Amid the DEF CON 2019 hacking conference in Las Vegas, Nevada, the USAF’s personally selected team of highly vetted “ethical hackers” took part in the aviation branch’s first-ever probing of the F-15’s Trusted Aircraft Information Download Station (TADS), which collects data from cameras and other sensors on the jet.
In a Wednesday cybersecurity article, the Washington Post reported that the seven hackers, housed in a hotel suite just 16 floors above the hotel conference, performed a number of attacks on the $20,000-apiece systems, ranging from the injection of malware to physically removing and cutting wires.
Five dismantled TADS systems later, Will Roper, a top acquisition official for the USAF, was briefed on the team’s findings on Saturday and concluded that the system’s weaknesses were the result of decades of military branch prioritizing time, efficiency and cost over security.
Additionally, the vetted hackers were able to identify software vulnerabilities previously pointed out by a different team in November that did not have physical access to the TADS. Despite the Air Force’s best attempts over the past few months, it would appear a number of these issues were never fully addressed.
“They were able to get back in through the back doors they already knew were open,” Roper told the Washington Post. “There are millions of lines of code that are in all of our aircraft, and if there’s one of them that’s flawed, then a country that can’t build a fighter to shoot down that aircraft might take it out with just a few keystrokes.”
According to the UK’s The Register, the hackers who did not have access to the TADS back in November found a total 22 software vulnerabilities in the F-15’s operating system.
Roper told the Post that he hopes the results of these tests of the system’s vulnerabilities will promote a continued openness to consulting non-military, but ethical hackers in the country. He also noted that without enlisting these cyber experts, the “best hackers from adversaries such as Russia, Iran and North Korea will find and exploit these vulnerabilities first.”
When not with his team of hackers, Roper was spotted scouting for new potential recruits at the “aviation hacking village” at DEF CON.
Though it’s unclear whether the USAF official was able to recruit any new cybersecurity experts and start funneling them through the vetting process, he did tell the Post that he plans to expand the range of systems available for future hackers to take a whack at, including an operational military satellite’s ground control system.
“We want to bring this community to bear on real weapons systems and real airplanes,” Roper explained. “And if they have vulnerabilities, it would be best to find them before we go into conflict.”
