A government report has concluded that some of the most advanced weapons in the US military arsenal can be hacked with very basic tools
The US Government Accountability Office (GAO) has disclosed a report of experts in digital forensics that verifies critical vulnerabilities in almost every system that controls weapons tested by the American military between the years 2012 and 2017.
This includes the recently launched F-35 fight jets, as well as missile launch systems.
Pentagon officials haven’t stated about this 50-page report yet. The report was requested to the GAO by the US Senate Armed Services Committee. Members of the Committee expressed their concern about the protection of weapons systems against possible cyberthreats. The main findings of the report are:
- The Pentagon does not change the default passwords in many of its weapon systems. In addition, one of the passwords that were in fact changed was very easy to guess by the experts in digital forensics
- A team appointed by the GAO was able to easily gain control of a weapons system and observe its operation in real time
- A team integrated of only two people got initial access to one of the weapons systems in just one hour. The next day, the system was completely compromised
- Many of the analyzed data could be copied, modified or deleted. One of the participating teams was able to download nearly 100 GB of information
In a statement, the GAO said the Pentagon “still does not know the full scope of the vulnerabilities present in their weapons systems”.
Experts in digital forensics from the International Institute of Cyber Security believe that these findings, although alarming, do not surprise anyone. Developing a weapons system takes too long and is often based on replicating the work done on older systems. As a result, the components and software can be based on codes that have always had persistent vulnerabilities.
Developers often overlook the implementation of appropriate security measures on their systems after they are put into operation, but they are unaware that the operation of a system does not guarantee that it is properly protected.
“However, that is not an excuse,” believes Ken Munro, an expert on cybersecurity. “This report shows some very basic security flaws that could have been easily solved by changing passwords and keeping the software updated”, the expert mentioned.