Cybersecurity Issues with Predators, Reapers, and Unmanned Aerial Systems

Creech Air Force Base UAV hangars
According to Wired, Creech Air Force Base has been struggling to clean its Reaper and Predator Ground Control Stations (GCS) of a persistent virus of unknown origin; perhaps something like TDL-4 which loads before the operating system, right at the beginning of the computer's boot-up sequence. This type of virus is almost impossible to get rid of. Whether its TDL-4 or something with similar behaviors, I spent the last few days researching Unmanned Aerial Systems (UAVs plus their ground control stations) and there are a few serious cybersecurity issues besides the 2009 unencrypted video feed controversy and the one Noah Shachtman reported about last Friday. Before we get to those, I think it's important to note that while there are only a few countries (U.S., Israel, Britain, France) who are using drones operationally in Afghanistan, there are over 50 who have built or bought them. I wouldn't be surprised to see this technology near the top of someone's list for targeted cyber-espionage.

Unencrypted mission control data feeds
On 20 Dec 2009, shortly after the news broke about unencrypted Predator video feeds, a security engineer using the alias "kingcope" posted an article to the Full Disclosure list entitled "Reading Mission Control Data Out Of Predator Drone Video Feeds". He pointed out that not only was the line of sight transmission unencrypted, but so was the Ku-Band satellite transmission which extends the range of interception far beyond just line-of-sight and that if the MPEG stream wasn't encrypted, then the metadata inside the stream was probably being transmitted in the clear as well. Both the mission control data and the video stream data are part of the MPEG stream and could be read using a free tool called LEADTOOLS.

According to the Air Force, they've known about the unencrypted video feeds for over 10 years, and that it'll be 2014 before that vulnerability is fixed. Presumably that'll include the unencrypted mission control data feed as well.

Internet Access
There shouldn't be any connection between the UAS network and public-facing Internet however at least one GCS that I looked at did utilize an Internet connection as part of its architecture: the Network Centric Ground System.

I assume that the above network architecture was not deployed at Creech AFB since the GCS stations would be handling classified data however it would be worth a look at how Creech AFB has connected its Ground Control Stations to the Global Information Grid. The volume of data handled is growing at an extremely rapid pace as are the number of analysts who are viewing it according to the New York Times. With the deployment of "Gorgon Stare", an incredible 1.8 gigapixel camera offering 12 simultaneous views of the target environment, the UAV firehouse must be more massive than ever. Whatever has infected the Creech GCSs could theoretically spread beyond Creech AFB via the GIG. Let's assume that the point of entry was one of the portable hard drives used to load map updates and transport mission videos. Once in the network, its infection path could include printer servers and other shared resources regardless of geography. In other words, other Air Force bases who are conducting analysis on this data may be exposed to the same virus that the Creech technicians are struggling with.  This could include Britain's Royal Air Force whose 39 Squadron use Creech AFB as ground control for their own fleet of UAVs. I assume that the Brits are conducting their own analysis of the video feeds which would stream from Creech's GCS, thus providing a means for the virus to possibly infect British networks.

Why Kaspersky?
One of the nagging questions that I had after reading Noah's article was why would the Creech AFB technicians go to Kaspersky? DISA's Host-Based Security System website references McAfee as a supporting vendor, not Kaspersky. One of my Twitter followers suggested that they might be dealing with TDL-4, a particularly nasty TDSS variant that was originally detected by Kaspersky and which they've dubbed the "most sophisticated threat today". That might explain why the technicians turned felt they needed to visit the Russian company's site even though no one has a patch for this; not even Kaspersky. Based upon its description and functionality, a TLD-4 infection would be a worst-case scenario for the U.S. Air Force because it means that their data is being exfiltrated to cybercriminals in a way that's extremely hard to detect:
TDSS uses a range of methods to evade signature, heuristic, and proactive detection, and uses encryption to facilitate communication between its bots and the botnet command and control center. TDSS also has a powerful rootkit component, which allows it to conceal the presence of any other types of malware in the system.
If it is TDL-4, no one has a way to remove it short of shit-canning the old hard drives and buying new ones. And speaking frankly, the Air Force appears to me to be a bit too relaxed about its vulnerabilities in cyberspace. It let its UAS data stream remain unencrypted for over 10 years because someone thought the enemy was too unsophisticated to know how to read it. Someone else apparently thought it was OK to make an exception on its removable media rule for UAV data transfer. And as far as its public response to this breaking story goes, a standard CYA response like the one Lt. Col. Tadd Sholtis gave - "We invest a lot in protecting and monitoring our systems to counter threats and ensure security, which includes a comprehensive response to viruses, worms, and other malware we discover" - is pretty meaningless in light of past events. Then there's the remarks of an unidentified senior Air Force official for Fox News who claimed that Wired's entire story was over-blown:
"The planes were never in any jeopardy of 'going stupid'," the source said, and the virus "is not affecting operations in any way ... it showed up on a Microsoft-based Windows system. We have a closed-loop system and heavily protected cockpits -- the planes were never in jeopardy."
I have no idea who this un-named source is or what article he thinks he read but it wasn't the article in Wired. There's not a single mention of planes being in jeopardy or "going stupid" in Noah Shachtman's article. If he can't get his facts straight about what the article said, why should anyone believe his assessment of the malware? Having met and spoken with many USAF officers involved in cyber including some General officers, I know that the Air Force is capable of better cybersecurity management. Hopefully this breach will spur some positive changes before any more damage is done.


  1. Assuming it is TDL4/TDSS, it is likely they tried to use Kaspersky's TDSSKiller -


Post a Comment