Infected US drones: rather embarrassing but (probably) no big deal

Even though the news that a computer virus has infected US Predator and Reaper drones, logging pilots’ keystroke during their missions over Afghanistan, Libya and other warzones (Yemen?), spread like fire thanks to the exclusive article published by Wired’s Danger Room on Oct. 7, the fact that today and tomorrow’s war robots have been targeted by a computer virus is far from being surprising.

Drones or, to use the standard designation, Unmanned Aircraft Systems (UAS) play a vital role in modern wars. They are able to silently fly for 20 or more hours deep inside the enemy territory; they carry a wide array of sensors, radars and (in some cases) weapons to identify or attack time-sensitive targets; and they are “expendable” because they are controlled from a remote Ground Control Station by pilots who fly them in the same way you might fly a plane in your favourite flight simulator game.

UAS have been flying in support of ground troops, helping them to identify suspect activity and to prevent IED (Improvised Explosive Device) attacks in Iraq and Afghanistan for years. In the last few months they were dispatched to monitor and attack Gaddafi forces in Libya, and took also part in Operation Neptune’s Spear, when they flew over Abbottabad, in Pakistan, to keep watch over Osama Bin Laden’s compound prior to the Navy Seals raid that unveiled the Stealth Black Hawk helicopter.

Drones have been supporting ground troops, helping them to identify suspect activity and to prevent IED (Improvised Explosive Device) attacks in Iraq and Afghanistan for years. They were dispatched to attack Gaddafi forces in Libya, played a vital role in Operation Neptune’s Spear in Pakistan (where they helped monitor Osama bin Laden’s compound prior to the Navy Seals raid that resulted in the al-Qaida leader’s death) and, more recently “an American drone killed top terrorist Anwar al-Awlaki — part of an escalating unmanned air assault in the Horn of Africa and southern Arabian peninsula”.

A UAS consists of four main components: the remotely piloted vehicle (RPV), its sensors, its Mobile Ground Control Station (MGCS), and its data link and communication suite. That’s why the term UAS, which describes the whole system, is preferred to UAV (Unmanned Aerial Vehicle).

Although they have their own peculiarities and equipments, Predator A and B and other drones control stations are much similar in terms of layout. Both have five workstations, each one equipped with two or more screens providing all the information required by the specific operator’s tasks: from the pilot’s view with the proper flight symbology, to the moving map showing the aircraft position and the regions “covered” by the UAS sensors, to the live video feed. There are also some telephones: in fact, even if the Predator A+ and B are equipped with secure radios, a fixed telephone line can be used to contact air traffic control units in case of radio failure: a clear advantage over conventional planes.

Each crew can be made up of five members: a Mission Monitor, who is responsible for the entire mission; a Pilot, who flies the drone using a joystick to send inputs to the aircraft flight control surfaces; a Sensor Operator, who takes care of the cameras, radar and targeting systems; an Intelligence Operator, who performs a first analysis of the imagery; and a Flight Engineer, who supervises the entire system.

The malware,  a keylogger, was detected nearly two weeks ago, at the MGCS at Creech AFB, in Nevada. According to the reports it didn’t prevent the drones to fly their missions, but it has shown an unexpected resilience, so that all the efforts to remove it have failed to wipe it out.

Since MGCS are not interconnected to public networks, they should be immune to the viruses and malware that travels thanks to the Internet. However, crews use removable hard drives to load maps and planned routes into the system and to download mission video, the keylogger might have entered the secret control rooms by accident, by means of an infected USB token.

So, what kind of information could be grabbed by a keylogger inside a Predator or Reaper ground control station?

Anything you might need to input with your keyboard when flying your favourite plane on a Flight Simulator game: most probably, altitude, speed, heading, and other autopilot inputs, radio frequencies, coordinates for the navigation systems, and so on. Unless they are correlated with a specific engine, capable to use those data and to determine the current position and track of a drone, these inputs are hardly interesting or useful. Much more dangerous for drones is the lack of encryption used to transmit live high-resolution video to the ROVER (Remote Operations Video Enhanced Receiver) tactical hand-held receivers on the ground. The video should give the troops on the ground a clear view from the overhead Predator improving the overall situational awareness and reducing the risk of collateral damage or friendly fire. However, in 2009, US forces discovered hours of footage recorded by American drones on the laptops of Iraqi insurgents.

ICT Security expert Paolo Passeri says on his blog:

This is not the first time that an infection has been spread through an hard drive: in late 2008, for example, the drives helped introduce the agent.btz worm to hundreds of thousands of Defense Department computers. It looks like the Pentagon is still disinfecting machines, three years later.

Curiously the [Predator] virus showed to be very resistant to digital vaccines, and after several attempts to remove it with standard procedures (following removal instructions posted on the website of the Kaspersky security firm), the only safe method to clean it was to wipe the infected hard drives and rebuild them from scratch: a time consuming operations. As to say: sophisticated military weapons and technologies suffer the same issues than civil users (how many Windows installations from scratch after a malware infection), on the other hand the drone virus was detected by the military’s Host-Based Security System, a flexible, commercial-off-the-shelf (COTS)-based application. If you look carefully at the HBSS web site you will also be able to identify the commercial security technology which lays behind the HBSS.

Concluding, I don’t think the information leaked because of the malware is worth the reputational damage suffered by the entire US drone fleet and by the USAF INFOSEC (Information Security) capability.

About David Cenciotti
David Cenciotti is a journalist based in Rome, Italy. He is the Founder and Editor of “The Aviationist”, one of the world’s most famous and read military aviation blogs. Since 1996, he has written for major worldwide magazines, including Air Forces Monthly, Combat Aircraft, and many others, covering aviation, defense, war, industry, intelligence, crime and cyberwar. He has reported from the U.S., Europe, Australia and Syria, and flown several combat planes with different air forces. He is a former 2nd Lt. of the Italian Air Force, a private pilot and a graduate in Computer Engineering. He has written five books and contributed to many more ones.