Hacking nuclear submarines – how likely is the nightmare scenario?

Last July, the UK’s parliament voted overwhelmingly to renew Trident, its submarine-based nuclear weapons system. Almost a year later, experts argue that it’s vulnerable to cyberattack. Should we be worried?

The British American Security Information Council (Basic), a London-based thinktank, issued a report called Hacking UK Trident: A Growing Threat. It says that despite claims to the contrary, the system is vulnerable.

Trident, which Britain started using in the early 1990s, is the replacement for the Polaris missile system that had been operating since the 1960s. Four Vanguard submarines each carry eight Trident ballistic missiles, which in turn house independently targetable warheads each (they can carry up to 16 missiles if needed). The UK gets one sub out at a time while the others are docked for maintenance work or handling exercises.

When the submarine is cruising, it keeps quiet. The whole idea is that the enemy doesn’t know where it is, so that it can fire missiles even after a first strike. That makes it part of the deterrent system that keeps nuclear war both too close for comfort and inconceivable at the same time. The idea is that either side could launch an attack at a moment’s notice, but neither would because both have vowed to retaliate. No one wins.

That makes Trident one big, floating dead man’s switch, costing between £31bn and £179bn, depending on what you factor in and who you listen to. If no one can agree on how much the thing actually costs, can they get any more clarity on how secure it is?

Trident has one big security advantage: when a submarine is at sea, it’s very difficult to talk to. Communications are all one way, from the mainland, via low-frequency radio or satellite. There are no internet connections, in what’s commonly known as an air gap (shouldn’t that be a water gap?)

The UK government has always maintained that this isolated design makes the missiles secure and protects them from hackers. BASIC is far from convinced, calling this view “patently false and complacent”.

Its report explores the system’s vulnerabilities methodically, and says that there are ways in to Trident that could lead to a variety of outcomes: stopping missiles firing, exploding them early, or even destroying the vessel by hitting its reactor.

Let’s start with the outlandish stuff first. In the future, surveillance nano-drones could infiltrate the vessel, the report says. People could use subdermal skin implants and “advanced nano and bionic technologies” to compromise its systems. It worries about nano-surveillance drones that could somehow hack a sub from the outside. That’s all conjecture, though.

The report says that cutting-edge technology quickly outpaces large military projects like this, creating future disparities, between cyber attackers and submarine defenders. Perhaps, but it’s certainly not realistic now, and the establishment may develop countermeasures if and when such things develop.

Windows for Warships

So let’s talk about present-day threats. The report raises more realistic security issues that could get attackers through the air gap and affect things happening aboard the vessel. The subs get software patches and other fixes when in port, it says. Wouldn’t it be possible to install malware on its systems that could be triggered by an event such as a missile launch, or even set to execute at a certain time?

It points to the oft-cited story that the subs run Windows XP. Well they do, after a fashion, although it’s a customised version still under special support contract. It’s difficult to know just how customised, although it’s worth pointing out that the government rolled the thing out in 18 days, and that it’s also used across other naval systems. How susceptible could it be to malware? We can’t say.

Could someone install zero-day malware on the subs, or tinker with other control systems in port? Or perhaps they could get to one of the crew? This isn’t inconceivable. Tech is difficult enough to secure, but people and processes are far messier, in all sorts of ways.

Let’s not forget security concerns raised by nuclear whistleblower William McNeilly, who alleged severe laxity in the navy’s procedures. These holes could easily let someone into a base or on a sub, said the former engineering technician submariner, who claims that security is so lax he was able to scan the Trident instruction manual page by page on his phone while on the vessel. He says in his account:

The fact is it would’ve been even easier for me to cause a nuclear catastrophe than to gather that information.

So a rogue actor on board could be a possibility.

The other entirely conceivable attack is on the supply chain. Many contractors and subcontractors work on components for Trident. Attackers could infiltrate their systems and insert malware or other key attacks, it warns.

We’ve seen attempts at this before, some unsuccessful (because Sophos intercepted them) and some successful. One of the most successful defence contractor hacks saw nation state actors pilfer plans for the Lockheed Matin F-35 Lightning II. If you can pull something like that off, you’d probably have a go at compromising a deterrent system, wouldn’t you?

If you did compromise the “Windows for Warships” system, you’d be able to knacker critical ship control functions. You could also go after the programmable logic controllers and attack the ship’s reactor, rendering it inoperable or worse. We know that intelligence types are good at hitting PLCs, don’t we?

But no, you couldn’t launch a thermonuclear device by hitting CTRL-ALT-DELETE. Windows for Warships doesn’t control the actual firing of the missiles – they have their own software and would be fired using a mechanical switch, and only after two on-board officers agreed.

The report does worry about direct tampering with the warheads, though. McNeill claims to have scurried around inside a missile, right next to them.

Alternatively, attackers could wreak havoc simply by whispering in the crew’s ear, the report frets. Here’s how that might work.

The crew follows orders when firing a missile but ultimately has autonomy. The US ballistic system uses a Permissive Action Link (PAL) which means that the chiefs of staff have to send their nuclear launch site a code before the missile can be fired.

Accounts differ over whether the code was set to all-zeroes for more than a decade. When configured properly, though, this avoids a megalomaniac with a short temper firing the missiles in a hissy fit, by keeping the president in charge (oh, wait).

The UK subs don’t use a PAL. They still get told what to do by the prime minister of the day, but don’t need a code to do it. They can fire missiles autonomously if they think the country has fallen, relying on a handwritten “letter of last resort” that presumably gives them permission.

The report worries that an attacker could hack the very low frequency radio that sends data to the subs at 300 baud. They could use it to manipulate malware aboard the vessel, or simply mislead and confuse the crew into firing (or not firing) a nuke, they say.

We are in danger, but only a bit

What does all this mean? The report floats several scary fictional scenarios, which make great bedtime reading, but it’s worth putting it all in context, and avoiding extremes on either side.

On the one extreme, you have the doomsday dramatists. Newspaper straplines suggesting that “a country can be brought to its knees with the click of a mouse” aren’t helpful.

On the the other extreme, you have the denialists. The UK government claims that Trident is safe because it is air-gapped, but safety is never absolute. Whenever anyone calls something “safe” from hacking, a red flag should go up.

The report says:

The vulnerability to cyberattacks is real. It can be reduced by significant, vigilant and continuous cyber protection, but cannot be eliminated.

But this is basic cybersecurity theory. The real question is, does Trident’s level of risk fit its purpose?

The isolated nature of the ships elevates security by an order of magnitude, and claims of air-gap hacking are speculative and futuristic. Talk of underwater drones and nano-hacking make great science fiction but don’t seem to present any clear and present danger.

If someone were going to get inside Trident, they’d probably take the path of least resistance, whether that’s through the supply chain or through the people and systems interacting with the subs when they’re in port.

So you’re really looking for security flaws at their touchpoints with the rest of the military ecosystem. There are plenty of those, both direct and indirect. Look closely enough and you’ll probably find some nasty holes. McNeill says that he already did.

What’s more interesting for us is the human element. We’ve seen many instances where we narrowly avoided Armageddon because of simple mistakes.

In 1983, the world almost went to war because the Russians thought a NATO exercise was going to turn into a real nuclear attack, and went on hair trigger alert. In that same year, a satellite malfunction sent false signals of a massive incoming nuclear strike to this Soviet technician, who thankfully ignored them.

In 1961 an ailing US plane actually bombed North Carolina with a nuke that nearly went off. During the Cuban missile crisis, a bear on an airforce base set of an alarm that had ground crews scurrying for takeoff.

There are many more such stories. If the world does end in a bang, it might not be because a smart state actor got control of the switch. It’s more likely that we’ll be fried because someone else was asleep at it. Sleep well.


from Naked Security – Sophos http://bit.ly/2s64BmY
via IFTTT

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s