Hacked Drones New Wake-Up Call for Enterprises
Though it may not literally be a matter of life or death, security analysts say this week's revelation that Iraqi insurgents were tapping into live video feeds from U.S. Predator drones should have enterprises reevaluating the security applications and processes they're using to safeguard their wireless networks.
According to a story first reported in the Wall Street Journal, Iraqi militants for years have been using an off-the-shelf application called SkyGrabber to intercept unencrypted live feeds transmitted from unmanned aerial vehicles (UAVs) used to surveil and bomb suspected Al Qaeda and Taliban members.
SkyGrabber, which can be purchased online for $25.95 (and can also be downloaded for a free 15-day trial), is marketed as an application that intercepts satellite data including movies, music and pictures and then saves the stolen data on a user's hard drive. The fact that it doesn't require an Internet connection to gather all this content floating around in the wireless spectrum apparently made it even more appealing to the insurgents.
On Friday morning, Pentagon officials said the security breach was closed.
"It's an old issue that was addressed and fixed," an unnamed defense official told the WSJ.
These UAVs have become central to how the U.S. military does business in the Middle East. They provide real-time intelligence and a weapon to strike at the enemy without putting American soldiers at risk. According to the Department of Defense, more than 36 percent of the Air Force's 2010 budget will be spent on new drones like the Predator.
This reliance on new technologies, particularly those that transmit sensitive data over wireless networks, has the military and private sector businesses rethinking how they develop new applications and products and what security measures they need to take before it's too late.
"Every capability comes with its advantages, disadvantages, benefits as well as potential weaknesses," Pentagon spokesman Bryan Whitman told the WSJ. "As you develop those (technologies) you have to be mindful of how the enemy can counteract any technology that you have."
"That's why you always have a constant review process in place to not only improve that capability but address any vulnerabilities it may have," he added.
Lessons from the hacked drone incident
While constant review is certainly necessary, security experts said enterprise customers can learn a lot from the military's embarrassing missteps by dedicating more thought and investment to security before launching a new application or business process in their organizations.
"No business today would ever even think about sending out credit card or customer data that wasn't encrypted," Gartner analyst John Pescatore told InternetNews.com. "What I tell CIOs is that any wireless bits in motion have to be encrypted just like you'd encrypt any data you sent over the Internet."
Pescatore said companies often make the mistake of downgrading the importance of security during the initial design phase of a new application or product rollout. Because the designers and business decision makers are so consumed with getting the application out and in use, they're more focused on building something that works rather than considering how the "bad guys" might compromise it for their own uses.
"Imagine the design meeting for one of these [UAVs]," he said. "They probably said to themselves: 'Adding this extra security might add a pound to the payload and decrease its range somewhat or mean two minutes less that it can be in the air.'
"At the time, it might have been the perfect rationale because the threat was underestimated," Pescatore added. "But does the benefit outweigh the cost? You have to remember that another important benefit is keeping the bad guys from seeing what we're seeing."