A hacker stole US drone and tank documents because nobody changed the default router password

William Gayde

Posts: 378   +5
Staff member

A computer hacker was able to infiltrate the computer network of a Nevada Air Force base because nobody changed the default password of a Netgear router on its network. The hacker then made off with sensitive documents about the Air Force's MQ-9 Reaper drone and put them up for sale on a dark web marketplace.

The documents were discovered online by security research firm Recorded Future who spoke with the hacker to confirm their validity. They determined the breach took place as a result of a well known Netgear router vulnerability and a default FTP password on that router.

The stolen documents themselves are not classified, but could still pose a security threat if they fell into the wrong hands.

To find the vulnerable router, the hacker used a service called Shodan which is essentially a search engine for finding internet connected devices around the world. There are still thousands of routers online that are still vulnerable to this type of attack.

Once the attacker found the device, it was trivial to compromise it since the IT department at the Air Force base had not patched the router. From here, the attacker gained access to the router's root directory and the ability to remotely execute commands. This gave the hacker access to the computer of the Officer in Charge at the base and all the documents on it. Ironically, one of the documents the hacker exfiltrated showed that the Officer had recently completed a "Cyber Awareness Challenge."

Upon further questioning, the hacker also offered up documents on IED defenses, M1 Abrams tank operation, tank tactics, and more. It's not clear where these documents came from, but based on the information they contain, it's likely they were stolen from the Pentagon or a US Army official.

The government is aware of the leak and is investigating. Although they believe they have the hacker's name and country of origin, they haven't made that information public.

Update: Netgear has released the following statement to us in response to the issue

NETGEAR has previously released a firmware that fixes this issue. We ensure that remote services are disabled by default, and passwords are required to be configured during device setup.

Details can be found on the firmware release notes articles # 29959, 29461, and 27635. Customers can be notified of the new firmware by checking the Router Update page, desktop, and mobile genie app. NETGEAR has also proactively notified our registered customers via email.

In general:

1. Secure by default – we don’t enable services unless configured by the consumer.

2. Easier security updates – making it very easy for customers to keep their system up to date with auto updates or single button upgrades.

3. Email notifications to registered customers urging them to update to latest software including security fixes.

Permalink to story.

 

jobeard

Posts: 14,061   +1,819
First, ALL router default passwords are well known AND accessible online -- DUH!

Second, this is a common mistake for home users, and this case shows even the pros get into a rush and fail to complete the setup :sigh:
 
This could all have been avoided with a system set in place. I won't go into detail. I wondering if it was a contractor, DOD, or military member that installed that appliance.
 

psycros

Posts: 3,330   +3,740
The government is aware of the leak and is investigating. Although they believe they have the hacker's name and country of origin, they haven't made that information public.
Someone just got hired.
For a middle school level intrusion? I doubt it. More likely someone just got fired.
 

Bluescreendeath

Posts: 239   +336
The government is aware of the leak and is investigating. Although they believe they have the hacker's name and country of origin, they haven't made that information public.
Someone just got hired.
For a middle school level intrusion? I doubt it. More likely someone just got fired.
It's incredibly hard to fire someone in the federal government. Low performers/problem employees just get bounced around or transferred into different departments.
 

PinothyJ

Posts: 491   +39
Um, why is there such thing as default passwords? It is 2018, right? If you can print a sticker with a serial number that coincides with the box, the hardware, and the sticker, why can't they do the same with the password?
 

Uncle Al

Posts: 7,981   +6,754
You know, the military and government has led so many drives to get people to do simple password maintenance you would think by now they would REQUIRE any company selling the government ANY kind of software write in a more robust password system to prevent this from happening .... of course if our super duper government lawyers are too lazy to include it in the contracts .... we will have pinpointed the real problem!