Hackable ICBMs? America’s ballistic missile system is poorly secured and includes an unpatched vulnerability from 1990
A report from the US Department of Defense (DoD) Inspector General has revealed that US ballistic missile systems have very poor cyber-security.
The report found that these systems have no data encryption, no antivirus programs, no multifactor authentication mechanisms, and in some cases, 28-year-old unpatched vulnerabilities.
It comes after a 2016 report by the US Government Accountability Office (GAO) found a system used by the Department of Defence to co-ordinate the US’ nuclear forces uses 8-inch floppy disks.
The DoD report can be found here, and has been heavily redacted in a number of places.
The report came after inspections by the Inspector General at five random locations where ballistic missiles are located as part of the Ballistic Missile Defense System (BMDS).
The BMDS is designed to protect US territory by launching ballistic missiles to intercept enemy nuclear ICBMs. The report found that most branches of the US military do not protect networks and systems that “process, store, and transmit BMDS technical information.”
To make matters worse, multifactor authentication was not consistently used, and there were poor controls over who could access the BMDS network.
And unbelievably, the DoD also found that patching of vulnerabilities was not consistent. Indeed, the inspectors found a vulnerability that had been identified back in 1990, but still had not been patched.
Other problems discovered included the fact that data on removable media was not encrypted.
And in some cases no intrusion detection and prevention systems were ever implemented.
The reaction from the security industry was a lack of surprise at the news.
“I am not surprised at all – the bad news is that the missile systems were built using very old technology that makes it harder to support and is low capability, generally,” said Sam Curry, chief security officer at Cybereason.
“The good news is that the older tech was built to survive EMPs, to last decades (if not longer) and to avoid (generally) single points of failure,” said Curry. “However, the good news/bad news trade-offs go out the window when this stuff is made IP addressable and put on networks.”
“The real danger is when systems are abstracted, aged and then used in new ways and new places,” he added. “Anything that has the ability to be a weapon of mass destruction on a species-extinction-level event should have the closest scrutiny, safeguards and not be repurposed for a new mission and security target.”
Another expert said the report should raise awareness of the need to urgently secure national defence systems.
“The recent report from the US Department of Defence Inspector General (DOD IG) brings attention to the urgency of securing national defence infrastructure and it is concerning to hear that many of the locations inspected have been deemed insecure,” commented Edgard Capdevielle, CEO at Nozomi Networks.
“The potential consequences of not investing in industrial cyber security best practices and supporting technologies could be numerous and severe,” said Capdevielle. “Destructive malware is being developed, and tested, and critical infrastructure operators need to be able to identify and mitigate anomalous behaviour before damage is done. Therefore, the right approach is to both shore up defences and be able to respond when attacks do occur.”
Meanwhile Lamar Bailey, director of security research and development at Tripwire, noted a particularly damning aspect of the Inspector General report.
“While I agree at first glance this sounds horrible the key word in the findings is ‘consistently’,” said Bailey. “This audit was also only done at 5 facilities which is less than 5 percent of the facilities in operation. We should not take a chicken little stance here but remember basic security hygiene and foundational security controls apply to everyone.”
And Javvad Malik, security advocate at AlienVault, was concerned about how many of these poorly secured systems are connected to the Internet.
“The findings are indeed quite eye-opening, and there are things that could be done better,” said Malik. “But it’s important to bear in mind that updating military systems, or indeed many custom built products isn’t as easy as downloading and installing a patch, where there are many unknown side effects.”
“Also, most modern malware isn’t capable of running on hardware from 1990, therefore, patching the boxes would have little impact,” said Malik. “Mikko Hypponen referred to this as ‘security by antiquity’.”
“Finally, one has to consider how many of these systems are connected to the internet,” said Malik. “In many cases they are not, which would require physical access – and to do so, they would have to contend with soldiers.”
President Trump has sought to transform the US government IT systems as part of the shakeup of Washington.
He has already ordered lawmakers to carry out government cost-cutting measures to reduce spending by $3.6 trillion over the next decade. That cost cutting has seen federal agencies being ordered to stop providing updates on the Y2K bug.
Trump has also signed an executive order to upgrade US cyber defences, a move that has been broadly welcomed by industry experts.