8 Jul, 2015 13:35

‘Military hardware governed by US software equally vulnerable to hackers’

Any software or hardware coming from US corporations might have backdoors built in, which means that those using and deploying it - like the German government - don’t have full control of their weapons, says former MI5 agent Annie Machon.

The American-made missile systems belonging to the German Bundeswehr and stationed in Turkey are reported to have become a target to computer hackers. According to a German media report the system began carrying out “unexplained” orders. A spokesman for the German Federal Ministry of Defense rebuffed the claims saying “there is no basis” for such an attack.

RT:Are these modern weapon systems really that vulnerable to hackers? Scary if they are.

Annie Machon: I think any system that is based on computer software is going to be vulnerable to hackers. These systems will be probed by other states, government level agencies. They will be probed possibly by corporations that are paid to do so, to test the resilience of the encryption around these systems and they could well be probed by hacktivists who just want to see what is possible and perhaps highlight the flaws and highlight vulnerabilities.

I think what we are seeing here is a parallel with some of the disclosures that Edward Snowden has come out with over the last few years, which have shown that US-based software is often very closed, very proprietary, nobody is allowed to see what the codes contain and the NSA has lent on companies to make sure that backdoors are built-in, which is for the NSA and its vassal states to look at. But also it allows vulnerabilities to other actors who might want to get in and have a nose around the systems. So what happens with other software means that the military hardware governed by US-based software can be equally vulnerable.

RT:The German magazine reporting the breach mentions two weak spots that could have been exploited by hackers. How is that possible, that such knowledge is even made public?

AM: It depends who’s been doing the hacking, I suppose. It probably argues against a corporation trying to expose vulnerabilities in the interests of upping the encryption and the security around it. It might be an active state trying to work against this software; it might be hackers just having a look around and see what they can do.

RT:The publication also mentions 'unexplained' orders. What might those be? How dangerous might that be?

AM: Well indeed, yes. Who has the finger on the trigger? This is a basic problem for partners of the US. If they buy US software, if they buy US military hardware, do they really have control of it? It’s a bit like the UK nuclear capability not necessarily they have to get permission of the US to launch that capability. Any other software, any other hardware that is based and coming from US corporations and US military corporations it might necessarily have this sort of backdoors built in, which means that the people who are using it, deploying it like the German government don’t necessarily have full control of their weapons. Now any country that is serious about it, its national security, its national interest should surely be building its own weaponry. And it should be making sure that it’s developing its own population knowledge base, its skills base to be able to do that too. Otherwise they are dependent on a so-called ally who might therefore in a few years turn around and spy on them.

‘Weapons systems technicians don’t always realize they’re connected to internet’

Once a device is exposed to the internet anyone can access it and we shouldn’t rely on the good will of strangers not to access weapon systems, says cyber security expert Billy Rios, who favors building better security practices instead.

RT:The German government denies any hack took place. But from what the media's reporting, do you think it's possible for hackers to override missile systems?

Billy Rios: It’s certainly possible. It’s surprising how these weapon systems become connected to computer networks and even to the internet, and so I think some of the folks who even run those systems - like missiles and aircraft - they don’t even really understand how these systems get connected in the first place because they don’t have a basic understanding of how they work and how to operate them. So it’s certainly possible.

Cyber-security expert Winn Schwartau on allegedly hacked German missiles: “These systems should not be connected to other systems; they should not be connected to the internet. If in fact criminal hackers have found a way to penetrate these systems that means that the management and the designers have got a misconfigured system and they’ve got a big problem on their hands. That’s if these reports are true.”

RT:How could such a hack work?

BR: It’s surprising how these things get connected to the internet or to the network. Normally it doesn’t start off that way. Normally it’s through an upgrade of some type: One day it’s not connected and the next day it is. The surprising thing is that people who are working on these systems usually don’t realize that they are connected. That’s probably the most typical thing that we see is some kind of upgrade like that. And once it’s exposed to the internet anyone can access that device and it’s really just a computer at that point in time and it’s subject to the same things we deal with on our regular computers and laptops, like vulnerabilities, exploits and software holes. Those can definitely exist in those systems as well.

RT:How vulnerable are these systems then? Could it be possible for hackers to start firing weapons?

BR: That’s a good question. I think each system is different so each individual weapon system probably presents a different set of systems that someone would have to penetrate in order to take control of it, but that’s a good question for commanders to be asking themselves: “Hey, are our systems connected, are they connected to the internet, have we had any recent upgrades that make these things smart, like a smart weapon, where it can transmit data to and from other places?” And they need to do assessments against those exposures to determine what the capability of an attack would be, if they would be able to take over a system, deny the ability to use or degrade the capability of the weapon system. It’s an important question, I think a lot of military commanders should be asking themselves and that’s probably a question they are not very comfortable asking themselves, to be honest.

RT:What could the motivation be here?

BR: I think you had on the key word there: motivation. I never try to guess what someone’s motivations are. It’s really difficult. In fact, we shouldn’t be relying on the good will of strangers not to do bad things to our computer systems and our military weapon systems. Instead we should just build in good security engineering practices, so if even someone wanted to do this we would be able to stop him from doing it. It’s really more of a question of what’s the engineering look like as far as the resiliency and cyber security, more than what’s the motivation of someone because motivations change easily and they are very difficult to guess. Engineering is real, it’s tangible and it all stops someone even if the motivations are bad.