19 August 2019 | International, Aerospace

The Cybersecurity 202: Hackers just found serious vulnerabilities in a U.S. military fighter jet

By Joseph Marks

LAS VEGAS — In a Cosmopolitan hotel suite 16 stories above the Def Con cybersecurity conference this weekend, a team of highly vetted hackers tried to sabotage a vital flight system for a U.S. military fighter jet. And they succeeded.

It was the first time outside researchers were allowed physical access to the critical F-15 system to search for weaknesses. And after two long days, the seven hackers found a mother lode of vulnerabilities that — if exploited in real life — could have completely shut down the Trusted Aircraft Information Download Station, which collects reams of data from video cameras and sensors while the jet is in flight.

They even found bugs that the Air Force had tried but failed to fix after the same group of hackers performed similar tests in November without actually touching the device.

“They were able to get back in through the back doors they already knew were open,” Will Roper, the Air Force's top acquisition official, told me in an exclusive briefing of the results.

The hackers lobbed a variety of attacks — including injecting the system with malware and even going at it with pliers and screwdrivers. When I saw it, the metal box that's usually secure on the aircraft had wires hanging out the front.

The hackers briefed Roper on the findings on Saturday afternoon. He was surrounded by discarded pizza boxes, iced coffee drinks — and the hotel's drinking glasses filled with screws, nuts and bolts removed from five fully dismantled TADS devices, which run about $20,000 a pop.

He'd expected the results to be about this bad, Roper told me on a private tour of the hacking event. He pinned the weaknesses on decades of neglect of cybersecurity as a key issue in developing the Air Force's products, as the service prioritized time, cost and efficiency.

He's trying to turn that around, and is hopeful about the results of the U.S. government's newfound openness to ethical hackers. He'd come straight from Def Con's first-ever Aviation Village, which the Air Force helped establish, and was wearing a gray T-shirt with the words “No, Mr. Bond, I expect you to hack,” emblazoned on the front — a riff on a classic line from the 1964 James Bond film “Goldfinger.”

This is a drastic change from previous years, when the military would not allow hackers to try to search for vulnerabilities in extremely sensitive equipment, let alone take a literal whack at it. But the Air Force is convinced that unless it allows America's best hackers to search out all the digital vulnerabilities in its planes and weapons systems, then the best hackers from adversaries such as Russia, Iran and North Korea will find and exploit those vulnerabilities first, Roper told me.

“There are millions of lines of code that are in all of our aircraft and if there's one of them that's flawed, then a country that can't build a fighter to shoot down that aircraft might take it out with just a few keystrokes,” he said.

Roper wants to put his military hardware where his mouth is.

During next year's Def Con conference, he wants to bring vetted hackers to Nellis or Creech Air Force bases near Las Vegas where they can probe for bugs on every digital system in a military plane, including for ways that bugs in one system can allow hackers to exploit other systems until they've gained effective control of the entire plane.

He also wants to open up the ground control system for an operational military satellite for hacker testing, he said.

“We want to bring this community to bear on real weapons systems and real airplanes,” Roper told me. “And if they have vulnerabilities, it would be best to find them before we go into conflict.”

Those hacking challenges will also be useful for the private sector because military planes and satellites share many of their computer systems with the commercial versions of those products, Roper said, and the Air Force can share its findings.

The seven hackers probing the TADS devices were all brought to Vegas by the cybersecurity company Synack, which sells the Pentagon third-party vulnerability testing services, under a contract with the Defense Digital Service, a team of mostly private-sector technology stars who try to solve some of the Pentagon's thorniest technology problems during short-term tours.

The Defense Digital Service started by organizing large-scale hacking competitions in 2016, with names such as “Hack the Pentagon” and, eventually, “Hack the Air Force.” These were open to almost anybody — but included only public-facing hacking targets such as military service websites and apps.

Shortly after, they also began opening more sensitive systems to a smaller number of vetted hackers who sign nondisclosure agreements.

DDS has run about a dozen of those more sensitive hacking competitions so far, but this is the first time it has offered up the same system for hacking twice, said Brett Goldstein, DDS's director, who earned a reputation in technology as Open Table's IT director and chief data officer for the city of Chicago.

“That's important because security is a continuous process,” he told me. “You can't do an exercise and say, ‘Oh, we found everything' and check the box. You need to constantly go back and reevaluate.”

They also allowed the hackers to be more aggressive this time and to physically disassemble the TADS systems to get a better idea of what kinds of digital attacks might be effective, Goldstein said. That meant the hackers could simulate a cyberattack from adversaries that had infiltrated the vast network of suppliers that make TADS components and had sophisticated knowledge about how to compromise those elements.

They could also advise the Air Force about flaws in how the TADS hardware was built that make it more susceptible to digital attacks.

Moving forward, Roper told me, he wants to start using that knowledge to mandate that Air Force vendors build better software and hardware security controls into their planes and weapons systems upfront so the Air Force doesn't have to do so much cybersecurity work on the back end.

He's up against an arcane and byzantine military contracting process, however, that's going to make those sorts of fundamental reforms extremely difficult, he acknowledged.

In some cases, the company that built an Air Force system owns the software embedded in that system and won't let the Air Force open it up for outside testing, he says. In other cases, the Air Force is stuck with legacy IT systems that are so out of date that it's difficult for even the best technologists to make them more secure.

“It's difficult to do this going backward, but we're doing our best,” Roper told me. “I can't underscore enough, we just got into the batter's box for what's going to be a long baseball game.”

https://www.washingtonpost.com/news/powerpost/paloma/the-cybersecurity-202/2019/08/14/the-cybersecurity-202-hackers-just-found-serious-vulnerabilities-in-a-u-s-military-fighter-jet/5d53111988e0fa79e5481f68/
