Cyber Attack On Weapon Systems Is Easier Than You’d Think

Uploaded on 2018-10-31 in NEWS-Cybersecurity News, GOVERNMENT-Defence, FREE TO VIEW

All US weapons that the Department of Defense tested between 2012 and 2017 have “mission critical” cyber vulnerabilities, claims a new report from the US Government Accountability Office (GAO).

The report serves as a wakeup call for the DOD regarding cybersecurity threats to its weapons systems. 

“Using relatively simple tools and techniques, testers were able to take control of systems and largely operate undetected, due in part to basic issues such as poor password management and unencrypted communications,” the report states. And yet, perhaps more alarmingly, the officials who oversee those systems appeared dismissive of the results.

Subtitled “DOD Just Beginning to Grapple with Scale of Vulnerabilities,” the report finds that the department “likely has an entire generation of systems that were designed and built without adequately considering cybersecurity.” 
GAO says the DOD is only now beginning to grapple with the importance of cybersecurity, and the scale of vulnerabilities in its weapons systems.

The report is based on penetration tests the DOD itself undertook, as well as interviews with officials at various DOD offices. DOD testers found significant vulnerabilities in the department’s weapon systems, some of which began with poor basic password security or lack of encryption. 

Among the findings of the report: one tester was able to guess an admin password on a weapons system in nine seconds. Other weapons used commercial or open source software but administers failed to change the default passwords. 

Yet another tester managed to partially shut down a weapons system by merely scanning it, a technique so basic, the GAO says, it “requires little knowledge or expertise.” Testers were sometimes able to take full control of these weapons. 

The DOD also had a hard time detecting when testers were probing the weapons. In one case, testers were in the weapons system for weeks, according to the GAO, but the administrators never found them. This, despite the testers being intentionally “noisy.” 

In other cases, automated systems did detect the testers, but that the humans responsible for monitoring those systems didn’t understand what the intrusion technology was trying to tell them.

Wired.com claims that this unclassified report lacks specific details, mentioning various officials and systems without identifying them. Wired emphasizes that when the DOD dismisses these results, they are dismissing the testing from their own department. The GAO didn’t conduct any tests itself; rather, it audited the assessments of Defense Department testing teams.

iHLS:

You Might Also Read:

Pentagon Weapons Systems Vulnerable To Cyber-Attacks

« Facebook Wants To Buy A Cybersecurity Firm. Which One?
Facebook Sued Over Video Viewing Figures »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

Resecurity, Inc.

Resecurity, Inc.

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

ON-DEMAND WEBINAR: Harnessing the power of Security Information and Event Management (SIEM)

ON-DEMAND WEBINAR: Harnessing the power of Security Information and Event Management (SIEM)

Join our experts as they give the insights you need to power your Security Information and Event Management (SIEM).

Privacy Professor

Privacy Professor

Privacy Professor provides information privacy, security and compliance services, tools and products to organizations in a wide range of industries.

techUK

techUK

techUK represents companies operating in the tech sector in the UK. Focus areas cover all aspects of ICT including cyber security.

Digital Hands

Digital Hands

Digital Hands is an award-winning managed security services provider.

Identillect Technologies

Identillect Technologies

Identillect Technologies provide a user-friendly secure email solution to protect critical information, with an emphasis on simplicity.

KLDiscovery

KLDiscovery

KLDiscovery is a global leader in delivering best-in-class eDiscovery, information governance and data recovery solutions.

Ten Eleven Ventures

Ten Eleven Ventures

Ten Eleven is a specialized venture capital firm exclusively dedicated to helping cybersecurity companies thrive.

Trusted CI

Trusted CI

Trusted CI, the NSF Cybersecurity Center of Excellence is comprised of cybersecurity experts who have spent decades working with science and engineering communities.

Blu Venture Investors (BVI)

Blu Venture Investors (BVI)

Blu Venture Investors is a venture capital firm that supports early stage companies with a focus on technology in diverse domains including cybersecurity, IoT, defense and homeland security.

Russell Reynolds Associates

Russell Reynolds Associates

Russell Reynolds Associates is a global leadership advisory and search firm with functional expertise in Digital Leadership, Data & Analytics, and Compliance.

Aurora Systems Consulting

Aurora Systems Consulting

Aurora is a Cybersecurity solutions provider with a portfolio consisting of security consulting, products and services that proactively prevent, secure and manage advanced threats and malware.

TopSOC Information Security

TopSOC Information Security

TopSOC Information Security provide a wide range of security consultation, implementation and training services.

Normalyze

Normalyze

Normalyze are solving some of the most painful problems enterprise IT security teams face in the cloud and data security space. We help enterprises protect all the data they run in the cloud.

Guardsman Cyber Intelligence (GCI)

Guardsman Cyber Intelligence (GCI)

GCI provides proven cyber intelligence solutions to protect your business against ever present physical and digital threats shadowing your online business.

NPCERT

NPCERT

NPCERT is a team of Information Security experts formed to address the urgent need for the protection of national information and growing cybersecurity threat in Nepal.

SeQure

SeQure

SeQure is a cutting-edge startup specializing in the development of advanced security infrastructure for artificial intelligence and blockchain.

Proaxiom

Proaxiom

Proaxiom are focused on erasing cyber driven panic paralysis for Small and Medium Enterprises through brilliant cyber technologies which drive productivity and support growth.