Hacker News new | past | comments | ask | show | jobs | submit login
Computer virus hits US Predator and Reaper drone fleet (arstechnica.com)
369 points by llambda on Oct 7, 2011 | hide | past | favorite | 192 comments

Like hugh says, this doesn't add up at all.

“We keep wiping it off, and it keeps coming back,” says a source familiar with the network infection, one of three that told Danger Room about the virus. “We think it’s benign. But we just don’t know.”

C'mon. You're the military. "It just keeps coming back?" So you decide to do a press release about it? Please.

I wouldn't have whined like that when I was de-malwareing neighbourhood PCs at age 13, I would have fixed it. If I can successfully keep malware off the PCs of middle aged parents with teenaged children, then the government capable of developing and operating fleets of unmanned military drones can certainly isolate a network and disable the USB bus.

There is definitely some high level shit going on right here. I doubt we'll know about it for many years, if ever.

I don't know how I can be any more clear here:

If they are not smart enough to keep malware off of what should be the most secure systems around, perhaps they shouldn't be building the fricking FLYING REMOTE-CONTROL DEATH MACHINES for a while, until they can figure out the basics.

Capisce, guys?

I am totally with you. If software is going to operate deadly weapons, it sure as hell better be secure.

But you are glossing over a LOT of detail here. The military doesn't work like Apple: they don't design, oversee, or directly control the construction of the hardware they use. And they shouldn't - the government is woefully inefficient at building products, that's what corporations are good at.

Here's the situation:

- The Air Force contracts General Atomics Aeronautical Systems to build UAVs. You can bet your ass the contract covers things like "protected from malware"

- General Atomics contracts out the different components of the UAV. No device worth $150M gets built by one company alone. The radar, the metal shell, the inside components, and each component of the software are all made by different companies.

- Each component is meticulously specified and rigorously tested. The makers of a component is contractually liable if they fuck up, giving them an incentive to do it slow & right. That's why it's so damn expensive.

- General Atomics puts the pieces together into the final product and delivers it to the Air Force after another round of rigorous testing.

- A team of guys in the Air Force are trained on operating the UAVs to deploy on missions.


So to say something like "Ugh, military, don't deploy UAVs if you can't keep it virus free!" is an oversimplification. These are extremely complex machines, with highly specialized embedded software, meant to deliver explodey things with extreme precision, while being operated from very far away. You can't just slap Norton on these things and call it a day.

teej, I assure you, I am under no illusion that they can "slap Norton on these things and call it a day". I am at least somewhat conversant with the realities of designing complex military systems. But if the systems really are so highly specialized, and I assume they are, that's still no excuse. At all. If they can't keep malware off them, they have no business flying them, at least for the time being. Which is all I was saying. I know it's not easy.

The systems are less specialized than we all would hope. Even with our massive budget the military is still 'forced' to use existing tech, which opens them up to situations like this.

And if you think this little press release means anything to actual national security, you have much to learn about our secret war against terrorism.

>The military doesn't work like Apple: they don't design, oversee, or directly control the construction of the hardware they use.

they are just wined and dined by the contractor when they should be directly overseeing and controlling.

>And they shouldn't - the government is woefully inefficient at building products, that's what corporations are good at.

Starting at some architectural level, many DoD systems is a just one-off system, not a product.

>they are just wined and dined by the contractor when they should be directly overseeing and controlling.

There are actually very strict controls on how much government personnel are allowed to accept from contractors. IIRC, the limit is something like $20-$50 per year in gifts. When contractors host large events with catered lunches, they put out bowls or some other sort of receptacle so that government personnel can pay for their lunch, otherwise it would count towards that annual limit.

Enforcement at the level of "you didn't pay for that six-inch sub and can of coke" is not really practical, but quite a few government personnel have gone to jail in recent memory for accepting more lavish gifts from contractors.

Now, if you send your lobbyists to buy expensive meals for legislators (you know, the ones who actually decide how the money gets spent) and write them big checks, that's generally perfectly legal.

Perhaps they shouldn't use a platform that runs Norton in the first place?

I suspect that under it all, you'll find an unpatched XP or even Win2000.

I guarantee UAV's are not running XP or Windows 2000. The government has heard of things called RTOS.

But the computers controlling the Drones seem to be running some sort of Windows variant. There's no real need to control the drones directly if you can control the computer that controls the drones.

The UAV itself will have a computer running a commercial RTOS. The computer on the ground which the operator sits and and uses to interact with the UAV is almost certainly a Windows box. And as someone else said, the military's way of securing Windows machines like those has traditionally been not to hook them up to a network in the first place, instead of installing anti-virus software. That actually worked really well until portable USB devices came along. The result is that the military is only now getting up to speed on securing these types of computers; it's not that they're dumb about computers, it's that in the past they dealt with the threat operationally rather than technically.

USB flash drives are banned DOD-wide. Most DOD computers are setup up to not even mount them when they are plugged in.

Unless policy has changed dramatically since I was in USB drives can be used after they have been classified, properly marked, and scanned. That being said policy and reality are very different beasts. While deployed we had exactly 0 instances of malware/virus on our unclassified NIPRNet devices and at least 2 dozen malware/virus outbreaks on our SIPRNet machines. Usually these came about from the fact that those on SIPRNet tend to be of higher ranks and "above the rules" just like in a corporate structure. The other common offenders where MI and Signal geeks who "knew" better and assumed that their stuff couldn't possibly be infected.

I was told recently by someone working with DoD equipment that although USB flash drives were banned, certain USB hard drives were still OK. He was telling me this because it was so hilarious and alarming.

I was talking to a guy who makes "encrypted" USB drives at the NSA TCC recently. It sounded scarily hand wavy to me. I was asking, "but where is the key stored" and he tells me with a straight face, "right on the drive".

Couldn't it work so that the key used to encrypt the files is stored on the disk, encrypted using a password as a key?

No, it was just "plug and play" not auth necessary as far as I could extract from him. Plain "check box" encryption.

My experience with these is that you must either use your PKI certificate or a password as the key to decrypt the drive. The default configuration is generally to use the PKI certificate on the chip embedded in your ID card. Since you have to have that card in your computer to be logged in to begin with, using it to access other stuff is essentially effortless.

The hard drive has to be scanned by an administrator before you're allowed to use it (not sure what this process entails). It also has to be encrypted, and won't mount unless it is encrypted with the proper DOD-approved software.

As far as I know, SSDs are not allowed, only magnetic drives.

Unfortunately, most cell phones charge from a USB port.

You can actually still do that: drawing 5V doesn't require the phone to mount as a drive.

So, what happens when a virus on the phone tells it to pose as a CD drive, and install a keylogger?

I'm pretty sure it won't mount that, either. The only external storage they'll mount are external hard drives that have been encrypted with their approved software.

The Social Engineering Toolkit's keyboard based malware deployment engine for Teensy could be repurposed for use on other USB devices.

I thought that was only common among smartphones.

If the drones are not running Windows, then why are they following virus removal instructions on Kaspersky's site?

The operating system the drones run and the control software are different. A RTOS does not run on the desktop as XP is not used on UAVs.

I wouldn't be so sure about that.


And, have you seen all the computers necessary to carry out a drone operation? I guarantee you not all of them are running an RTOS. Probably not even all of them onboard the drone.

The article is from 1998. Please forgive me if I don't see it as framing the situation of today.

Military acquisitions take a long time. To give one example, I know for a fact that there are airplanes flying right now that use DEC Alphas to control their weapons systems. Those planes first came into use in the early 2000's. An older version of that plane is still in use, and will be for several more years; you don't even want to know what it's using.

>I guarantee UAV's are not running XP or Windows 2000. The government has heard of things called RTOS.

Of course. There is Windows NT for _that_ :


Soft real-time systems aren't used for things like drones. Look at things like INTEGRITY from Green Hills for that sort of task: http://www.ghs.com/customers/bae_herti.html

"You can't just slap Norton on these things and call it a day"

No, you can't - you have to slap Symantec Critical System Protection on them. /Then/ you can call it a day.

It really shouldn't be so hard to put a TPM in autonomous killer robots and only let digitally signed code run. That should make it much harder for hackers.

How do you know you could trust the code in the first place?

There are hundreds of thousands of machines and millions of removable drives. Tracking down every last instance of a piece of malware and then dealing with it is quite hard at that scale. Usually they fall back on policy ("no usb/removable drives")

They're handicapped by a need AND compulsion to use contractors for everything. Actual government employees didn't build drones; they were all developed and in many cases largely maintained and even operated by private contractors, working to government requirements (which themselves are structured to make the contractors inefficient, compared to normal commercial companies). Same thing with networks.

If I'm ever in charge of a PC capable of firing guns at people, then at a bare minimum I would disable the USB bus entirely, I probably wouldn't fit a NIC either. I'd also definitely install some of that software that makes the HDD read only and transparently passes through all writes to RAM. Fuckit, if I'm the US military I'd develop such a device in hardware. Send the recorded video/telemetry data to a write-only volume.

It's not that hard.

But anyway, my point was that I don't for a second believe that they're this incompetent, there must be other factors at play.

"I would disable the USB bus entirely" So how would you support Mice, Keyboards and Joysticks? And how long would it take you to retrofit all of the some 100K+ PCs rated "secret" or above in the Government?

I'd attach them to the PCIe bus somehow, or otherwise wire them straight into the motherboard.

Let me remind you that this computer can fire missiles at people, and has a potentially unlimited budget.

It does not have a potentially unlimited budget. As was mentioned above, these are often contracted third parties who develop the systems. They put in bids on government jobs and undoubtedly have their own margins to look after. Once the job is awarded, my understanding is that you can't change the price-tag it was awarded at. (At least, not easily)

The individual contracts have limited budgets, but if there were a DoD or Government-wide instruction that all systems meet a specific security standard, all contracts would be amended (cost increased along with scope) to comply with that standard. There's very little external pressure to constrain the maximum possible IT and IT security spending within government, especially the military.

The costs of good vs. bad IT security are actually not terribly significant in the context of the overall defense budget, either.

It's really a failure of process and vision, not resource constraint. Government IT and IT security used to lead industry; now consumers especially and even enterprises are more advanced than government.

you can disable any removable device, except the drone itself which seems talking back to the base using [non-encrypted] regular TCP/Ethernet and thus is a very plausible vector of continuous re-infection. The problem is well known and dates several years back:


I remembered that article and it was the first thing I thought of too, and also why it hadn't been fixed. It's all about steak and strippers man.

Seriously? Have you ever worked on a PCIe bus device? They are hard to design, hard to test, and in general quite expensive. You're not going to build PCIe keyboards and mice that cost 10,000x COTS. That would at the very least cost someone their political career. (And the people who are making the decisions think about it that way, whether you want them to or not.)

>It's not that hard.

eye roll

It's hard (in an engineering sense) at that scale, but certainly not impossible, and easier than a lot of engineering problems the world has solved. It's harder because DoD is actively being attacked, but easier because they have a near-infinite budget.

The thing which makes it hard is humans, politics, and economics -- there is a huge amount of CYA with respect to vendor choice (hence, they're a huge Microsoft/Cisco shop), lots of little fiefdoms, an "up or out" promotion policy combined with people being in leadership roles for short periods (with minimal prior background), and lack of real accountability.

The Microsoft-ness isn't enough to kill them on its own; look at the Israeli military, which is also heavily Microsoft based, and has world-class computer security.

It's not that hard if you have a top notch engineer in charge and give him whatever he needs to get the job done.

If you have a good engineer or a great engineer but any kind of bureaucracy, yes, it's near impossible.

google - top notch engineers, given whatever they need to get the job done, no bureaucracy, still get owned?

If you're talking about the China hacks, they were using ie6. I'd argue that would preclude the "top notch engineer" label.


Use-after-free vulnerability in Microsoft Internet Explorer 6, 6 SP1, 7, and 8 on Windows 2000 SP4; Windows XP SP2 and SP3; Windows Server 2003 SP2; Windows Vista Gold, SP1, and SP2; Windows Server 2008 Gold, SP2, and R2; and Windows 7



"Microsoft thanks the following companies for working with us and for providing details of limited, targeted attacks against customers of Internet Explorer 6:

Google Inc. and MANDIANT; Adobe; McAfee; French government CSIRT (CERTA)"


also needed: no users.

Bespoke hardware for government agencies with unlimited budgets is nothing new.

I think for single-purpose machines (like "control a UAV"), custom hardware makes a lot of sense, even for commercial operations. Unfortunately custom hardware usually ends up being a Windows box in a weird case, with some buttons connected over...USB.

A requirement that all components of the TCB be FIPS 140-2 level 3+ for anything which is routinely used in combat operations would please me, I think. Right now that's just for the crypto modules themselves.

How does the PC make the drone 10,000 miles away fire the missiles once you take the NIC out?

I'd phone up the people who'd designed me my multimillion dollar bespoke unmanned laser-accurate weapons delivery platform, and ask them if they fancied whipping me up a quick encrypted serial protocol for a couple of extra million dollars on top.

The difference between the military and the neighborhood computers you used to assist with are the military has to deal with a plethora of entry points for viruses, and can't scrub every USB thumb drive that is at home rather than at the office. I get the feeling that you've not been doing this for 10-12 years yet. Am I right?

The hospital my dad works at, and all other hospitals in this area of the UK, all the machines have the USB ports disabled. All laptops issued by the local Health Authority have the USB ports/bus disabled. They had issues with worms, twice back in the early 00s, and after that all removable storage was banned.

If it's good enough for the NHS, it's good enough for uncle sam.

It seems pretty trivial to me just to string the cabling into a lockbox with the computer inside to prevent people from screwing around with your ports.

That said, i'm not in charge of physical security of anything. I'm sure the guys with missile launching computers figure anybody that can get to the secure terminal is trustworthy.

(Shrug) I just wouldn't use Windows. What's wrong with VxWorks for this type of thing?

then the general will tell you "y'know the boys tell me that their job would be easier if they could listen to pandora on this puppy. i order you to connect it to the internet. if you don't comply, i'll have you arrested."

have fun!

Despite being as fucked up as it is, that's not how the military works.

no not entirely, but a lot of assed up things (especially with compusec) can happen because a 4-star wills it so.

> Tracking down every last instance of a piece of malware and then dealing with it is quite hard at that scale.

Sure, it's hard. But it's the fucking military. Figure it out.

US hacks other countries war machines with targeted virus: brilliant!

Other countries hack US war machines with targeted virus: man, I couldda stopped that shit easy.

This is consistent. The assumption is that defense will be top notch. Therefore attacking is hard and defending is, if not easy, solved.

Wired article citing anonymous sources != press release

This reminds me of that other news story from 2009 claiming that people were intercepting drone video feeds with $30 of software.


There is definitely some high level shit going on right here.

Such as: they discovered and disabled the virus but are still sending fake info over the virus's communication channel and want the Chinese/Iran/whoever to think it is still working?

That sounds much better than a technically incompetent military with dangerous toys.

Are you so surprised? Have you worked with the military security and computer specialists? There are some good people but there lots of HBGary types...

The "problem" is that people want to actually get stuff done. Security vs. availability is always the conflict. Perhaps the USB is being used to bring in the latest maps, perhaps it's being used to bring in mission orders, who knows. Unless you understand the system, it's absurd to say the equivalent of a military 13 year old can fix it.

> So you decide to do a press release about it?

The military deny this is happening, the info is from somebody leaking to the media - probably frustrated with what is going on.

It seems to me that a more interesting question than "how did the malware get there?" is "why are they telling us that they found it?"

Presumably the default thing to do under these circumstances would be to shut up about it, so the fact that they're broadcasting it to the whole world must mean something. In any case I wouldn't take any of the details at face value -- e.g. do they really not have any idea where it came from, or are they feigning ignorance in the hopes of lulling their opponent into a false sense of security?

Because someone leaked it.

> “We keep wiping it off, and it keeps coming back,” says a source familiar with the network infection, one of three that told Danger Room about the virus. “We think it’s benign. But we just don’t know.”

The end of the article says they asked for an official response and were stonewalled.

> The Air Force declined to comment directly on the virus. “We generally do not discuss specific vulnerabilities, threats, or responses to our computer networks, since that helps people looking to exploit or attack our systems to refine their approach,” says Lt. Col. Tadd Sholtis, a spokesman for Air Combat Command, which oversees the drones and all other Air Force tactical aircraft. “We invest a lot in protecting and monitoring our systems to counter threats and ensure security, which includes a comprehensive response to viruses, worms, and other malware we discover.”

'The military' doesn't want anyone to know; some individuals inside do.

Or the military staff is leaking this to motivate the higher-up who green-lit the contract to exert some pressure, because they have unfortunately-little direct power themselves.

I don't think that is really an 'or' case. Either someone with authority to disclose makes an official statement or someone lacking that authority leaks it.

I was speaking to the possible motivation for the leak.

I certainly didn't intend my reply as a counterpoint to the "if it's not official it's a leak" point.

An unauthorized leak out of a secretive program disclosing a major vulnerability? That sounds very court-martialable. Especially considering the presumably small number of people who would know about it, and hence the high probability of the leaker getting caught, I find it hard to imagine anyone would risk it, let alone what their motivation for doing so would be. And especially not three different people.

Nope, I don't think the USAF leaks anything like this unless it means to.

They announced the big "jihad on all USB drives" back in 2009. There were factory shinkwrapped USB drives for sale on base which came pre-loaded with viruses; people would buy those, mark them as Secret, put them on SIPRnet, and then machines would be infected. It was lulztastic, actually.

I think once something hits a large enough scale, they announce it; it's the easiest way to communicate to the affected DoD community (military, contractors, etc.), at which point it is basically public knowledge.

Wow, that's crazy. Do you have a link for that?

It's a leak, not an official comment.

The official comment about the incident from the story is:

“We generally do not discuss specific vulnerabilities, threats, or responses to our computer networks, since that helps people looking to exploit or attack our systems to refine their approach,” says Lt. Col. Tadd Sholtis, a spokesman for Air Combat Command, which oversees the drones and all other Air Force tactical aircraft. “We invest a lot in protecting and monitoring our systems to counter threats and ensure security, which includes a comprehensive response to viruses, worms, and other malware we discover.”

Perhaps. But in modern politics, diplomacy, etc., intentional strategic "leaks" are a common practice, for many reasons.

And considering how kindly they looked on some of the mundane stuff revealed by wiki leaks debacle...I'd definitely assume this intentional.

Maybe they anticipated a leak and wanted to get out in front of the story.

Does anybody know what operating system the infected machines run? If it's a Unix variant, ouch--I guess they have some really bad luck. But if this is just an everyday virus, as opposed to cyber warfare targeting the drones specifically, I can't help but think they might be running Windows. Air gap or not, that seems risky to me.

That's funny.

It's Windows. Very little Unix anywhere in the DoD over the past few years on new systems; it's mainly legacy, or embedded in products they purchase. There are definitely some Unix server deployments within DoD even now, but they're few and far between.

Blue Screen of Death and all.

Wow can anyone confirm this? I'm surprised that the drones themselves are running windows. If so, I presume it's win CE or a custom variant of?

The way it works is some AF guy in Nevada remotely controls the drones flying half way across the world.

My guess is it's not the drones themselves running Windows, but the consoles used to communicate with the drones. It makes sense. AF guy gets to work, plugs in his USB drive filled with music and pulls up the drone control program...

Though, now that I think about it, I would be disappointed, but not entirely surprised, if the drones ran Windows also. Sigh.

Well, there was that case maybe ten years ago of the nuclear carrier that had to be towed back to port after a BSoD killed it dead in the water; its control systems all ran Windows.

> On 21 September 1997, while on maneuvers off the coast of Cape Charles, Virginia, a crew member entered a zero into a database field causing a divide by zero error in the ship's Remote Data Base Manager which brought down all the machines on the network, causing the ship's propulsion system to fail.


Wow. Reading more of the wiki article (and linked sources) reveals that the actual towing to port is a contested issue. Noone denies that a /0 error killed the whole ship though.

Ok I don't feel so bad now. I was stationed on a nuclear carrier and one day I accidentally deleted the entire supply/logistics/personnel/maintenance database cluster.

I mean come on, the menu option was labeled "Re-index databases". I thought it would make it go faster :)

I ended up just making something up and restoring from backup.

So the problem was actually the data validation logic in the application, allowing invalid data to get into the database (and why no constraint on the database field?) coupled with no exception handling on a division operation (always a red flag). None of that has anything to do with Windows, really, but it's an easy cheap shot to take.

No modern UAV has hardware capable of running an entire Windows installation. Think of arduino boards; those things can control huge robotics systems and they are very simple (and thus simple to debug). If you're designing a robot from the ground-up, why would you scale all the way to Windows? No one is going to be playing minesweeper inside the plane

No modern UAV has hardware capable of running an entire Windows installation.

I highly, highly doubt that you're right about this. If you happen to be right, you won't be for long. It might be that nobody wants to run Windows, but there is clear motivation, as well as hardware and software technology, to have a full-scale OS on an advanced UAV.

The google car is an exception where there is a lot of sophisticated software. UAV's like Boeing's and even the ones you buy online (with the open source software) are running on boards, not full-scale PC's with the ability to play a DVD.

UAVs are very complicated in terms of technology and engineering, but the hardware is simple because it's basically just running control loops on some board.

You're wrong to associate "UAV" with small "remote-controlled" airplanes. There are much more sophisticated things out there, and also in the works.


spoilers: Microsoft has a significant enterprise support organization, which the military is probably already dealing with, and Windows scales farther down than you'd think.

> why would you scale all the way to Windows?

For the only reasons such stupid thing happens: the clueless manager wants the machine to run a modern OS and thinks Windows is the most modern OS out there.

post-downvote edit: I am saying nothing about viruses like Stuxnet, designed as weapons tailored to infect specific systems, for which no OS would be safe, but how brain-dead is it to design critical systems that control airborne weapon systems around an OS that's vulnerable to each and every piece of malware known to man?

I'd say you're being downvoted because you're rather clueless about the qualifications of the manager designing unmanned drones.

Now I am curious. Why would Windows end up in such a system? I would expect an RTOS like QNX (which is not that hard to program).

I agree I am more familiar with corporate IT disasters where some pointy-haired boss decided Windows was the way to go instead of what would be the optimal choice, but I always expected flight-control software to be built with a great amount of attention to every detail.

"The way it works is some AF guy in Nevada remotely controls the drones flying half way across the world."

Not entirely true. They (can and do) use closer locations: http://www.military.com/news/article/report-secret-drone-bas...

Well the ISS uses windows [1] and there were reports of malware getting up there. They also had driver compatibility issues and were rebooting the systems that controlled the gyros a lot. One would think you could just write a mil-spec OS for their computers but government, and more specficially government procurement, doesn't really work that way.

[1] http://www.zdnet.com/blog/security/malware-detected-at-the-i...

There's no virus on the ISS. It was on the laptops the crew carries around. Big difference. The control systems of the ISS aren't windows.

To refute your statement that the control systems of the ISS aren't windows, there was a story in wired [1] where it talked about Windows problems on the station's on board computers. They linked to the commander's log [2] which mentions the NT problems. Generally infrastructure issues with specific software and such is redacted from this log for national security reasons but this tidbit survived apparently. The speculation from wired was "The network appears to be a mix between IBM AIX (Unix) and Windows NT servers and Russian laptops running an unspecified operating system." which correlates with what folks I know at NASA have hinted at as well.

[1] http://www.wired.com/science/discoveries/news/2001/04/42912?...

[2] "At about 2200, we were reconfiguring some mail files which, with a lot of help from Windows NT, got put in the wrong place during the backup procedure. When we finished restoring the files, the network was down and would not come back up. We worked this for several hours. Finally, jiggling some cables brings just a part of the net back. (that really instills confidence in the stability of your network)." - from http://spaceflight.nasa.gov/station/crew/exp1/exp1shepmarfeb...

I still disagree. 'Mail files' could be anything. Local mail clients on those laptops they carry on the ISS. It sounds like they have a local LAN which is not any type of control system. Most likely the ISS is run by some RTOS. Its typical in aircraft and ships and power plants to have a unsecure network for things like workstations and completely separate and often incompatible network for control systems. All the mail servers could crash and every laptop infected, but the ISS control systems would be fine.

Yes, we all know they use Windows on their workstations and it was assumed they had a file/mail server too. Why wouldn't they?

You can use differing definitions for "what the ISS runs" but a mail server is not a control server and its disingenuous to keep insisting it is. Its purposeful misdirection like this that leads Joe Sixpack into thinking the spaceships get viruses a la Independence Day and hacker kiddies can whistle a virus that'll send the ISS crashing into the Earth.

The control systems run XP, Vista, or maybe Windows 7 (not sure about 7 yet). This is true of almost all military desktops, and all office automation servers, and most specialized servers (well, Windows Server 2003/2008).

I'm not sure what OS is on the aircraft; I think it's probably a RTOS for flight control and possibly separate processors (running whatever) on a bus for sensor packages. A lot of UAVs have interchangeable sensors, and sometimes a special camera, electronics package, etc. costs more than the airframe, is developed independently, etc.

There are tens (hundreds worldwide?) of UAV platforms in the US military, ranging from tiny little throwable tactical systems up through almost U2-sized "real aircraft, minus a pilot" like Global Hawk.

I know the F22 runs windows on top of a RTOS. I imagine many other planes and such are similar.

I have never heard of a drone running anything other than an RTOS. However the ground stations for command/control/monitoring are typically run on traditional Windows-OS machines.

If the drone is running a RTOS, wouldn't the GCS need RTOS-like reliability as well to communicate with it? That's all I can say (I think)

No. Windows boxes can communicate to an RTOS like VxWorks over a network just fine.

The level of performance needed in the GCS is even less than you might think, too -- for most of the UAVs, you don't have direct flight controls -- it's more like a naval ship, where you instruct it to go to certain altitude and fly a flight path you plot on a map. Some of them have more stick/rudder style controls, mainly for landings, which are often controlled by another operator physically at the launch/recovery site (and who might be a contractor vs. soldier/airman).

it's more like a naval ship, where you instruct it to go to certain altitude and fly a flight path you plot on a map.

Woah, what Navy has ships like that? Bowser's navy?

But yah, I know what you're talking about.

I don't know myself but I'm willing to bet for sure it's Windows. DoD contractors prefer hardware that has simple-stupid .NET libraries, you won't find Linux drivers for most of it, nor a developer that can separated from the cozy comfort of Visual Stupio.

I would think about this for a second; the DoD doesn't manufacture, produce, or design these systems. They contract that out. Considering that General Atomics Aeronautical is a smaller defense company (relative to other ones), I'm sure they could make their own decision about what OS to run on the planes and on the ground. That's all I can say...

> Blue Screen of Death and all.

Remember: for the military, death is just business as usual.

Terrorism is primarily a problem of technology, imho. As things become more automated, they have a capacity to be used for both intended and unintended purposes. If our military relies on drones, it should make sure they can't be used against us :)

But to illustrate my main point, 1000 years ago it was impossible for one man to destroy a lot of people. 500 years ago a man Guy Fawkes could use gunpowder to blow up part of a building. SInce then we invented dynamite, planes, rockets... a society in which technology enables a small group of people to wreak havoc on a large group of people must necessarily have more surveillance/intelligence than one where this is not possible, if it is to ensure the security of its citizens. I mean what is to prevent a person from releasing a contagious virus in the NYC subway or something similar, and the effects to show up only days later? I hate to say it but we don't know where we're going with all this technology's potential for bad things.

I've heard the modern version of this called "Moore's Law of Mad Science" - every year, the IQ necessary to destroy the world drops by one point. In practice it's probably exponential rather than linear, but that's not really better.

Okay! Here's what the sysadmins should be doing: Each GCS should be recording the identity & timestamp of each removable drive that is attached to it. Then we'll have a graph of all the connections between the machines. If any GCSes aren't infected (or if we have any information about which machines first showed evidence of the virus) then we might be able to trace out the path of infection. Hopefully it'll lead to patient zero, and they can figure out whether it was intentional (charge w/ treason!) or accidental (500 push-ups).

Or they could just fill all the usb ports with glue and remove the optical disk drives, if any.

I thought the whole point of an air gap network is that nothing crosses the gap. Having those ports/devices available is just asking for it.

But how will they update Windows & DOD-specific software if they are not connected to the Internet … oh, right, okay, a server on the "air gapped" network that does still have USB.

"usb ports with glue" Keyboards, Mice, Joysticks for these systems were probably designed with the idea that a USB bus would be available.

It will take a while to replace all of these systems with their non-USB configurations.

Given that BlueTooth is probably a no-no as well, how would one build a system these days that needs to support Mice, Joysticks, and Keyboards without using USB?

How about an over-cage for the physical machine?

A literal chicken-wire-style cage that encloses the PC case, with openings too small to pass the head of a USB device.

The cage would be locked to prevent removal of the machine and have a locked backpanel which allows certified staff to install the various usb devices -- with some sort of cage mount inside to loop the cables around, so that a tug from the user wouldn't pull the usb connector from the machine and cause an obnoxious number of calls to 'the guy with the key' to plug a mouse back in.

The cage would neatly deny access to any and every port or drive that may or may not be present in one fell swoop, which would likely simplify OEM contracts and final installation as well as increase security.

You could build the cage physically larger than the general range of whichever flavor(s) of ATX cases are being used, so that the cages could be manufactured in bulk without too much worry about a switch between PC OEMs causing problems.

You could even add a screw-style bracket or two to hold the PC case firm within the cage and put some acoustic foam pads here and there to cut down on any extra noise.

People do this for kiosks (unattended, public use) all the time. It's a good solution for some things.

It's easier to enforce a security policy on well-managed PCs which turn off various ports in software (AND DISABLE AUTORUN!), vs. trying to physically disable them, but DoD also had people go around and epoxy USB ports, or at the very least put foil seals on them. There are problems with this, like the usb cd-rom token things, and the attack mouse.

One of the few areas of IT security the DoD gets right is physical protection of infrastructure (relatively). Unfortunately, it's usually basically a strong shell with a gooey inside of software/networks, and with big pipes bringing lots of stuff in and out of the shell constantly. Once something bad gets in, it's kind of too late.

There's a lot of awesome new Intel stuff to make PC hardware potentially more secure -- secure boot, CPU features, memory protection, etc. Combined with the right OS, you could go a long way. Unfortunately a lot of people are also against this technology because it has been used for Digital Rights Management (DRM) anti-piracy, other privacy violations, etc. I was really against it for those reasons, but have come to think it would on the whole be a net win for society to have more secure IT, even if not being able to break it so easily means some people can use computers for bad things.


on the topic of disabling autorun, there was a patch earlier this year to disable autorun on non-shiny media by default in XP and Vista (it's already turned off in 7.)


infections by autorun-abusing malware families dropped by over 60% as everything got patched, and total infection rate dropped by almost half.

Never underestimate the power of defaults.

Lenovo on their business machines still includes PS/2 ports, and USB can be completely disabled by setting a jumper on the motherboard, or changing a setting in the BIOS.

When asked why they were told that for government contracts, and for businesses that wanted to make sure that USB devices could not just be used at random.

> "usb ports with glue" Keyboards, Mice, Joysticks for these systems were probably designed with the idea that a USB bus would be available.

Its not particularly hard to modify/remove the drivers which make only the usb-disks work on linux. I can't imagine it being much harder on windows either.

All other usb devices could work, but not external storage. Even better the usb drivers could contain a whitelist of device classes for which drivers can be loaded.

I'd glue those into a PCIe USB card or straight on to the motherboard. Then fill all the remaining holes with glue.

They have tools available for them to do that today. In fact, that's one of the driving forces behind HBSS deployment.

"We think it's benign, but we just don't know."

Whoever this is is obviously so far out of the loop and technical domain that everything they say should be taken with a heaping pile of salt.

I don't doubt that a virus exists, but the scope of it is likely wildly overblown. At least, there's no reason to actually think it's some military grade virus that is impossible to eradicate that intercepts all communications with the drones.

Perhaps the fact that our computer systems are now of military importance and the fact that a security hole can mean deaths and international relations disasters will finally lead to people taking a good look at verified computing. Where a virus doesn't mean outsmarting some forgetful C programmer but is mathematically impossible.

Or not, it was just a bug, we'll fix it this one time and pretend it will never happen again. Worse is better, as they say!

How can a virus be mathematically impossible? And what if there's a bug in your math?

To answer your two questions, it is possible to mathematically prove, using certain tools that are admittedly rather academic (my argument is that we should consider using them more), that certain behaviors are impossible in a program. For example, a buffer overflow, or some form of data leak. This has been done, though admittedly not to programs anywhere near as complex as, say, the Windows kernel.

And, if there's a bug in your math, you will, of course, have some bug. Garbage in, garbage out. But! You can write your mathematical proof in such a way that the computer checks it for you (for example, static typing is a weak form of this). So all you need to have faith in is that program. Now we've exchanged faith in all programs to faith in one program. Which is an advance. But then we can formulate a proof that that program is correct in its own proof language. We hand-check this proof once, and then from then on the program can check later iterations of itself.

That's the dream, anyways. Some of the machinery to do this is available today, but some not.

This seems about as random and undirected as Stuxnet magically appearing at five Iranian nuclear plants.

next up: "Virus ridden US attack drones strafe US cities" "Iran strikes back for virus that temporarily crippled nuclear infrastructure"

Though really the drones probably live in middle east so it'd be more like drones would go berserk in a US military bases in middle east and kill troops or attack innocent foreign civilians drumming up more anti American sentiment

"Americans use drone to assassinate Afgan president"

No, the headline would be "Americans use drone to murder hundreds of civillians". It would make us look even worse, and judging by the history of suicide bombers, the Taliban or whoever would not hesitate.

Edit: This may be a bit of a cynical view, but if you believe I'm actually wrong, I'd like to hear why

Eh, guys. I may be off here but isn't the problem that the US use of drones is killing civilians ("collateral damage"). And that is what is currently making people living there very sad and angry.

Clarification: It's infecting the control station computers (which I believe are still Windows XP), not the UAVs themselves.

Those computers have access to every bit of data coming from the UAVs and every bit of control data going to the UAVs. So the fact that the compromised machine is in Nevada and not over Pakistan is pretty close to irrelevant.

Unless you want to make the argument that it's far worse for the ground control systems to be continually reinfected, as they have access to the rest of the air-gapped private network as well.

You don't need to tell me about the systems. I worked on them.

It's far less worse that the control stations are infected as opposed to the aircraft themselves. It's pretty easy to shift control stations for a UAV. It's not so easy to regain control of a malfunctioning UAV. So, far from irrelevant.

That said, I was merely clarifying a common misinterpretation people were getting from the article.

>So the fact that the compromised machine is in Nevada and not over Pakistan is pretty close to irrelevant.

Well, at least it's easier to axe a box in the room than to shoot down a rogue UAV across the world.

Hang on a minute... (a) You have malware on a computer on a secret network and you try to remove it? Shouldn't that be an automatic "shred the entire machine and start over" situation? (b) Flight suits? Really?

the quote used from the source seems to mean they don't know anything. a keylogger is benign? by what definition of benign are we operating under here?

downside of things being "off the record" is this could be someone who oveheard two guys talking about something unrelated in the cafeteria, put "two and two" together, and picked up the phone. and since you can't get an official line ... you just run with the rumors and BS

Well if the keylogger is on an airgapped network it would be relatively hard for it to get data off of the network, so some might call it "benign".

unless, of course, it's designed to leak data out of the airgapped network when the next USB stick is connected...

wait wait this is my fav part, "At first, they followed removal instructions posted on the website of the Kaspersky security firm. “But the virus kept coming back,”" They have access to the same information my mom does? Don't they have their own people for stuff like that. Seriously Kaspersky isn't exactly the best antivirus program in the world and from their own website "The company’s headquarters are located in Moscow, Russia" US military uses a Russian antivirus company for help with military security.

It would be great if Ars had used its security and technical staff to tell us if this is a problem or the minor annoyance that the military says it is. The article amounts to little more than a summary of the drone program and a bit of "he said she said" http://archive.pressthink.org/2009/04/12/hesaid_shesaid.html reportage.

How could they do that analysis without having the virus or other data firsthand? They can only report what they have.

Analyse what they know: 1. It's a keylogger 2. They've been aware of it for weeks 3. They admit that they can't seem to beat it 4. These are isolated systems and it's likely that the attack was via USB drives

Based on those facts, is it likely that this is benign? Are there known viruses that fit this pattern? Who's in charge of this project, and what do they say about it? Is it SOP for viruses to be able to completely beat military security for weeks? What are the possible security breaches? Why attack this part of the system?

There's a lot of questions that could and should be asked. Instead, Ars just repeated history and summarized the press release.

1. As reported upthread, there was no press release to summarize. This was a story built on leaks from anonymous sources.

2. This is a Wired story republished on Ars, not actual Ars reportage.

I certainly agree that additional commentary from security researchers would be welcome, however.

Im not worried. Its the military. They'll soon come up with a "Feynman can open our safe locks ? Don't allow Feynman near the safe locks!" kind of solution.

the worst part about this mentality is that whatever process/documentation they come up to "solve" the problem will make life 10x more difficult for everybody and cost a lot of time and money.

in what has become the US military’s most important weapons system.

Seriously? Already?

People in this thread would enjoy reading the following excellent short review of what drones are doing and their implications:


The statement you quote is impossible to rate as true or false. But here's a fuller quote from the article above:

"But there are also quite a few things about drones that you might not have heard yet. Most Americans are probably unaware, for example, that the US Air Force now trains more UAV operators each year than traditional pilots. [...] As I write this, the US aerospace industry has for all practical purposes ceased research and development work on manned aircraft. "

Any technology that enables you to strike the "enemy" from further away is your "most important weapons system". Slings, Arrows, Gunpowder, Aircraft, Missles, and now Drones all follow this paradigm.

"Eventually, the technicians had to use a software tool called BCWipe to completely erase the GCS’ internal hard drives."

You mean they paid $40 a license for dd if=/dev/null of=/dev/sda?

(I know BCWipe is a secure delete tool. But a computer virus can't perform forensic analysis of your hard drive.)

From Rule 34[1]:

Ever since Filipino Jemaah Islamiyah hackers pwned an MQ-9 Reaper and zapped the governor of Palawan with USAF-owned Hellfire missiles, the Americans have gone back to keeping a human finger on the trigger: not because a state governor from a foreign country was killed, but because of who was in the armoured limousine right behind him. (The prospect of having to utter the term collateral damage in the same sentence as President of the United States before a congressional enquiry had focussed a few minds.)

[1] http://www.amazon.com/Rule-34-Charles-Stross/dp/0441020348/c... (his referral tag, not mine)

Disinformation at work.

Either that or gross incompetence but my money is on the former.

One solution could be to keep machine images stored, like AMIs, and use a tool like Chef or Puppet to re-deploy a known good configuration. This strategy lends itself to the case where everything is virtualized.

Of course, the source of the infection could be really nefarious. For example, imagine if someone replaced a keyboard with one that delivered a payload (trojan, keylogger, etc) when it is plugged into a computer's USB port? Then reformatting the hard drive does nothing because it will immediately infected again.

> One solution could be to keep machine images stored, like AMIs, and use a tool like Chef or Puppet to re-deploy a known good configuration.

It's probably Norton Ghost, and I'd put $5 on the Ghost image being cooked bad.

One solution could be to keep machine images stored

Didn't I read recently about a real virus discovered in the wild, that could infect the BIOS of certain computers?

The article says that USB keys are used to move data on to the system from other networks. If this is true it would be better to assume that all data from that other network is bad, and require it to be serialized in a none executable format. The software then needs to validate the data against a schema. This is something websites have done for years and is very basic.

The mistake that is made here is to assume that a network can ever be secure. It is like assuming that no one will ever pee in a swimming pool.

I suppose the virus is one of the 18 keyloggers that the virus encyclopedia of Kaspersky has...


How difficult would t be for the DoD to make an OS just for themselves with no public distribution or documentation? That seems like the permanent solution here.

Well they'd also have to port Microsoft Office, etc.

So all that terrorists have to do is commandeer a drone (thanks to this virus) and then they can rain terror anywhere they want? This is scary.

That's a bit like saying all a terrorist would need to do to seize control of an ICBM is to infect the missile base with a virus. It's not that easy.

They have infected the control computers, and the keylogger (and mouselogger?) is logging all the commands being given. If they can come this far, how difficult is it to, say, insert spurious "fire" commands? Or redirect the drone to some other place?

My point was that there isn't any indication from this report that the drones were purposefully infected. Random infections are probably inevitable due to probabilities, but deliberate ones seem quite a bit harder.

Indeed, the barrier to entry has been lowered by a staggering amount. Previously, terrorists had to pay many millions of dollars to General Atomics to rain down death from above.

How to turn your enemy's weapons against him.

Try disabling autorun for USB drives. These guys don't sound qualified to fly a paper plane let alone drones...

Oh please tell me they aren't running windows.

Just wait until the cops start using these in the USA for "crowd control" ugh.

It's almost certainly Windows. What would you expect a DoD desktop computer to be running?

As you can see in the picture of the Predator cockpit so helpfully provided, it is definitely windows.

probably are... mission control at spacex has many windows terminals.

mission control at spacex has many windows terminals

What in the...!?!?

What does this have to do with SpaceX? They're not DoD and they don't fly drones.

They obviously fly satellites into low-orbit on contract for the govt. My point was control of expensive/dangerous things - by (or for) the govt with potentially dangerous sw.

I don't think the problem here is their OS, rather it'll be their network structure. So instead, perhaps that should be:

"Oh please tell me they didn't connect directly to the internet".

That's the sort of thinking that leads to a crunchy shell with a soft, chewy center.


If this was true, the last thing they would do is put out a press release about it.

So they wipe it off without actually patching the exploit which the virus uses...

It scares me thinking that mortal drones are running on Windows.

BULLSHIT, this is covering ass for future liability.

Attack of the drones.

“We think it’s benign. But we just don’t know.” Lol. Yes, when all else fails, just assume that the military-grade, impossible-to-erase virus is harmless. Hasn't done any damage yet, right?

This is the problem with rigid hierarchies. Everyone just passes the problem to someone else until the whole thing blows up. In this case, literally.

So why does a secret operation want it known that is open to computer viruses?

I submit this a Black Flag operation story.

This is going to be fun when somebody figures out how shoot somebody with a virus based predator.

Next time think twice before antagonizing your local geek :)

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact