Hunt for Red Bugtober: US military's weapon systems riddled with security holes – auditors

Death from a-bug. Dr Strange-bug. Top Bug. We could do this all day...


Computer security vulnerabilities are widespread in US military hardware, and the Pentagon is only beginning to understand how to fix them.

This is according to an October report [PDF] on cybersecurity practices in Uncle Sam's armed forces, drawn up by the Government Accountability Office (GAO).

Leading with the subtle title "DOD Just Beginning to Grapple with Scale of Vulnerabilities," the dossier outlines how known exploitable flaws in components like microcontrollers, industrial control system boards, and management software are being left unpatched, with little in the way of plans to address them. That's bad news as more and more kit is hooked up to computer networks and the internet, from where those holes can potentially be exploited.

"Although GAO and others have warned of cyber risks for decades, until recently, DOD did not prioritize weapon systems cybersecurity. Finally, DOD is still determining how best to address weapon systems cybersecurity," the scathing report stated.

"In operational testing, DOD routinely found mission-critical cyber vulnerabilities in systems that were under development, yet program officials GAO met with believed their systems were secure and discounted some test results as unrealistic."

According to the auditors, the problem lies both in the structure of the Department of Defense itself – where network and information security is kept separate from weapons systems and acquisitions – and in the way the weapons themselves increasingly rely on network connectivity and networked software to function.

As a result, the report claims the department is only beginning to figure out what it needs to patch and how it needs to go about doing it in things like missile guidance systems or fighter jets. Even new systems, the GAO said, are being introduced with major vulnerabilities and exposures like default passwords and unencrypted data connections.

"In part because DOD historically focused on the cybersecurity of its networks but not weapon systems themselves, DOD is in the early stage of trying to understand how to apply cybersecurity to weapon systems," the report stated.

"Several DOD officials explained that it will take some time, and possibly some missteps, for the department to learn what works and does not work with respect to weapon systems cybersecurity."

Here are some other choice highlights from the report:

Legacy software is going to get someone killed

Even if Uncle Sam's techies are savvy enough to use strong passwords, patch software, and implement the other key “don't be stupid” features to secure the military's latest systems, the auditors claimed nearly every new piece of kit will be potentially vulnerable to attack anyway, because it has to be connected to an older and insecure system.

Their report stated there's probably “an entire generation of systems” with inadequate security, and “if DoD is able to make its newer systems more secure, but connects them to older systems, this puts the newer systems at risk.”

Some systems can't even be tested properly: one system uses proprietary black-box hardware and software and depended on a connection back to a contractor's corporate network, which was off-limits to security testers.

On the bright side, the auditors said the military has, since 2014, issued or updated “at least 15 department-wide policies, guidance documents, and memorandums intended to promote more cyber secure weapon systems,” and its existing infosec policies now “explicitly apply to weapons systems.” So that's all right, then.

In the meantime, the auditors said the Pentagon should continue focusing on upping its efforts to develop cybersecurity offices (read: recruit more techies) and find ways to better coordinate communications between departments so they can share vulnerability and threat information with one another. ®
