
Wednesday, 14 December 2011

U.S. Air Force Study Reports Vulnerabilities in Drone C2 Systems

US Air Force Scientific Advisory Board graphic
Interesting timing. At some point after Iran captured a sophisticated RQ-170 RPA (Remotely Piloted Aircraft; UAV is a misnomer), the Public Intelligence website received an FOUO report entitled "Operating Next-Generation Remotely Piloted Aircraft for Irregular Warfare", published in April 2011 by the U.S. Air Force Scientific Advisory Board. One of the many issues the panel was asked to investigate was electronic threats. Its related finding: "Limited communications systems result in communications latency, link vulnerabilities, and lost-link events."

Section 2.4.3 "Threat to Communication Links" expands on the state of vulnerabilities present for RPAs:


  1. Jamming of commercial satellite communications (SATCOM) links is a widely available technology. It can provide an effective tool for adversaries against data links or as a way for command and control (C2) denial.
  2. Operational needs may require the use of unencrypted data links to provide broadcast services to ground troops without security clearances. Eavesdropping on these links is a known exploit that is available to adversaries for extremely low cost.
  3. Spoofing or hijacking links can lead to damaging missions, or even to platform loss.

Section 2.4.4 "Threat to Position, Navigation, and Guidance":

  1. Small, simple GPS noise jammers can be easily constructed and employed by an unsophisticated adversary and would be effective over a limited RPA operating area.
  2. GPS repeaters are also available for corrupting navigation capabilities of RPAs.
  3. Cyber threats represent a major challenge for future RPA operations. Cyber attacks can affect both on-board and ground systems, and exploits may range from asymmetric CNO attacks to highly sophisticated electronic systems and software attacks.
These are just a few of the key findings that affect the mission of RPAs. With this report as background, the capture of the RQ-170 by Iranian forces needs to be evaluated fairly and not dismissed as some kind of Iranian scam for reasons that have more to do with embarrassment than with a rational assessment of the facts. Remotely Piloted Aircraft are the future of air combat, not just for the U.S. but for every military force in the world. Theft of this technology via cyber attacks against the companies doing R&D on and manufacturing the aircraft is ongoing. Whether the Iranians got lucky or have acquired the ability to attack the C2 of the drone in question, there are obviously some serious errors in judgment being made at very high levels, and secrecy about it only serves the ones guilty of making those bad decisions.

UPDATE (1453 PST 14DEC11): I just confirmed with the Public Intelligence website that the Air Force document was provided to their site about one week ago, which would make it the day after the news on the downed RQ-170 was announced. Clearly someone with FOUO access wanted this information to be made public to inform the controversy surrounding the incident.

Related:
Loss of the RQ-170. What Happens Next?
Open Source Analysis of the RQ-170 Stealth Sentinel Loss to Iran
How Iran May Have Captured an RQ-170 Stealth Drone
Was Iran's Downing of the RQ-170 Related to the Malware Infection at Creech AFB?


Tuesday, 06 December 2011

How Iran May Have Captured An RQ-170 Stealth Drone


On December 4th, the Iranian FARS news agency announced that the electronic warfare group of the Iranian military took over the operations of a very sophisticated, unmanned RQ-170 Stealth Sentinel drone along the border between Afghanistan and Iran. NATO acknowledged that operators lost control of a drone in that area one week ago, but that doesn't necessarily mean that Iran was responsible. Iran has lied about drone captures before and may be lying this time, but there are at least four good reasons why it may have succeeded.
  1. Through my company’s work in this area, I know that Un-manned Aerial Vehicle (UAV) technology is actively being targeted and acquired via acts of cyber-espionage. This includes research in the Narrowband spectrum which is how UAVs receive their commands.

  2. It's not enough to know that Narrowband technology is used. An adversary would need to know the specific frequency in order to assume control of the vehicle. That obstacle may have been solved in October with the discovery of "credential-stealing" malware infecting the Ground Control Stations at Creech AFB. If the UAV operators (or pilots) entered the narrowband frequencies used to control their drones on a keyboard, and that keyboard was infected with a keylogger, that information would be captured, delivered to a command and control server, and then collected by whoever was responsible for the attack.

  3. The RQ-170 Stealth Sentinel, along with the Reaper and Predator drones, is operated by pilots manning ground control stations at Creech AFB. The Air Force has not been forthcoming with details of the malware attack or its remediation, and the information that it has provided has been vague and misleading.

  4. Thanks to Stuxnet, Iran is spending a lot of money to ramp up its cyber warfare capabilities, and it's highly motivated to obtain some "get-back" against the U.S. since it believes that the U.S. and possibly Israel are responsible for the Stuxnet attack.

No one will know for sure if Iran successfully launched a cyber attack against “The Beast of Kandahar” (as the RQ170 is called) unless Iran presents proof, but its intent to do so is real; the theft of related technology is real; the lapse in cyber-security at Creech AFB was very real and the Air Force would be well-advised to take this threat seriously and re-evaluate the vulnerabilities that exist today in its UAV fleet.

RELATED:
Danger Room - Wired.Com: Iran Probably Did Capture A Secret U.S. Drone
Was Iran's Downing of an RQ-170 Related to the Malware Infection at Creech AFB?
U.S. Air Force Demonstrates How Not To Report A Malware Attack

Tuesday, 01 November 2011

Words Matter: Dump APT for APA

I've written about my objections to the term Advanced Persistent Threat before, and explained why the term is both inaccurate and illogical, but I didn't propose an alternative term and clearly journalists need one. Therefore, I'd like to propose that we put this abused, over-used, and ill-fitting term to a well-deserved retirement and use in its place "Adaptive Persistent Attack" or APA.

ADAPTIVE
Adaptive should replace "advanced" because advanced malware costs time and money to develop and an adversary crew won't use something expensive and sophisticated if a mundane spear phishing attack crafted by some social engineering will do the trick. In other words, the bad guy's attack profile is adaptive, not advanced.

PERSISTENT
Persistent is exactly the right word. Once they're in, you aren't getting them out. The Fortress defense paradigm needs to die the same death as "APT".

ATTACK
As I pointed out in my post "The APT Logical Fallacy", APT is an oxymoron. A threat is not an attack. You've been attacked. Call it an attack.

But APT is a Who, not a What
Almost everyone who makes this statement believes that APT is a code word for the People's Republic of China. Period. Only China. I refuted this argument in my above-referenced post with detailed examples of the same attacks coming from the Russian Federation. Frankly speaking, it's stupid to keep using a code word when the meaning of the code word is widely known. Back in 2006, only other Air Force insiders knew what was meant by the term APT, so it fulfilled its purpose back then. Now the secret is out. There's no reason to keep referring to China as APT when we all know what you're talking about, including China. So either name the State that you're accusing or don't name it, but don't call China APT, APA, or any other code word. It's silly and it doesn't fool anyone.

Conclusion
Today, the Advanced Persistent Threat (APT) has become a huge FAIL, both as a "who" and as a "what" so please, let's all stop using it. I think that APA fits the bill rather nicely. If you've got a better idea, by all means suggest it as a comment. Words matter, and the world of information security has lots of horrible ones. This will be the first of a series of Words Matter posts that I hope to write in the near future with the hope of stimulating discussion and arriving at a more precise terminology for this emerging threat environment. Please contact me in the comments or via email if you have suggestions for a future Words Matter post (like "cyberwar").

Thursday, 13 October 2011

U.S. Air Force Demonstrates How NOT to Report a Malware Attack

I just ended a phone call with Air Force Space Command Public Affairs after reading their press release "Flying operations of remotely piloted aircraft unaffected by malware". I figured that since the malware was "found routinely on computer networks and is considered more of a nuisance than an operational threat" that there would be no problem in telling me the name of the malware involved.

That didn't happen, which is too bad because the press release has some confusing language in it and conflicts with unnamed Air Force sources quoted in the two earlier Wired articles (here and here). For example, the release makes a distinction between a "credential stealer" and a "keylogger". Well, that's a distinction without a difference. What we're really talking about is a trojan that steals credentials by logging key strokes. Zeus and SpyEye are two of the largest but there are lots of trojans out there. Here's one I found on a game forum: "Trojan.KillAV.RS Steals Gamers’ Login Credentials". The other important fact to know about trojans or "credential stealers" as the Air Force likes to call them, is that they transmit their stolen credentials out to a Command & Control site. The Air Force PR statement said that their particular credential stealer wasn't designed to transmit data or video. Video? No. Data? Absolutely. That's the entire point of the malware - to capture data and send it back to the C&C.

I think that what happened here is that the Air Force is focusing on what the malware isn't instead of what it is. It's not designed to take over the controls of a remotely piloted aircraft. It is, however, designed to steal data. If the Air Force wants to put this to bed and stop the speculation, here are two tips for future briefings:
  1. Have an engineer from the 24th Air Force write the press release so that the language is precise and accurate.
  2. Name the malware.
The only thing that your current press release did was raise more questions.