Though it may not literally be a matter of life or death, security analysts say this week’s revelation that Iraqi insurgents were tapping into live video feeds from U.S. Predator drones should have enterprises reevaluating the security applications and processes they’re using to safeguard their wireless networks.
According to a story first reported in the Wall Street Journal, Iraqi militants for years have been using an off-the-shelf application called SkyGrabber to intercept unencrypted live feeds transmitted from unmanned aerial vehicles (UAVs) used to surveil and bomb suspected Al Qaeda and Taliban members.
SkyGrabber, which can be purchased online for $25.95 (and can also be downloaded for a free 15-day trial), is marketed as an application that intercepts satellite data including movies, music and pictures and then saves the stolen data on a user’s hard drive. The fact that it doesn’t require an Internet connection to gather all this content floating around in the wireless spectrum apparently made it even more appealing to the insurgents.
On Friday morning, Pentagon officials said the security breach was closed.
“It’s an old issue that was addressed and fixed,” an unnamed defense official told the WSJ.
These UAVs have become central to how the U.S. military does business in the Middle East. They provide real-time intelligence and a weapon to strike at the enemy without putting American soldiers at risk. According to the Department of Defense, more than 36 percent of the Air Force’s 2010 budget will be spent on new drones like the Predator.
This reliance on new technologies, particularly those that transmit sensitive data over wireless networks, has the military and private sector businesses rethinking how they develop new applications and products and what security measures they need to take before it’s too late.
“Every capability comes with its advantages, disadvantages, benefits as well as potential weaknesses,” Pentagon spokesman Bryan Whitman told the WSJ. “As you develop those (technologies) you have to be mindful of how the enemy can counteract any technology that you have.”
“That’s why you always have a constant review process in place to not only improve that capability but address any vulnerabilities it may have,” he added.
Lessons from the hacked drone incident
While constant review is certainly necessary, security experts said enterprise customers can learn a lot from the military’s embarrassing missteps by dedicating more thought and investment to security before launching a new application or business process in their organizations.
“No business today would ever even think about sending out credit card or customer data that wasn’t encrypted,” Gartner analyst John Pescatore told InternetNews.com. “What I tell CIOs is that any wireless bits in motion have to be encrypted just like you’d encrypt any data you sent over the Internet.”
Pescatore said companies often make the mistake of downgrading the importance of security during the initial design phase of a new application or product rollout. Because the designers and business decision makers are so consumed with getting the application out and in use, they’re more focused on building something that works rather than considering how the “bad guys” might compromise it for their own uses.
“Imagine the design meeting for one of these [UAVs],” he said. “They probably said to themselves: ‘Adding this extra security might add a pound to the payload and decrease its range somewhat or mean two minutes less that it can be in the air.’
“At the time, it might have been the perfect rationale because the threat was underestimated,” Pescatore added. “But does the benefit outweigh the cost? You have to remember that another important benefit is keeping the bad guys from seeing what we’re seeing.”
A bottoms-up approach to security
Embracing and encouraging technologies such as virtualization, cloud computing, mobile devices and, especially, Web 2.0 tools such as social networking applications, blogs and wikis is creating new security concerns for enterprises that require a bottom-up approach to security, analysts said.
“Organizations need to spend time to clearly understand their risk posture,” Dwayne Melancon, vice president of configuration assessment and change auditing software maker Tripwire, said in an e-mail to InternetNews.com. “It’s often the ‘little things’ that compromise security such as, in the case of the drones, transmitting sensitive data ‘in the clear’ where others can gain uncontrolled access to it.”
A recent study, conducted jointly by Traverse City, Mich. security researcher Ponemon Institute and CA, found that 79 percent of enterprise CIOs predict that the increasing reliance on collaboration tools will significantly increase the amount of unstructured and sensitive data that is not adequately protected or secured.
“In this day and age, the person who intercepts the data might not even care and might not even be evil,” Pescatore said. “He might pass it along inadvertently or on purpose. It’s not that expensive to turn encryption on for these wireless systems. It’s definitely more expensive to try to do after the fact.”
The blogosphere weighs in
Reaction to the hacked drones on the NowPublic Newsroom blog ranged from shock to dispassion.
“How overblown,” someone with the moniker “SVJJ” wrote on the blog. “So you see the satellite feed. Whatcha gonna do about it? In the desert, there are no obvious landmarks…and if you do see a landmark, what are you gonna do then? Smile at the satellite before being blown to smithereens within seconds?”
Others were more disturbed by the security breach.
“Even if you didn’t have [SkyGrabber], there are fairly simple ways [to intercept the video feeds] with slightly modified receivers,” wrote a contributor identifying himself as Steve Packard. “I’m floored that the Pentagon would ever even consider sending video without the most basic security of any kind. DirecTV has a more secure signal than this!”
Pentagon officials said they first became aware of the security breach last year after apprehending a Shi’ite insurgent who had digital files of drone video feeds on his laptop. More files were found on other militants’ laptops in July.
While this particular security hole has finally been filled, analysts said the ramifications of such an embarrassing breach will surely impact an organization’s relationship with the public, its customers and its business partners.
“External perception of how you manage risk is a big deal whether governments or businesses are involved,” Melancon said. “When word gets out that you knew about a problem but haven’t been quick to resolve it, it often degrades public confidence in your ability to manage other risks.”
(Predator photo courtesy of Reuters.)