Key point: Hackers are exploiting vulnerabilities that we don't know exist.
A team of hackers in early August 2019 gained access to an F-15 fighter in an eye-opening U.S. military test. The successful hack underscores U.S. forces’ vulnerability to electronic intrusion.
“It was the first time outside researchers were allowed physical access to the critical F-15 system to search for weaknesses,” reporter Joseph Marks wrote for The Washington Post.
From the article:
And after two long days, the seven hackers found a mother lode of vulnerabilities that — if exploited in real life — could have completely shut down the Trusted Aircraft Information Download Station, which collects reams of data from video cameras and sensors while the jet is in flight.
They even found bugs that the Air Force had tried but failed to fix after the same group of hackers performed similar tests in November  without actually touching the device. …
The hackers lobbed a variety of attacks — including injecting the system with malware and even going at it with pliers and screwdrivers. When I saw it, the metal box that's usually secure on the aircraft had wires hanging out the front.
The hackers revealed their success to Will Roper, the Air Force’s top weapons-buyer, Marks wrote. “They were able to get back in through the back doors they already knew were open,” Roper said.
Roper is “trying to turn that around,” Marks explained. The acquisitions chief is “hopeful about the results of the U.S. government's newfound openness to ethical hackers.”
More from the post story:
This is a drastic change from previous years, when the military would not allow hackers to try to search for vulnerabilities in extremely sensitive equipment, let alone take a literal whack at it.
But the Air Force is convinced that unless it allows America’s best hackers to search out all the digital vulnerabilities in its planes and weapons systems, then the best hackers from adversaries such as Russia, Iran and North Korea will find and exploit those vulnerabilities first.
“There are millions of lines of code that are in all of our aircraft and if there’s one of them that’s flawed, then a country that can’t build a fighter to shoot down that aircraft might take it out with just a few keystrokes,” Roper told Marks.
The F-15, which after 40 years of service is still the Air Force’s main air-to-air fighter, was the target of an earlier hack that wasn’t at all “ethical.”
Starting in 2014, North Korean hackers infiltrated a computer network belonging to a South Korean aerospace firm’s computer network.
The hackers made off with some 42,000 documents, including blueprints for the F-15’s wing design.
South Korea operates one of the same models of F-15 that the United States does. Korea Aerospace Industries builds the F-15’s wings under contract with Boeing, the number-two U.S. defense firm. Boeing has described KAI as a “valued supplier.”
South Korean authorities first detected the hack in February 2017, South Korea’s police cyber investigation unit told Reuters.
North Korea has neither the know-how nor the resources to copy the F-15 or even adapt the Eagle’s blueprints to its own designs. “North Korea will never build a serious air force,” Robert Edwin Kelly, an associate professor at Pusan National University in South Korea, told The Daily Beast.
The hack nevertheless exposed a vulnerability, one of many that the U.S. military hopes to address. In 2020 Roper wants to invite, to Nellis or Creech Air Force Bases near Las Vegas, what Marks called “vetted hackers.”
There the hackers “can probe for bugs on every digital system in a military plane, including for ways that bugs in one system can allow hackers to exploit other systems until they’ve gained effective control of the entire plane,” Marks explained.
“We want to bring this community to bear on real weapons systems and real airplanes,” Roper told Marks. “And if they have vulnerabilities, it would be best to find them before we go into conflict.”