GAO: U.S. Weapon Systems Easily Hacked
Cybersecurity testers quickly disrupted or accessed and gained control of many tools.
U.S. military aircraft, ships, combat vehicles, radios and satellites remain vulnerable to relatively common cyber attacks, according to a report published Tuesday by the U.S. Government Accountability Office (GAO). The report does not specify which weapon systems were tested.
In one case, a two-person test team took just one hour to gain initial access to a weapon system and one day to gain full control of the system, the report says. Another assessment demonstrated that the weapon system “satisfactorily prevented unauthorized access by remote users, but not insiders and near-siders.”
Once inside the system, test teams “were often able to move throughout a system, escalating their privileges until they had taken full or partial control of a system,” the report specifies. “In one case, the test team took control of the operators’ terminals. They could see in real time what the operators were seeing on their screens and could manipulate the system. They were able to disrupt the system and observe how the operators responded.”
Another test team reported that it had caused a pop-up message to appear on users’ terminals instructing them to insert two quarters to continue operating. Multiple test teams reported that they were able to copy, change or delete system data, including one team that downloaded 100 gigabytes—approximately 142 compact discs’ worth—of data.
“The test reports indicated that test teams used nascent to moderate tools and techniques to disrupt or access and take control of weapon systems. For example, in some cases, simply scanning a system caused parts of the system to shut down,” the report says. “One test had to be stopped due to safety concerns after the test team scanned the system. This is a basic technique that most attackers would use and requires little knowledge or expertise. Poor password management was a common problem in the test reports we reviewed.”
Multiple weapon systems use commercial or open source software, but program personnel often do not change the default password when the software is installed, allowing test teams to look up the password on the Internet and gain administrator privileges. Numerous test teams reported using free, publicly available information or software downloaded from the Internet to avoid or defeat weapon system security controls.
Furthermore, program offices already knew about some of the weapon system vulnerabilities that test teams exploited, because those vulnerabilities had been identified in previous cybersecurity assessments. For example, one test report indicated that only one of 20 cyber vulnerabilities identified in a previous assessment had been corrected. The test team exploited the same vulnerabilities to gain control of the system. When asked why vulnerabilities had not been addressed, program officials said they had identified a solution, but for some reason, it had not been implemented. They attributed it to contractor error. Another test report indicated that the test team exploited 10 vulnerabilities that had been identified in previous assessments.
The report explains that the U.S. Defense Department has only recently begun to focus seriously on weapon systems and has “taken several steps to improve weapon systems cybersecurity, including issuing and revising policies and guidance to better incorporate cybersecurity considerations.” Improvements include specifying that cybersecurity policies apply to weapon systems and requiring more focus on cybersecurity throughout a weapon system’s acquisition life cycle.
The report did not mention the cybersecurity strategy recently completed by the department’s chief information officer, Dana Deasy, or the establishment of the Air Force Cyber Resiliency Office for Weapon Systems (CROWS).
The report indicates that the Defense Department faces challenges such as recruiting and retaining cybersecurity talent—especially personnel with weapon systems cybersecurity expertise.