011, the Air Force acknowledged that malware had been detected on portable hard drives in use at Creech Air Force Base in Nevada. The majority of the country's unmanned military drones are remotely flown from the base, and used for missions in Afghanistan and other war zones. The Air Force said, however, that the malware, discovered in September 2011, hadn't "affected Remotely Piloted Aircraft (RPA) operations," but had reached only ground control systems, which are responsible for drones' weapons and surveillance capabilities.

"The ground system is separate from the flight control system Air Force pilots use to fly the aircraft remotely; the ability of the RPA pilots to safely fly these aircraft remained secure throughout the incident," according to a statement released by the Air Force.

The Air Force also downplayed the threat posed by the malware, saying that it was not a keylogger (as Wired, which broke the drone malware story, had first reported) but rather a credential stealer, a class of malware typically designed to capture logon credentials for Webmail, FTP sites, and online games.

"The malware was detected on a stand-alone mission support network using a Windows-based operating system," read the Air Force statement. "It is not designed to transmit data or video, nor is it designed to corrupt data, files, or programs on the infected computer. Our tools and processes detect this type of malware as soon as it appears on the system, preventing further reach."

Arguably, however, any intelligence gleaned by a credential stealer might be useful for someone who wanted to compromise a drone, as Iran recently did with a U.S. Sentinel drone, reportedly by jamming its remote-control channel, then feeding it fake GPS coordinates and making it believe it was landing at an American base.

But the Air Force said that the infected computers were part of a ground control system used to support unmanned aircraft operations, and that the malware never infected the aircraft's flight control systems. Furthermore, those flight control systems are supposed to be protected by an air gap, and never connected to the Internet. But the presence of malware on portable drives that were "approved for transferring information between systems," as the Air Force put it, indicates an obvious potential infection vector, had those drives been plugged into flight control systems.

According to Defense News, the portable drives had been used to load map updates and to transfer surveillance videos between computers. After the malware outbreak, however, the use of such drives was banned.
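As an added example, not taken from the article or from any Air Force configuration, here is how a removable-media ban of the kind described above can be enforced and audited on a Linux host: a modprobe `install` override that refuses to load the USB mass-storage drivers, so a plugged-in drive never becomes a block device, plus a udev rule that logs every mass-storage interface that is inserted. The file names, the `ROOT` staging prefix (which lets the policy be written and checked in a scratch directory before touching a live system) and the log tag are this example's own choices.

```shell
#!/bin/sh
# Added example (not the Air Force's configuration): enforce and audit a
# removable-media ban on a Linux host. File names and the ROOT prefix are
# this example's own choices.
set -eu

# install_policy ROOT
#   Writes the policy under ROOT (empty string = the real filesystem; needs root).
install_policy() {
    root="$1"
    mkdir -p "$root/etc/modprobe.d" "$root/etc/udev/rules.d"

    # 'install' replaces the command modprobe runs for a module; pointing it at
    # /bin/false means the mass-storage drivers can never be loaded, so a
    # plugged-in drive never appears as a block device. 'uas' is the newer
    # USB Attached SCSI driver and has to be covered as well.
    cat > "$root/etc/modprobe.d/no-usb-storage.conf" <<'EOF'
install usb-storage /bin/false
install uas /bin/false
EOF

    # Independently of the driver block, record every attempt: USB interface
    # class 0x08 is mass storage. %k expands to the kernel device name.
    cat > "$root/etc/udev/rules.d/99-log-usb-storage.rules" <<'EOF'
ACTION=="add", SUBSYSTEM=="usb", ATTR{bInterfaceClass}=="08", RUN+="/usr/bin/logger -t removable-media -p auth.warning mass-storage interface inserted: %k"
EOF
}

# audit_policy ROOT
#   Returns 0 when both policy files carry the expected directives and, on a
#   live system (ROOT empty), no mass-storage driver is currently loaded.
audit_policy() {
    root="$1"
    grep -qs '^install usb-storage /bin/false$' "$root/etc/modprobe.d/no-usb-storage.conf" || return 1
    grep -qs '^install uas /bin/false$' "$root/etc/modprobe.d/no-usb-storage.conf" || return 1
    grep -qs 'ATTR{bInterfaceClass}=="08"' "$root/etc/udev/rules.d/99-log-usb-storage.rules" || return 1
    if [ -z "$root" ] && command -v lsmod >/dev/null 2>&1; then
        # A loaded driver means a drive was attached before the policy took effect.
        lsmod | grep -Eq '^(usb_storage|uas) ' && return 1
    fi
    return 0
}

# Usage: ROOT=/tmp/stage sh thisfile.sh install ; sh thisfile.sh audit
case "${1:-}" in
    install) install_policy "${ROOT:-}" ;;
    audit)   audit_policy "${ROOT:-}" && echo "removable-media policy in place" ;;
esac
```

The modprobe override is the control; the udev rule is the detection. Logging insertion attempts matters because, as the incident above shows, the drives that bridge an air gap are usually ones that staff were authorised to carry, so a quiet block without a record hides exactly the behaviour an investigator later needs to reconstruct.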


About the Author(s)

Mathew J. Schwartz

Contributor

Mathew Schwartz served as the InformationWeek information security reporter from 2010 until mid-2014.

