Drone incident serves up data encryption lesson

Failure to encrypt surveillance feeds is a stunning security lapse, analysts say

The disclosure that Iraqi insurgents were able to intercept live video feeds from U.S. drones has focused the spotlight on a familiar IT security issue: data encryption.

In a story that's receiving widespread attention, the Wall Street Journal yesterday reported that Iranian-backed groups in Iraq and Afghanistan were tapping into live feeds from Predator drones using a $26 software tool called SkyGrabber from Russian company SkySoftware.

The hitherto largely unknown software product doesn't require Internet connectivity and is designed to intercept music, photos, video and TV satellite programming for free. Insurgents in Iraq, however, were able to use SkyGrabber to grab live video feeds from unmanned Predator drones because the transmissions were being sent unencrypted to ground control stations.

The fact that a sophisticated, multi-million-dollar aerial surveillance system could be compromised so easily because of a fundamental security oversight is stunning, several security analysts said.

"Frankly, this is shocking to me," said Ira Winkler, president of the Internet Security Advisors Group. (Winkler is also the author of Spies Among Us and a Computerworld columnist.) "You have one of the most critical weapon systems in the most critical regions transmitting intelligence data unencrypted," Winkler said.

While the intercepted data is likely to be of limited use to insurgents, it's still valuable, he said. "After all, one of the key attributes is, not knowing [that] a Predator is in the area," said Winkler. "Everyone involved should have known much better."

The apparent fact that the U.S. military knew of the vulnerability for a decade but assumed opponents wouldn't be sophisticated enough to exploit it is especially troubling, said James Lewis, director and senior fellow at the Center for Strategic and International Studies (CSIS). "The theory is that we encrypt the uplinks so that people can't take over the drone, but that we don't need to encrypt the downlinks," he said.

"Those sorts of assumptions always get us in trouble," said Lewis, who earlier this year led a group that developed a set of cybersecurity recommendations for the White House. "You can be sure that the insurgents weren't the only folks watching the feeds," he said.

Alan Paller, director of research at SANS Institute, a Bethesda Mad.-based security training institute, said the incident highlights a "systemic problem" permeating most new weapons systems. "The designers see IP connectivity as a great capability enhancer and bring in designers to help them integrate the capability," Paller said. "But those architects and designers think security is a compliance activity for security professionals and not their job. They are incapable of protecting the systems they design and build."

The exception that proves the rule is the drones used by the CIA, all of which feature transmissions that are properly encrypted and protected, he said. "They understand how cyberattacks work."

While the spectacular nature of the gaffe puts it in a class of its own, the compromise of the drone feeds is not very unlike countless data compromises involving loss of unencrypted corporate data . Though security analysts have long pushed the use of encryption as one of the most effective ways of protecting data, numerous companies have yet to implement the technology -- in many cases because they're unwilling to spend money to encrypt data. At other times, concerns about complexity and key management have contributed to a reluctance to embrace encryption.

John Pescatore, an analyst with Gartner Inc. and a former analyst at the National Security Agency (NSA), said the drone incident stems from some "really bad decisions" made years ago about not encrypting the data sent back by drones. "Confidentiality on that downlink really should have been a mandatory requirement from the start," said Pescatore, who has ranked the incident in his list of worst encryption failures ever.

Others on Pescatore's list include: a 2006 bid by Visa, MasterCard and Amex to hand out RFID cards that promised 128-bit encryption, but weren't actually turned on; Microsoft 's attempt to encrypt the user password in Windows CE by simply XORing it with the word Pegasus spelled backwards; and sloppy key generation procedures by the Germans during World War II that allowed Allied cryptographers to break the Enigma encryption machine.

"Note that brute force was not needed in any of these cases," Pescatore said in a blog post. "These incidents are all just based on dumb operational decisions to either not include, not turn on, or not manage security at all. Sound familiar?"

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld . Follow Jaikumar on Twitter @jaivijayan , send e-mail at jvijayan@computerworld.com or subscribe to Jaikumar's RSS feed .

Join the Good Gear Guide newsletter!

Error: Please check your email address.

Tags data encryptionsecurityus military

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Jaikumar Vijayan

Computerworld (US)
Show Comments

Most Popular Reviews

Latest News Articles

Resources

PCW Evaluation Team

Azadeh Williams

HP OfficeJet Pro 8730

A smarter way to print for busy small business owners, combining speedy printing with scanning and copying, making it easier to produce high quality documents and images at a touch of a button.

Andrew Grant

HP OfficeJet Pro 8730

I've had a multifunction printer in the office going on 10 years now. It was a neat bit of kit back in the day -- print, copy, scan, fax -- when printing over WiFi felt a bit like magic. It’s seen better days though and an upgrade’s well overdue. This HP OfficeJet Pro 8730 looks like it ticks all the same boxes: print, copy, scan, and fax. (Really? Does anyone fax anything any more? I guess it's good to know the facility’s there, just in case.) Printing over WiFi is more-or- less standard these days.

Ed Dawson

HP OfficeJet Pro 8730

As a freelance writer who is always on the go, I like my technology to be both efficient and effective so I can do my job well. The HP OfficeJet Pro 8730 Inkjet Printer ticks all the boxes in terms of form factor, performance and user interface.

Michael Hargreaves

Windows 10 for Business / Dell XPS 13

I’d happily recommend this touchscreen laptop and Windows 10 as a great way to get serious work done at a desk or on the road.

Aysha Strobbe

Windows 10 / HP Spectre x360

Ultimately, I think the Windows 10 environment is excellent for me as it caters for so many different uses. The inclusion of the Xbox app is also great for when you need some downtime too!

Mark Escubio

Windows 10 / Lenovo Yoga 910

For me, the Xbox Play Anywhere is a great new feature as it allows you to play your current Xbox games with higher resolutions and better graphics without forking out extra cash for another copy. Although available titles are still scarce, but I’m sure it will grow in time.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?