This post is also available in: heעברית (Hebrew)

All US weapons that the Department of Defense tested between 2012 and 2017 have “mission critical” cyber vulnerabilities, claims a new report from the US Government Accountability Office (GAO). The report serves as a wakeup call for the DOD regarding cybersecurity threats to its weapons systems.

“Using relatively simple tools and techniques, testers were able to take control of systems and largely operate undetected, due in part to basic issues such as poor password management and unencrypted communications,” the report states. And yet, perhaps more alarmingly, the officials who oversee those systems appeared dismissive of the results.

Subtitled “DOD Just Beginning to Grapple with Scale of Vulnerabilities,” the report finds that the department “likely has an entire generation of systems that were designed and built without adequately considering cybersecurity.”

GAO says the DOD is only now beginning to grapple with the importance of cybersecurity, and the scale of vulnerabilities in its weapons systems.

The report is based on penetration tests the DOD itself undertook, as well as interviews with officials at various DOD offices. DOD testers found significant vulnerabilities in the department’s weapon systems, some of which began with poor basic password security or lack of encryption.

Among the findings of the report: one tester was able to guess an admin password on a weapons system in nine seconds. Other weapons used commercial or open source software but administers failed to change the default passwords. Yet another tester managed to partially shut down a weapons system by merely scanning it — a technique so basic, the GAO says, it “requires little knowledge or expertise.” Testers were sometimes able to take full control of these weapons.

The DOD also had a hard time detecting when testers were probing the weapons. In one case, testers were in the weapons system for weeks, according to the GAO, but the administrators never found them. This, despite the testers being intentionally “noisy.”

In other cases, automated systems did detect the testers, but that the humans responsible for monitoring those systems didn’t understand what the intrusion technology was trying to tell them.

Wired.com claims that this unclassified report lacks specific details, mentioning various officials and systems without identifying them. Wired emphasizes that when the DOD dismisses these results, they are dismissing the testing from their own department. The GAO didn’t conduct any tests itself; rather, it audited the assessments of Defense Department testing teams.