Category Archives: Hacking

See How USAF Aggressors Jam Civilian GPS Signals in Training at Nellis Air Force Base

GPS Jamming is a New Story from Red Flag 18-1, But We Videotaped It at Nellis Last Year.

Despite the Jan. 27, 2018 accident with a Royal Australian Air Force EA-18G Growler, the massive tactical air training exercise Red Flag 18-1 continues from Nellis AFB outside Las Vegas, Nevada. The training exercise extends throughout the sprawling 7,700 square mile Nellis Military Operating Area (MOA) ranges.

Aviation authority and journalist Tyler Rogoway broke the story of the U.S. Air Force jamming GPS signals on a large scale for training purposes during Red Flag 18-1 in an article for The War Zone last week. But earlier, in 2017, we went inside Nellis AFB to get a firsthand demonstration of how easily and how quickly the U.S. Air Force can jam GPS signals for training purposes.

In our demonstration, members of the 527th Space Aggressor Squadron (527th SAS) at Nellis AFB showed us how they can use off-the-shelf equipment to conduct tactical short-range jamming of the GPS signal on a local level. The 527th Space Aggressor Squadron was at Nellis AFB for the 2017 Aviation Nation Air and Space Expo. Our reporters got a firsthand look at GPS jamming on media day. In only a few seconds, members of the 527th SAS used off-the-shelf equipment available to the public to jam local GPS reception. As you can see in the video, the signal bars on our test receiver, a typical consumer GPS, disappeared entirely, as though GPS simply didn’t exist anymore.

The 527th Space Aggressor Squadron’s mission is not active combat jamming of GPS, but to provide these and other electronic warfare capabilities for training purposes in exercises like Red Flag 18-1. The unit is based at Schriever AFB in Colorado but is attached to the 57th Wing at Nellis. According to the U.S. Air Force, the 57th Wing, “is the most diverse wing in the Air Force and provides advanced, realistic and multi-domain training focused on ensuring dominance through air, space and cyberspace.”

The 527th Space Aggressor Squadron personnel showed enthusiasm for their mission and reminded us that cyber and electronic warfare is the most dynamic and fastest growing battlespace in modern combat.

The unique insignia worn by members of the elite 527th Space Aggressor Squadron. Notice one version worn by the unit is in Russian. (Photo: TheAviationist.com)

In an operational environment, jamming GPS signals represents both a threat and an important capability. In addition to its role in navigation on land, at sea and in the air, GPS also provides targeting capability for precision weapons, along with many other tactical and strategic uses.

For instance, among the various theories surrounding the capture of the U.S. RQ-170 Sentinel drone by Iran in 2011, one mentioned a GPS hack. This is what The Aviationist’s David Cenciotti wrote back then:

Eventually there is an explanation for the mysterious capture of the U.S. stealth drone by Iran. In an exclusive interview with the Christian Science Monitor, an Iranian engineer (on condition of anonymity) working to reverse engineer the RQ-170 Sentinel, hacked while it was flying over the northeastern Iranian city of Kashmar, some 225 kilometers (140 miles) away from the Afghan border, says they were able to exploit a known vulnerability of the GPS.

In simple words, in a scenario that I had more or less described in my last post, which also described the known threats to the drone’s Position, Navigation and Guidance system, the Iranian electronic warfare specialists disrupted the satellite link of the American robot and then reconfigured the drone’s GPS, setting the coordinates to make it land in Iran at what the Sentinel thought was its home base in Afghanistan.

They jammed the SATCOM link and then forced the drone into autopilot reconfiguring the waypoint of the lost-link procedure to make it land where they wanted.

Such techniques were tuned by studying previously downed smaller drones, like the 4 U.S. and 3 Israeli ones that could be exhibited in Iran in the near future.

Although we don’t know what really happened to the Sentinel drone during its clandestine mission (in the above article our own Cenciotti was skeptical about the version given by the anonymous Iranian engineer), it’s pretty obvious that dominating the GPS “domain” is crucial to winning. That’s why during Red Flag 18-1 the widespread jamming of GPS for training purposes enables warfighters to operate in an environment where electronic and cyber-attacks may disable GPS capability. This compels the players to develop new tactics for fighting “GPS blind” and to revisit existing capabilities perfected in the era prior to widespread use of GPS in a warfighting role.

The 527th SAS displayed press clippings about GPS jamming incidents around the world at Nellis AFB. (Photo: TheAviationist.com)

Up close and personal with NASA’s Global Hawk drones at Edwards Air Force Base

NASA operates the giant Northrop Grumman Global Hawk drone to collect weather data.

On Feb. 5, NASA showed off its newest and smartest unmanned Global Hawk aircraft to reporters at NASA’s Armstrong Flight Research Center located on Edwards AFB, CA.

Shorealone Films photographer Matt Hartman went there to report on NASA’s Global Hawk fleet.


These aircraft have been helping NOAA scientists, researchers and forecasters with gathering weather information from altitudes and conditions not suitable for humans.


Missions flown by these aircraft can last almost 24 hours without refueling.

The Sensing Hazards with Operational Unmanned Technology (SHOUT) project led by the NOAA Unmanned Aircraft System (UAS) Program, will deploy the NASA Global Hawks carrying a suite of meteorological sensors and deploying dropsondes during four research flights in February.


According to the NASA website, the agency acquired its three drones from the U.S. Air Force. These are among the very first UAS (Unmanned Aerial Systems) built under the original Global Hawk Advanced Concept Technology Demonstrator development program sponsored by DARPA (Defense Advanced Research Projects Agency).

The Global Hawk is a gigantic drone: 44 feet in length, it has a wingspan of more than 116 feet, a height of 15 feet, and a gross takeoff weight of 26,750 pounds, including a 1,500-pound payload capability. It is powered by a single Rolls-Royce AE3007H turbofan engine and features a distinctive V-tail.


The engine cover, aft fuselage and wings are constructed primarily of graphite composite materials; the center fuselage is made of aluminum, whereas various fairings and radomes feature fiberglass composite construction.

NASA’s Global Hawks made the headlines last week, after a hacker under the name of @CthulhuSec and the hacking group AnonSec started posting massive amounts of data belonging to NASA on Pastebin: the leaked data included around 150 GB of drone logs as well as 631 aircraft and radar videos, along with 2,143 email addresses of NASA employees.


Interestingly, not only did the hacking group exfiltrate data from NASA’s network, but they also claim to have achieved “semi-partial control” of one of the agency’s Global Hawk drones by replacing the original .gpx file (containing the aircraft’s pre-planned route) with one crafted to direct it along a different route; a claim that has been denied by NASA.


This is not the first time civil or military drones have been hacked.

The Intercept has recently reported that GCHQ and NSA compromised video feeds from Israeli drones from a base in Cyprus.

Previously, Iran claimed to have captured a CIA RQ-170 Sentinel drone by hijacking it.

In 2011, U.S. Air Force Predator drones were reportedly infected by malware that captured all of the operators’ keystrokes.


All images: Matt Hartman

Targeting Iran's nuclear program with Stuxnet virus

I must confess that I hadn’t heard about Stuxnet until my close friend, colleague, ICT security expert and blogger Paolo Passeri, while discussing my recent visit to Decimomannu airbase for Vega 2010, an exercise attended by Israeli Air Force aircraft (for the report, wait until Nov. 26), explained to me the complexity of this virus and its potentially catastrophic effects.
Stuxnet is malware that targets industrial control systems, with a sabotage strategy of speeding up and slowing down physical machinery at a plant. It was first discovered in June in Iran and has since infected more than 100,000 computers around the world. Initially believed to be a “normal virus”, Stuxnet contains code designed to attack SCADA (Supervisory Control and Data Acquisition) control systems that manage pipelines, nuclear plants and various utility and manufacturing equipment. According to researchers at Symantec, Stuxnet was most probably aimed at sabotaging Iran’s nuclear power plant in Bushehr or Natanz.
Below you can read an excerpt from a detailed article published by Wired.com (full article available at http://www.wired.com/threatlevel/2010/11/stuxnet-clues/). For Italian readers, I suggest a look at the post on Paolo Passeri’s blog titled “Come ti impoverisco l’uranio con un virus”.

…..
According to Symantec, Stuxnet targets specific frequency-converter drives — power supplies used to control the speed of a device, such as a motor. The malware intercepts commands sent to the drives from the Siemens SCADA software, and replaces them with malicious commands to control the speed of a device, varying it wildly, but intermittently.

The malware, however, doesn’t sabotage just any frequency converter. It inventories a plant’s network and only springs to life if the plant has at least 33 frequency converter drives made by Fararo Paya in Teheran, Iran, or by the Finland-based Vacon.

Even more specifically, Stuxnet targets only frequency drives from these two companies that are running at high speeds — between 807 Hz and 1210 Hz. Such high speeds are used only for select applications. Symantec is careful not to say definitively that Stuxnet was targeting a nuclear facility, but notes that “frequency converter drives that output over 600 Hz are regulated for export in the United States by the Nuclear Regulatory Commission as they can be used for uranium enrichment.”

“There’s only a limited number of circumstances where you would want something to spin that quickly – such as in uranium enrichment,” said O Murchu. “I imagine there are not too many countries outside of Iran that are using an Iranian device. I can’t imagine any facility in the U.S. using an Iranian device,” he added.

The malware appears to have begun infecting systems in January 2009. In July of that year, the secret-spilling site WikiLeaks posted an announcement saying that an anonymous source had disclosed that a “serious” nuclear incident had recently occurred at Natanz. Information published by the Federation of American Scientists in the United States indicates that something may indeed have occurred to Iran’s nuclear program. Statistics from 2009 show that the number of enriched centrifuges operational in Iran mysteriously declined from about 4,700 to about 3,900 around the time the nuclear incident WikiLeaks mentioned would have occurred.

Researchers who have spent months reverse-engineering the Stuxnet code say its level of sophistication suggests that a well-resourced nation-state is behind the attack. It was initially speculated that Stuxnet could cause a real-world explosion at a plant, but Symantec’s latest report makes it appear that the code was designed for subtle sabotage. Additionally, the worm’s pinpoint targeting indicates the malware writers had a specific facility or facilities in mind for their attack, and have extensive knowledge of the system they were targeting.

The worm was publicly exposed after VirusBlokAda, an obscure Belarusian security company, found it on computers belonging to a customer in Iran — the country where the majority of the infections occurred.

German researcher Ralph Langner was the first to suggest that the Bushehr nuclear power plant in Iran was the Stuxnet target. Frank Rieger, chief technology officer at Berlin security firm GSMK, believes it’s more likely that the target in Iran was a nuclear facility in Natanz. The Bushehr reactor is designed to develop non-weapons-grade atomic energy, while the Natanz facility, a centrifuge plant, is designed to enrich uranium and presents a greater risk for producing nuclear weapons.

The new information released by Symantec last week supports this speculation.

As Symantec points out in its paper, frequency-converter drives are used to control the speed of another device – for example, a motor at a manufacturing facility or power plant. Increase the frequency, and the motor increases in speed. In the case of Stuxnet, the malware is searching for a process module made by Profibus and Profinet International that is communicating with at least 33 frequency-converter drives made by either the Iranian firm or the Finnish firm.

Stuxnet is very specific about what it does once it finds its target facility. If the number of drives from the Iranian firm exceeds the number from the Finnish firm, Stuxnet unleashes one sequence of events. If the Finnish drives outnumber the Iranian ones, a different sequence is initiated.

Once Stuxnet determines it has infected the targeted system or systems, it begins intercepting commands to the frequency drives, altering their operation.

“Stuxnet changes the output frequency for short periods of time to 1410Hz and then to 2Hz and then to 1064Hz,” writes Symantec’s Eric Chien on the company’s blog. “Modification of the output frequency essentially sabotages the automation system from operating properly. Other parameter changes may also cause unexpected effects.”

“That’s another indicator that the amount of applications where this would be applicable are very limited,” O Murchu says. “You would need a process running continuously for more than a month for this code to be able to get the desired effect. Using nuclear enrichment as an example, the centrifuges need to spin at a precise speed for long periods of time in order to extract the pure uranium. If those centrifuges stop to spin at that high speed, then it can disrupt the process of isolating the heavier isotopes in those centrifuges … and the final grade of uranium you would get out would be a lower quality.”

O Murchu said that there is a long wait time between different stages of malicious processes initiated by the code — in some cases more than three weeks — indicating that the attackers were interested in sticking around undetected on the target system, rather than blowing something up in a manner that would attract notice.

“It wanted to lie there and wait and continuously change how a process worked over a long period of time to change the end results,” O Murchu said.

Stuxnet was designed to hide itself from detection so that even if administrators at a targeted facility noticed that something in the facility’s process had changed, they wouldn’t be able to see Stuxnet on their system intercepting and altering commands. Or at least they wouldn’t have seen this, if information about Stuxnet hadn’t been released last July.

The conclusion is that Stuxnet is so sophisticated that only a few hackers could be capable of producing this kind of weapon, suggesting that the resources required to develop such malware could only have been provided by highly specialized cyber warfare-capable organizations, such as the US Cyber Command or the Mossad (that’s why Paolo Passeri began talking about Stuxnet when I recalled the Israeli Air Force F-15Ds and F-16Ds deployed to Decimomannu…).
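The excerpt above describes the conditions Stuxnet checked for (an inventory of at least 33 Fararo Paya or Vacon drives, normally running between 807 Hz and 1210 Hz) and the 1410 Hz / 2 Hz / 1064 Hz sequence it then commanded, while hiding the change from the operators. The following Go program is an added example from a defender's side; it is not code from the article, from Symantec or from Wired. It reads constructed drive telemetry in a made-up "time drive vendor hz" format (the log lines, the drive names and the 100 Hz step limit are all assumptions), flags commanded setpoints that fall outside the normal band or jump abruptly between samples, and reports whether the drive inventory matches the published trigger condition.

```go
package main

import (
	"bufio"
	"fmt"
	"math"
	"strconv"
	"strings"
)

// Normal commanded-frequency band for the drives Stuxnet looked for (807-1210 Hz,
// as reported by Symantec). maxStepHz is an assumed, plant-specific limit on how
// far a legitimate setpoint may move between two consecutive samples.
const (
	minNormalHz = 807.0
	maxNormalHz = 1210.0
	maxStepHz   = 100.0
)

// DriveSample is one commanded-frequency reading for a frequency-converter drive.
type DriveSample struct {
	Time, DriveID, Vendor string
	Hz                    float64
}

// Alert is a sample that violates the process envelope, with the reason.
type Alert struct {
	Sample DriveSample
	Reason string
}

// sampleLog is constructed telemetry (not real plant data). The last three
// drv-01 readings reproduce the 1410 Hz / 2 Hz / 1064 Hz sequence from the article.
const sampleLog = `# time     drive  vendor      commanded_hz
10:00:00 drv-01 FararoPaya 1000
10:00:00 drv-02 Vacon      1002
10:00:10 drv-01 FararoPaya 1004
10:00:10 drv-02 Vacon      1001
10:00:20 drv-01 FararoPaya 1410
10:00:30 drv-01 FararoPaya 2
10:00:40 drv-01 FararoPaya 1064
10:00:40 drv-02 Vacon      1003
`

// ParseSamples reads the whitespace-separated log, skipping blanks and comments.
func ParseSamples(log string) ([]DriveSample, error) {
	var out []DriveSample
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		f := strings.Fields(line)
		if len(f) != 4 {
			return nil, fmt.Errorf("malformed line: %q", line)
		}
		hz, err := strconv.ParseFloat(f[3], 64)
		if err != nil {
			return nil, fmt.Errorf("bad frequency in %q: %w", line, err)
		}
		out = append(out, DriveSample{Time: f[0], DriveID: f[1], Vendor: f[2], Hz: hz})
	}
	return out, sc.Err()
}

// DetectAnomalies flags setpoints outside the normal band and, for in-band
// values, jumps larger than maxStepHz from the same drive's previous sample.
func DetectAnomalies(samples []DriveSample) []Alert {
	var alerts []Alert
	last := map[string]float64{}
	for _, s := range samples {
		switch prev, seen := last[s.DriveID]; {
		case s.Hz < minNormalHz || s.Hz > maxNormalHz:
			alerts = append(alerts, Alert{s, "setpoint outside normal band"})
		case seen && math.Abs(s.Hz-prev) > maxStepHz:
			alerts = append(alerts, Alert{s, "abrupt setpoint change"})
		}
		last[s.DriveID] = s.Hz
	}
	return alerts
}

// InScope reports whether the drive inventory seen in the telemetry meets the
// published trigger condition (at least 33 Fararo Paya or Vacon drives) and
// returns the per-vendor drive counts for the asset register.
func InScope(samples []DriveSample) (bool, map[string]int) {
	vendorOf := map[string]string{}
	for _, s := range samples {
		vendorOf[s.DriveID] = s.Vendor
	}
	counts := map[string]int{}
	for _, v := range vendorOf {
		counts[v]++
	}
	return counts["FararoPaya"]+counts["Vacon"] >= 33, counts
}

func main() {
	samples, err := ParseSamples(sampleLog)
	if err != nil {
		panic(err)
	}
	for _, a := range DetectAnomalies(samples) {
		fmt.Printf("%s %s %6.0f Hz: %s\n", a.Sample.Time, a.Sample.DriveID, a.Sample.Hz, a.Reason)
	}
	fmt.Println(InScope(samples))
}
```

The check runs on the commanded values as observed on the fieldbus, independently of what the engineering workstation displays; that matters because, as the excerpt notes, Stuxnet hid its changes from the operator's view, so only telemetry collected outside the compromised host can reveal the 1410 Hz and 2 Hz excursions and the abrupt return to 1064 Hz.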

Even Predator UAVs face Information Security problems

A series of interesting articles, dealing with the interception by local insurgents of live video feeds broadcast by Predator UAVs (Unmanned Air Vehicles) operating in Iraq and Afghanistan, was published today in newspapers worldwide.

Evidence of the hack was found on insurgents’ laptops that contained video files intercepted from the aircraft’s unencrypted downlink to the ground stations. Obviously, since this was a live video feed from the aircraft’s on-board camera, the insurgents could only “eavesdrop” on the communication between the Predator and the ground station; they could not take control of the drones or interfere in any way with their flight.

Nevertheless, being able to intercept the images gave the insurgents the advantage of knowing which buildings, roads, tents, etc. were under surveillance before either the aircraft or the ground troops could intervene. One might think the hack was done using sophisticated tools, but according to the information released so far, the insurgents used commercial software, SkyGrabber, from the Russian company SkySoftware, which can be purchased for as little as $25.95 on the Internet. The stolen video files show once again how the most advanced military technologies can lose their effectiveness because of very well-known vulnerabilities, exploited with cheap off-the-shelf code.

Lt. Gen. David Deptula, who oversees the Air Force’s unmanned aviation program, told the Wall Street Journal that some of the drones would employ a sophisticated new camera system called “Gorgon Stare,” which allows a single aerial vehicle to transmit back at least 10 separate video feeds simultaneously. But since the UAVs need to send their feeds over great distances, they are subject to interception and exploitation: in other words, as we have already explained many times on this blog, Confidentiality (the attribute of information representing the assurance that it is shared only among authorised persons) was compromised.

Since the U.S. government has known about the vulnerability since the U.S. campaign in Bosnia in the 1990s, it is clear that the Pentagon considered the risk of data being intercepted by local insurgents or enemies unimportant. An effective countermeasure that would prevent anybody from intercepting the video feeds is obviously encryption. Some have wondered why there are plenty of systems to encrypt radio transmissions while there is almost nothing to encrypt video feeds. Simple: encrypting a high-definition video stream is much more demanding (in computational terms, hence in hardware) than encrypting audio.

Therefore, fixing the security hole would have caused additional costs and delays (because of the time needed for procurement, testing, implementation, etc.). Even the MQ-9 Reaper (the version ordered by the Italian Air Force is known as Predator B), which costs around 10 million USD each and is faster, better armed and more capable than the Predator, will be subject to the same problem… an issue that will have to be fixed as soon as possible, since the aircraft is already operating in Afghanistan and Iraq and is also involved in anti-piracy combat patrols in the Indian Ocean.
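The countermeasure the post calls for is encryption of the downlink. As an added example, not part of the original post and not code from any Predator or Reaper system, the Go program below applies the standard library's AES-GCM to a video feed one frame at a time: the frame number serves both as the nonce and as authenticated associated data, a passive listener on the link sees only ciphertext, and the ground station refuses any frame that was modified, replayed or delivered out of order. The session key is assumed to be provisioned out of band before the flight, and the frame bytes are constructed.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Link is one direction of a video downlink under a session key that is assumed
// to be provisioned out of band before the sortie. Each frame is sealed with
// AES-GCM under a nonce derived from its frame number, so a frame number must
// never be reused with the same key.
type Link struct {
	aead cipher.AEAD
	next uint64 // receiver side: lowest frame number still acceptable
}

// NewLink builds a sender or receiver from a 16-, 24- or 32-byte key.
func NewLink(key []byte) (*Link, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Link{aead: aead}, nil
}

// nonceFor puts the frame number in the low 8 bytes of the 12-byte GCM nonce.
func (l *Link) nonceFor(frameNo uint64) []byte {
	nonce := make([]byte, l.aead.NonceSize())
	binary.BigEndian.PutUint64(nonce[len(nonce)-8:], frameNo)
	return nonce
}

// Seal returns frameNo || ciphertext || tag. The frame number travels in clear
// but is authenticated as associated data, so it cannot be altered in transit.
func (l *Link) Seal(frameNo uint64, frame []byte) []byte {
	hdr := make([]byte, 8)
	binary.BigEndian.PutUint64(hdr, frameNo)
	return l.aead.Seal(append([]byte(nil), hdr...), l.nonceFor(frameNo), frame, hdr)
}

// Open authenticates and decrypts a packet, refusing anything that was
// modified, replayed or delivered out of order.
func (l *Link) Open(pkt []byte) (uint64, []byte, error) {
	if len(pkt) < 8+l.aead.Overhead() {
		return 0, nil, errors.New("short packet")
	}
	hdr, body := pkt[:8], pkt[8:]
	frameNo := binary.BigEndian.Uint64(hdr)
	if frameNo < l.next {
		return 0, nil, errors.New("replayed or out-of-order frame")
	}
	plain, err := l.aead.Open(nil, l.nonceFor(frameNo), body, hdr)
	if err != nil {
		return 0, nil, errors.New("authentication failed")
	}
	l.next = frameNo + 1
	return frameNo, plain, nil
}

func main() {
	key := make([]byte, 32) // constructed session key for the demo
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	tx, _ := NewLink(key) // aircraft side
	rx, _ := NewLink(key) // ground station side
	frame := []byte("constructed frame 0: camera bytes")
	pkt := tx.Seal(0, frame)
	// A passive listener on the downlink captures pkt and nothing else.
	fmt.Printf("on air: %d bytes, plaintext visible: %v\n", len(pkt), bytes.Contains(pkt, frame))
	if _, got, err := rx.Open(pkt); err == nil {
		fmt.Println("ground station decoded:", string(got))
	}
	tampered := tx.Seal(1, []byte("constructed frame 1"))
	tampered[12] ^= 0x01 // one ciphertext bit flipped in transit
	_, _, err := rx.Open(tampered)
	fmt.Println("tampered frame:", err)
	_, _, err = rx.Open(pkt) // a captured frame re-sent later
	fmt.Println("replayed frame:", err)
}
```

Each frame costs one AES-GCM pass over its bytes plus a 16-byte tag and an 8-byte header, which is the per-frame overhead the post refers to when it notes that high-definition video is far more demanding to encrypt than audio; the replay window here is a strict monotonic counter, which is the simplest policy for a live feed where late frames are useless anyway.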

Italian Air Force website hacked?

On Nov. 2, I typed the URL http://www.aeronautica.difesa.it to get the latest news from the website of the Aeronautica Militare (Italian Air Force, ItAF) but I got the following message:

It looks like the website has been reported as compromised, with malware injected into its pages. According to Google, in the last 90 days suspicious activity has been reported 3 times, and 135 out of the 563 pages visited by Google caused the download of malicious code.

The last time the website was checked was Nov. 2, 2009, while the last time malicious code was detected on the site was Oct. 30, 2009 (again, according to Google).
By ignoring the message I got access to the homepage of the ItAF website, which is temporarily unavailable because it is currently under maintenance, as you can see from the screenshot below. What is not clear right now is whether the ItAF website is being updated because it was hacked with malicious code, or whether it is undergoing maintenance that has nothing to do with the malicious code inserted in some of its internal pages.