
Computer virus hits US Predator and Reaper drone fleet - llambda
http://arstechnica.com/business/news/2011/10/exclusive-computer-virus-hits-drone-fleet.ars
======
JonnieCache
Like hugh says, this doesn't add up at all.

 _“We keep wiping it off, and it keeps coming back,” says a source familiar
with the network infection, one of three that told Danger Room about the
virus. “We think it’s benign. But we just don’t know.”_

C'mon. You're the _military._ "It just keeps coming back?" So you decide to do
a press release about it? Please.

I wouldn't have whined like that when I was de-malwareing neighbourhood PCs at
age 13, I would have _fixed it_. If I can successfully keep malware off the
PCs of middle aged parents with teenaged children, then the government capable
of developing and operating fleets of _unmanned military drones_ can certainly
isolate a network and disable the USB bus.

There is definitely some high level shit going on right here. I doubt we'll
know about it for many years, if ever.

~~~
Bud
I don't know how I can be any more clear here:

If they are not smart enough to keep malware off of what should be the most
secure systems around, perhaps they shouldn't be building the fricking FLYING
REMOTE-CONTROL DEATH MACHINES for a while, until they can figure out the
basics.

Capisce, guys?

~~~
teej
I am totally with you. If software is going to operate deadly weapons, it sure
as hell better be secure.

But you are glossing over a LOT of detail here. The military doesn't work like
Apple: they don't design, oversee, or directly control the construction of the
hardware they use. And they shouldn't - the government is woefully inefficient
at building products, that's what corporations are good at.

Here's the situation:

- The Air Force contracts General Atomics Aeronautical Systems to build UAVs.
You can bet your ass the contract covers things like "protected from malware"

- General Atomics contracts out the different components of the UAV. No
device worth $150M gets built by one company alone. The radar, the metal
shell, the inside components, and each component of the software are all made
by _different companies_.

- Each component is meticulously specified and rigorously tested. The makers
of a component are contractually liable if they fuck up, giving them an
incentive to do it slow & right. That's why it's so damn expensive.

- General Atomics puts the pieces together into the final product and
delivers it to the Air Force after another round of rigorous testing.

- A team of guys in the Air Force are trained on operating the UAVs to deploy
on missions.

=====================

So to say something like "Ugh, military, don't deploy UAVs if you can't keep
it virus free!" is an oversimplification. These are extremely complex
machines, with highly specialized embedded software, meant to deliver explodey
things with extreme precision, while being operated from very far away. You
can't just slap Norton on these things and call it a day.

~~~
Bud
teej, I assure you, I am under no illusion that they can "slap Norton on these
things and call it a day". I am at least somewhat conversant with the
realities of designing complex military systems. But if the systems really are
so highly specialized, and I assume they are, that's still no excuse. At all.
If they can't keep malware off them, they have no business flying them, at
least for the time being. Which is all I was saying. I know it's not easy.

~~~
josefresco
The systems are less specialized than we all would hope. Even with our massive
budget the military is still 'forced' to use existing tech, which opens them
up to situations like this.

And if you think this little press release means anything to actual national
security, you have much to learn about our secret war against terrorism.

------
hugh3
It seems to me that a more interesting question than "how did the malware get
there?" is "why are they telling us that they found it?"

Presumably the default thing to do under these circumstances would be to shut
up about it, so the fact that they're broadcasting it to the whole world must
mean something. In any case I wouldn't take any of the details at face value
-- e.g. do they _really_ not have any idea where it came from, or are they
feigning ignorance in the hopes of lulling their opponent into a false sense
of security?

~~~
Pyrodogg
Because someone leaked it.

> “We keep wiping it off, and it keeps coming back,” says a source familiar
> with the network infection, one of three that told Danger Room about the
> virus. “We think it’s benign. But we just don’t know.”

The end of the article says they asked for an official response and were
stonewalled.

> The Air Force declined to comment directly on the virus. “We generally do
> not discuss specific vulnerabilities, threats, or responses to our computer
> networks, since that helps people looking to exploit or attack our systems
> to refine their approach,” says Lt. Col. Tadd Sholtis, a spokesman for Air
> Combat Command, which oversees the drones and all other Air Force tactical
> aircraft. “We invest a lot in protecting and monitoring our systems to
> counter threats and ensure security, which includes a comprehensive response
> to viruses, worms, and other malware we discover.”

'The military' doesn't want anyone to know; some individuals inside do.

~~~
roc
Or the military staff is leaking this to motivate the higher-up who green-lit
the contract to exert some pressure, because they have unfortunately-little
direct power themselves.

~~~
Pyrodogg
I don't think that is really an 'or' case. Either someone with authority to
disclose makes an official statement or someone lacking that authority leaks
it.

~~~
roc
I was speaking to the possible motivation for the leak.

I certainly didn't intend my reply as a counterpoint to the "if it's not
official it's a leak" point.

------
jarrett
Does anybody know what operating system the infected machines run? If it's a
Unix variant, ouch--I guess they have some really bad luck. But if this is
just an everyday virus, as opposed to cyber warfare targeting the drones
specifically, I can't help but think they might be running Windows. Air gap or
not, that seems risky to me.

~~~
rdl
That's funny.

It's Windows. Very little Unix anywhere in the DoD over the past few years on
new systems; it's mainly legacy, or embedded in products they purchase. There
are definitely some Unix server deployments within DoD even now, but they're
few and far between.

Blue Screen of Death and all.

~~~
misterbwong
Wow, can anyone confirm this? I'm surprised that the drones themselves are
running Windows. If so, I presume it's Win CE or a custom variant of it?

~~~
jlarocco
The way it works is some AF guy in Nevada remotely controls the drones flying
half way across the world.

My guess is it's not the drones themselves running Windows, but the consoles
used to communicate with the drones. It makes sense. AF guy gets to work,
plugs in his USB drive filled with music and pulls up the drone control
program...

Though, now that I think about it, I would be disappointed, but not entirely
surprised, if the drones ran Windows also. Sigh.

~~~
pcottle
No modern UAV has hardware capable of running an entire Windows installation.
Think of arduino boards; those things can control huge robotics systems and
they are very simple (and thus simple to debug). If you're designing a robot
from the ground-up, why would you scale all the way to Windows? No one is
going to be playing minesweeper inside the plane.

~~~
javert
_No modern UAV has hardware capable of running an entire Windows
installation._

I highly, highly doubt that you're right about this. If you happen to be
right, you won't be for long. It might be that nobody wants to run _Windows_,
but there is clear motivation, as well as hardware and software technology, to
have a full-scale OS on an advanced UAV.

~~~
pcottle
The google car is an exception where there is a lot of sophisticated software.
UAVs like Boeing's and even the ones you buy online (with the open source
software) are running on boards, not full-scale PCs with the ability to play
a DVD.

UAVs are very complicated in terms of technology and engineering, but the
hardware is simple because it's basically just running control loops on some
board.

~~~
javert
You're wrong to associate "UAV" with small "remote-controlled" airplanes.
There are much more sophisticated things out there, and also in the works.

------
EGreg
Terrorism is primarily a problem of technology, imho. As things become more
automated, they have a capacity to be used for both intended and unintended
purposes. If our military relies on drones, it should make sure they can't be
used against us :)

But to illustrate my main point, 1000 years ago it was impossible for one man
to destroy a lot of people. 500 years ago a man, Guy Fawkes, could use gunpowder
to blow up part of a building. Since then we invented dynamite, planes,
rockets... a society in which technology enables a small group of people to
wreak havoc on a large group of people must necessarily have more
surveillance/intelligence than one where this is not possible, if it is to
ensure the security of its citizens. I mean what is to prevent a person from
releasing a contagious virus in the NYC subway or something similar, and the
effects to show up only days later? I hate to say it but we don't know where
we're going with all this technology's potential for bad things.

~~~
saucetenuto
I've heard the modern version of this called "Moore's Law of Mad Science" -
every year, the IQ necessary to destroy the world drops by one point. In
practice it's probably exponential rather than linear, but that's not really
better.

------
civilian
Okay! Here's what the sysadmins should be doing: Each GCS should be recording
the identity & timestamp of each removable drive that is attached to it. Then
we'll have a graph of all the connections between the machines. If any GCSes
aren't infected (or if we have any information about which machines first
showed evidence of the virus) then we might be able to trace out the path of
infection. Hopefully it'll lead to patient zero, and they can figure out
whether it was intentional (charge w/ treason!) or accidental (500 push-ups).
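One way to do what this comment proposes, as an added example (not code from the article or from anyone in the thread): parse per-station USB attach records, build the graph of candidate drive-borne transmissions, and work back to patient zero and the drives that could have carried the virus in. The log format, station names and drive serials are assumed and constructed for illustration.

```python
# Added example (not from the article or this thread): trace a removable-media
# infection path from per-GCS USB attach records. All names below are constructed.
from collections import defaultdict
from datetime import datetime

# Constructed sample attach log: "<ISO timestamp> <host> attach <drive serial>"
ATTACH_LOG = """\
2011-09-01T08:00:00 GCS-01 attach USB-AAA
2011-09-01T09:30:00 GCS-02 attach USB-AAA
2011-09-02T10:00:00 GCS-02 attach USB-BBB
2011-09-03T11:00:00 GCS-03 attach USB-BBB
2011-09-03T12:00:00 GCS-04 attach USB-CCC
"""

# Constructed: when each station first showed evidence of the virus (None = never).
FIRST_SEEN = {
    "GCS-01": "2011-09-01T12:00:00",
    "GCS-02": "2011-09-02T09:00:00",
    "GCS-03": "2011-09-03T15:00:00",
    "GCS-04": None,
}

def parse_attach_log(text):
    """Return attach events as (time, host, drive), oldest first."""
    events = []
    for line in text.splitlines():
        ts, host, action, drive = line.split()
        if action == "attach":
            events.append((datetime.fromisoformat(ts), host, drive))
    events.sort()
    return events

def candidate_edges(events, first_seen):
    """Possible transmission edges (src_host, drive, dst_host).

    A drive may have carried the virus from src to dst if it was attached to
    src and later to dst, both stations are infected, and the attach to dst
    was no later than dst's first evidence (a later attach cannot be the
    cause). Detection lags infection, so src's first-seen time is deliberately
    not used as a lower bound; that would prune real paths.
    """
    seen_at = {h: datetime.fromisoformat(t) for h, t in first_seen.items() if t}
    visits = defaultdict(list)  # drive -> [(time, host)], in time order
    for t, host, drive in events:
        visits[drive].append((t, host))
    edges = []
    for drive, hops in visits.items():
        for i, (_, src) in enumerate(hops):
            for t_dst, dst in hops[i + 1:]:
                if (src != dst and src in seen_at and dst in seen_at
                        and t_dst <= seen_at[dst]):
                    edges.append((src, drive, dst))
    return edges

def patient_zero_candidates(first_seen, edges):
    """Infected stations with no plausible incoming transmission edge."""
    infected = {h for h, t in first_seen.items() if t}
    return sorted(infected - {dst for _, _, dst in edges})

def suspect_entry_drives(events, first_seen, host):
    """Drives attached to host before its first evidence: how it got in."""
    limit = datetime.fromisoformat(first_seen[host])
    return sorted({d for t, h, d in events if h == host and t <= limit})

def infection_chain(start, edges):
    """Stations reachable from start along candidate edges, breadth first."""
    order, queue = [start], [start]
    while queue:
        cur = queue.pop(0)
        for src, _, dst in edges:
            if src == cur and dst not in order:
                order.append(dst)
                queue.append(dst)
    return order

if __name__ == "__main__":
    ev = parse_attach_log(ATTACH_LOG)
    edges = candidate_edges(ev, FIRST_SEEN)
    for p0 in patient_zero_candidates(FIRST_SEEN, edges):
        print(p0, suspect_entry_drives(ev, FIRST_SEEN, p0), infection_chain(p0, edges))
```

With the constructed log, GCS-01 is the only station with no plausible upstream source, USB-AAA is the only drive that touched it before its first evidence, and the candidate spread runs GCS-01 to GCS-02 to GCS-03.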

~~~
roc
Or they could just fill all the usb ports with glue and remove the optical
disk drives, if any.

I thought the whole point of an air gap network is that nothing crosses the
gap. Having those ports/devices available is just asking for it.

~~~
ghshephard
"usb ports with glue" Keyboards, Mice, Joysticks for these systems were
probably designed with the idea that a USB bus would be available.

It will take a while to replace all of these systems with their non-USB
configurations.

Given that BlueTooth is probably a no-no as well, how would one build a system
these days that needs to support Mice, Joysticks, and Keyboards without using
USB?

~~~
roc
How about an over-cage for the physical machine?

A literal chicken-wire-style cage that encloses the PC case, with openings too
small to pass the head of a USB device.

The cage would be locked to prevent removal of the machine and have a locked
backpanel which allows certified staff to install the various usb devices --
with some sort of cage mount inside to loop the cables around, so that a tug
from the user wouldn't pull the usb connector from the machine and cause an
obnoxious number of calls to 'the guy with the key' to plug a mouse back in.

The cage would neatly deny access to any and every port or drive that may or
may not be present in one fell swoop, which would likely simplify OEM
contracts and final installation as well as increase security.

You could build the cage physically larger than the general range of whichever
flavor(s) of ATX cases are being used, so that the cages could be manufactured
in bulk without too much worry about a switch between PC OEMs causing
problems.

You could even add a screw-style bracket or two to hold the PC case firm
within the cage and put some acoustic foam pads here and there to cut down on
any extra noise.

~~~
rdl
People do this for kiosks (unattended, public use) all the time. It's a good
solution for some things.

It's easier to enforce a security policy on well-managed PCs which turn off
various ports in software (AND DISABLE AUTORUN!), vs. trying to physically
disable them, but DoD also had people go around and epoxy USB ports, or at the
very least put foil seals on them. There are problems with this, like the usb
cd-rom token things, and the attack mouse.

One of the few areas of IT security the DoD gets right is physical protection
of infrastructure (relatively). Unfortunately, it's usually basically a strong
shell with a gooey inside of software/networks, and with big pipes bringing
lots of stuff in and out of the shell constantly. Once something bad gets in,
it's kind of too late.

There's a lot of awesome new Intel stuff to make PC hardware potentially more
secure -- secure boot, CPU features, memory protection, etc. Combined with the
right OS, you could go a long way. Unfortunately a lot of people are also
against this technology because it has been used for Digital Rights Management
(DRM) anti-piracy, other privacy violations, etc. I was really against it for
those reasons, but have come to think it would on the whole be a net win for
society to have more secure IT, even if not being able to break it so easily
means some people can use computers for bad things.

~~~
vogonj
_(AND DISABLE AUTORUN!)_

on the topic of disabling autorun, there was a patch earlier this year to
disable autorun on non-shiny media by default in XP and Vista (it's already
turned off in 7.)

[http://blogs.technet.com/b/mmpc/archive/2011/06/14/autorun-a...](http://blogs.technet.com/b/mmpc/archive/2011/06/14/autorun-abusing-malware-where-are-they-now.aspx)

infections by autorun-abusing malware families dropped by over 60% as
everything got patched, and total infection rate dropped by almost half.

~~~
rdl
Never underestimate the power of defaults.

------
scarmig
"We think it's benign, but we just don't know."

Whoever this is is obviously so far out of the loop and technical domain that
everything they say should be taken with a heaping pile of salt.

I don't doubt that a virus exists, but the scope of it is likely wildly
overblown. At least, there's no reason to actually think it's some military
grade virus that is impossible to eradicate that intercepts all communications
with the drones.

------
pavpanchekha
Perhaps the fact that our computer systems are now of military importance and
the fact that a security hole can mean deaths and international relations
disasters will finally lead to people taking a good look at verified
computing. Where a virus doesn't mean outsmarting some forgetful C programmer
but is mathematically impossible.

Or not, it was just a bug, we'll fix it this one time and pretend it will
never happen again. Worse is better, as they say!

~~~
dmoney
How can a virus be mathematically impossible? And what if there's a bug in
your math?

~~~
pavpanchekha
To answer your two questions, it is possible to mathematically prove, using
certain tools that are admittedly rather academic (my argument is that we
should consider using them more), that certain behaviors are impossible in a
program. For example, a buffer overflow, or some form of data leak. This has
been done, though admittedly not to programs anywhere near as complex as, say,
the Windows kernel.

And, if there's a bug in your math, you will, of course, have some bug.
Garbage in, garbage out. But! You can write your mathematical proof in such a
way that the computer checks it for you (for example, static typing is a weak
form of this). So all you need to have faith in is that program. Now we've
exchanged faith in all programs to faith in one program. Which is an advance.
But then we can formulate a proof that that program is correct in its own
proof language. We hand-check this proof once, and then from then on the
program can check later iterations of itself.

That's the dream, anyways. Some of the machinery to do this is available
today, but some not.

------
bitstream
This seems about as random and undirected as Stuxnet magically appearing at
five Iranian nuclear plants.

------
mindstab
next up: "Virus ridden US attack drones strafe US cities" "Iran strikes back
for virus that temporarily crippled nuclear infrastructure"

Though really the drones probably live in middle east so it'd be more like
drones would go berserk in a US military bases in middle east and kill troops
or attack innocent foreign civilians drumming up more anti American sentiment

"Americans use drone to assassinate Afghan president"

~~~
sliverstorm
No, the headline would be "Americans use drone to murder hundreds of
civilians". It would make us look even worse, and judging by the history of
suicide bombers, the Taliban or whoever would not hesitate.

Edit: This may be a bit of a cynical view, but if you believe I'm actually
_wrong_, I'd like to hear why.

~~~
user9756
Eh, guys. I may be off here, but isn't the problem that the US use of drones
_is_ killing civilians ("collateral damage")? And that is what is currently
making people living there very sad and angry.

------
runjake
Clarification: It's infecting the control station computers (which I believe
are still Windows XP), not the UAVs themselves.

~~~
roc
Those computers have access to every bit of data coming from the UAVs and
every bit of control data going _to_ the UAVs. So the fact that the
compromised machine is in Nevada and not over Pakistan is pretty close to
irrelevant.

Unless you want to make the argument that it's far _worse_ for the ground
control systems to be continually reinfected, as they have access to the rest
of the air-gapped private network as well.

~~~
runjake
You don't need to tell me about the systems. I worked on them.

It's far less worse that the control stations are infected as opposed to the
aircraft themselves. It's pretty easy to shift control stations for a UAV.
It's not so easy to regain control of a malfunctioning UAV. So, far from
irrelevant.

That said, I was merely clarifying a common misinterpretation people were
getting from the article.

------
wrs
Hang on a minute... (a) You have malware on a computer on a secret network and
you try to _remove_ it? Shouldn't that be an automatic "shred the entire
machine and start over" situation? (b) Flight suits? Really?

------
munin
the quote used from the source seems to mean they don't know anything. a
keylogger is benign? by what definition of benign are we operating under here?

downside of things being "off the record" is this could be someone who
overheard two guys talking about something unrelated in the cafeteria, put "two
and two" together, and picked up the phone. and since you can't get an
official line ... you just run with the rumors and BS

~~~
bostonvaulter2
Well if the keylogger is on an airgapped network it would be relatively hard
for it to get data off of the network, so some might call it "benign".

~~~
rbanffy
unless, of course, it's designed to leak data out of the airgapped network
when the next USB stick is connected...

------
saturn7
Wait, wait, this is my fav part: "At first, they followed removal instructions
posted on the website of the Kaspersky security firm. “But the virus kept
coming back,”" They have access to the same information my mom does? Don't
they have their own people for stuff like that? Seriously, Kaspersky isn't
exactly the best antivirus program in the world, and from their own website:
"The company’s headquarters are located in Moscow, Russia". The US military uses a
Russian antivirus company for help with military security.

------
joeybaker
It would be great if Ars had used its security and technical staff to tell us
if this is a problem or the minor annoyance that the military says it is. The
article amounts to little more than a summary of the drone program and a bit
of "he said she said"
<http://archive.pressthink.org/2009/04/12/hesaid_shesaid.html> reportage.

~~~
brown9-2
How could they do that analysis without having the virus or other data
firsthand? They can only report what they have.

~~~
joeybaker
Analyse what they know:

1. It's a keylogger
2. They've been aware of it for weeks
3. They admit that they can't seem to beat it
4. These are isolated systems and it's likely that the attack was via USB drives

Based on those facts, is it likely that this is benign? Are there known
viruses that fit this pattern? Who's in charge of this project, and what do
they say about it? Is it SOP for viruses to be able to completely beat
military security for weeks? What are the possible security breaches? Why
attack this part of the system?

There's a lot of questions that could and should be asked. Instead, Ars just
repeated history and summarized the press release.

~~~
wanorris
1. As reported upthread, there was no press release to summarize. This was a
story built on leaks from anonymous sources.

2. This is a Wired story republished on Ars, not actual Ars reportage.

I certainly agree that additional commentary from security researchers would
be welcome, however.

------
nickolai
I'm not worried. It's the military. They'll soon come up with a "Feynman can
open our safe locks? Don't allow Feynman near the safe locks!" kind of
solution.

~~~
orenmazor
the worst part about this mentality is that whatever process/documentation
they come up to "solve" the problem will make life 10x more difficult for
everybody and cost a lot of time and money.

------
FrojoS
_in what has become the US military’s most important weapons system._

Seriously? Already?

~~~
mturmon
People in this thread would enjoy reading the following excellent short review
of what drones are doing and their implications:

[http://www.nybooks.com/articles/archives/2011/sep/29/predato...](http://www.nybooks.com/articles/archives/2011/sep/29/predators-and-robots-war/)

The statement you quote is impossible to rate as true or false. But here's a
fuller quote from the article above:

"But there are also quite a few things about drones that you might not have
heard yet. Most Americans are probably unaware, for example, that the US Air
Force now trains more UAV operators each year than traditional pilots. [...]
As I write this, the US aerospace industry has for all practical purposes
ceased research and development work on manned aircraft. "

------
colanderman
"Eventually, the technicians had to use a software tool called BCWipe to
completely erase the GCS’ internal hard drives."

You mean they paid $40 a license for _dd if=/dev/zero of=/dev/sda_?

(I know BCWipe is a secure delete tool. But a computer virus can't perform
forensic analysis of your hard drive.)

------
shabble
From _Rule 34_ [1]:

 _Ever since Filipino Jemaah Islamiyah hackers pwned an MQ-9 Reaper and zapped
the governor of Palawan with USAF-owned Hellfire missiles, the Americans have
gone back to keeping a human finger on the trigger: not because a state
governor from a foreign country was killed, but because of who was in the
armoured limousine right behind him. (The prospect of having to utter the
term_ collateral damage _in the same sentence as_ President of the United
States _before a congressional enquiry had focussed a few minds.)_

[1] [http://www.amazon.com/Rule-34-Charles-Stross/dp/0441020348/c...](http://www.amazon.com/Rule-34-Charles-Stross/dp/0441020348/charlieswebsi-20) (his referral tag, not mine)

------
0x12
Disinformation at work.

Either that or gross incompetence but my money is on the former.

------
LiveTheDream
One solution could be to keep machine images stored, like AMIs, and use a tool
like Chef or Puppet to re-deploy a known good configuration. This strategy
lends itself to the case where everything is virtualized.

Of course, the source of the infection could be really nefarious. For example,
imagine if someone replaced a keyboard with one that delivered a payload
(trojan, keylogger, etc) when it is plugged into a computer's USB port? Then
reformatting the hard drive does nothing because it will immediately be
infected again.

~~~
bonzoesc
> One solution could be to keep machine images stored, like AMIs, and use a
> tool like Chef or Puppet to re-deploy a known good configuration.

It's probably Norton Ghost, and I'd put $5 on the Ghost image being cooked
bad.

------
7952
The article says that USB keys are used to move data on to the system from
other networks. If this is true it would be better to assume that all data
from that other network is bad, and require it to be serialized in a
non-executable format. The software then needs to validate the data against a
schema. This is something websites have done for years and is very basic.

The mistake that is made here is to assume that a network can ever be secure.
It is like assuming that no one will ever pee in a swimming pool.

------
svag
I suppose the virus is one of the 18 keyloggers that the virus encyclopedia of
Kaspersky has...

[http://www.kaspersky.co.uk/find?objs=virus&words=keylogg...](http://www.kaspersky.co.uk/find?objs=virus&words=keyloggers)

------
Hyena
How difficult would it be for the DoD to make an OS just for themselves with no
public distribution or documentation? That seems like the permanent solution
here.

~~~
astrofinch
Well they'd also have to port Microsoft Office, etc.

------
ajays
So all that terrorists have to do is commandeer a drone (thanks to this virus)
and then they can rain terror anywhere they want? This is scary.

~~~
brown9-2
That's a bit like saying all a terrorist would need to do to seize control of
an ICBM is to infect the missile base with a virus. It's not _that_ easy.

~~~
ajays
They have infected the control computers, and the keylogger (and mouselogger?)
is logging all the commands being given. If they can come this far, how
difficult is it to, say, insert spurious "fire" commands? Or redirect the
drone to some other place?

~~~
brown9-2
My point was that there isn't any indication from this report that the drones
were purposefully infected. Random infections are probably inevitable due to
probabilities, but deliberate ones seem quite a bit harder.

------
NHQ
How to turn your enemy's weapons against him.

------
Havoc
Try disabling autorun for USB drives. These guys don't sound qualified to fly
a paper plane let alone drones...

------
ck2
Oh please tell me they aren't running Windows.

Just wait until the cops start using these in the USA for "crowd control" ugh.

~~~
brianobush
Probably are... mission control at SpaceX has many Windows terminals.

~~~
kakali
What does this have to do with SpaceX? They're not DoD and they don't fly
drones.

~~~
brianobush
They obviously fly satellites into low-orbit on contract for the govt. My
point was control of expensive/dangerous things - by (or for) the govt with
potentially dangerous sw.

------
code_duck
If this was true, the last thing they would do is put out a press release
about it.

------
perlgeek
So they wipe it off without actually patching the exploit which the virus
uses...

------
kmil
It scares me thinking that mortal drones are running on Windows.

------
nazgulnarsil
BULLSHIT, this is covering ass for future liability.

------
bilban
Attack of the drones.

------
noduerme
“We think it’s benign. But we just don’t know.” Lol. Yes, when all else fails,
just assume that the military-grade, impossible-to-erase virus is harmless.
Hasn't done any damage yet, right?

This is the problem with rigid hierarchies. Everyone just passes the problem
to someone else until the whole thing blows up. In this case, literally.

------
shareme
So why does a secret operation want it known that it is open to computer viruses?

I submit this is a Black Flag operation story.

------
tomjen3
This is going to be fun when somebody figures out how to shoot somebody with a
virus-based Predator.

Next time think twice before antagonizing your local geek :)

