A series of encryption and software issues in drones operated by the U.S. military remain unresolved, prompting concern among some security experts, according to recent reports.
Despite a 2008 warning that enemy militants were tapping into unencrypted drone video feeds, more than half of the U.S. military fleet of Predator and Reaper drones still broadcasts classified streams unsecurely, according to Wired’s Danger Room blog. The blog noted that intercepted video footage from U.S. drones was found on the computers of Shi’ite militants in Iraq in 2008. The footage was obtained using $26 software.
Despite promises from the Pentagon and defense manufacturers that the aircraft would be retrofitted with encrypted transceivers, Danger Room cited a confidential source familiar with the program who claimed the U.S. fleet of Predator and Reaper drones will not be fully secure until 2014. The source said that currently only 30 to 50 percent of the drones have encrypted transmissions. Although several sources said no new incidents of militants accessing drone transmissions have been discovered, it is impossible to rule out the possibility that such an attack has happened.
A longstanding security struggle
In addition to encryption problems, drones have exhibited other embedded software flaws. A recent Washington Post story detailed an instance in 2011 in which a parked Predator drone started its engine without human direction, despite the fact that the ignition had been turned off. According to the newspaper, technicians concluded there was a software bug in the “brains” of the drone, but never offered a more technical explanation.
“After that whole starting-itself incident, we were fairly wary of the aircraft and watched it pretty closely,” one Air Force squadron commander said, according to the Post. “Right now, I still think the software is not good.”
According to Danger Room, the encryption problem with Predator drones dates back to the earliest models, which did not have the payload at the time to carry heavy radio encryption systems. Predator and Reaper drones communicate using two types of signals. Encrypted satellite feeds provide a link to operators, who may be on the other side of the world, while communication with troops on the ground is handled using a radio frequency called the Common Data Link (CDL). The CDL signal receivers were not originally designed for encryption, focusing instead on fast, mobile deployment.
”Standard unencrypted video is basically a broadcast to whoever can figure out the right carrier frequency, so essentially, we are simulcasting to battlefield commanders and the opposing force,” one Navy unmanned aerial vehicle (UAV) developer told Danger Room. “If that opposing force knows we can see them and from where, they can take better evasive maneuvers.”
The blog reported that the majority of Navy drones are encrypted and that Army drones are the ones lagging behind. While militants may have little value for drone video feeds, the fact remains that such information is considered classified and often directly informs commanders’ decisions.
A military threat
While such embedded security flaws could potentially be prevented with more thorough testing, they remain unresolved, Danger Room noted. Nobody familiar with UAVs currently believes that the drone fleet is vulnerable to a hacker taking control and piloting an aircraft, but the fact that hundreds of U.S. military drones operate above sensitive areas such as Libya, Yemen, Somalia, Pakistan and Afghanistan means that any flaw could constitute a national cybersecurity threat.
“If somebody could obtain reliable access to real-time Predator or Reaper video – without attribution or alerting U.S. military – that would a tremendous intel coup,” says Micah Zenko, a fellow at the Council on Foreign Relations told Danger Room.