How do you access some of the most advanced, lethal and expensive weapons systems on the planet?
Simple, you just check the manufacturer’s box for the default username and password.
The use of ludicrously weak passwords is just one of the many embarrassing revelations in the Government Accountability Office’s (GAO) report on the security of the Department of Defense’s weapons systems. The findings are the result of an investigation into the military’s cyber-preparedness for Congress, ahead of the approval of a $1.66 trillion DOD budget this week.
On the face of it, the report's findings will terrify many U.S. citizens, especially given the current geopolitical tensions with China, Russia and North Korea and their capabilities in cyberspace. But for security experts, the report is hardly surprising; it's the logical result of decades of ignored warnings combined with the military’s desire to connect everything to the internet.
“Just because we might be able to operate nuclear weapons from an iPad doesn’t mean we should,” Andrew Futter, director of research for politics and international relations at the University of Leicester, told VICE News.
For the past four months, a team of hackers working for the GAO sought to penetrate the most critical weapons systems of the Department of Defense. They succeeded, and discovered that "nearly all" of them could be compromised.
The results, outlined in the GAO’s report published this week, are highly embarrassing for the Pentagon:
- One attack cracked the admin password on a weapons system in nine seconds.
- Multiple systems never changed the default password.
- A two-person test team took just one hour to gain initial access to a weapon system and one day to attain full control.
- One team took control of operators' terminals, giving them real-time access to what the operators were seeing and allowing them to manipulate the system.
- Intrusion detection alerts were ignored because the systems were always red and users had stopped paying attention to them.
- One team was able to download 100GB of data.
Among the most worrying aspects of the report is the revelation that some systems could be accessed remotely, experts said.
But that finding comes with an important caveat, said Jake Williams, a former member of the NSA's hacking unit. The majority of the U.S. military’s weapons systems are not connected to the internet, and in this case the GAO team would have been given access to privileged networks — a distinction the agency failed to make in its report.
“I'm not trying to downplay [the report], but it is important to contextualize that when they say remotely exploitable, they don't necessarily mean some kid sitting in his garage at home can detonate a bomb or launch a missile,” Williams told VICE News.
Computer security weaknesses and lax password management are not new concerns for the Pentagon either, experts said. Take for example this warning from a GAO report published in 1991:
“Weaknesses persist because of inadequate attention to computer security, such as password management, and the lack of technical expertise on the part of some system administrators.”
That report found that 34 DOD sites were successfully penetrated by foreign hackers in the space of 12 months.
Five years later another report warned “that attackers had seized control of entire defense systems, many of which support critical functions, such as weapons systems, and that the potential for catastrophic damage was great.”
20 years on, the situation has deteriorated rather than improved, said the experts who spoke with VICE News.
The main culprit: the Pentagon’s ambition to connect as much of the military’s weapons systems to the internet as possible.
“The safest systems from hackers are those that are simple and isolated — and often old,” Futter said. “However, the trend seems to be in the other direction, even for command and control systems used for nuclear weapons. The US is in a strange position where it is both at the forefront of offensive computer network operations but at the same time, arguably the most vulnerable to attacks on critical infrastructure or military systems.”
The GAO report also raises concerns around the security precautions made in sourcing these systems. In 2014, for example, a Pentagon investigation revealed that Chinese-made components were found in Boeing and Lockheed military planes and in Raytheon missiles.
Today, program managers who oversee the procurement of advanced weapons systems within the military do not have the power to audit the companies they get to build them, and due to security clearances, they often lack insight into how their systems fit into the overall network.
“All these program managers are building these systems without really understanding how they interconnect with each other,” Williams said.
The result is that systems that are not connected directly to the internet — such as missile launch systems — but which are part of a bigger network on a ship or aircraft can become vulnerable.
“A lot of the systems are not connected so they have some security through a lack of accessibility, but increasingly you get this sort of hyper-connectivity. You may find a weapons system on board a ship is connected to some other system on board the ship which is connected to yet another system which is then connected externally,” Alan Woodward, a cybersecurity expert at the University of Surrey, told VICE News.
Cover image: U.S. service member passes in front of a MQ-9 Reaper drone, one of a squadron that has arrived to step up the fight against the Taliban, at the Kandahar air base, Afghanistan January 23, 2018. REUTERS/Omar Sobhani