The F-35 aircraft remains woefully unprepared against malware infections and other cyber-attacks, according to POGO – the respected non-profit watchdog Project on Government Oversight.
Dubbed the most expensive weapon system in history, the beleaguered fighter jet is plagued with problems, including a lack of protection against software nasties that would cripple its critical systems, it is claimed. Cybersecurity protections are particularly important because the aircraft relies so heavily on a network of automated systems to operate properly, we're told.
"The fully integrated nature of all F-35 systems makes cybersecurity more essential than for any other aircraft," POGO's Dan Grazier noted this month, having obtained documentation that the jet has low "fully mission capable" rates. That's military jargon meaning it's rarely fully ready for combat.
"Legacy aircraft already in service are equipped with software-enabled subsystems, and while a hacker could penetrate the GPS system in a legacy system, because the subsystems are not fully integrated, a hacker could not also access the communications system, for example," Grazier continued. "The F-35 is inherently far more vulnerable."
Most worryingly, a report in October from the US government's General Accountability Office found the Department of Defense had failed to protect the software used to control the F-35's weapons systems. Testers could take control of weapons with "relatively simple tools and techniques."
To give you an idea of how the interconnected nature of the F-35's computer systems is a massive vulnerability in and of itself: separate subsystems, such as the Active Electronically Scanned Array radar, Distributed Aperture System, and the Communications, Navigation, and Identification Avionics System, all share data. Thus, the GAO's auditors warned, just compromising one of these components could bring down the others.
“A successful attack on one of the systems the weapon depends on can potentially limit the weapon’s effectiveness, prevent it from achieving its mission, or even cause physical damage and loss of life,” said the GAO team.
POGO's Grazier also noted the Autonomic Logistics Information System (ALIS) – a network of on-board gear, and ground-based web-browser-accessed systems, that serve as the primary remote diagnostics and management tools for the planes – continues to harbor a number of security vulnerabilities that have been known of for years, and not yet resolved.
Should one of those ALIS flaws be exploited by miscreants, Grazier warned, the tech-heavy F-35s could end up crippled by deliberately falsified instrument readings as a result of that exploitation, or grounded for bogus repairs – ALIS is used to schedule maintenance and order spare parts. One flaw, identified in 2012, would incorrectly report aircraft as unfit for service, and has yet to be fixed over six years later.
"As in previous years, cybersecurity testing shows that many previously confirmed F-35 vulnerabilities have not been fixed, meaning that enemy hackers could potentially shut down the ALIS network, steal secret data from the network and onboard computers, and perhaps prevent the F-35 from flying or from accomplishing its missions," Grazier wrote.
As for penetration testing of the ALIS system, Uncle Sam dropped the ball, the independent watchdog suggested. Rather than unleash a DoD red team of hackers on the code, the US government paid F-35 manufacturer Lockheed Martin to do it, and just accepted the results. Such hands-off regulation didn't work out so great for Boeing and America's aviation regulator, the FAA.
ALIS, right now on software version 27, has other problems, too. The code is basically supposed to automatically detect any problems developing in the fighter jets well ahead of time, and arrange for repairs and spare parts so the planes can be fixed up before they have to be grounded for substantial work. Lockheed designed it this way to save time and money, with constantly updated databases of spare parts, logistics plans, and aircraft testing records – yet a report from the Pentagon last year said inputting information about repairs into ALIS often took longer than the repairs themselves.
POGO's findings are the latest bit of bad news for an F-35 program that has fallen hopelessly behind schedule thanks to a parade of delays, glitches, and manufacturing nightmares that have driven what was once supposed to be a low-cost next-generation fighter into a $122m per unit expense. That's just the per-plane price tag: each one costs $30,000 an hour to fly, plus upgrade costs, and other expenditures.
In addition to the US, UK, and Australia, the militaries of Israel, Japan, Canada, and Italy have all been named as customers for the final toys.
This isn't the first time software problems have been reported in the F-35. Last year reports surfaced that the onboard code for a number of the various systems on the plane had become so incompatible with one another that they hampered the ability for manufacturers to perform flight tests. ®