Cyber Attack On Weapon Systems Is Easier Than You’d Think

All US weapons that the Department of Defense tested between 2012 and 2017 have “mission critical” cyber vulnerabilities, claims a new report from the US Government Accountability Office (GAO).

The report serves as a wakeup call for the DOD regarding cybersecurity threats to its weapons systems. 

“Using relatively simple tools and techniques, testers were able to take control of systems and largely operate undetected, due in part to basic issues such as poor password management and unencrypted communications,” the report states. And yet, perhaps more alarmingly, the officials who oversee those systems appeared dismissive of the results.

Subtitled “DOD Just Beginning to Grapple with Scale of Vulnerabilities,” the report finds that the department “likely has an entire generation of systems that were designed and built without adequately considering cybersecurity.” GAO says the DOD is only now beginning to grapple with the importance of cybersecurity, and the scale of vulnerabilities in its weapons systems.

The report is based on penetration tests the DOD itself undertook, as well as interviews with officials at various DOD offices. DOD testers found significant vulnerabilities in the department’s weapon systems, some of which began with poor basic password security or lack of encryption. 

Among the findings of the report: one tester was able to guess an admin password on a weapons system in nine seconds. Other weapons used commercial or open source software, but administrators failed to change the default passwords.

Yet another tester managed to partially shut down a weapons system by merely scanning it, a technique so basic, the GAO says, it “requires little knowledge or expertise.” Testers were sometimes able to take full control of these weapons. 

The DOD also had a hard time detecting when testers were probing the weapons. In one case, testers were in the weapons system for weeks, according to the GAO, but the administrators never found them. This, despite the testers being intentionally “noisy.” 

In other cases, automated systems did detect the testers, but the humans responsible for monitoring those systems didn’t understand what the intrusion technology was trying to tell them.

Wired.com claims that this unclassified report lacks specific details, mentioning various officials and systems without identifying them. Wired emphasizes that when the DOD dismisses these results, they are dismissing the testing from their own department. The GAO didn’t conduct any tests itself; rather, it audited the assessments of Defense Department testing teams.

iHLS:
