Hacking the Predator drone: Cheaper than dinner and a movie

1 Predator drone: $4.5 million

Intercepting video from the Predator drone's unprotected communications link: $25.95

Predator drones are built by General Atomics Aeronautical Systems Inc. of San Diego. Some of its communications technology is proprietary, so widely used encryption systems aren't readily compatible, said people familiar with the matter.

Fixing the security gap would have caused delays, according to current and former military officials. It would have added to the Predator's price. Some officials worried that adding encryption would make it harder to quickly share time-sensitive data within the U.S. military, and with allies.

Today, the Air Force is buying hundreds of Reaper drones, a newer model, whose video feeds could be intercepted in much the same way as with the Predators, according to people familiar with the matter. A Reaper costs between $10 million and $12 million each and is faster and better armed than the Predator. General Atomics expects the Air Force to buy as many as 375 Reapers.

Wall Street Journal: Insurgents Hack U.S. Drones


  1. I’m mostly worried about this bit (from TFA):

    “The U.S. government has known about the flaw since the U.S. campaign in Bosnia in the 1990s, current and former officials said. But the Pentagon assumed local adversaries wouldn’t know how to exploit it, the officials said.”

    Curing an unencrypted communications channel is relatively simple, on the large scale. A modest amount of money, and a few competent engineers will do the trick. Curing massive arrogance, though, is hard, and often very ugly. An “eh, the locals are just ignorant sand farmers” attitude is the short path to learning about every new asymmetric warfare trick the hard way, over and over again.

  2. A recently posted intercept of a Predator drone was posted on a terrorist website that read “bring home milk for the baby predators”. While this is unconfirmed, I believe it shows that Predators are caring drones, and any reference to Tiger Woods is uncalled for.

  3. Idiots. If I didn’t secure my applications at work I would be fired. No one will be held accountable for this.

    1. “Hey I can see my house from here! Oh Wai…”

      “Hey I can see my house from here! Oh Shi…”

      There ftfy.

  4. A bit skeptical, here. I suspect this story was fed to short circuit a contracting process or add funding to a rehab effort. This concerns the sort of operational security “OpSec” stuff that they’re so often going on about being so terribly important to keep secret.

  5. Wait a minute, if we all live in the same world, why are we killing each other?

    Oh, that’s right. We drink different brands of God.

  6. Weren’t General Atomics the people who killed the wife of the main character of “Running Man”? Finally, some comeuppance.

  7. Fixing the security gap would have caused delays, according to current and former military officials. It would have added to the Predator’s price. Some officials worried that adding encryption would make it harder to quickly share time-sensitive data within the U.S. military, and with allies.

    “There’s a balance between pragmatics and sophistication,” said Mike Wynne, Air Force Secretary from 2005 to 2008.

    Even the military has to work under the pressures of budget, time, and pragmatic performance.

  8. Someone intercepting the video feed doesn’t seem like a huge deal to me, but I hope to every god anybody has ever worshiped that the control channels are very, very well encrypted. Their attitude doesn’t encourage me to trust that.

    1. I think you’d be surprised how different military actions can end up when their opponent knows what they’re doing.

  9. The story would be both epicer and failier if they were hacking the control link, and making multimillion dollar planes do face plants into mountains.

    Maybe it’s possible, but they don’t do it because it would lead to accelerated patching.

    1. The story would be both epicer and failier if they were hacking the control link, and making multimillion dollar planes do face plants into mountains.

      Something tells me that crashing into mountains probably wouldn’t be at the top of an insurgent’s to-do list if they had control of a plane carrying guided missiles.

    2. I’m not worried about face plants into mountains; I’m worrying about “return to sender”.

      (Never draw a gun unless you are sure you will use it. Too much risk of it being taken away and used against you.)

  10. Yesterday tech support at a major hospital told me that they were going to use FTP (a 38-year-old obsolete insecure protocol, even when used with SSL) to transfer legally protected health information, rather than SFTP (a modern secure file transfer method that piggybacks SSH), because modifying their firewall is too hard.

    The depth of technical ignorance amongst supposedly technical people is astounding. The lack of caring even more so!

    For the uninitiated, the firewall configuration to run SFTP and SSH is a single open port, with appropriate address restrictions, and no state management is required. By comparison, ancient crappy FTP requires stateful packet inspection (which is orders of magnitude more demanding and thus burdens your firewall and slows your internet connection accordingly) and constantly changing portholes. Furthermore, there are dozens of FTP implementations which are not interoperable, but all SFTP implementations are 100% compatible.

    So, the hospital staff are working harder to do it wrong, while violating federal law and possibly incurring prison time.

    All so they don’t have to learn how to do it right. Nobody should be using FTP or the Berkeley R-utilities for anything, they are obsolete and unnecessary.

    1. The sad part is that modifying firewalls can be hard, not from a technical standpoint, but from a procedural standpoint. Finding somebody to sponsor the change, somebody that can understand and approve it, etc. - that can be maddening.

      To a technical person that understands it, sftp is a no-brainer. Explaining this to a neophyte boss that is afraid of changing the way “we’ve always done it” doesn’t get you very far.

      Working with the application development team to use sftp rather than ftp is also another process that has its own special circle. They’ve done things the same way for years, and finding the person that knows where the transfer portion of the code is and how to modify that, and then find somebody that can admin the box and install all the proper libraries is mind numbing.

      In a world with no process and full admin rights, I’d have just written a wrapper and alias that accepted ftp syntax, then buffered for username and password, and made the change transparent. Let the users think they’re using FTP, but fix my firewall and their process all at once. Until it breaks, at which point I catch holy hell and get fired. And one could argue that working at that position is worse than not working at all, but that’s a different discussion.

      (The corollary to this is that the same management that doesn’t want to move off of trusted systems reads up on HIPAA regs and comes up with some obscure corner case example and insists that the entire network be restructured to accommodate scenario X. One that could be completely avoided if the app were just tweaked to use HTTPS rather than HTTP, but hey, let’s turn it into a network problem.)

      And this is just hospitals. They’ve got small-b bureaucracy, but Military? That’s Big B. Squared.

  11. And the government wonders why people hack into their computers. I’m no IT expert, and even I can properly configure a firewall. Why not buy 374 Reapers and spend the other 10-12 million on firewall configurations/software updates?

  12. Classic Security through Obscurity.

    I bet the control commands ride a separate channel or two and the trick is to find that channel among the different frequencies. Then the commands are probably in some oddball protocol with a drone-ID sig/code that would take a while to decode. You wouldn’t want to tell one to fire and have all the predators in the area fire at the same time.

    We’ve had frequency hopping radios for years but it’s a pain to co-ordinate so the command channel is fairly stable but may change between flights.

  13. “Some of its communications technology is proprietary, so widely used encryption systems aren’t readily compatible, said people familiar with the matter.”
    If only they had used open source drones, they would have quickly had a fix! :)

  14. They didn’t have time to spec a secure video channel, so they just went with a couple of those X10 Wireless Spy Cams!!!!

  15. “Some of its communications technology is proprietary, so widely used encryption systems aren’t readily compatible”

    What are they, analog? Because otherwise this is really the most staggering load of crap. It’s not like AES cares what protocol or data format you’re using. And as for the timely sharing of data, were they expecting allies and intelligence people to connect to the drone directly, without any access control? It isn’t as if you’re obliged to LEAVE the data encrypted once you’ve pulled it off the feed.

    1. “What are they, analog? Because otherwise this is really the most staggering load of crap.”
      Why yes, there are three modes of video transmission from the drone, and one of them is analog C-band, broadcast with an omnidirectional antenna.
      Think “West Virginia state flower”, BUD, and you’ll get the picture.

  16. My guess for how this happened is (at a minimum) that a) the performance penalty for encrypting and decrypting the video stream based on early 90s-spec computing power; b) the lack of availability of COTS technology to capture the feed when the Predator was designed; led to a decision not to encrypt the video feed.

    I’m sure somebody has a memo in their “Pearl Harbor folder” that points out the vulnerability.

  17. Skygrabber is for pulling content off satellite internet feeds – basically assembling frames that aren’t intended for your machine. Does this suggest that the drones are using two-way satellite internet to upload the video and sending it back down to the controller? Where are the drones controlled from?

    1. Depends on what stage of the flight they are in, but surprisingly- they are mostly controlled via satellite by a couple of guys sitting in an air-conditioned trailer in Nevada.

  18. @Colman — They are being controlled from Creech Air Force Base in Nevada, hence the need for satellite feeds. This information is widely known and reported in the media, as well as on Wikipedia.

  19. So what’s the point of using proprietary technology if it can easily be hacked using available tools? Oh, that’s right – to increase the cost.

    The Pentagon, providing desk jobs for people who aren’t competent enough to be trusted on the battlefield.

    1. Thank goodness 300 came out, because before that there was no way to be sure the battle of Marathon happened.

  20. The WSJ reporter was interviewed on a Boston radio show, available over the net here. At about five minutes into the broadcast, she says that the military set a tiger team to attacking the control channels, and found that they were vulnerable, but that there’s no evidence that the militants have done so yet. If true, I’m really surprised they would have told her about it.

    But then again, that’s not the only dubious statement in the air. If the software was really intended only for “free legal, content” on the internet, I’ve got a dacha to sell you in Novosibirsk…

  21. The video feed is openly accessible so Gary McKinnon can access it and NOT be extradited on criminal charges for embarrassing the US military.

  22. To add to that, most current autonomous military robots are thwarted by… a flashlight. Most vision is done with laser rangefinders. You can blind them pretty easily.

    I would also suggest that a reasonably simple Tesla coil could knock out communications to most radio-controlled things.

  23. This reminds me of the Blackboard debacle.

    A friend of mine back in college got taken to court for hacking (ie. exposing a gaping security hole) in the campus ident card one swiped through coke machines to debit a student account. The card ID was the student’s SSN (very dumb- they’ve fixed that since then). Blackboard claimed the data transmission was encrypted- it wasn’t. His “hack” pretty much just involved routing the line through his laptop and listening.

    Maybe the Pentagon should hire me as a consultant. I’m not too technical, but I could’ve told them to encrypt the transmission :)

  24. technogeek actually the quote is “Never draw a gun unless you are sure you are WILLING to use it.” Because there’s really nothing wrong with allowing people to surrender once you’re pointing a gun at them, you shouldn’t however rely on them to make that decision.

  25. They didn’t “hack” anything. They are using 25-dollar software called Sky Grabber to simply download satellite info. It’s available on the net. You can then see UNencrypted sat images etc. But you can’t see the encrypted stuff.

    You need a sat dish.

  26. I’m not sure why there is all this talk in the comments about firewalls. As far as I can tell, and I have looked into pulling video data from satellites but have not tried it due to lack of antenna and interface for my radio, this is transmitted video. Video and images are transmitted by satellites around certain standards, and there are programs designed to receive it- often with just an appropriate radio and a soundcard and software… nothing new or surprising there.

    I can’t believe they made the decision to leave it open though. It would have been easy enough to encrypt the video transmission, though the signal might have decayed non-gracefully. This does not take firewalls, it takes a nice long pre-shared key that would ideally differ for each sortie. I am sure they have some kind of authentication on the control… at least I really really hope they do… I suppose both of these data streams get beamed around via a network of satellites… bet those control signals might be subject to intentional interference, something that could possibly be much easier if you saw the transmitted video.
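The commenter above describes the two properties a protected video link needs: a key that differs for each sortie, and encryption that degrades gracefully when frames are lost over a noisy radio link. The following is an added example (not code from the original post or from any commenter) showing both: a per-sortie key derived from a long-lived pre-shared key, and per-frame authenticated encryption keyed by the frame number so that a dropped or corrupted frame spoils only itself. It uses only the Python standard library, so HMAC-SHA256 in counter mode stands in for what one would actually deploy (AES-GCM with the frame number as nonce); the salt, labels, tag length and sample frames are constructed for the demonstration.

```python
import hashlib
import hmac
import struct

TAG_LEN = 16  # bytes of truncated HMAC tag appended to every frame (constructed choice)


def derive_sortie_keys(psk: bytes, sortie_id: bytes) -> tuple[bytes, bytes]:
    """HKDF-style extract-then-expand: one long-lived pre-shared key, one fresh
    (encryption key, MAC key) pair per sortie. A key from sortie A opens nothing
    sealed under sortie B's key."""
    prk = hmac.new(b"constructed-salt", psk, hashlib.sha256).digest()
    enc_key = hmac.new(prk, b"enc|" + sortie_id, hashlib.sha256).digest()
    mac_key = hmac.new(prk, b"mac|" + sortie_id, hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(enc_key: bytes, frame_no: int, length: int) -> bytes:
    """Counter-mode keystream whose only state is (frame_no, block index), so each
    frame decrypts independently of every other frame. frame_no must never repeat
    under one sortie key; reusing it would reuse keystream."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(enc_key, struct.pack(">QQ", frame_no, block), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def seal_frame(keys: tuple[bytes, bytes], frame_no: int, frame: bytes) -> bytes:
    """Encrypt-then-MAC one video frame: header || ciphertext || tag."""
    enc_key, mac_key = keys
    header = struct.pack(">Q", frame_no)
    ct = bytes(a ^ b for a, b in zip(frame, _keystream(enc_key, frame_no, len(frame))))
    tag = hmac.new(mac_key, header + ct, hashlib.sha256).digest()[:TAG_LEN]
    return header + ct + tag


def open_frame(keys: tuple[bytes, bytes], sealed: bytes):
    """Return (frame_no, plaintext) or None if the frame is truncated, corrupted,
    or sealed under a different sortie's key. The tag is checked before any decryption."""
    enc_key, mac_key = keys
    if len(sealed) < 8 + TAG_LEN:
        return None
    header, ct, tag = sealed[:8], sealed[8:-TAG_LEN], sealed[-TAG_LEN:]
    expected = hmac.new(mac_key, header + ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        return None
    frame_no = struct.unpack(">Q", header)[0]
    pt = bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, frame_no, len(ct))))
    return frame_no, pt


def receive_stream(keys: tuple[bytes, bytes], sealed_frames):
    """Receiver side: decode whatever arrives. Because frames do not chain, a lost
    or damaged frame is simply counted and the next good frame still decodes."""
    recovered = {}
    rejected = 0
    for sealed in sealed_frames:
        result = open_frame(keys, sealed)
        if result is None:
            rejected += 1
        else:
            recovered[result[0]] = result[1]
    return recovered, rejected


if __name__ == "__main__":
    psk = bytes(range(32))                                  # constructed pre-shared key
    keys = derive_sortie_keys(psk, b"sortie-0001")
    frames = [b"frame-%d" % i for i in range(5)]            # constructed stand-in for video frames
    sealed = [seal_frame(keys, i, f) for i, f in enumerate(frames)]
    # Simulate the radio link: frame 2 is lost, frame 3 arrives with one bit flipped.
    damaged = sealed[3][:-1] + bytes([sealed[3][-1] ^ 0x01])
    got, bad = receive_stream(keys, [sealed[0], sealed[1], damaged, sealed[4]])
    print(sorted(got), "frames recovered,", bad, "rejected")
```

The receiver in a real deployment would also track the highest frame number seen and discard replays, and the frame number would ride in the clear exactly as here, because the header is authenticated by the tag but is needed before decryption can start.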

  27. Google Trends “SkyGrabber” (The software allegedly used to intercept the feeds) and this is what you get:

    1. Syria
    2. Libya
    3. Algeria
    4. Belarus
    5. Iran
    6. Tunisia
    7. Russian Federation
    8. Cyprus
    9. Ukraine
    10. Latvia

    Sketchy. It seems the largest bulk of the searches happened way back in 2006, too! I love how presumptuous the American military was about ‘ow dem towl heads aint gonna have the smarts to intercept unencrypted data. It’s like they assumed the enemy’s sole response was going to be to point at the sky with amazement and gesticulate in the direction of the flying object.

  28. I suspect that when this was a technology demonstrator they were using off-the-shelf analog “outside broadcast” microwave links. Then the CIA wanted the capability in the Bosnian war and they were pressed into service in spite of it being a “security through obscurity” situation.
    Subsequent stages of development used lower bit-rate digital video transmission that lends itself to encryption (and in Ku band with compression lends itself to satellite links), but users complained that the resolution wasn’t as good as the “old” version. So they got the ability to switch on the analog transmitter when they wanted a “detail” high frame-rate uncompressed signal, or when they wanted the special ops team on the ground to see the view of the observation drone.

    So as an operator you have a choice of Skype quality picture or broadcast video quality picture. Which do you watch?

    Bear in mind that the drone is a giant radio-location beacon for anyone with a spectrum analyzer and directional antenna, so unless we are confusing things with lots of extra missions on random-but-plausible itineraries then the Red team can have a pretty good idea of what we are interested in anyway…

  29. It has been a classic Western Culture tactic to misunderestimate the abilities of our enemies, frequently to result in both loss of life and societal embarrassment. The Taliban have use of the Internet, goddammit! Osama Bin Laden was trained as a civil engineer, fer chrissakes!

  30. Why doesn’t the article say how they do it?

    skygrabber software, a laptop, and a satellite dish. That’s all you need.
