Tech companies offer thousands of dollars for reported bugs. The military hands out nondisclosure agreements.
The U.S. Army has been aware for years of a major security flaw in the system soldiers use to access computers — and has done nothing to fix it, two sources, including an officer who alerted superiors to the risk, told BuzzFeed.
Today countless computers, and the soldiers who use them, remain vulnerable to a simple hack, which can be executed by someone with little or no security expertise.
The officer, who reported the flaw, was told to keep quiet, despite evidence of its widespread exploitation. Another soldier, who went to his superiors and even Congress, got no results. The Army has not yet returned a request for comment.
The hack allows users with access to shared Army computers to assume the identities of other personnel, gaining their security clearances in the process, by exploiting issues with the computers' long and buggy log-out process, according to the sources familiar with the flaw.
The officer, an Army lieutenant, spoke on the condition he not be named; he is referred to here as "Mark." He discovered the flaw in October 2011, when he was playing around on his military computer during one of his 18-hour shifts. Being "of the hacker mind-set and being really, really bored," as he puts it, he wanted to see if there were any holes in it.
That's when he discovered the major, and obvious, computer security flaw.
"Oh shit," Mark said to himself when he figured it out. "This isn't good."
He described to BuzzFeed calling in his superiors — two middle-ranking officers, one in military intelligence and the other in computer communications.
As Mark described it, their eyes grew wide.
But, according to Mark, they told him there was nothing they could do. It would cost too much to fix it, they told him. It would require redoing too many contracts. "The term they used is that it would be 'impractical' to try and fix it," he says.
Instead, they made him sign the Army's version of a nondisclosure agreement. If he told anyone else about what he found, he could face prison time, he said.
"I'm showing you this so you can fix this," Mark recounts telling the officers. "This is obviously a huge problem. I'm probably not the only asshole who figured out how to do this."
At least one other soldier besides Mark has tried to formally report the security flaw, going to his military superiors as well as Congress and the Pentagon. This soldier's efforts, too, were met with inaction and silence.
Mark made a second attempt to report the security flaw when a new officer replaced one of his superiors. But again, nothing came of it.
"At that point I could try to talk with one of the division-level guys, but I know from personal experience that he is one of the people who plays the game," he said. "I wondered if it would raise a red flag about me if I tried to keep addressing the flaw."
Big private tech companies like Google, Facebook, and Microsoft routinely seek out and sometimes pay people like Mark who expose security flaws. Some have set up bounty systems giving any member of the public who finds and reports a bug up to $20,000.
The military has no such system. If reporting to a superior goes nowhere, then in reality, there is little recourse for soldiers who discover computer security problems. They could report a bug to the Department of Defense inspector general, which handles complaints about fraud, waste, and abuse. But that's not an obvious avenue for computer issues. Moreover, if their superiors found out, they could face retaliation.
One refrain in the wake of the National Security Agency leaks is that Edward Snowden should have reported his concerns up the chain of command rather than leaking documents to the press. But the internal reporting system is seriously broken in the military. All too often when a soldier reports misconduct or illegal activity, it is swept under the rug.
Perhaps the most egregious recent example of such a mind-set is the tragically late response to reports of widespread sexual assault in the service. Women's reports weren't just ignored — the victims were subject to retaliation including but not limited to being barred from medical treatment, having their information made public, and being discharged from the military. Recent pressure on the issue led to an updated version of the Military Whistleblower Protection Act, first created in 1988. The fact that it had to be updated to specifically include people reporting sexual assault speaks to its inadequacy.
Retaliation against internal whistle-blowers is a fact of military life. Between October 2012 and April 2013, the Department of Defense's inspector general's office received 695 complaints about "whistleblower reprisal, restriction of service members from contacting an IG or member of Congress, procedurally improper mental health referrals and senior official misconduct." Those are only the cases which were reported.
Mark's case suggests serious issues with the military's security reporting infrastructure too, even when the issue at hand is ideologically neutral.
Now, almost two years later, the security flaw still exists.
"It is still happening," says Mark. "People know about it and no one is addressing it." Knowledge of it has even spread to low-level soldiers who don't work in technology. More than one source confirmed with BuzzFeed the existence of the flaw.
To fully understand the significance of the security flaw, you need to understand the Army computer security system. In order to log into a shared Army computer — say, in a computer lab on a base — you need to insert your personal Common Access Code military ID. Each card contains a chip that has the individual soldier's permissions and security details, and which helps the military track your activity. Once you remove the card, you are fully logged out.
But Mark found that it was possible to access the system as the last user, even if his or her military ID has been removed.
When a computer stalls during the shut-down process — if, for example, a program locked up and required a force quit or if Outlook is delaying the process with a large file upload — the computer can remain temporarily logged in without the presence of the key card. If the next user jumps on at that moment, the shut-down process can be canceled and the log-in can remain active with credentials and security clearance. All subsequent activity will be recorded as the previous user's.
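The session lifecycle just described, as an added model constructed for this page (not Army code and not from the article's sources): with the reported behaviour, a cancelled shut-down leaves the previous user's session live after the card is gone, whereas the corrected rule ends the session the moment the card is removed, so nothing can be recorded under the departed user. The user name and action are made up.

```python
# Constructed model of the shared-workstation session lifecycle described in
# the article; not Army code. hardened=False reproduces the reported flaw,
# hardened=True ties session validity to card presence instead of to logout.
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass
class Workstation:
    hardened: bool = False
    card_present: bool = False
    session_user: Optional[str] = None
    logout_pending: bool = False          # shut-down started but stalled
    audit: List[str] = field(default_factory=list)

    def insert_card(self, user: str) -> None:
        self.card_present, self.session_user = True, user
        self.logout_pending = False
        self.audit.append(f"login:{user}")

    def _end_session(self) -> None:
        self.audit.append(f"logout:{self.session_user}")
        self.session_user, self.logout_pending = None, False

    def remove_card(self) -> None:
        self.card_present = False
        if self.hardened:
            self._end_session()           # credential gone: session ends now
        else:
            self.logout_pending = True    # only a shut-down is queued; it may hang

    def cancel_logout(self) -> None:
        # the next user dismisses the stalled shut-down dialog
        if self.logout_pending and not self.hardened:
            self.logout_pending = False

    def act(self, action: str) -> Optional[str]:
        """Perform an action; return the identity it is logged under, or None."""
        if self.session_user is None or (self.hardened and not self.card_present):
            return None
        self.audit.append(f"{action}:{self.session_user}")
        return self.session_user

def identity_swap(hardened: bool) -> Optional[str]:
    """Walk through the scenario from the article and report who gets blamed."""
    ws = Workstation(hardened=hardened)
    ws.insert_card("sgt.alpha")   # constructed user name
    ws.remove_card()              # alpha pulls the card and walks away
    ws.cancel_logout()            # next person cancels the hung shut-down
    return ws.act("print_file")   # flaw: "sgt.alpha"; hardened: None
```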
This is almost certainly the result of a system design mistake, not malice, according to Daniel Cohen, an RSA cyber-security expert. "Personally I haven't heard of this exploit or weakness in the system, but it sounds very severe," he says.
According to Mark, the hack is simple to accomplish on both secure and non-secure computers. Mark has even tested the exploit to see if it would allow a user to gain access to SIPRNet, the classified DoD network from which Chelsea Manning acquired some of the files she then leaked to the press. It could.
Since many military computers have stuffed, cluttered hard drives as the result of long-term use by large numbers of soldiers, they often hang while shutting down. When soldiers sharing computers are in a rush, this identity swap can easily happen by accident.
For a hacker or leaker to manipulate this exploit would be easy. It would simply involve "a little bit of social engineering," as Mark says. "But that is easy since most people just pull their card and walk away, often without looking at the screen. 'Hey, buddy, can you print X out before you go? Wait, you can't find X? Let me pull it up. Can you grab it off the printer? Thanks, man, here's your card; see you in 12 hours.'"
Recently, Mark saw a number of soldiers watching an Entourage DVD on an operation center computer. "Hey, you don't have rights on that computer," Mark recounts saying to one of the soldiers. "I look at him and he says, 'Well, sure,' and he pulls out his card and waves it at me and the computer still plays."
It's not just the log-in problem. Security in general is fairly lax in the computer rooms overseas. After the Manning leak, one of the fixes advised was to have soldiers rename various files in the SIPRNet database, as if that would add a level of security. Soldiers also routinely bring USB sticks, DVDs, and CDs into the tactical operation center computer rooms. The sign on the door prohibiting it doesn't deter them.
"It is a boring job. You are just sitting there for 18 hours waiting for chaos to happen," says Mark. "So multiple TVs are on showing drone feeds, but you have one that is playing a Game of Thrones DVD or a movie that was burned from BitTorrent."
He has gone to his superiors with recommendations for numerous best practices to improve security, ranging from setting up routing security to having an ID card system with levels of access and systems to prevent DDoS attacks, but no one was interested.