This just makes me sad. Two articles, one in the WSJ, the other on CNN, describing how insurgents in Iraq are hacking predator drones and receiving the video feeds that the drones are sending back to U.S. ground stations.  First things first, let’s fix the headlines. Both are running something like “Iraqi insurgents hacked Predator drone feeds.” That should more clearly read: “Iraqi insurgents watching the videos that the Predator drone sends out unencrypted.” Or maybe “Iraqi insurgents watch Predator drone feeds on TV.”
If you look into the article, you find that insurgents are apparently using a $26 piece of software that takes satellite data and saves the parts of it that might not be intended for your computer. Essentially, it monitors the data that is sent and, when it sees a file being transferred, saves it to your hard drive, regardless of whether or not your computer was the intended destination.
Now, I’ve been doing computer security work for over a decade. I was the first person at my university to implement anti-virus in email, I was the first to require a department to use all-encrypted communication for transmitting passwords. I discovered one of the earliest IRC-based botnets. I’ve found vulnerabilities in financial systems. I’ve seen … [a]ttack ships on fire off the shoulder of Orion. I’ve watched C-beams glitter in the dark near the Tannhauser Gate. Er, some of that last bit may have been someone else, but you get the idea.
This stuff isn’t that hard. SSL is over 15 years old, we know how to do encryption. Hell, back in the 90s when we were developing the Predator, the U.S. was treating encryption as a munition – you had to get the government’s blessing to use decent encryption. Is it too much to ask that an actual weapon include the munition that was encryption? And this from the WSJ article strikes me as BS:
Predator drones are built by General Atomics Aeronautical Systems Inc. of San Diego. Some of its communications technology is proprietary, so widely used encryption systems aren’t readily compatible, said people familiar with the matter.
In an email, a spokeswoman said that for security reasons, the company couldn’t comment on “specific data link capabilities and limitations.”
Or more to the point, entirely irrelevant. First, the communication system can’t be *that* proprietary, since the commercial (if somewhat sketchy) SkyGrabber software can read the transmissions. Second, you developed a proprietary communication system in the mid to late 90s and didn’t include encryption? That’s the sort of thing that makes the baby Bruce Schneier cry.
On the other hand, this from CNN seems far more likely:
A senior defense official who was not authorized to speak about the security breach said, “This was an old issue for us and it has been taken care of,” but he would not elaborate on what specifically had been taken care of.
The official said that many of the UAV feeds need to be sent out live to numerous people at one time, and encryption was found to slow the real-time link. The encryption therefore was removed from many feeds.
Removing the encryption, however, allowed outsiders with the correct tools to gain unauthorized access to these feeds.
I’ll buy that. There are certainly a few encryption schemes that will send encrypted data to multiple parties; hell, at the very least, you could use symmetric encryption with shared keys. But that kinda sucks. Most commercial communication encryption technology assumes point-to-point transfers. If you wanted to send the same data to many people… you send it multiple times.
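To make the "symmetric encryption with shared keys" option concrete, here is an added example (mine, not code from the post, General Atomics, or the Predator program) of the encrypt-once, receive-many pattern: each cleared ground station is provisioned out of band with its own long-term key-encryption key (KEK); the sender picks a random group content key, wraps it once per authorized receiver in a small header, and then encrypts every video frame exactly once under the content key. Dropping a receiver from the next rekey header revokes it without touching anyone else. The cipher is an assumption for portability: CTR mode over HMAC-SHA256 with an encrypt-then-MAC tag, standing in for AES-GCM so the block runs on a stock Python install. Receiver names, key sizes and the sample frames are constructed.

```python
import hashlib
import hmac
import os
import struct

TAG_LEN = 16
NONCE_LEN = 12


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """CTR-mode keystream using HMAC-SHA256 as the PRF (stdlib stand-in for AES-CTR)."""
    blocks, counter = bytearray(), 0
    while len(blocks) < length:
        blocks += hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(blocks[:length])


def _subkeys(key: bytes):
    """Separate encryption and MAC keys so one key is never used for both purposes."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def seal(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    return nonce + ct + tag


def open_(key: bytes, packet: bytes):
    """Verify the tag (constant time) before decrypting; None on any failure."""
    if len(packet) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ct, tag = packet[:NONCE_LEN], packet[NONCE_LEN:-TAG_LEN], packet[-TAG_LEN:]
    enc_key, mac_key = _subkeys(key)
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(expected, tag):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class GroundStation:
    """Sender side: one encryption per frame, however many receivers there are."""
    def __init__(self, receiver_keks: dict):
        self.keks = receiver_keks      # per-receiver KEKs, assumed provisioned out of band
        self.content_key, self.seq = None, 0

    def rekey(self, authorized) -> dict:
        """Fresh content key wrapped for each authorized receiver; omission == revocation."""
        self.content_key, self.seq = os.urandom(32), 0
        return {rid: seal(self.keks[rid], os.urandom(NONCE_LEN), self.content_key)
                for rid in authorized}

    def broadcast(self, frame: bytes) -> bytes:
        """The monotonically increasing sequence number doubles as the nonce."""
        self.seq += 1
        return seal(self.content_key, self.seq.to_bytes(NONCE_LEN, "big"), frame)


class Receiver:
    def __init__(self, rid: str, kek: bytes):
        self.rid, self.kek = rid, kek
        self.content_key, self.last_seq = None, 0

    def accept_header(self, header: dict) -> bool:
        """Unwrap the content key with our own KEK; False if we were not in the authorized set."""
        self.content_key = open_(self.kek, header[self.rid]) if self.rid in header else None
        self.last_seq = 0
        return self.content_key is not None

    def accept_frame(self, packet: bytes):
        """Plaintext frame, or None if we lack the key, the tag fails, or the packet is a replay."""
        if self.content_key is None:
            return None
        seq = int.from_bytes(packet[:NONCE_LEN], "big")
        if seq <= self.last_seq:              # replay or stale packet: drop it
            return None
        frame = open_(self.content_key, packet)
        if frame is not None:                 # only authentic packets advance the watermark
            self.last_seq = seq
        return frame


def demo() -> dict:
    """Constructed scenario: three provisioned stations, one outsider, a mid-stream revocation."""
    keks = {rid: os.urandom(32) for rid in ("alpha", "bravo", "charlie")}
    station = GroundStation(keks)
    stations = {rid: Receiver(rid, kek) for rid, kek in keks.items()}
    outsider = Receiver("outsider", os.urandom(32))   # has the software, but no provisioned key
    results = {}

    header = station.rekey(["alpha", "bravo"])         # charlie is not cleared for this feed
    results["joins"] = {rid: r.accept_header(header) for rid, r in stations.items()}
    results["outsider_joins"] = outsider.accept_header(header)

    packet = station.broadcast(b"frame-0001: constructed sample video bytes")
    tampered = packet[:-TAG_LEN - 1] + bytes([packet[-TAG_LEN - 1] ^ 1]) + packet[-TAG_LEN:]
    results["tampered"] = stations["bravo"].accept_frame(tampered)   # one flipped ciphertext byte
    results["alpha"] = stations["alpha"].accept_frame(packet)
    results["bravo"] = stations["bravo"].accept_frame(packet)
    results["charlie"] = stations["charlie"].accept_frame(packet)
    results["outsider"] = outsider.accept_frame(packet)
    results["replay"] = stations["alpha"].accept_frame(packet)

    header = station.rekey(["alpha"])                  # revoke bravo by not wrapping for it
    for r in stations.values():
        r.accept_header(header)
    packet = station.broadcast(b"frame-0002")
    results["bravo_after_revoke"] = stations["bravo"].accept_frame(packet)
    results["alpha_after_revoke"] = stations["alpha"].accept_frame(packet)
    return results


if __name__ == "__main__":
    print(demo())
```

The per-frame cost on the sender is one keystream pass and one MAC regardless of how many stations are listening, which is the property the CNN quote's "encryption slowed the real-time link" explanation does not account for; the price of the scheme is key management (provisioning KEKs and rotating the content key), not bandwidth or latency.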
Regardless, this is just embarrassing. These days I’m doing security modelling work and if this is the sort of thing that we’ll have to consider, I’m going to sink into