The MQ-9 Reaper, according to the U.S. Air Force, “is an armed, multi-mission, medium-altitude, long-endurance remotely piloted aircraft that is employed primarily against dynamic execution targets and secondarily as an intelligence collection asset. Given its significant loiter time, wide-range sensors, multi-mode communications suite, and precision weapons — it provides a unique capability to perform strike, coordination, and reconnaissance against high-value, fleeting, and time-sensitive targets.” It can carry just under two tons of missiles and bombs, has very sophisticated visual sensors, can fly as high as 50,000 feet and can stay aloft for a long, and highly classified, period of time.
You wouldn’t expect to find a user manual for the MQ-9 Reaper online. But if you know where to look on the dark web, you can.
Internet security company Recorded Future discovered the hack. As they tell it, the hacker exploited a well-known Netgear router flaw to download numerous classified materials from an unsuspecting Air Force captain’s computer.
What’s disturbing isn’t just that U.S. military secrets are available for sale on the web, although that’s disturbing enough. No, what’s most worrisome is that this flaw has been known for more than two years and the Air Force still has Netgear equipment that hasn’t been patched.
In early 2016, several security researchers publicly announced that Netgear routers with remote data access capabilities were susceptible to malicious attacks if the default file transfer protocol (FTP) authentication credentials were not updated. More than two years after the vulnerability was first discovered, and the fix announced, the Air Force is still using unpatched equipment.
Among the documents stolen and for sale was the victim’s “Cyber Awareness” course completion certificate.
But, really, it wasn’t anything that this captain at 432d Aircraft Maintenance Squadron Reaper, stationed at the Creech Air Force Base in Nevada, did or didn’t do. The problem was in the Netgear router he or she used to connect to the internet. The problem was likely a civilian security contractor who failed to do his or her job.
The Netgear router at Creech Air Force Base isn’t the only unpatched Air Force router. The same hacker was offering to sell more than a dozen various training manuals describing improvised explosive device defeat tactics, an M1 ABRAMS tank operation manual, a crewman training and survival manual, and tank platoon tactics manuals. The hacker also told Recorded Future that while he was talking to them he was watching sensitive live footage from border surveillance cameras and airplanes. The actor was even bragging about accessing footage from an MQ-1 Predator flying over Choctawhatchee Bay in the Gulf of Mexico.
This was an unsophisticated, rudimentary attack. A single hacker with moderate technical skills went through Air Force security like wet Kleenex™. It’s frightening to think what a sophisticated attack by a hostile nation might do.
Put it on your long list of things to worry about.