
Monday, 19 December 2011

The Use of Covert Cyber Counter Strikes as Active Defense (and other topics) at Suits and Spooks DC

Waterview Conference Center,  Rosslyn VA
Can the U.S. legally engage in covert cyber counter strikes as a form of active defense against hostile actions by non-state actors in Russia, China or elsewhere? That's one of the forward-looking talks being given at Suits and Spooks DC by Professor Catherine Lotrionte of Georgetown University.

Are tamper-proof chips really tamper proof? Can firmware be extracted from the locked chips such as those used on the captured RQ-170? Travis Goodspeed will show how it can be done on the cheap.

Can a privately funded spy satellite system be used to secure evidence targeting criminal behavior by governments or their officials? Thanks to the work of the Enough Project organization, we know the answer to that question is yes. Jonathan Huston will explain how they did it.

And that's just 3 of our talks. In addition to Catherine, Travis, and Jonathan, Suits and Spooks attendees will interact with:
  • Don O'Donnell - Rand Corporation
  • Rand Waltzman and Randy Garrett - DARPA
  • Dan Geer - In-Q-Tel
  • Anup Ghosh - Invincea
Then from outside of the InfoSec space, reflecting our multi-disciplinary approach, we'll hear talks from:
  • Christopher Burgess - Atigeo
  • Ben Milne - Dwolla
  • Janina Gavankar - Posterous Spaces for Actors
  • John Robb - author, Brave New War
  • Jodee Rich - CEO, PeopleBrowsr
Every attendee will have an opportunity to ask questions and interact with the speakers in an elegant setting overlooking the Potomac river and the Capital. The entire day will be focused on brain-storming new security solutions that we hope will give birth to a revolution in security affairs. Real-time analysis on a Palantir workspace will be flashed onto a screen behind the speakers and a final report will be issued afterwards to members of Congress and interested agencies.

Pricing includes breakfast, lunch, and a wine reception afterwards:
  • Students and academics: $195
  • Gov't employees: $295
  • Early bird registration: $395
  • Standard registration: $495
The early bird registration ends January 6, 2012, and we are capping attendance at no more than 100 individuals, including speakers, so reserve your seat today.

Sunday, 18 December 2011

Just How Vulnerable To Attack Are U.S. Drone Operations?

GAO Reports Ongoing U.S. Air Force Vulnerabilities

The alleged downing of an RQ-170 by Iran has drawn a lot of public attention to existing problems in how the Air Force is managing its Unmanned Aerial Systems. As I reported earlier, an unknown person with FOUO access uploaded an Air Force report to the Public Intelligence website that detailed some of those vulnerabilities one day after Iran announced its capture. On Saturday another FOUO document appeared on PublicIntelligence.net regarding Afghan drone operations by the US Marine Corps. The Government Accountability Office (GAO) has produced quite a few reports over the past few years, some as far back as 2008, that delineate numerous problems with Unmanned Aerial Systems. Some of the problems identified back then have yet to be fixed, such as the lack of a redundant satellite relay site (GAO report 10-331).

The above graphic illustrates the command and control framework that's in place for Predator, Reaper and Global Hawk UAS missions that support contingency operations in Iraq and Afghanistan. A ground control station in the U.S. takes control of the aircraft. A satellite relay site at a fixed location outside of CONUS relays signals from the ground control station to the UAS. Any disruption at the satellite relay site would impair the operation of the aircraft. While the Air Force has told the GAO that it is working on implementing a redundant system to solve this problem, as of March 2010 it "had not conducted a detailed analysis of these options to determine the extent to which they would provide for the continuity of UAS operations, or established a specific milestone to formalize a plan that could be implemented quickly in the event of a disruption." Furthermore, the Air Force didn't anticipate bringing a redundant satellite system online until fiscal year 2012 at the earliest.

Two other detailed examinations of vulnerabilities present in the Air Force's UAS operations are in the following GAO reports (FOUO):
  • GAO, Defense Critical Infrastructure: DOD’s Evolving Assurance Program Has Made Progress but Leaves Critical Space, Intelligence, and Global Communications Assets at Risk, GAO-08-828NI (Washington, D.C.: Aug. 22, 2008)
  • GAO, Defense Critical Infrastructure: Additional Air Force Actions Needed at Creech Air Force Base to Ensure Protection and Continuity of UAS Operations, GAO-08-469RNI (Washington, D.C.: Apr. 23, 2008)
Cyber Attacks Against Unmanned Aerial System Producers and Developers
The above table of U.S. UAS Producers and Developers comes from the Department of Commerce's Flight Plan 2011 (.pdf). Of the 11 companies listed, the following have acknowledged that they have been the victim of cyber attacks: Boeing, Lockheed Martin, Northrop Grumman, and Raytheon. Most likely all 11 of these companies, as members of the Defense Industrial Base, would fall into that category, but the above four have gone publicly on record that they are constantly defending against malicious network attacks. However, this reflects only a tiny portion of the attack surface for an adversary who's looking to acquire intelligence on operations or R&D. Globalization has extended an adversary's ability to compromise UAS company networks by attacking affiliates or sub-contractors. For example, Japan's UAV association membership includes Mitsubishi Heavy and Kawasaki Heavy, both of which were hit with simultaneous cyber attacks last summer and both of which regularly work with U.S. defense contractors such as Boeing on various projects.

Europe has 153 UAS producers and developers, some of whom are giant companies like EADS and BAE. BAE was implicated in the massive theft of data from the F-35 Joint Strike Fighter program in 2009 when it was believed that access to the data was gained by breaching BAE's network. It's impossible to know how many of those 153 companies have suffered attacks against their network but considering the value of this technology and the rapidly growing demand for drone aircraft world-wide, it would be naive to believe that any of their networks could withstand a targeted attack.

The most important outcome from Iran's capture of the RQ-170 should be an in-depth vulnerability assessment of both U.S. intellectual property and the operational vulnerabilities of our Unmanned Aerial System aircraft. This must include an international analysis of partnering companies like Boeing - Mitsubishi, Lockheed Martin - BAE, Insitu - ADASI, and many others. The worst outcome is blind denial that Iran or other U.S. adversaries are capable of compromising U.S. drone operations.

Thursday, 15 December 2011

Iran to put 3 U.S. Drones and 4 Israeli Drones on Public Display

Iranian cartoon (FARS)
Here's some disconcerting news from an Israeli news source. FARS has reported that the government of Iran possesses not one but 3 U.S. drones and 4 Israeli drones - all of which will be put on display and open to foreign ambassadors for inspection. The same article reports that an Iranian government official has traveled to Moscow to discuss Russia's request to examine the RQ-170. If Russia gets permission, China's next.

FARS has also been busy running its own Information Operations campaign mocking the U.S. and President Obama for asking Iran to return the drone. I'm not sure who in the White House thought that was a good idea but he needs to be fired.


Wednesday, 14 December 2011

U.S. Air Force Study Reports Vulnerabilities in Drone C2 Systems

US Air Force Scientific Advisory Board graphic
Interesting timing. At some point after Iran captured a sophisticated RQ-170 RPA (Remotely Piloted Aircraft - UAV is a misnomer), the Public Intelligence website received an FOUO report entitled "Operating Next-Generation Remotely Piloted Aircraft for Irregular Warfare" published in April 2011 by the U.S. Air Force Scientific Advisory Board. One of the many issues that the panel was asked to investigate was electronic threats. Its related finding - "Limited communications systems result in communications latency, link vulnerabilities, and lost-link events."

Section 2.4.3 "Threat to Communication Links" expands on the state of vulnerabilities present for RPAs:
  1. Jamming of commercial satellite communications (SATCOM) links is a widely available technology. It can provide an effective tool for adversaries against data links or as a way for command and control (C2) denial.
  2. Operational needs may require the use of unencrypted data links to provide broadcast services to ground troops without security clearances. Eavesdropping on these links is a known exploit that is available to adversaries for extremely low cost.
  3. Spoofing or hijacking links can lead to damaging missions, or even to platform loss.

Section 2.4.4 "Threat to Position, Navigation, and Guidance":

  1. Small, simple GPS noise jammers can be easily constructed and employed by an unsophisticated adversary and would be effective over a limited RPA operating area.
  2. GPS repeaters are also available for corrupting navigation capabilities of RPAs.
  3. Cyber threats represent a major challenge for future RPA operations. Cyber attacks can affect both on-board and ground systems, and exploits may range from asymmetric CNO attacks to highly sophisticated electronic systems and software attacks.
These are just a few of the key findings that impact the mission of RPAs. With this report as background, the capture of the RQ-170 by Iranian forces needs to be evaluated fairly and not dismissed as some kind of Iranian scam for reasons that have more to do with embarrassment than with a rational assessment of the facts. Remotely Piloted Aircraft are the future of air combat, not just for the U.S. but for every military force in the world. Theft of this technology via cyber attacks against the companies doing R&D and manufacture of the aircraft is ongoing. Whether the Iranians got lucky or have acquired the ability to attack the C2 of the drone in question, there are obviously some serious errors in judgment being made at very high levels, and secrecy about it only serves the ones guilty of making those bad decisions.
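The Section 2.4.4 findings above name GPS noise jammers and GPS repeaters as cheap ways to corrupt an RPA's navigation. The defensive counterpart, which the report does not spell out, is a plausibility check that compares each GPS fix against dead reckoning from the aircraft's own inertial heading and speed, so that a replayed or frozen position stands out as an inconsistency. The following is an added example written for this post, not code from the Air Force report or any RPA program; it assumes a flat-earth approximation for short legs, a constructed telemetry track flown north-east at 50 m/s, a replayed (frozen) position injected at samples 5 through 7, and a 250 m residual threshold chosen for illustration.

```python
import math
from dataclasses import dataclass
from typing import List, Tuple

M_PER_DEG_LAT = 111_320.0  # metres per degree of latitude (flat-earth approximation)


@dataclass
class Fix:
    t_s: float
    lat: float           # GPS-reported latitude, degrees
    lon: float           # GPS-reported longitude, degrees
    heading_deg: float   # INS heading, degrees clockwise from true north
    speed_mps: float     # INS ground speed, metres per second


def predicted_position(prev: Fix, dt_s: float) -> Tuple[float, float]:
    """Dead-reckon from a trusted fix using only the INS heading and speed."""
    dist = prev.speed_mps * dt_s
    north = dist * math.cos(math.radians(prev.heading_deg))
    east = dist * math.sin(math.radians(prev.heading_deg))
    lat = prev.lat + north / M_PER_DEG_LAT
    lon = prev.lon + east / (M_PER_DEG_LAT * math.cos(math.radians(prev.lat)))
    return lat, lon


def residual_m(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Distance in metres between two nearby points (flat-earth approximation)."""
    north = (lat2 - lat1) * M_PER_DEG_LAT
    east = (lon2 - lon1) * M_PER_DEG_LAT * math.cos(math.radians(lat1))
    return math.hypot(north, east)


def check_track(fixes: List[Fix], max_residual_m: float = 250.0) -> List[Tuple[int, int]]:
    """Return (index, residual_m) for every GPS fix that disagrees with INS dead reckoning.

    After a suspect fix the trusted position is carried forward from the prediction,
    not from the suspect fix, so a sustained spoof keeps being flagged instead of
    being absorbed into the reference track.
    """
    flagged = []
    trusted = fixes[0]
    for i in range(1, len(fixes)):
        f = fixes[i]
        plat, plon = predicted_position(trusted, f.t_s - trusted.t_s)
        r = residual_m(plat, plon, f.lat, f.lon)
        if r > max_residual_m:
            flagged.append((i, round(r)))
            trusted = Fix(f.t_s, plat, plon, f.heading_deg, f.speed_mps)
        else:
            trusted = f
    return flagged


def honest_track(n: int = 10, dt_s: float = 10.0) -> List[Fix]:
    """Constructed sample track: straight north-east leg at 50 m/s, one fix every 10 s."""
    fixes = [Fix(0.0, 34.0, 61.0, 45.0, 50.0)]  # placeholder start point, not a real location
    for i in range(1, n):
        prev = fixes[-1]
        lat, lon = predicted_position(prev, dt_s)
        fixes.append(Fix(i * dt_s, lat, lon, prev.heading_deg, prev.speed_mps))
    return fixes


def spoofed_track() -> List[Fix]:
    """Constructed sample: a repeater replays the position from sample 2 during samples 5-7."""
    fixes = honest_track()
    frozen = fixes[2]
    for i in (5, 6, 7):
        f = fixes[i]
        fixes[i] = Fix(f.t_s, frozen.lat, frozen.lon, f.heading_deg, f.speed_mps)
    return fixes


if __name__ == "__main__":
    print("honest track flags:", check_track(honest_track()))
    print("spoofed track flags:", check_track(spoofed_track()))
```

On the constructed track the honest fixes produce no flags, while the three replayed fixes are reported with residuals that grow by roughly 500 m per sample (about 1500, 2000 and 2500 m), which is the signature of a position that has stopped moving while the INS says the aircraft has not. A real implementation would add GPS velocity and clock-drift checks, but the INS-versus-GPS residual is the core of every practical spoof detector.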

UPDATE (1453 PST 14DEC11): I just confirmed with the Public Intelligence website that the Air Force document was provided to their site about one week ago which would make it the day after the news on the downed RQ-170 was announced. Clearly someone with FOUO access wanted this information to be made public to inform the controversy surrounding the incident.

Related:
Loss of the RQ-170. What Happens Next?
Open Source Analysis of the RQ-170 Stealth Sentinel Loss to Iran
How Iran May Have Captured an RQ-170 Stealth Drone
Was Iran's Downing of the RQ-170 Related to the Malware Infection at Creech AFB?


Friday, 09 December 2011

Open Source Analysis of the RQ-170 Stealth Sentinel Loss to Iran

Courtesy of Recorded Future: https://www.recordedfuture.com/rf/s/2z0Cm4
The loss of the RQ-170 Stealth Sentinel drone to Iran is potentially one of the most critical events that has occurred in 2011 because it implies an offensive electronic warfare or cyber capability that no one expected Iran to have. Now that Iran has released a video of the captured drone and the U.S. government has confirmed that it's authentic, it's clear that the original FARS report claiming that it was captured via electronic means may have been accurate in spite of unanimous Western media reports to the contrary; i.e., that it was shot down.

EMEA's strategic intelligence report on the RQ-170 says that the Stealth Sentinel is a high altitude and long endurance unmanned aerial vehicle (UAV) designed and manufactured by Skunk Works, a division of Lockheed Martin Corporation, for the United States Air Force (USAF). According to EMEA:
The UAV can capture real time imagery of the battlefield and transfer the data to the ground control station (GCS) through a line of sight (LOS) communication data link. The 27.43m wide and 1.82m high aerial vehicle was designed to execute intelligence, surveillance, reconnaissance and target acquisition (ISTAR) and electronic warfare missions over a target area.
According to Earl Lum, President of EJL Wireless Research LLC, what is supposed to happen when an Unmanned Aerial Vehicle (UAV) like the RQ-170 loses its comms link is that it should autonomously follow a pre-programmed lost-link profile consisting of waypoints at various altitudes, forming a loop until it re-establishes contact or crashes. The communication link for UAVs today is typically LOS (line of sight). If it drops below the mountains and loses LOS, it is supposed to then go through this process. However, while this applies to UAVs in general, it may not be the case with the RQ-170.
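The lost-link behaviour described above (declare the link lost after a silence, loop a pre-programmed set of waypoints until contact returns, and otherwise fly until the fuel is gone) is easy to get wrong at the edges, so here it is as a small state machine. This is an added example written for this post, not code from Lockheed Martin, the Air Force or Mr. Lum; the waypoint coordinates, the 30-second link timeout and the 600-second loiter budget are placeholders chosen for illustration, and each call to tick() represents one telemetry period.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed lost-link profile: (lat, lon, altitude_m) waypoints forming a loop.
# Placeholder values only, not real coordinates or a real mission profile.
LOST_LINK_PROFILE: List[Tuple[float, float, float]] = [
    (34.10, 61.20, 12000.0),
    (34.15, 61.25, 13000.0),
    (34.20, 61.20, 14000.0),
    (34.15, 61.15, 13000.0),
]

LINK_TIMEOUT_S = 30.0    # assumed: seconds without a valid heartbeat before declaring lost link
LOITER_BUDGET_S = 600.0  # assumed: seconds of loiter the remaining fuel allows


@dataclass
class LostLinkController:
    profile: List[Tuple[float, float, float]]
    state: str = "CONNECTED"       # CONNECTED -> LOST_LINK -> CONNECTED, or LOST_LINK -> LOST
    last_heartbeat_s: float = 0.0
    loiter_start_s: float = 0.0
    waypoint_index: int = 0
    waypoints_flown: int = 0
    events: List[str] = field(default_factory=list)

    def tick(self, now_s: float, heartbeat_ok: bool) -> str:
        """Advance the controller by one telemetry period and return the new state."""
        if self.state == "LOST":
            return self.state  # airframe is gone; nothing more to do
        if heartbeat_ok:
            self.last_heartbeat_s = now_s
            if self.state == "LOST_LINK":
                # Contact restored: hand control back to the operator.
                self.state = "CONNECTED"
                self.events.append(
                    f"t={now_s:.0f}s link restored after {self.waypoints_flown} waypoint(s)")
            return self.state
        if self.state == "CONNECTED":
            # Silence is tolerated until the timeout; then enter the lost-link profile.
            if now_s - self.last_heartbeat_s >= LINK_TIMEOUT_S:
                self.state = "LOST_LINK"
                self.loiter_start_s = now_s
                self.waypoint_index = 0
                self.waypoints_flown = 0
                self.events.append(
                    f"t={now_s:.0f}s lost link, flying to waypoint {self.profile[0]}")
            return self.state
        # LOST_LINK: keep looping the profile until contact returns or fuel runs out.
        if now_s - self.loiter_start_s >= LOITER_BUDGET_S:
            self.state = "LOST"
            self.events.append(f"t={now_s:.0f}s loiter budget exhausted, airframe lost")
        else:
            self.waypoint_index = (self.waypoint_index + 1) % len(self.profile)
            self.waypoints_flown += 1
        return self.state


def simulate(heartbeats: List[bool], dt_s: float = 10.0) -> LostLinkController:
    """Feed a constructed sequence of per-period heartbeat results to a fresh controller."""
    ctl = LostLinkController(profile=LOST_LINK_PROFILE)
    for i, ok in enumerate(heartbeats):
        ctl.tick(i * dt_s, ok)
    return ctl


if __name__ == "__main__":
    # Brief outage, then recovery.
    for e in simulate([True] * 5 + [False] * 4 + [True]).events:
        print(e)
    # Outage that outlasts the fuel budget.
    for e in simulate([True] + [False] * 70).events:
        print(e)
```

The two simulated runs show the two outcomes the paragraph describes: a short outage ends with the aircraft back under operator control after one waypoint, while a sustained outage loops the profile until the loiter budget runs out and the airframe is written off. Note that the heartbeat here is only a liveness signal; it says nothing about who is sending it, which is exactly why an authenticated link matters more than the lost-link logic itself.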

Navigation technology
According to the EMEA report, the RQ-170 can be controlled either manually from the GCS or through autonomous mode. An automatic launch and recovery (ALR) system facilitates the aircraft to land safely when communication with the control station fails.

Ground control station
The GCS of the RQ-170 displays the real-time imagery or video captured by the vehicle's onboard payload cameras. The data supplied by the vehicle is retrieved, processed, stored and monitored at the control station, which was designed and built by Skunk Works. The GCS tracks, controls and monitors the RQ-170 by transferring commands to the vehicle via LOS SATCOM data link. The Sentinel is operated by the 432nd Wing of Air Combat Command (ACC) at Creech Air Force Base, Nevada, and the 30th Reconnaissance Squadron at Tonopah Test Range, Nevada.

Related cyber incidents that may have compromised the RQ-170:
- A South Korean newspaper, JoongAng Daily, reported in December 2009 that the RQ-170 was flight tested in South Korea to supersede the U-2 aircraft at Osan Air Base for carrying out missions over North Korea. North Korea is an ally of Iran and has conducted offensive CNE (Computer Network Exploitation) and CNA (Computer Network Attack) missions against South Korea repeatedly for several years. It's unknown what information has been stolen; however, this type of intelligence is highly sought after and it's reasonable to assume that the DPRK would include it on a CNE acquisitions list.
- Lockheed Martin reported a cyber attack in June 2011 that lasted about one week. LM didn't report what was taken; however, as with the DPRK example, UAV research has been targeted at U.S. defense firms as recently as this past summer according to my own confidential sources.
- Creech Air Force Base experienced a malware infection that impacted its UAV Ground Control Stations in October 2011. Its public report on the incident was confusedly written and lacked details regarding the malware involved, its propagation and its remediation.

Summary
The objective of this article is to assess possibilities. Based on EMEA's report on the RQ-170, it appears that the drone had the ability to land itself without operator control. I'd appreciate hearing from any experts who can confirm whether that's the case or not. If it is, then Iran may have lucked out. If it isn't, then Iran's claim that it used its electronic warfare capacity to assume operational control of this substantial U.S. military asset appears to be true. Considering how easy it is for an adversary to conduct CNE against targeted U.S. networks, this is probably a capability that they obtained from one of many mercenary hacker crews who engage in that type of activity. While the scope of this article is hypothetical, the CNE targeting of UAV R&D is a fact borne out by my own company's work in this area. Iran may or may not have that capability now, but eventually it will. The RQ-170 event should be a massive wake-up call for the U.S. Air Force to reinstall a self-destruct capability, harden the RQ-170's operating system, and examine potential vulnerabilities in its UAV fleet supply chain.

UPDATE (1528 PST 09DEC11): From an article in today's SF Gate:

The most frightening prospect raised by what appears to be a largely intact Sentinel is that the Iranians' second claim about how they brought it down -- by hacking into its controls and landing it themselves -- might be true, said a U.S. intelligence official, who spoke only on the basis of anonymity because the RQ-170 is part of a Secret Compartmented Intelligence (SCI) program, a classification higher than Top Secret.
The official said the possibility that the Iranians or someone else hacked into the drone's satellite communications is doubly alarming because it would mean that Iranian or other cyber-warfare officers were able to disable the Sentinel's automatic self-destruct, holding pattern and return-to-base mechanisms. Those are intended to prevent the plane's secret flight control, optical, radar, surveillance and communications technology from falling into the wrong hands if its controllers at Creech Lake Air Force Base or the Tonopah Test Range, both in Nevada, lose contact with it.
UPDATE (1708 PST 22DEC11): Cryptome has an interesting thread on the use of the RSA cipher to protect the GPS Red band used on military systems like the RQ-170. This suggests that data from the RSA breach last March may have been shared with the Iranians.

UPDATE (0715 PST 05JAN12): AviationWeek has an excellent technical article on the F-22 technology used on the RQ-170.

Related:
Was Iran's Downing of RQ-170 Related to the Malware Infection at Creech AFB?
How Iran May Have Captured An RQ-170 Stealth Drone
U.S. Air Force Demonstrates How Not To Report A Malware Attack

Tuesday, 06 December 2011

How Iran May Have Captured An RQ-170 Stealth Drone


On December 4th, the Iranian FARS news agency announced that the electronic warfare group of the Iranian military took over the operations of a very sophisticated, unmanned RQ170 Stealth Sentinel drone along the border between Afghanistan and Iran. NATO acknowledged that operators lost control of a drone in that area one week ago, but that doesn't necessarily mean that Iran was responsible. Iran has lied about drone captures before and may be lying this time, but there are at least four good reasons why it may have succeeded.
  1. Through my company's work in this area, I know that Unmanned Aerial Vehicle (UAV) technology is actively being targeted and acquired via acts of cyber-espionage. This includes research in the narrowband spectrum, which is how UAVs receive their commands.

  2. It’s not enough to know that Narrowband technology is used. An adversary would need to know the specific frequency in order to assume control of the vehicle. That obstacle may have been solved in October with the discovery of “credential-stealing” malware infecting the Ground Control Stations at Creech AFB. If the UAV operators (or pilots) entered the narrowband frequencies used to control their drones on a keyboard, and that keyboard was infected with a keylogger, that information would be captured and delivered to a command and control server and then collected by whomever was responsible for the attack.

  3. The RQ170 Stealth Sentinel along with the Reaper and Predator drones are all operated by pilots manning ground control stations at Creech AFB. The Air Force has not been forthcoming with details of the malware attack nor its remediation and the information that it has provided has been vague and misleading.

  4. Thanks to Stuxnet, Iran is spending a lot of money to ramp up its cyber warfare capabilities, and it's highly motivated to obtain some "get-back" against the U.S. since it believes that the U.S. and possibly Israel are responsible for the Stuxnet attack.

No one will know for sure if Iran successfully launched a cyber attack against “The Beast of Kandahar” (as the RQ170 is called) unless Iran presents proof, but its intent to do so is real; the theft of related technology is real; the lapse in cyber-security at Creech AFB was very real and the Air Force would be well-advised to take this threat seriously and re-evaluate the vulnerabilities that exist today in its UAV fleet.

RELATED:
Danger Room - Wired.Com: Iran Probably Did Capture A Secret U.S. Drone
Was Iran's Downing of an RQ-170 Related to the Malware Infection at Creech AFB?
U.S. Air Force Demonstrates How Not To Report A Malware Attack

Sunday, 04 December 2011

Was Iran's Downing of RQ-170 Related to the Malware Infection at Creech AFB?

The Washington Post has reported that Iran's cyber warfare unit took over the controls of a Lockheed Martin RQ-170 Sentinel stealth drone flying over Eastern Iran and landed it with minimal damage. As of this writing, the U.S. Air Force hasn't yet confirmed or denied the attack. I've left a message with the on-call PA officer at Creech Air Force Base, which is the home of the 432d Wing which flies RQ-170 Sentinels according to this factsheet.

Creech Air Force Base, as you may recall, suffered a malware infection of its Reaper and Predator Ground Control Stations last October. After Noah Shachtman broke the story, the Air Force issued a press release claiming that the malware was a simple "credential stealer" and not a "keylogger", which is a distinction without a difference as I pointed out here. Approximately one and a half months after the Air Force issued that statement, Iran claims to have successfully compromised the flying operations of one of its drones - possibly flown out of the same Air Force base.

Iran's Cyber Warfare Capabilities

Note: The following assessment comes from chapter 16 of the 2nd edition of Inside Cyber Warfare, due out this month:
In 2010 the Iranian Islamic Revolution Guards Corps (IRGC) set up its first official cyber warfare division. Since then, its budget and focus have indicated the intention of growing these cyber warfare capabilities. Education is considered a top priority in the strategy, with increased attention to computer engineering-specific cyber security programs. The IRGC budget on cyber capabilities is estimated to be US$76 million. The IRGC's cyber warfare capabilities are believed to include the following weapons: compromised counterfeit computer software, wireless data communications jammers, computer viruses and worms, cyber data collection exploitation, computer and network reconnaissance, and embedded Trojan time bombs.
The cyber personnel force is estimated to be 2,400, with an additional 1,200 in reserves or at the militia level. In June 2011 Iran announced that the Khatam al-Anbiya Base, which is tasked with protecting Iranian cyberspace, is now capable of countering any cyber attack from abroad, a claim that will likely be tested soon given the volatile nature of cyberspace. In August 2011 Iran challenged the United States and Israel, stating that it is ready to prove itself with its cyber warfare capabilities. Should the Iranian cyber army be provoked, Iran would combat these operations with its own "very strong" defensive capabilities.
In my opinion, the U.S. Air Force needs to respond to this claim by the Iranians quickly and authoritatively because its lackluster conduct regarding the initial infection found at Creech makes this claim by Iran more believable, not less.

UPDATE (1121 04DEC11): CNN quotes a U.S. official confirming that an operator lost flight control of an RQ-170 Sentinel over Western Afghanistan (which borders Eastern Iran).

UPDATE (1807 04DEC11): Western sources are reporting that the RQ-170 drone was shot down; however, FARS quoted an Iranian military official saying that it was taken down via electronic means "with electronic war units" and with minimal damage, which makes this a cyber attack. The Al-Jazeera story is here.