Friday, October 7, 2011

The Air Force Drone Fleet, Viruses, and the Internet

Wired has posted an article about a virus plaguing the systems used by the Air Force to control drones, including those used for attacks in Afghanistan and Pakistan. According to Wired, an apparent keylogger was detected on many of the systems and it was essentially impossible to remove the virus, requiring wiping and rebuilding the hard drives.

This brings up questions about how such viruses can get onto these classified systems. As we have discussed here before, the classified internet is air-gapped from the public internet. The virus undoubtedly made its way onto the hard drives by way of infected media brought into the control rooms, likely on USB drives. Apparently, the Creech Air Force Base control room did not have a policy against bringing USB drives or other media into the classified spaces, although that policy has been changed in light of this infection.

So the questions to be answered are:

1. How can such infections be prevented in controlled, classified spaces?
2. Are such infections a true security risk?
3. Is this infection similar to the earlier reported interception of drone video links?

The short answers to the questions are: (1) make it impossible to insert any kind of readable, writable media into classified computers; (2) no, this is not a true security risk, at least not in so far as it would be possible for the keylogged data to be transmitted outside the controlled space (I do have one caveat to that, however); (3) no, this is not the same as the earlier reported interception.

Okay, the longer answer to each is a bit more involved.

Many, if not all, Sensitive Controlled Information Facilities (SCIFs) have had policies in effect for years that prevent the introduction of any kind of readable or writable media into classified computers. This is certainly the case for TS (JWICS) computers. The computer on my last desk in the Pentagon had all USB ports and CD/DVD drives disabled. Some security experts recommend either completely removing such ports/drives or taking physical action to disable them, including super-gluing USB ports closed and physically removing internal wiring connections. No doubt such measures are being executed at Creech AFB right now.

The introduction of a keylogger, or even a trojan, onto a classified computer will not pose a threat in so far as sending data away from the computer and out onto the internet. Remember, classified systems are air-gapped from the internet. So even if such data were collected by the USB device, getting it out would require an individual to carry the device out of the space and connect it to the internet. So, in this longer answer, it is possible that it was a security leak, assuming a person was conducting espionage. I leave detecting that to the local security types. Once they get a fingerprint of the particular virus, they will learn more about how it got onto the systems. I presume it was a computer technician using sloppy technique, introducing for maintenance a USB device that had previously been in an unclassified machine and been infected with the virus.
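The two controls the paragraphs above lean on, disabling removable media on the classified hosts and noticing when a USB drive or disc is nonetheless plugged in, both lend themselves to a small audit script. The example below is added here and is not code from the original post or from any Air Force system; it assumes a Linux host whose kernel log uses the usual syslog/dmesg layout, and the hostname, timestamps and device lines are constructed for illustration. It checks that a modprobe configuration actually disables the usb-storage driver, and it scans kernel log lines for mass-storage and optical-drive attach events, which is exactly the evidence a local security team would want when reconstructing how a device got onto a machine in a no-media space.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of Linux kernel log lines in syslog/dmesg layout.
# Hostname "gcs01" and all device details are made up for this example.
SAMPLE_LOG = """\
Oct  7 09:12:01 gcs01 kernel: [ 4521.102331] usb 1-3: new high-speed USB device number 4 using xhci_hcd
Oct  7 09:12:01 gcs01 kernel: [ 4521.231004] usb 1-3: New USB device found, idVendor=0781, idProduct=5567, bcdDevice= 1.00
Oct  7 09:12:01 gcs01 kernel: [ 4521.231010] usb 1-3: Product: Example Flash Drive
Oct  7 09:12:02 gcs01 kernel: [ 4521.402117] usb-storage 1-3:1.0: USB Mass Storage device detected
Oct  7 09:12:03 gcs01 kernel: [ 4522.511873] sd 6:0:0:0: [sdb] Attached SCSI removable disk
Oct  7 09:30:15 gcs01 kernel: [ 5614.001200] usb 2-1: new low-speed USB device number 2 using xhci_hcd
Oct  7 09:30:15 gcs01 kernel: [ 5614.120400] input: Example USB Keyboard as /devices/pci0000:00/0000:00:14.0/usb2/2-1/2-1:1.0/input/input5
Oct  7 09:31:00 gcs01 kernel: [ 5659.000001] sr 4:0:0:0: [sr0] scsi3-mmc drive: 24x/24x writer cd/rw xa/form2 cdda tray
"""

# Constructed /etc/modprobe.d fragment showing the hardened setting: the module is
# blacklisted AND its load is redirected to a no-op, so a manual "modprobe" cannot
# bring it back either.
HARDENED_CONF = """\
# Removable mass storage is prohibited in this space.
blacklist usb-storage
install usb-storage /bin/true
"""

# Syslog-style prefix, optional "[ seconds ]" kernel timestamp, then the message.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"(?:\[\s*[\d.]+\] )?(?P<msg>.*)$"
)

# Kernel messages that mean a storage device (not a keyboard or mouse) was attached.
MEDIA_PATTERNS = [
    (re.compile(r"usb-storage (\S+): USB Mass Storage device detected"), "usb-storage"),
    (re.compile(r"sd \S+: \[(\w+)\] Attached SCSI removable disk"), "removable-disk"),
    (re.compile(r"sr \S+: \[(\w+)\] scsi3-mmc drive"), "optical-drive"),
]


@dataclass
class MediaEvent:
    timestamp: str
    host: str
    kind: str
    device: str


def parse_line(line: str) -> Optional[MediaEvent]:
    """Return a MediaEvent if the log line records removable media being attached."""
    m = LINE_RE.match(line)
    if not m:
        return None
    for pattern, kind in MEDIA_PATTERNS:
        hit = pattern.search(m.group("msg"))
        if hit:
            return MediaEvent(m.group("ts"), m.group("host"), kind, hit.group(1))
    return None


def scan_kernel_log(log_text: str) -> List[MediaEvent]:
    """Collect every removable-media attach event in a block of kernel log text."""
    return [ev for ev in (parse_line(l) for l in log_text.splitlines()) if ev]


def usb_storage_disabled(modprobe_conf: str) -> bool:
    """True only if usb-storage is both blacklisted and has its load neutralised."""
    blacklisted = neutralised = False
    for raw in modprobe_conf.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if line == "blacklist usb-storage":
            blacklisted = True
        elif re.fullmatch(r"install usb-storage /bin/(true|false)", line):
            neutralised = True
    return blacklisted and neutralised


if __name__ == "__main__":
    print("usb-storage disabled:", usb_storage_disabled(HARDENED_CONF))
    for ev in scan_kernel_log(SAMPLE_LOG):
        print(f"{ev.timestamp} {ev.host}: {ev.kind} attached ({ev.device})")
```

On the sample log the scan reports three events (the USB mass-storage interface, the resulting removable disk sdb, and the optical drive sr0) and ignores the keyboard, which is the distinction a no-media policy needs: input devices are allowed, storage is not. The configuration check insists on both lines because a blacklist alone only stops automatic loading; the `install` override is what defeats an explicit `modprobe usb-storage`.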

The earlier interception of drone video was an entirely different process. In that case, local individuals positioned themselves near the drone itself and intercepted the unencrypted video downlink directly from the drone. The only way such video could be intercepted is to be in the vicinity of the drone, not via the internet. Now, it is a legitimate question to ask why such video would be unencrypted. To encrypt a signal, particularly a video signal, would involve significant processor resources and would introduce some delay into the signal. Unencrypted video is easier to transmit and would entail less signal loss. Also, interception, while obviously possible as demonstrated, is not likely to cause significant operational problems.

I would like to hear from technicians who know far more than I do about these systems.