A team of hackers given unprecedented access to a flight system used in F-15 fighter jets reportedly confirmed the existence of serious cybersecurity bugs.
Researchers discovered vulnerabilities that, if exploited, could be used to shut down the Trusted Aircraft Information Download Station (TADS)—a $20,000 device that collects data from video cameras and sensors while jets are in flight, The Washington Post first reported.
Key technical details remain unknown, but it was confirmed that the tests took place during the Def Con conference, held in Las Vegas between August 8 and August 11.
In November last year, the U.S. military announced it was teaming up with bug bounty platform HackerOne for the third time, touting a new four-week program called “Hack the Air Force 3.0.” It said the discovery of a critical issue would result in a minimum payout of $5,000. The largest single payout to date as part of the public hacking programs had been $10,000, it confirmed.
The ethical hackers were brought there by Synack, a cyber company that partners with the Department of Defense on a “Hack the Pentagon” bug-hunting program. The new demo was the first time that researchers had been allowed physical access to the F-15 system.
Hackers have successfully infiltrated a data system in an F-15 Eagle fighter jet. But it was with the approval of the Defense Department — this time, at least.
Will Roper, a top U.S. Air Force acquisitions executive, told the Post: “There are millions of lines of code that are in all of our aircraft and if there’s one of them that’s flawed, then a country that can’t build a fighter to shoot down that aircraft might take it out with just a few keystrokes.”
The seven hackers probing the TADS devices were all brought to Vegas by the cybersecurity company Synack, which sells the Pentagon third-party vulnerability testing services, under a contract with the Defense Digital Service, a team of mostly private-sector technology stars who try to solve some of the Pentagon’s thorniest technology problems during short-term tours.
The Defense Digital Service started by organizing large-scale hacking competitions in 2016, with names such as “Hack the Pentagon” and, eventually, “Hack the Air Force.” These were open to almost anybody — but included only public-facing hacking targets such as military service websites and apps.
“We want to bring this community to bear on real weapons systems and real airplanes. And if they have vulnerabilities, it would be best to find them before we go into conflict,” Roper added.