Cyber Attack On Weapon Systems Is Easier Than You’d Think

Uploaded on 2018-10-31 in NEWS-Cybersecurity News, GOVERNMENT-Defence, FREE TO VIEW

All US weapons that the Department of Defense tested between 2012 and 2017 have “mission critical” cyber vulnerabilities, claims a new report from the US Government Accountability Office (GAO).

The report serves as a wakeup call for the DOD regarding cybersecurity threats to its weapons systems. 

“Using relatively simple tools and techniques, testers were able to take control of systems and largely operate undetected, due in part to basic issues such as poor password management and unencrypted communications,” the report states. And yet, perhaps more alarmingly, the officials who oversee those systems appeared dismissive of the results.

Subtitled “DOD Just Beginning to Grapple with Scale of Vulnerabilities,” the report finds that the department “likely has an entire generation of systems that were designed and built without adequately considering cybersecurity.” 
GAO says the DOD is only now beginning to grapple with the importance of cybersecurity, and the scale of vulnerabilities in its weapons systems.

The report is based on penetration tests the DOD itself undertook, as well as interviews with officials at various DOD offices. DOD testers found significant vulnerabilities in the department’s weapon systems, some of which began with poor basic password security or lack of encryption. 

Among the findings of the report: one tester was able to guess an admin password on a weapons system in nine seconds. Other weapons used commercial or open source software but administers failed to change the default passwords. 

Yet another tester managed to partially shut down a weapons system by merely scanning it, a technique so basic, the GAO says, it “requires little knowledge or expertise.” Testers were sometimes able to take full control of these weapons. 

The DOD also had a hard time detecting when testers were probing the weapons. In one case, testers were in the weapons system for weeks, according to the GAO, but the administrators never found them. This, despite the testers being intentionally “noisy.” 

In other cases, automated systems did detect the testers, but that the humans responsible for monitoring those systems didn’t understand what the intrusion technology was trying to tell them.

Wired.com claims that this unclassified report lacks specific details, mentioning various officials and systems without identifying them. Wired emphasizes that when the DOD dismisses these results, they are dismissing the testing from their own department. The GAO didn’t conduct any tests itself; rather, it audited the assessments of Defense Department testing teams.

iHLS:

You Might Also Read:

Pentagon Weapons Systems Vulnerable To Cyber-Attacks

« Facebook Wants To Buy A Cybersecurity Firm. Which One?
Facebook Sued Over Video Viewing Figures »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

Directory of Cyber Security Suppliers

Directory of Cyber Security Suppliers

Our Supplier Directory lists 8,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

Cybsecurity Foundation (CSF)

Cybsecurity Foundation (CSF)

Cybsecurity is a non-profit NGO, which aims to work on improvement of security levels in the Polish cyberspace.

CyberPilot

CyberPilot

CyberPilot ApS is a Danish cybersecurity company. We work with all types of companies and organisations, both large and small, who want to achieve effective cybersecurity.

Industrial Networking Solutions (INS)

Industrial Networking Solutions (INS)

INS Services specializes in designing, deploying and providing on-going support for critical OT (Operational Technology) and IIoT (Industrial Internet of Things) networks.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

Bolster

Bolster

Bolster (formerly RedMarlin) is an AI-based cyber-security platform designed to detect phishing and fraudulent sites in real-time.

HolistiCyber

HolistiCyber

HolistiCyber provide state-of-the art consulting, services, and solutions to help proactively and holistically defend against a new era of constantly evolving cyber threats.

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

WhizHack Technologies

WhizHack Technologies

WhizHack's mission is to not only create a pipeline of cyber security products but also to empower people to sustainable innovation in securing digital assets of tomorrow.

GetHacked.ca

GetHacked.ca

GetHackded.ca is a certified company offering penetration testing and specialized cybersecurity services.

Guardsman Cyber Intelligence (GCI)

Guardsman Cyber Intelligence (GCI)

GCI provides proven cyber intelligence solutions to protect your business against ever present physical and digital threats shadowing your online business.

Securadin

Securadin

Securadin - Defending Your Data Security. We will assist you in learning how to maintain the confidentiality, integrity, and availability of your organization's assets.

Gomboc.ai

Gomboc.ai

Gomboc solve cloud infrastructure security policy deviations by providing tailored remediations to the IaC (Infrastructure as Code).

SecureClaw

SecureClaw

SecureClaw offers specialized cybersecurity consultation, various products, and a range of services to meet your company's business domain needs.

Denodo

Denodo

Denodo transforms the way organizations operate by unifying their data assets in real time and making data ubiquitous and secure to all users and business applications.

CloudGuard

CloudGuard

CloudGuard is an AI-driven XDR platform that helps organisations to proactively detect and automatically remediate threats in real-time.

Alset Technologies

Alset Technologies

Alset Technologies provides DASH - a comprehensive solution to DISA STIG (Security Technical Implementation Guide) compliance.