The need to encrypt wireless data is a lesson still being learned

The Wall Street Journal published an article on December 17 reporting that the U.S. military has discovered that wireless video feeds from unmanned Predator drones operating in Iraq are often intercepted by enemy insurgents. The ability of insurgents to capture the wireless data is apparently facilitated by the fact that the video transmissions are not encrypted, allowing anyone in the geographical vicinity of the drones to intercept the video feeds using inexpensive commercially available wireless sniffing software. You might think that encryption would be an operational requirement for the wireless transmission of such sensitive intelligence data gathered in the field, but statements from defense and intelligence officials suggest that other functional priorities — such as transmission over large distances with potentially limited bandwidth — may have trumped security considerations. Most surprising is the acknowledgment by the military that the vulnerability exposed by using unencrypted transmissions has been known for nearly 20 years, yet still hasn’t been mitigated, in part because U.S. military officials “assumed local adversaries wouldn’t know how to exploit it.”

This scenario exposes what must be a glaring weakness in the security posture for unmanned drones in terms of risk assessment, as any characterization of the threat environment in Iraq and other operational theaters appears to be underestimating the knowledge and technical capabilities of the adversaries representing threat sources to U.S. military operations. The military is now moving to upgrade the network infrastructure involved to add encryption to its wireless transmissions, although in a report from the Air Force that has drawn the ire of Congressman Jim Langevin and others, the work to add encryption to video transmissions from drones is not expected to be completed until 2014.

While the U.S. military places a great emphasis on information assurance and is often held up as an example of robust security practices, the long-term vulnerability with its video surveillance operations is reminiscent of widely publicized wireless data breaches in the commercial retail sector. Way back in 2002, large retailers began to implement security measures for wireless network communication within their stores. Short-range wireless transmissions without encryption were common practice at the time, for purposes such as communicating transactions between computerized cash registers and back-office financial management and inventory control systems. When retailers such as Best Buy discovered that hackers were intercepting customer credit card data by sniffing wireless traffic sent from point-of-sale terminals, they quickly moved either to encrypt their wireless transmissions or, like Best Buy, to stop using wireless cash registers altogether.

More recently, TJX suffered an enormous data breach at its TJ Maxx stores, reported in 2007 but starting as early as 2005. The severity of the breach was attributed in part to the company’s persistent storage of unencrypted customer data (in violation of the Payment Card Industry (PCI) Data Security Standard), but the attack was also enabled by the company’s use of ineffective wireless security, including the use of Wired Equivalent Privacy and, in some cases, no encryption at all. The industry’s response to TJX’s breach has been to revise and strengthen PCI requirements and to adopt stronger wireless encryption where sensitive or personal information and transactions continue to be transmitted using wireless networks.

What all these cases have in common is a failure — made blatantly obvious only after attacks succeeded — to identify and implement appropriate security controls commensurate with the risk resulting from existing known threat sources and existing known vulnerabilities. It also seems likely that in all cases the failure in the risk analysis was mischaracterization or underestimation of threats, rather than an undervaluation of the impact associated with a breach. This type of mistake was acknowledged explicitly in the case of the U.S. military and its Predator video feeds, and is implied by Best Buy, TJ Maxx, and other retailers choosing not to use encryption to protect their wireless transmissions. The lesson here is simple: don’t overlook any threat sources when assessing risk, and don’t underestimate the capabilities of the threats that are identified.