How to own a Predator drone in your spare time

This is seriously not good. It turns out that both military aircraft and drones transmit unencrypted video feeds of their activities:
How'd the militants manage to get access to such secret data? Basically by pointing satellite dishes up, and waiting for the drone feeds to pour in. According to the Journal, militants have exploited a weakness: The data links between the drone and the ground control station were never encrypted. Which meant that pretty much anyone could tap into the overhead surveillance that many commanders feel is America's most important advantage in its two wars. Pretty much anyone could intercept the feeds of the drones that are the focal point for the secret U.S. war in Pakistan.

Using cheap, downloadable programs like SkyGrabber, militants were apparently able to watch and record the video feed - and potentially be tipped off when U.S. and coalition forces are stalking them. The $26 software was originally designed to let users download movies and songs off of the internet. Turns out, the program lets you nab Predator drone feeds just as easily as pirated copies of The Hangover.

And here's the real scandal: Military officials have known about this potential vulnerability since the Bosnia campaign. That was over 10 years ago. And, as Declan McCullagh observes, there have been a series of government reports warning of the problem since then. But the Pentagon assumed that their adversaries in the Middle East and Central Asia wouldn't have the smarts to tap into the communications link. That's despite presentations like this 1996 doozy from Air Combat Command, which noted that "the Predator UAV is designed to operate with unencrypted data links."

...

Meanwhile, military officials assure are scrambling to plug the hole. "The difficulty, officials said, is that adding encryption to a network that is more than a decade old involves more than placing a new piece of equipment on individual drones," the Journal notes. "Instead, many components of the network linking the drones to their operators in the U.S., Afghanistan or Pakistan have to be upgraded to handle the changes."

So, obviously this isn't the best design anyone has ever heard of. It would be interesting to ask whether the control channels used to send commands to the drones are similarly unprotected.

In any case, there are two major technical obstacles to adding encryption to a system like this. The first is key management, as mentioned in the first linked article; you need to somehow get keys to the relevant people. The second is the problem of sending encrypted data around, as mentioned in the last graf.

I'm not overly worried about the need to upgrade individual network elements in between the drones and the operators: unless those elements actually process the data instead of passing it along, they should be relatively indifferent to whether the video is encrypted or not. I can imagine a couple of types of processing that would cause problems. For instance, if the intermediate elements compress the data with some lossy compression algorithm, this will interact badly with encrypted data, which is not only incompressible but also extremely sensitive to any damage. But if they're just relaying the data (which seems likely given that this seems to be all built with commodity protocols), that seems unlikely to cause any problems. It's not like all the routers on the Internet need to be upgraded whenever you get a new version of your Web browser.

As usual, the key management problem is more serious, as suggested by this paragraph:

"Can these feeds be encrypted with 99.5 percent chance of no compromise? Absolutely! Can you guarantee that all the encryption keys make it down to the lowest levels in the Army or USMC [United States Marine Corps]? No way," adds a second Air Force officer, familiar with the ROVER issue. "Do they trust their soldiers/Marines with these encryption keys? Don't know that."

As there are no encryption keys at all in the current environment, it's hard to see how the situation could get any worse by giving them to every marine in the field, but it's understandable that one would want to do a little better. In this case, we actually have two kinds of capabilities to deal with: those required to view the video feed and (in the case of drones) those required to remotely control them. These aren't necessarily going to be issued to the same people: you may want soldiers in the field to be able to view the video feed from the drones, but fun as it might be there's no real reason to let them pilot the thing. Since only authorized pilots are likely to be allowed to operate the drone, key management here seems pretty simple: just have a key manually shared between the operator and the drone.

One-way video feeds to soldiers in the field require a slightly more sophisticated system, but it's not inherently complicated, as we can use the same schemes used for broadcast encryption: We have a key of the day (or the hour or whatever) and we use that to encrypt the video. Each device has its own key and we periodically broadcast the key of the day encrypted under the device key. If a device gets lost or stolen, we just stop encrypting under that key. This doesn't work that well for video encryption because it's easy to get a decryption box and so attackers can just get a box and extract the key. Presumably soldiers in the field do a better job of keeping their viewing units in their possession and don't deliberately give them to the Taliban and we can periodically verify that they still have them. And as noted above, it's not like any encryption system we deploy is going to make the system less secure, so it's not like it has to be perfect.
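The key-of-the-day scheme described above, as an added sketch that is not part of the original post. HMAC-SHA256 from the Python standard library stands in for a real key-wrap or AEAD primitive, and `KeyServer`, `receive` and the unit names are hypothetical.

```python
import hashlib, hmac, os

def _prf(key, label, data):
    # HMAC-SHA256 as a PRF; stdlib stand-in for a real key-wrap or AEAD.
    return hmac.new(key, label + data, hashlib.sha256).digest()

def wrap(device_key, content_key):
    """Encrypt-then-MAC a 32-byte content key under one device key."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(content_key, _prf(device_key, b"pad", nonce)))
    return nonce + ct + _prf(device_key, b"tag", nonce + ct)

def unwrap(device_key, blob):
    """Return the content key, or None if the blob was not made for this key."""
    nonce, ct, tag = blob[:16], blob[16:48], blob[48:]
    if not hmac.compare_digest(tag, _prf(device_key, b"tag", nonce + ct)):
        return None
    return bytes(a ^ b for a, b in zip(ct, _prf(device_key, b"pad", nonce)))

class KeyServer:
    def __init__(self):
        self.device_keys = {}   # device id -> long-term device key
        self.revoked = set()    # units reported lost or stolen

    def enroll(self, device_id):
        self.device_keys[device_id] = os.urandom(32)
        return self.device_keys[device_id]   # loaded into the viewing unit

    def revoke(self, device_id):
        self.revoked.add(device_id)

    def rekey(self):
        """Pick a new key of the day and build the broadcast rekey message."""
        kod = os.urandom(32)
        msg = {d: wrap(k, kod) for d, k in self.device_keys.items()
               if d not in self.revoked}     # revoked units get no entry
        return kod, msg

def receive(device_id, device_key, msg):
    """Viewing-unit side: recover the key of the day from the broadcast."""
    blob = msg.get(device_id)
    return unwrap(device_key, blob) if blob else None

def demo():
    server = KeyServer()
    units = {n: server.enroll(n) for n in ("unit-a", "unit-b", "unit-c")}  # constructed ids
    kod1, msg1 = server.rekey()
    day1 = {n: receive(n, k, msg1) == kod1 for n, k in units.items()}
    server.revoke("unit-b")                  # unit-b reported lost
    kod2, msg2 = server.rekey()
    day2 = {n: receive(n, k, msg2) == kod2 for n, k in units.items()}
    return day1, day2
```

A revoked unit still holds the previous key of the day, so it can keep decrypting until the next rekey; the rekey interval bounds that exposure.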

Acknowledgement: Perry Metzger pointed this story out to me.

3 Comments

I don't have a comment for this post, I just wanted to say I was browsing through Savage Love archives and I really enjoyed your guest spot on his column. Thanks for the good read!

I don't see why key management would be difficult. They already have a key distribution system; guys that go around and re-key all crypto units. I would bet that the soldier that is viewing the video stream is also carrying an encrypted radio that has keys loaded.

I think you've got the Army's threat model upside down. Many Army guys are worried that encrypting the video will make it more difficult for US soldiers in the field to view, because those soldiers might not have the right key. From that angle the risk is minimized now because the video is unencrypted.

You're writing as if the risk is that the enemy will see the video, so encryption will reduce that risk even if the keys might sometime leak.

The Army isn't afraid the keys will leak-- it's afraid the keys won't get to authorized users. Parts of the Army are also afraid that the folks who issue the keys will restrict who they give them to for intramural power-struggle reasons ("(secret) knowledge is power").

Personally, I think we should worry about your threats, but I recognize that many soldiers figure they'll be more hampered by loss of intel (whether due to key distribution problems or bureaucratic infighting) than by leaks. "After all," they'll rationalize, "the enemy already knows what he is up to-- the drones are to help us see what he's up to."

We should limit access to drone video because it invariably leaks info about US forces (directly, in that the drones may image US or allied forces; indirectly, in that drone routing reveals what US forces already know or think is interesting), and drone video provides intel about the battlefield and other (e.g., civilian) actors on it, and finally drone info provides the enemy with the feedback they need to improve their camouflage, movement security, etc. However, to many grunts, those are all "abstract" considerations which they weigh against the display-filled-of-hash inconvenience they fear.
