The U.S.’s fleet of unmanned aerial vehicles may not have been poisoned, after all. Maybe the drones – or those flying them with joysticks from air-conditioned trailers at Creech Air Force Base in rural Nevada – are just really into online gambling or gaming.
When a virus concentrating on American Predator and Reaper drone cockpits was detected by some of the U.S. Air Force’s cybersecurity analysts on Sept. 15, the bug was thought to be logging pilots’ keystrokes at Creech, some 7,000 miles removed from the craggy tribal areas in Afghanistan, Pakistan and Yemen. Turns out it’s just the sort of malware routinely dropped in gaming circles to lift unsuspecting users’ log-ins and passwords, and now it has latched onto portable hard drives cleared to transfer information between Creech’s systems.
As the USAF said in a statement (.docx), the bug (which they won’t name) is only a “credential stealer”: "The malware was detected on a stand-alone mission support network using a Windows-based operating system … It is not designed to transmit data or video, nor is it designed to corrupt data, files or programs on the infected computer."
The statement insists that the infection – already notorious for materializing again and again after repeated network wipes – has since been “properly and easily contained,” according to Wired ’s Noah Shachtman, who broke the story. Shachtman’s initial reporting, together with the recent killing of American-born Anwar al-Awlaki by Hellfire missile, set off a droning media orgy, continued debates over how robots should be held to the letter and spirit of international law and apparently was news to the 24th Air Force, the air service unit specifically tasked with cybersecurity.
Capabilities of those operating the remotely piloted aircraft “remained secure throughout the incident,” the USAF adds. The bug was an annoyance, if anything, not a clear and present threat to live operations. “There’s nothing particularly exciting about it,” George Smith, senior fellow and cybersecurity expert with globalsecurity.org, tells me. “And they deal with it the same as everyone else does.”
Only they do so with extreme haste: Sure enough, just days later a U.S. drone cruising over northern Pakistan took out seven militants, including Janbaz Zadran, a top leader of the al-Qaeda-affiliated Haqqani cell.
And yet not unlike America’s falling drone syndrome, cybersecurity breeches are a nagging, if not sobering, motif along the Pentagon’s zig-zagging cybersecurity front. Malware and spyware, Smith argues, have probably been found wherever the U.S. has networked computers involved in killing people.
Smith, who wrote one of the first books on computer viruses in 1994, speaks of Windows viruses in Yugoslavia and Serbia around that time; a virus that burrowed into two laptops on board the International Space Station in 2008; and of course Stuxnet, arguably the most sophisticated computer worm ever written that lead to the U.S. military banning discs and thumb drives outright. (This is to say nothing of the damage inflicted by a military operative copying hundreds of thousands of documents off a secret network onto a fake Lady Gaga CD and sending it to Wikileaks.)
Is this something similar? Are there unauthorized, bad storage devices circulating in the hands of personnel who are straight ignoring the ban? “I have no idea,” admits Peter Asaro, a professor of digital warfare at the New School and co-founder of the International Committee for Robot Arms Control. “If I did, this would all be classified.”
The idea behind secure military networks, he continues, is that they live offline. They have no physical linkage – in theory, at least – to the internet or other domestic communication networks, so what you get is a moat effect. But in the drones’ case, it’s not “completely separated.” He speculates that there’s likely a flood of imagery being scrutinized by intelligence analysts who must transfer files and feeds from the field, over the moat and into the offline, classified castle. When this information makes the jump from on to off, so to speak, viruses and image files can be embedded. And if, in fact, Creech was using a new universal-cockpit system by Raytheon, which Asaro claims runs on a PC using over-the-counter video game controllers, one vulnerability is clear: open USB ports.
“Maybe somebody did plug in a USB even though they shouldn’t have," he says. "Maybe there’s a Bluetooth or a wi-fi connection that was opened at some point. Who knows?”
Be it a dirty USB or Mafia Wars, all this simply underscores the fact that what should be one of the most fortified systems within the military isn’t immune to viruses and attacks – even unintentional attacks by typical consumer, non-military, non-cyber-war sorts of malware. “They are susceptible systems,” Asaro says.
And the hardest reality is that holes in these systems can’t be patched over. Ever.
Anti-virus scanning software writ large, Smith tells me, is signature-based. Programs collect known samples of computer viruses, analyze them and extract their signatures to then be programmed into the software. From there the software can flag any bugs.
“But that also ensures that there’s always going to be some new badness that slips through,” Smith says. “Fighting viruses, by very definition, is reactive. It can never eliminate the problem entirely. There’s always a window.”
So for all the USAF’s it’s-just-credential-stealing-malware damage control, then, there’s still the grim prospect of earth-shaking political destabilization and military instability. For those nefarious and willing enough to hack into the U.S.‘s (or China’s or Israel’s) secure drone-operating systems, intrusions like this will encourage attempts to “exploit antivirus defense,” in Smith’s words.
The great fear, of course, is an organization or lone-wolf crazy seizing control of, say, American drones, and then redirecting the robot’s missiles at unintended targets. If and when that happens, who should be held responsible? And perhaps more importantly, what are we going to do about it?
A version of this piece originally ran October 14, 2011, on Motherboard.