Insurgents Hack U.S. Drones

Started by Da6s, December 17, 2009, 03:50:46 PM

Requia ☣

Quote from: Cain on December 18, 2009, 10:10:10 AM
Quote from: Doctor Rat Bastard on December 17, 2009, 08:45:39 PM
Quote from: Cain on December 17, 2009, 08:26:46 PM
Or someone is pushing the story in the hope that it'll cause a flurry of encryption and security related purchases.

I love the way you think.

Well, it is the WSJ.  Its readers are mostly businessmen and think-tank hawks (who are heavily invested in military-related corporations, but sssssssh!  it's a secret) and anything that identifies a potential weakness which they can then sell solutions to will go down well.  Expect a flurry of articles from AEI and the Heritage Foundation on information security soon.

On the other hand, John Robb thinks it is real.  I suppose there probably are specific difficulties concerning encryption for each unit (they were rolled out in 2001....using pre-2000 tech), not to mention the military's constant ability to both overestimate and underestimate their enemies at the same time ("terrorists are gonna blow up THE WORLD!!!?!!/ we can easily defeat a bunch of ragheads"), so it seems possible.

Also, this software was originally designed in Russia to steal media files from people's satellite internet downloads.  How cool is that?

That is probably overoptimistic.  I'd be surprised if they were using better than pre 90s tech (joking, slightly).
Inflatable dolls are not recognized flotation devices.

Cain

No, you're probably right.  The actual tech behind it isn't too hard, as I understand it the problem was bandwidth (which is not such an issue now). 

Anyway, it seems possible.  Just because the US military is competent in some areas of information security doesn't necessarily mean it is competent in all areas.  It's a bloated mess run by the whims of senators receiving kickbacks from defense contractors, it's not exactly run according to what it needs, and more like what allows for the most money to be shunted into private hands.

Requia ☣

I'd actually guess early to mid nineties tech, the military seems to like that stuff.  Which makes sense really, it's cheap, well understood, doesn't suffer from supply chain nightmares* and lowish in power.

Just not suitable for encrypting high bandwidth communications.

*At least, not as bad as the supply chain for modern kit.

Cain

Incidentally, the Skygrabber website is currently down.

Shibboleet The Annihilator

Quote from: Triple Zero on December 17, 2009, 11:03:20 PM
Quote from: Slanket the Destroyer on December 17, 2009, 06:07:49 PM
I wouldn't really call this hacking. More like looking at an unencrypted feed.

Um, how's that not a hack?

As I explained in the other thread, it's like stage magic tricks, as soon as you know how it's done, it's no longer special?

If you'd frame it as "gathering information from an unexpected side channel", would it be hacking?

IMO, picking up communications from a military drone plane using a piece of cheap electronica is a hack.

"Van Eck phreaking" is also picking up an unencrypted signal using cheap electronica. Is that not a hack?

====

BTW my best guess about the reason why they didn't opt for encryption would be that they have certain legacy communication hardware that would not be able to process it. Just a guess, but it sounds like one of those very typical scenarios. "we're not going to replace all our field scanners."

I don't know, I believe the term "hack" is being overused and misapplied a LOT these days. They're using commercial software pretty much for its intended purpose (they just happen to not be the intended users or the intended target). This was just a happy coincidence for the terrorists that occurred thanks to lax security on the military's part. If you want to call this hacking then every retarded script kiddie and every person who jailbreaks their iPhone or roots their Pre through automated software is a hacker.

I disagree with how the term "hack" is being used by the media these days.

==

The legacy hardware explanation does make sense, they use a lot of outdated equipment because of its reliability. NASA does the same thing.

Elder Iptuous

also, i've heard it said that they are 'hacking the drones' which is right out...

Cain

Yeah, but they should.  Make the next decade of warfare more hilarious, at least.

Shibboleet The Annihilator

http://www.networkworld.com/news/2009/121809-drone-video-traffic-intentionally-unencrypted.html

"The reason the U.S. military didn't encrypt video streams from drone aircraft flying over war zones is that soldiers without security clearances needed access to the video, and if it were encrypted, anyone using it would require security clearance, a military security expert says."

"Kahn says that the video information loses its value so rapidly that the military may have decided it wasn't worth the effort to encrypt it. 'Even if it were a feed off a drone with attack capabilities, and even if the bad guys saw that the drone was flying over where they were at that moment, they wouldn't have the chance to respond before the missile was fired,' he says"

"Classified data would have to be encrypted using hardware encryption, which would require upgrades of a significant amount of equipment, and the military might have determined it just wasn't worth the effort. The military likes to minimize hardware encryption especially in devices used in the field in case the gear falls into the hands of the enemy, Kahn says. 'The answer to the question of why people know about the hole and allowed it to persist is that it was so difficult to plug the hole,' he says. 'There was a legitimate need for people without clearance to see the data, so a decision was made to let it continue. Now they know it was exploited, they need to close it.'"

Looks like we were all pretty close on why they didn't encrypt it.

Cain

I heard from some people I know that the OSD under Rumsfeld's malign guidance was to blame, that they instituted a culture of contempt for those who urged caution and security, no matter what the topic.  Sounds halfway plausible, from my own reading on how the Pentagon was run.

Shibboleet The Annihilator

Yeah, from what I understand Rumsfeld was a real piece of shit when it came to safety and security... and pretty much everything else...

Triple Zero

I am going for either ignorance or legacy problems, still. The whole "security clearance" and "hardware encryption might fall into enemy hands" reasons are horseshit.

Or bureaucracy. Which is basically a combination of ignorance and legacy problems.
Ex-Soviet Bloc Sexual Attack Swede of Tomorrow™
e-prime disclaimer: let it seem fairly unclear I understand the apparent subjectivity of the above statements. maybe.

INFORMATION SO POWERFUL, YOU ACTUALLY NEED LESS.

Shibboleet The Annihilator


Triple Zero

Why is it so hard to encrypt a video signal properly then? Because it's analog? Because digital encryption is easy as fuck, XXTEA is a secure symmetric cipher* that requires like 5 lines of bit shuffling code or can be computed with a simple, cheap and fast hardware chip.

then it becomes a problem of distributing the key of course, which is the security-clearance issue mentioned.

(*unsure if it's "military grade"--whatever that means--but it has no known vulnerabilities, and even if you'd be up against an insurgency of cipherpunks, the timeframe required would most likely render the information near-useless)
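For reference, the XXTEA block cipher mentioned in the post above does fit in a few dozen lines. The following Python version is an added example, not code from the thread; the function names, demo key and sample payload are made up for illustration.

```python
import struct

DELTA, MASK = 0x9E3779B9, 0xFFFFFFFF

def _mx(y, z, total, key, p, e):
    # XXTEA mixing step; masked to 32 bits because Python ints are unbounded.
    return ((((z >> 5) ^ (y << 2)) + ((y >> 3) ^ (z << 4)))
            ^ ((total ^ y) + (key[(p & 3) ^ e] ^ z))) & MASK

def encrypt_words(v, key):
    v, n = list(v), len(v)
    total, z = 0, v[-1]
    for _ in range(6 + 52 // n):
        total = (total + DELTA) & MASK
        e = (total >> 2) & 3
        for p in range(n):
            y = v[(p + 1) % n]          # right neighbour, wrapping at the end
            z = v[p] = (v[p] + _mx(y, z, total, key, p, e)) & MASK
    return v

def decrypt_words(v, key):
    v, n = list(v), len(v)
    rounds = 6 + 52 // n
    total, y = (rounds * DELTA) & MASK, v[0]
    for _ in range(rounds):
        e = (total >> 2) & 3
        for p in range(n - 1, -1, -1):
            z = v[p - 1]                # p == 0 wraps to the last word
            y = v[p] = (v[p] - _mx(y, z, total, key, p, e)) & MASK
        total = (total - DELTA) & MASK
    return v

def _run(fn, data, key):
    if len(key) != 16 or len(data) < 8 or len(data) % 4:
        raise ValueError("need a 16-byte key and >= 8 bytes of data, multiple of 4")
    words = fn(struct.unpack("<%dI" % (len(data) // 4), data), struct.unpack("<4I", key))
    return struct.pack("<%dI" % len(words), *words)

def encrypt_block(data, key):
    return _run(encrypt_words, data, key)

def decrypt_block(data, key):
    return _run(decrypt_words, data, key)

if __name__ == "__main__":
    key = bytes(range(16))                     # constructed demo key
    ct = encrypt_block(b"constructed frame bytes!", key)
    print(ct.hex(), decrypt_block(ct, key))
```

The cipher by itself only hides the payload: it does not authenticate it, and it leaves the key-distribution question raised in the thread untouched.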

Triple Zero

Hm yeah if it's mpeg it's digital. And you'd think the military has some kind of protocol in place for dealing with keys that are valid for just one week or something, with a lower security clearance.

Bebek Sincap Ratatosk

Now it's not difficult to encrypt a video stream... in 2001 the hardware was still a bit off and it may be that these drones have a low carrying capacity I dunno.

However, there are plenty of ways to do secure keys... DUKPT is one option (these would all be symmetric keys which could be used with an XXTEA implementation).

DUKPT (Derived Unique Key Per Transaction) is a key management protocol used in PIN PAD devices here in the US. Basically, you start with the Base Derivation Key (BDK). The BDK is located in two places Point of Encryption and Point of Decryption. Both locations are Tamper Resistant to protect the BDK. At the beginning of the life of the device an IPEK (Initial PIN Encryption Key) is injected. These two keys then create a finite set of 10,000 or so "Future Keys". The cryptogram that is created has a KSN (Key Serial Number) which the back end recognizes and can pull the correct key from the Future Keys to decrypt. Each key is then invalidated after use (like a One Time Pad).

So after all the 'Future Keys' have been used, a new IPEK has to be injected to create another batch of keys. If a device is compromised it compromises ONLY that device and the Future Keys for that device. Hopefully it's in a Tamper Resistant case and fries everything when someone tries to open it.

The Private/Corporal etc monitoring the system would not need access to any keys at all... in fact, if the developer was smart I bet they could implement a two-layer approach... DUKPT for the initial connection and then use something like WPA/TKIP to generate unique session keys every 5 seconds or 100 packets or even for every packet.
- I don't see race. I just see cars going around in a circle.

"Back in my day, crazy meant something. Now everyone is crazy" - Charlie Manson
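A simplified sketch of the derived-key-per-message idea described in the post above, added here as an example and not taken from the thread or from any DUKPT implementation. It uses HMAC-SHA256 as a stand-in for the cipher-based derivation of real DUKPT, a plain hash chain instead of the standard's key tree, and assumes the sending device stores only its own chain key; all class names and the device identifier are hypothetical.

```python
import hashlib
import hmac

def prf(key: bytes, label: bytes) -> bytes:
    # Stand-in one-way function; real DUKPT derives keys with TDES or AES.
    return hmac.new(key, label, hashlib.sha256).digest()

def initial_key(base_key: bytes, device_id: bytes) -> bytes:
    # Done once at provisioning, before the device goes into the field.
    return prf(base_key, b"initial|" + device_id)

class Sender:
    """Field device: holds only its current chain key, never the base key."""
    def __init__(self, device_id: bytes, first_key: bytes):
        self.device_id, self._chain, self._counter = device_id, first_key, 0

    def next_key(self):
        ksn = (self.device_id, self._counter)        # sent in clear with the data
        message_key = prf(self._chain, b"message")[:16]
        self._chain = prf(self._chain, b"ratchet")   # previous chain key is gone
        self._counter += 1
        return ksn, message_key

class Receiver:
    """Back end: holds the base key and re-derives any key from its serial number."""
    def __init__(self, base_key: bytes):
        self._base_key, self._last = base_key, {}

    def key_for(self, ksn):
        device_id, counter = ksn
        if counter <= self._last.get(device_id, -1):
            raise ValueError("key serial number already used")
        chain = initial_key(self._base_key, device_id)
        for _ in range(counter):
            chain = prf(chain, b"ratchet")
        self._last[device_id] = counter
        return prf(chain, b"message")[:16]

if __name__ == "__main__":
    base = bytes(range(32))                          # constructed demo key
    unit = Sender(b"unit-01", initial_key(base, b"unit-01"))
    station = Receiver(base)
    for _ in range(3):
        ksn, key = unit.next_key()
        print(ksn, key.hex(), station.key_for(ksn) == key)
```

Because the ratchet only runs forward, a captured device yields its current and later keys but not the keys of messages it already sent, and nothing about other devices. The 16-byte output matches the key size XXTEA expects.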