Simulated Hackers Learned Passwords to US Weapons Systems in 9 Seconds
By Staff Writers | Sputnik
Saturday, Oct 20, 2018


In a recent cybersecurity test aimed at determining the resiliency of major weapons systems developed by the Pentagon, “testers playing the role of adversary were able to take control of systems relatively easily and operate largely undetected,” according to a government watchdog.

In one case, the testers accessed systems by guessing administrator passwords in nine seconds.

The Government Accountability Office (GAO) found up-and-coming American weapons riddled with cybersecurity vulnerabilities in a new report published October 9. "In operational testing, DOD routinely found mission-critical cyber vulnerabilities in systems that were under development, yet program officials GAO met with believed their systems were secure and discounted some test results as unrealistic," the watchdog said.

The significance of these cyber vulnerabilities is twofold. First, the Pentagon plans to spend $1.6 trillion on developing its existing stocks of major weapons systems, meaning any information lost could be extremely valuable, worth millions or billions of dollars.

Secondly, American weaponry is "more computerized and networked than ever before," which ultimately increases the surface area that can be attacked by cyber adversaries. GAO noted that this was "no surprise."

In one example, GAO showed a fictitious bomber aircraft that somewhat resembles a B-2 Stealth bomber to display how computerized some weapon systems are. The fictitious aircraft's cyber-dependent systems are many: maintenance, industrial control, microelectronics, logistics, targeting, database, communications, collision avoidance, controller area network bus and identifying friends or foes.

Technologist Chris Garaffa explained to Sputnik News Thursday how GAO's findings displayed the "frightening reality of the state of cybersecurity in the US military."

"Despite having a nearly $700 billion budget, there are basic security measures being ignored that any system with even moderate security requirements would need to consider. These include air-gapped systems, which aren't connected to the internet, [that] have physical vulnerabilities that could let an attacker who gets close to the system infiltrate it," Garaffa said.

"In other cases, default system passwords were so simple that ‘the test team was able to guess an administrator password in nine seconds,’ while also pointing out that attackers could have timeframes of weeks or even months to figure out these same passwords undetected."

According to the web developer, the Pentagon's preferred method of buying weapon systems is part of the problem. The Department of Defense relies on contractors and vendors whose incentive is to minimize expenses and optimize profit, he noted.

"Cybersecurity appears to be one area where both the DOD has significant flaws in its requirements, and these companies do not see the need to provide security as a basic feature. The report explicitly says that ‘… until recently, DOD did not prioritize cybersecurity in weapons systems acquisitions,’" Garaffa lamented.

