MPR’s Dan Gunderson produced a short series this week on the University of North Dakota’s unmanned aircraft program. North Dakota, thanks to the number of predators that operate out of the state, has become the UAV capital of the world. The school believes there will be a growing commercial use of UAVs, according to Gunderson.
But a Wall St. Journal report today reveals a major flaw in the assumption. The Journal reports that insurgents in Iraq have hacked into the drones’ data used by the U.S. military.
The tool September 11 hijackers used to rain destruction was a 99 cent box-cutter. In this case, insurgents used a $25.95 program downloaded from the Web.
The potential drone vulnerability lies in an unencrypted downlink between the unmanned craft and ground control. The U.S. government has known about the flaw since the U.S. campaign in Bosnia in the 1990s, current and former officials said. But the Pentagon assumed local adversaries wouldn’t know how to exploit it, the officials said.
It didn’t help that the data in question wasn’t encrypted.
Are we too complicated to envision the simple work-arounds to our security infrastructure?
And it was simple –ridiculously simple — according to CBS News.
Still, the wide-open pathway to the drones seems obvious. Why wouldn’t anyone involved do something about it? John Biggs at Tech Crunch says he’s “flabbergasted”:
See, all of the “*Grabber” programs – there’s also a LAN program – sniff packets on the Internet and intercept downloads. If you were on my LAN downloading a copy of the Spiderman over an unencrypted connection, I would, in theory, be able to watch this and grab the download alongside you. The same, in theory, can be said of satellite connections apparently used by the freaking US military. This suggests either they’re storing video on MegaUpload or that the US military has a plaintext, uncoded FTP server set up in NORAD for the quick and dirty uploading of images from Predator Drones… you now, because the IT staff wanted to rock some Quake 2 instead of using quantum-encrypted connections for matters of national security.
Of course, what we’re dealing with here is data being downloaded. The more serious “hack” would be the feed that controls the drones in the first place. Today’s story leads to the obvious question: How secure is that?