Several Critical Vulnerabilities Identified in Major Weapon Systems Being Developed by US DoD.
The advanced weapon systems developed by the US Department of Defense with a whopping estimated expenditure of $1.66 trillion are plagued with grave flaws, which make them a potential target for rivals looking to disrupt or control their functions.
According to the new 50-page report [PDF] from the US Government Accountability Office (GAO), an analysis of the different development stages of the systems revealed several mission-critical vulnerabilities. Such vulnerabilities, claims the GAO, are present in “nearly all” the weapon systems that are currently being developed.
Testing teams responsible for investigating the systems’ ability to resist cyber-attacks were able to gain full control of the target or disable it using mundane tools and techniques. At times, they could shut down some parts of the system simply through scanning. The full extent of the issue is as yet unclear, states the GAO in its report.
GAO reported that the implemented digital protections are “insufficient” to protect the weapon systems and expressed concern over the fact that government officials weren’t too interested in improving the security of their programs. The department was only starting to deal with the extent of vulnerabilities.
The report was published on Tuesday. The GAO further explained that the hackers who tested the developing weapon systems were able to operate without being detected; flight software, industrial control systems, and communication lines were among their key targets.
The purpose of conducting this study was to ensure that the systems on which the defense department was willing to spend such an enormous amount are protected from enemies possessing highly advanced cyber-spying and cyber-attack capabilities.
Bolstering security would require a lot of work because during the audit several vulnerabilities were identified in key systems. GAO notes:
“In one case, it took a two-person test team just one hour to gain initial access to a weapons system and one day to gain full control of the system they were testing.”
In another case, they could observe in real time whatever the operators were seeing on the screen. Besides, they could easily exploit the system too. Passwords were managed poorly and various weapon systems used open-source software. A testing team was able to crack the login credentials of one administrator in just 9 seconds.
“Multiple test teams reported that they were able to copy, change, or delete system data including one team that downloaded 100 gigabytes, approximately 142 compact discs, of data.”
It was also noted in the report that almost all weapon system functions, such as an aircraft’s life support function or the incoming missile interception function, relied on computers, which “significantly expands weapons’ attack surfaces.”
GAO warns that the cybersecurity of these systems needs bulking up, which may be a slow and tedious process. The audit was conducted from July ’17 to October ’18. GAO hasn’t made recommendations this time, as the evaluation process is still underway; until now, the focus was mainly on networks and infrastructure and not on the weapons.