09 October 2011

Computer virus affecting U.S. military drones

From a story at Wired:
A computer virus has infected the cockpits of America’s Predator and Reaper drones, logging pilots’ every keystroke as they remotely fly missions over Afghanistan and other warzones.

The virus, first detected nearly two weeks ago by the military’s Host-Based Security System, has not prevented pilots at Creech Air Force Base in Nevada from flying their missions overseas. Nor have there been any confirmed incidents of classified information being lost or sent to an outside source. But the virus has resisted multiple efforts to remove it from Creech’s computers, network security specialists say. And the infection underscores the ongoing security risks in what has become the U.S. military’s most important weapons system.

“We keep wiping it off, and it keeps coming back,” says a source familiar with the network infection, one of three that told Danger Room about the virus. “We think it’s benign. But we just don’t know.”

Military network security specialists aren’t sure whether the virus and its so-called “keylogger” payload were introduced intentionally or by accident; it may be a common piece of malware that just happened to make its way into these sensitive networks. The specialists don’t know exactly how far the virus has spread. But they’re sure that the infection has hit both classified and unclassified machines at Creech. That raises the possibility, at least, that secret data may have been captured by the keylogger, and then transmitted over the public internet to someone outside the military chain of command.

More at the link. One's knee-jerk reaction is to imagine drone control being taken over remotely by an enemy and then turned around to use against the U.S. That doesn't appear to be a concern at present. And how could such a problem have developed?
...time and time again, the so-called “air gaps” between classified and public networks have been bridged, largely through the use of discs and removable drives... Use of the drives is now severely restricted throughout the military. But the base at Creech was one of the exceptions, until the virus hit. Predator and Reaper crews use removable hard drives to load map updates and transport mission videos from one computer to another... 
Well, duh...
  1. Common "crimeware" keyloggers are designed to capture your login & password pairs to banking/e-commerce/brokerage accounts and send them back to the evildoers so they can clean out your account (or buy themselves a new TV using your Amazon account).

    In general they do not include functionality that would allow them to send keystrokes the other direction to be received and processed by the infected machine.

    So if the machines have this type of keylogger that is common "in the wild", there is no concern about the drones being turned back on the US. However, it is known that intelligence agencies do write their own viruses [1]. If this is a specialized keylogger written by a foreign government, there may be some danger.

    This is mitigated by the fact that we are told the machines are kept on a separate network from the public internet with an "air gap" between them.

    This would mean that commands could not come from the internet in real time. An attacker would have to program a pre-set series of commands that could not change, send those commands across the network to one of the internet connected machines on Creech Air Force Base, and then wait for someone to carry an infected flash drive or portable disk drive across to the secure drone command computers where the commands could be executed.

  2. I don't think our real concern here is that there is a keylogger on these drones. More worrying is that we are seeing that in spite of security protocols and the limited access to these planes and their network, they are not invulnerable to software tampering.
