A computer virus has infected the cockpits of America\u2019s Predator and Reaper drones, logging pilots\u2019 every keystroke as they remotely fly missions over Afghanistan and other warzones.<\/p>\n
The virus, first detected nearly two weeks ago by the military\u2019s Host-Based Security System<\/a>, has not prevented pilots at Creech Air Force Base in Nevada from flying their missions overseas. Nor have there been any confirmed incidents of classified information being lost or sent to an outside source. But the virus has resisted multiple efforts to remove it from Creech\u2019s computers, network security specialists say. And the infection underscores the ongoing security risks in what has become the U.S. military\u2019s most important weapons system.<\/p>\n \u201cWe keep wiping it off, and it keeps coming back,\u201d says a source familiar with the network infection, one of three that told Danger Room about the virus. \u201cWe think it\u2019s benign. But we just don\u2019t know.\u201d<\/p>\n Military network security specialists aren\u2019t sure whether the virus and its so-called \u201ckeylogger\u201d payload were introduced intentionally or by accident; it may be a common piece of malware that just happened to make its way into these sensitive networks. The specialists don\u2019t know exactly how far the virus has spread. But they\u2019re sure that the infection has hit both classified and unclassified machines at Creech. That raises the possibility, at least, that secret data may have been captured by the keylogger, and then transmitted over the public internet to someone outside the military chain of command.<\/p>\n Drones have become America\u2019s tool of choice in both its conventional and shadow wars, allowing U.S. forces to attack targets and spy on its foes without risking American lives. Since President Obama assumed office, a fleet of approximately 30 CIA-directed drones have hit targets in Pakistan more than 230 times<\/a>; all told, these drones have killed more than 2,000 suspected militants and civilians<\/a>, according to the Washington Post<\/em>. More than 150 additional Predator and Reaper drones, under U.S. Air Force control, watch over the fighting in Afghanistan and Iraq. American military drones struck 92 times<\/a> in Libya between mid-April and late August. And late last month, an American drone killed top terrorist Anwar al-Awlaki<\/a> \u2014 part of an escalating unmanned air assault<\/a> in the Horn of Africa and southern Arabian peninsula.<\/p>\n But despite their widespread use, the drone systems are known to have security flaws. Many Reapers and Predators don\u2019t encrypt the video they transmit to\u00a0American troops on the ground. In the summer of 2009, U.S. forces discovered \u201cdays and days and hours and hours<\/a>\u201d of the drone footage on the laptops of Iraqi insurgents. A $26 piece of software allowed the militants to capture the video<\/a>.<\/p>\n The lion\u2019s share of U.S. drone missions<\/a> are flown by Air Force pilots stationed at Creech<\/a>, a tiny outpost in the barren Nevada desert, 20 miles north of a state prison and adjacent to a one-story casino. In a nondescript building, down a largely unmarked hallway, is a series of rooms, each with a rack of servers and a \u201cground control station,\u201d or GCS. There, a drone pilot and a sensor operator sit in their flight suits in front of a series of screens. In the pilot\u2019s hand is the joystick, guiding the drone as it soars above Afghanistan, Iraq, or some other battlefield.<\/p>\n Some of the GCSs are classified secret, and used for conventional warzone surveillance duty. The GCSs handling more exotic operations are top secret. None of the remote cockpits are supposed to be connected to the public internet. Which means they are supposed to be largely immune to viruses and other network security threats.<\/p>\n But time and time again, the so-called \u201cair gaps\u201d between classified and public networks have been bridged, largely through the use of discs and removable drives. In late 2008, for example, the drives helped introduce the agent.btz worm to hundreds of thousands of Defense Department computers<\/a>. The Pentagon is still disinfecting machines<\/a>, three years later.<\/p>\n Use of the drives is now severely restricted throughout the military. But the base at Creech was one of the exceptions, until the virus hit. Predator and Reaper crews use removable hard drives to load map updates and transport mission videos from one computer to another. The virus is believed to have spread through these removable drives. Drone units at other Air Force bases worldwide have now been ordered to stop their use.<\/p>\n In the meantime, technicians at Creech are trying to get the virus off the GCS machines. It has not been easy. At first, they followed removal instructions posted on the website of the Kaspersky security firm. \u201cBut the virus kept coming back,\u201d a source familiar with the infection says. Eventually, the technicians had to use a software tool called BCWipe<\/a> to completely erase the GCS\u2019 internal hard drives. \u201cThat meant rebuilding them from scratch\u201d \u2014 a time-consuming effort.<\/p>\n The Air Force declined to comment directly on the virus. \u201cWe generally do not discuss specific vulnerabilities, threats, or responses to our computer networks, since that helps people looking to exploit or attack our systems to refine their approach,\u201d says Lt. Col. Tadd Sholtis, a spokesman for Air Combat Command, which oversees the drones and all other Air Force tactical aircraft. \u201cWe invest a lot in protecting and monitoring our systems to counter threats and ensure security, which includes a comprehensive response to viruses, worms, and other malware we discover.\u201d<\/p>\n However, insiders say that senior officers at Creech are being briefed daily on the virus.<\/p>\n \u201cIt\u2019s getting a lot of attention,\u201d the source says. \u201cBut no one\u2019s panicking. Yet.\u201d<\/p>\n