Ethical Hackers Sabotage F-15 Fighter Jet, Expose Serious Vulnerabilities

A team of hackers given unprecedented access to a flight system used in F-15 fighter jets reportedly confirmed the existence of serious cybersecurity bugs.

Researchers discovered vulnerabilities that, if exploited, could be used to shut down the Trusted Aircraft Information Download Station (TADS)—a $20,000 device that collects data from video cameras and sensors while jets are in flight, The Washington Post first reported.

Key technical details remain unknown, but it was confirmed that the tests took place during the Def Con conference, held in Las Vegas between August 8 and August 11.

The ethical hackers were brought there by Synack, a cyber company that partners with the Department of Defense on a "Hack the Pentagon" bug-hunting program. The new demo was the first time that researchers had been allowed physical access to the F-15 system.

Will Roper, a top U.S. Air Force acquisitions executive, told the Post: "There are millions of lines of code that are in all of our aircraft and if there's one of them that's flawed, then a country that can't build a fighter to shoot down that aircraft might take it out with just a few keystrokes."

"We want to bring this community to bear on real weapons systems and real airplanes. And if they have vulnerabilities, it would be best to find them before we go into conflict," Roper added.

Roper said ethical hackers will increasingly be needed to stay ahead of threats from Russia, Iran and North Korea, countries that may jump at the chance to exploit U.S. cybersecurity weaknesses. Such fears came to the fore in 2016 after North Korean-aligned hackers stole a trove of military material from South Korean organizations—including F-15 blueprints.

The same year, the Pentagon started to bulk up relationships with the private sector, mostly led by a technology and research division called the Defense Digital Service (DDS). The original Hack the Pentagon program found 138 "unique and previously undisclosed" cyber vulnerabilities.

Since then, cyber programs have continued to expand behind the scenes.

In November last year, the U.S. military announced it was teaming up with bug bounty platform HackerOne for the third time, touting a new four-week program called "Hack the Air Force 3.0." It said the discovery of a critical issue would result in a minimum payout of $5,000. The largest single payout to date as part of the public hacking programs had been $10,000, it confirmed.

"Finding innovative ways to identify vulnerabilities and strengthen security has never been more important," Chris Lynch, the director of the DDS, said in October last year.

He added: "When our adversaries carry out malicious attacks, they don't hold back and aren't afraid to be creative. Expanding our crowdsourced security work allows up to build a deeper bench of tech talent and bring more diverse perspectives to protect and defend our assets."