Back to news

August 19, 2019 | International, Aerospace

The Cybersecurity 202: Hackers just found serious vulnerabilities in a U.S. military fighter jet

By Joseph Marks

LAS VEGAS — In a Cosmopolitan hotel suite 16 stories above the Def Con cybersecurity conference this weekend, a team of highly vetted hackers tried to sabotage a vital flight system for a U.S. military fighter jet. And they succeeded.

It was the first time outside researchers were allowed physical access to the critical F-15 system to search for weaknesses. And after two long days, the seven hackers found a mother lode of vulnerabilities that — if exploited in real life — could have completely shut down the Trusted Aircraft Information Download Station, which collects reams of data from video cameras and sensors while the jet is in flight.

They even found bugs that the Air Force had tried but failed to fix after the same group of hackers performed similar tests in November without actually touching the device.

“They were able to get back in through the back doors they already knew were open,” Will Roper, the Air Force's top acquisition official, told me in an exclusive briefing of the results.

The hackers lobbed a variety of attacks — including injecting the system with malware and even going at it with pliers and screwdrivers. When I saw it, the metal box that's usually secure on the aircraft had wires hanging out the front.

The hackers briefed Roper on the findings on Saturday afternoon. He was surrounded by discarded pizza boxes, iced coffee drinks — and the hotel's drinking glasses filled with screws, nuts and bolts removed from five fully dismantled TADS devices, which run about $20,000 a pop.

He'd expected the results to be about this bad, Roper told me on a private tour of the hacking event. He pinned the weaknesses on decades of neglect of cybersecurity as a key issue in developing its products, as the Air Force prioritized time, cost and efficiency.

He's trying to turn that around, and is hopeful about the results of the U.S. government's newfound openness to ethical hackers. He'd come straight from Def Con's first-ever Aviation Village, which the Air Force helped establish, and was wearing a gray T-shirt with the words “No, Mr. Bond, I expect you to hack,” emblazoned on the front — a riff on a classic line from the 1964 James Bond film “Goldfinger.”

This is a drastic change from previous years, when the military would not allow hackers to try to search for vulnerabilities in extremely sensitive equipment, let alone take a literal whack at it. But the Air Force is convinced that unless it allows America's best hackers to search out all the digital vulnerabilities in its planes and weapons systems, then the best hackers from adversaries such as Russia, Iran and North Korea will find and exploit those vulnerabilities first, Roper told me.

“There are millions of lines of code that are in all of our aircraft and if there's one of them that's flawed, then a country that can't build a fighter to shoot down that aircraft might take it out with just a few keystrokes,” he said.

Roper wants to put his military hardware where his mouth is.

During next year's Def Con conference, he wants to bring vetted hackers to Nellis or Creech Air Force bases near Las Vegas where they can probe for bugs on every digital system in a military plane, including for ways that bugs in one system can allow hackers to exploit other systems until they've gained effective control of the entire plane.

He also wants to open up the ground control system for an operational military satellite for hacker testing, he said.

“We want to bring this community to bear on real weapons systems and real airplanes,” Roper told me. “And if they have vulnerabilities, it would be best to find them before we go into conflict.”

Those hacking challenges will also be useful for the private sector because military planes and satellites share many of their computer systems with the commercial versions of those products, Roper said, and the Air Force can share its findings.

The seven hackers probing the TADS devices were all brought to Vegas by the cybersecurity company Synack, which sells the Pentagon third-party vulnerability testing services, under a contract with the Defense Digital Service, a team of mostly private-sector technology stars who try to solve some of the Pentagon's thorniest technology problems during short-term tours.

The Defense Digital Service started by organizing large-scale hacking competitions in 2016, with names such as “Hack the Pentagon” and, eventually, “Hack the Air Force.” These were open to almost anybody — but included only public-facing hacking targets such as military service websites and apps.

Shortly after, they also began opening more sensitive systems to a smaller number of vetted hackers who sign nondisclosure agreements.

DDS has run about a dozen of those more sensitive hacking competitions so far, but this is the first time it has offered up the same system for hacking twice, said Brett Goldstein, DDS's director, who earned a reputation in technology as Open Table's IT director and chief data officer for the city of Chicago.

“That's important because security is a continuous process,” he told me. “You can't do an exercise and say, ‘Oh, we found everything' and check the box. You need to constantly go back and reevaluate.”

They also allowed the hackers to be more aggressive this time and to physically disassemble the TADS systems to get a better idea of what kinds of digital attacks might be effective, Goldstein said. That meant the hackers could simulate a cyberattack from adversaries that had infiltrated the vast network of suppliers that make TADS components and had sophisticated knowledge about how to compromise those elements.

They could also advise the Air Force about flaws in how the TADS hardware was built that make it more susceptible to digital attacks.

Moving forward, Roper told me, he wants to start using that knowledge to mandate that Air Force vendors build better software and hardware security controls into their planes and weapons systems upfront so the Air Force doesn't have to do so much cybersecurity work on the back end.

He's up against an arcane and byzantine military contracting process, however, that's going to make those sorts of fundamental reforms extremely difficult, he acknowledged.

In some cases, the company that built an Air Force system owns the software embedded in that system and won't let the Air Force open it up for outside testing, he says. In other cases, the Air Force is stuck with legacy IT systems that are so out of date that it's difficult for even the best technologists to make them more secure.

“It's difficult to do this going backward, but we're doing our best,” Roper told me. “I can't underscore enough, we just got into the batter's box for what's going to be a long baseball game.”

https://www.washingtonpost.com/news/powerpost/paloma/the-cybersecurity-202/2019/08/14/the-cybersecurity-202-hackers-just-found-serious-vulnerabilities-in-a-u-s-military-fighter-jet/5d53111988e0fa79e5481f68/

On the same subject

  • How Army IT modernization is reshaping this cadre of soldiers

    October 15, 2019 | International, Land

    How Army IT modernization is reshaping this cadre of soldiers

    By: Mark Pomerleau The Army's efforts to modernize its tactical networks and information technology are expected to reshape its signal corps, according to service officials. One of the Army's efforts includes creating what is known as “expeditionary signal battalion-enhanced," or ESB-E. Expeditionary signal battalions support units that don't have organic communications capabilities. These groups could include military intelligence battalions, chemical battalions, engineering battalions or air defense artillery branches. However, the Army realized it took too long to get equipment to theater, and the units said the gear performed too slowly on the battlefield, Sgt. Maj. Wendle Marshall, the head of 50th ESB-E, told C4ISRNET during a September trip to Fort Bragg, North Carolina. In response, the service adopted a more expeditionary approach, hence the “enhanced.” The Army as a whole is working to be more expeditionary and mobile to stay ahead of potential future threats, which will require units to move rapidly. Mobility extends to the overall tactical network modernization effort, for which the ESB-E is part of the first iteration of development to the force in 2021. The 50th ESB-E is the experimental unit, and three of its companies each received different equipment to test. When the Army receives feedback from those units and makes a decision on fielding, it will retrofit the entire battalion with the same gear. In 2021, the Army plans to outfit three ESB-Es out of 24 total ESBs. The biggest difference between the enhanced version of these battalions? Advancements in technology allow them to be more mobile and use less equipment while proving more capable. Soldiers described to C4ISRNET the difference in equipment between two sister battalions in the same signal brigade — one being an enhanced battalion. Based on the current configuration of a company in a typical battalion, six vehicles are needed to establish communications for a battalion or brigade — three vehicles and three trailers totaling six drivers — and three to seven C-17 planes to transport the vehicles. The enhanced versions can deploy that same company in a single C-17 requiring just a four-seat Humvee and one trailer to house equipment and personal gear. “If we had to get somewhere fast, we would not be able to provide the combat power as effective or fast as the ESB-E would,” Lt. Col. Trey Matchin, commander of 67th Expeditionary Signal Battalion, a sister battalion of the 50th located at Fort Gordon, Georgia, told C4ISRNET. Marshall said the enhanced battalions also aren't constrained to just satellite communications. “This kit's allowing us to change force structure to meet the needs of the Army,” Col. Matthew Foulk, commander of 35th Signal Brigade, which includes the 50th and 67th, told C4ISRNET in August. Moreover, with less equipment, soldiers' loads are lighter, they are more multifunctional and they rely less on contractor support. “ESB-Es being fielded is going to come to an apex at the perfect time. Which is creating a more multifunctional soldier instead of ‘I only do SATCOM [satellite communications] or I only do baseband, I only do radios.' We're getting away from that,” Foulk said. Marshall demonstrated how the motor pool for the 50th is smaller and simplified compared to sister battalions. One prominent example is an operations cell in which soldiers work on their kits as opposed to contractors. This allows war fighters to become proficient on systems ahead of exercises. https://www.c4isrnet.com/show-reporter/ausa/2019/10/15/how-army-it-modernization-is-reshaping-this-cadre-of-soldiers

  • Pentagon orders $2B worth of jam-resistant radios

    May 21, 2020 | International, C4ISR

    Pentagon orders $2B worth of jam-resistant radios

    Nathan Strout The Navy has issued two contracts totaling as much as $2 billion for Joint Tactical Radio Systems over the next five years. Viasat and the joint venture Data Link Solutions LLC (comprised of BAE Systems and Collins Aerospace) were each awarded indefinite delivery, indefinite quantity contracts worth as much as $1 billion for the production, retrofitting, development and sustainment of the Multifunctional Information Distribution System Joint Tactical Radio Systems, or MIDS JTRS, terminals. There were two proposals submitted for the contracts. The MIDS JTRS terminal is a software-defined radio that provides secure, line-of-sight voice and data communications for a variety of air, sea and ground platforms. The jam-resistant radio can transmit and receive data over Link 16 and Tactical Air Navigation systems like existing technology. It can also use new communications protocals and advanced networking waveforms, including the multifunction advanced data link and the intra-flight data link. According to the contract announcement, there are three terminal variants covered by this award: the Concurrent Multi-Netting-4, the Tactical Targeting Network Technology and the F-22 variant. The combined contracts will provide terminals for the U.S. Navy, U.S. Air Force and NATO nations. The award is a followup to five-year contracts issued to both companies in 2015, which are set to expire May 27. Work under the new contracts is expected to be complete by May 2025. https://www.c4isrnet.com/battlefield-tech/c2-comms/2020/05/20/dod-ordering-2b-worth-of-jam-resistant-radios/

  • Indonesia to buy Boeing’s F-15 jets, Lockheed’s Black Hawk helicopters

    August 23, 2023 | International, Aerospace

    Indonesia to buy Boeing’s F-15 jets, Lockheed’s Black Hawk helicopters

    Indonesia has an ongoing need for new combat aircraft as it seeks to better defend the airspace of its estimated 18,000 islands.

All news