Drone Video Intercepts: Military Case Study with a Universal Lesson

By Dan Cornell and Michael McBryde

There has been a lot of hubbub over the past day and a half about insurgents intercepting video feeds from US unmanned drone aircraft.  Wired has covered this story pretty extensively:

· Insurgents Intercept Drone Video in King-Size Security Breach

· Not Just Drones: Militants Can Snoop on Most U.S. Warplanes

Basically, a system was designed quickly, without security as a requirement, for a very limited number of Predator drones used by Special Operations.  Then the drones became much more popular, the system was adopted for much wider use, and the system’s scope was increased to include a majority of the jets flown in the U.S. military.  Net result?  Iraqi insurgents can view or potentially jam video feeds from the majority of U.S. aircraft using materials they could get at Radio Shack.  Yikes!

So let’s review:

· A system was designed and implemented quickly – with limited scope.

· Obscurity was the main security protection, and general system security was not a requirement.

· The usage and utility of the system increased rapidly – so rapidly that decision-makers ignored security reviewers warning of the vulnerability.

· Gaping security holes were found by third parties and exploited.

· Fixing the problem will not be cheap and will likely result in material operational downtime.

Strange … I’ve heard this before.  This isn’t a case study specific to the military – this is something we see all the time with both public and private sector organizations.  Business (or “mission,” in this case) requirements for new features and functions are favored over addressing known system weaknesses.  This decision gets made once.  And then again.  And then again.

Vulnerability management and security remediation are ongoing tasks in the development of any system.  Ignoring vulnerabilities and focusing exclusively on new features pretty much guarantees that you will get hit eventually.

Contact us if you would like help remediating those pesky, lingering, known vulnerabilities in your software systems.

–Dan

dan _at_ denimgroup.com

@danielcornell

Posted via email from Denim Group’s Posterous

About Dan Cornell

A globally recognized application security expert, Dan Cornell holds over 15 years of experience architecting, developing and securing web-based software systems. As the Chief Technology Officer and a Principal at Denim Group, Ltd., he leads the technology team to help Fortune 500 companies and government organizations integrate security throughout the development process. He is also the original creator of ThreadFix, Denim Group's industry leading application vulnerability management platform.