Pentagon's new next-gen weapons systems are laughably easy to hack

Bad passwords, non-encrypted communications, and a lot of unpatched bugs.

New computerized weapons systems currently under development by the US Department of Defense (DOD) can be easily hacked, according to a new report published today.

The report was put together by the US Government Accountability Office (GAO), an agency that provides auditing, evaluation, and investigative services for Congress.

Congress ordered the GAO report in preparation to approve DOD funding of over $1.66 trillion, so the Pentagon could expand its weapons portfolio with new toys in the coming years.

But according to the new report, GAO testers "playing the role of adversary" found a slew of vulnerabilities of all sort of types affecting these new weapons systems.

"Using relatively simple tools and techniques, testers were able to take control of systems and largely operate undetected, due in part to basic issues such as poor password management and unencrypted communications," GAO officials said.

The report detailed some of the most eye-catching hacks GAO testers performed during their analysis.

In one case, it took a two-person test team just one hour to gain initial access to a weapon system and one day to gain full control of the system they were testing.
Some programs fared better than others. For example, one assessment found that the weapon system satisfactorily prevented unauthorized access by remote users, but not insiders and near-siders. Once they gained initial access, test teams were often able to move throughout a system, escalating their privileges until they had taken full or partial control of a system.
In one case, the test team took control of the operators' terminals. They could see, in real-time, what the operators were seeing on their screens and could manipulate the system. They were able to disrupt the system and observe how the operators responded.
Another test team reported that they caused a pop-up message to appear on users' terminals instructing them to insert two quarters to continue operating.
Multiple test teams reported that they were able to copy, change, or delete system data including one team that downloaded 100 gigabytes, approximately 142 compact discs, of data.
One test report indicated that the test t eam was able to guess an administrator password in nine seconds.
For example, in some cases, simply scanning a system caused parts of the system to shut down. One test had to be stopped due to safety concerns after the test team scanned the system.
Nearly all major acquisition programs that were operationally tested between 2012 and 2017 had mission-critical cyber vulnerabilities that adversaries could compromise.

The report claims the DOD documented many of these "mission-critical cyber vulnerabilities," but Pentagon officials who met with GAO testers claimed their systems were secure, and "discounted some test results as unrealistic."

dod-next-gen-weapons-systems.png
GAO

GAO said all tests were performed on computerized weapons systems that are still under development. GAO officials highlighted that hackers can't yet take control over current weapons systems and turn them against the US.

But if these new weapons systems go live, the threat is more than real, GAO said.

"It looks grim unless they see this as a wake-up call and they start taking action in a serious manner," said Christina Chaplin, one of the GAO employees who participated in putting together the report.

Answering questions in a podcast, Chaplin said that one of the reasons these new computerized weapons systems are so vulnerable to hacks is because, until recently, the DOD didn't prioritize "cyber" as part of the development process, "but it has begun to grasp the magnitude of the problem and taken a way of action."

One way was by instituting better testing procedures, and the second was by setting "cyber" as a focus during the acquisition process of the many components part of these new systems.

But despite this, the GAO report warns that if the DOD doesn't act on its own findings to patch the vulnerabilities its employees discover in their own software, then all their internal testing procedures are useless.

And according to the GAO report, the DOD is pretty bad at addressing these flaws.

For example, one test report indicated that only 1 of 20 cyber vulnerabilities identified in a previous assessment had been corrected. The test team exploited the same vulnerabilities to gain control of the system. When asked why vulnerabilities had not been addressed, program officials said they had identified a solution, but for some reason it had not been implemented. They attributed it to contractor error.

"There's also a culture right now at the DOD were we feel like the extent of the problem isn't really appreciated at the program level," Chaplin said. "The DOD has a lot of work ahead of it to overcome some cultural issues."

The report didn't go in great detail of what the Pentagon's next-gen weapons systems are, because of national security concerns, but GAO did say all systems were heavily computerized and many were also networked together, which would make them a high-value target for many foreign nation-state hacking groups once they go live.

"Nearly every conceivable component in DOD is networked," the report said. "Weapon systems connect to DOD's extensive set of networks--called the DOD Information Network--and sometimes to external networks, such as those of defense contractors. Technology systems, logistics, personnel, and other business-related systems sometimes connect to the same networks as weapon systems. Furthermore, some weapon systems may not connect directly to a network, but connect to other systems, such as electrical systems, that may connect directly to the public Internet."

In other words, once these new weapons systems go live, they'll essentially live on the Internet, and they'd better be secure or they'll get hacked in a hurry, especially if the reported issues won't get corrected.

RELATED COVERAGE: