19 August 2019 | International, Aerospace

The Cybersecurity 202: Hackers just found serious vulnerabilities in a U.S. military fighter jet

By Joseph Marks

LAS VEGAS — In a Cosmopolitan hotel suite 16 stories above the Def Con cybersecurity conference this weekend, a team of highly vetted hackers tried to sabotage a vital flight system for a U.S. military fighter jet. And they succeeded.

It was the first time outside researchers were allowed physical access to the critical F-15 system to search for weaknesses. And after two long days, the seven hackers found a mother lode of vulnerabilities that — if exploited in real life — could have completely shut down the Trusted Aircraft Information Download Station, which collects reams of data from video cameras and sensors while the jet is in flight.

They even found bugs that the Air Force had tried but failed to fix after the same group of hackers performed similar tests in November without actually touching the device.

“They were able to get back in through the back doors they already knew were open,” Will Roper, the Air Force's top acquisition official, told me in an exclusive briefing of the results.

The hackers lobbed a variety of attacks — including injecting the system with malware and even going at it with pliers and screwdrivers. When I saw it, the metal box that's usually secure on the aircraft had wires hanging out the front.

The hackers briefed Roper on the findings on Saturday afternoon. He was surrounded by discarded pizza boxes, iced coffee drinks — and the hotel's drinking glasses filled with screws, nuts and bolts removed from five fully dismantled TADS devices, which run about $20,000 a pop.

He'd expected the results to be about this bad, Roper told me on a private tour of the hacking event. He pinned the weaknesses on decades in which the Air Force neglected cybersecurity as a key issue when developing its products, prioritizing time, cost and efficiency instead.

He's trying to turn that around, and is hopeful about the results of the U.S. government's newfound openness to ethical hackers. He'd come straight from Def Con's first-ever Aviation Village, which the Air Force helped establish, and was wearing a gray T-shirt with the words “No, Mr. Bond, I expect you to hack,” emblazoned on the front — a riff on a classic line from the 1964 James Bond film “Goldfinger.”

This is a drastic change from previous years, when the military would not allow hackers to search for vulnerabilities in extremely sensitive equipment, let alone take a literal whack at it. But the Air Force is convinced that unless it allows America's best hackers to search out all the digital vulnerabilities in its planes and weapons systems, the best hackers from adversaries such as Russia, Iran and North Korea will find and exploit those vulnerabilities first, Roper told me.

“There are millions of lines of code that are in all of our aircraft and if there's one of them that's flawed, then a country that can't build a fighter to shoot down that aircraft might take it out with just a few keystrokes,” he said.

Roper wants to put his military hardware where his mouth is.

During next year's Def Con conference, he wants to bring vetted hackers to Nellis or Creech Air Force bases near Las Vegas where they can probe for bugs on every digital system in a military plane, including for ways that bugs in one system can allow hackers to exploit other systems until they've gained effective control of the entire plane.

He also wants to open up the ground control system for an operational military satellite for hacker testing, he said.

“We want to bring this community to bear on real weapons systems and real airplanes,” Roper told me. “And if they have vulnerabilities, it would be best to find them before we go into conflict.”

Those hacking challenges will also be useful for the private sector because military planes and satellites share many of their computer systems with the commercial versions of those products, Roper said, and the Air Force can share its findings.

The seven hackers probing the TADS devices were all brought to Vegas by the cybersecurity company Synack, which sells the Pentagon third-party vulnerability testing services, under a contract with the Defense Digital Service, a team of mostly private-sector technology stars who try to solve some of the Pentagon's thorniest technology problems during short-term tours.

The Defense Digital Service started by organizing large-scale hacking competitions in 2016, with names such as “Hack the Pentagon” and, eventually, “Hack the Air Force.” These were open to almost anybody — but included only public-facing hacking targets such as military service websites and apps.

Shortly after, DDS also began opening more sensitive systems to a smaller number of vetted hackers who sign nondisclosure agreements.

DDS has run about a dozen of those more sensitive hacking competitions so far, but this is the first time it has offered up the same system for hacking twice, said Brett Goldstein, DDS's director, who earned a reputation in technology as OpenTable's IT director and as chief data officer for the city of Chicago.

“That's important because security is a continuous process,” he told me. “You can't do an exercise and say, ‘Oh, we found everything' and check the box. You need to constantly go back and reevaluate.”

The organizers also allowed the hackers to be more aggressive this time and to physically disassemble the TADS units to get a better idea of what kinds of digital attacks might be effective, Goldstein said. That meant the hackers could simulate an adversary that had already infiltrated the vast network of suppliers that make TADS components and had sophisticated knowledge of how to compromise those parts.

They could also advise the Air Force about flaws in how the TADS hardware was built that make it more susceptible to digital attacks.

Moving forward, Roper told me, he wants to start using that knowledge to mandate that Air Force vendors build better software and hardware security controls into their planes and weapons systems upfront so the Air Force doesn't have to do so much cybersecurity work on the back end.

He's up against an arcane and byzantine military contracting process, however, that's going to make those sorts of fundamental reforms extremely difficult, he acknowledged.

In some cases, the company that built an Air Force system owns the software embedded in that system and won't let the Air Force open it up for outside testing, he said. In other cases, the Air Force is stuck with legacy IT systems so out of date that even the best technologists struggle to make them more secure.

“It's difficult to do this going backward, but we're doing our best,” Roper told me. “I can't underscore enough, we just got into the batter's box for what's going to be a long baseball game.”

https://www.washingtonpost.com/news/powerpost/paloma/the-cybersecurity-202/2019/08/14/the-cybersecurity-202-hackers-just-found-serious-vulnerabilities-in-a-u-s-military-fighter-jet/5d53111988e0fa79e5481f68/
