
Risk

12/17/2009
09:09 PM
George V. Hulme
Commentary

Security Reminders From "Hacked" Predator Drones

The Wall Street Journal reported today that Iraqi militants are able to intercept live feeds from U.S. military predator drones with standard hardware equipment and a $30 software application.

Letting the enemy see where you are watching and spying is not usually a good thing, unless it's part of a deliberate deception: letting them snoop on the wrong things so they miss what you're really up to. But when anyone with a satellite dish, a modem, and $30 can snoop on the U.S. military's unmanned drones, I doubt that's what's going on.

According to the Wall Street Journal story, the Department of Defense knew that the video feeds were being sent unencrypted:

The U.S. government has known about the flaw since the U.S. campaign in Bosnia in the 1990s, current and former officials said. But the Pentagon assumed local adversaries wouldn't know how to exploit it, the officials said.

It's a cliché in the IT security community, and it's true: you can't rely on security by obscurity and argue that a system is secure. And you don't ever want to underestimate the skills of an IT adversary. But that's exactly what the Pentagon seems to have done if they "assumed adversaries wouldn't know how to exploit it."

Besides, what is the exploit, really? Grabbing live video streams broadcast unencrypted over the air?

If you want a system to be secure, a good path is to make it inherently secure. So the video feed service from the UAVs should have been threat-modeled years ago, when the system was being designed. Had that been done properly, the threats would have been identified and the ones deemed important mitigated.

Another lesson: it tends to be considerably more expensive to retrofit security into a system than to design it to be secure from the jump. Now the government (through its contractor) is going to have to find a way to encrypt the video feeds retroactively. Perhaps that encryption will require some form of hardware update for all of the UAVs. It's also likely going to require an update on all of the vehicles that use these feeds, as well as on the portable troop receivers, in order to work. None of this is usually cheap to add after the fact.

The encryption method will require some form of key management. To be of any use, those keys will have to be quickly replaceable in the event the enemy gets hold of them. In fact, they'll probably have to be updated frequently, because the safest assumption is that the keys are breached from time to time.
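The key-management shape this paragraph calls for, as an added Python sketch that is not from the article or from any UAV program: per-epoch feed keys derived from a root key that receivers never hold, rotation by incrementing the epoch, and revocation that makes frames from dropped epochs unreadable. The HMAC-SHA256 counter-mode keystream (used only so the example runs on the standard library; a deployment would use AES-GCM), the constructed ROOT_KEY, and the names seal_frame and Receiver are my assumptions.

```python
import hashlib
import hmac
import os

# Constructed demo root key; a fielded system keeps this in hardware, never on receivers.
ROOT_KEY = bytes.fromhex("00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff")

def epoch_key(root_key: bytes, epoch: int) -> bytes:
    """Derive the key for one rotation epoch (HKDF-style HMAC-SHA256 expand).
    Receivers are issued epoch keys only, so a captured receiver never yields the root."""
    return hmac.new(root_key, b"uav-feed-epoch-" + epoch.to_bytes(4, "big"), hashlib.sha256).digest()

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a PRF keystream: a stdlib stand-in for AES-CTR."""
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(-(-length // 32)))
    return b"".join(blocks)[:length]

def seal_frame(root_key: bytes, epoch: int, frame: bytes) -> bytes:
    """Encrypt-then-MAC one frame; the clear header (epoch || nonce) says which key applies."""
    key = epoch_key(root_key, epoch)
    enc_key, mac_key = key[:16], key[16:]
    nonce = os.urandom(12)
    header = epoch.to_bytes(4, "big") + nonce
    ct = bytes(p ^ k for p, k in zip(frame, keystream(enc_key, nonce, len(frame))))
    tag = hmac.new(mac_key, header + ct, hashlib.sha256).digest()
    return header + ct + tag

class Receiver:
    """A ground receiver holding only the epoch keys it has been issued."""
    def __init__(self, keys_by_epoch: dict):
        self.keys = dict(keys_by_epoch)
    def issue(self, epoch: int, key: bytes) -> None:
        self.keys[epoch] = key  # key update pushed by the key-management system
    def revoke_before(self, epoch: int) -> None:
        # Assumed breach: drop every older epoch so a leaked key decrypts nothing further.
        self.keys = {e: k for e, k in self.keys.items() if e >= epoch}
    def open_frame(self, packet: bytes):
        epoch = int.from_bytes(packet[:4], "big")
        nonce, ct, tag = packet[4:16], packet[16:-32], packet[-32:]
        key = self.keys.get(epoch)
        if key is None:
            return None  # unknown or revoked epoch: the feed stays opaque
        enc_key, mac_key = key[:16], key[16:]
        expected = hmac.new(mac_key, packet[:-32], hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None  # forged or corrupted frame
        return bytes(c ^ k for c, k in zip(ct, keystream(enc_key, nonce, len(ct))))
```

A receiver still holding only the epoch-3 key cannot read epoch-4 frames until it is issued the new key, and after revoke_before(4) it can no longer read epoch-3 traffic either.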

All of this would probably have been easier to design and build in from the start. Which takes us to another lesson in IT security from this incident.

Building secure systems is not fast or convenient. In the rush to get some capability out on the street, no one wants to hear that the system has to wait for a few hours, days, weeks, or months while it is being "threat-modeled" and security controls are being built in.

The usual response goes like this: "Wait? What? We ain't got time to wait. We'll deal with those problems later."

The problem is that "later" is also usually when the problem is exponentially more expensive to fix, and you've already been hacked.

It's true of software, and apparently true of UAVs, too.
