The CANOPY WING Vulnerability: Weaponizing the Weakness
The cycle of finding a vulnerability, developing an exploit, and then launching (or not launching) that exploit is repeated many times every day. Now more than ever, companies must hold two perspectives at once: what a system is intended to do, and what a system can do. The term Cyber-Newtonian Wormhole captures this duality.
What is The Cyber-Newtonian Wormhole?
The Cyber-Newtonian Wormhole bridges the perspectives between people who use systems to do a legitimate thing (Newtonian side of the wormhole) and the attackers that know how to hijack the system to perform something insidious and devastating (Cyber side of the wormhole). The capabilities of nation-state level hackers might appear as magical as a wormhole – popping in from thousands of miles away, months or years in the past, to change the course of our systems in very subtle, seemingly unimportant ways.
Modern cyber criminals are able to compromise victim systems with unfettered impunity. One possible explanation is that an undetectable wormhole opens up into our Newtonian-physics based lives and our computer systems just start behaving in unintended, quasi-magical ways. Another more likely explanation is that hackers have unlimited time and resources to pursue their goals.
But stay with me on the theme. This article will attempt to document the incursions by travelers from the cyber side of the wormhole into our neat, Newtonian lives. Then I’ll suggest a way to keep things rational and Newtonian.
The CANOPY WING Vulnerability
At the height of the Cold War, U.S. and Soviet governments were trying to answer the question of how to “win” a global nuclear war. While the public discourse on both sides of The Wall focused on how to fight and win World War III, a highly classified, dedicated group of Americans perfected a capability to make sure that war never happened.
CANOPY WING was a series of tactics that could disrupt Soviet military and missile communications. While the details of the vulnerability remain beyond the reach of this author, we do have insights into ways it could be exploited. NATO forces would be able to both block legitimate orders from Soviet leadership to launch Soviet nuclear weapons and also generate fake orders to the Soviet Air and Ground forces that could “take them out of the fight” for 10-15 minutes.
Strategies around the utilization of this capability remain classified, but well-sourced analysis by Benjamin B. Fischer suggests that CANOPY WING would be part of a pre-emptive decapitation strike against Soviet forces, in the face of an imminent Soviet first strike.
Weaponizing the Weakness
The capability of CANOPY WING shifted the balance of power in the Cold War. It’s also a jaw-dropping example of exploiting a system vulnerability. (I’ll get back to the analogy in a bit.)
Using techniques that presage current information warfare, U.S. analysts were able to transform an isolated system weakness into a strategic capability that could change the course of life on Earth.
CANOPY WING was a program “designed to exploit a Soviet communications vulnerability uncovered in the late 1970’s.” The electronic warfare capabilities were able to crack a single communications vulnerability into an entire infrastructure, “for a nuclear first strike.”
The complete CANOPY WING capability was able to:
- Precisely identify Soviet and Warsaw Pact command centers, evacuation sites, military installations, armed forces, and communications facilities;
- Identify methods for short-circuiting communications and weapons systems using carbon-fiber particles;
- Block communications electronically immediately prior to an attack, thereby rendering a counterattack impossible;
- Target precision weapons to destroy command-and-control centers while communications were blocked; and
- Generate false commands to aircraft and submarines, using computer-simulated voices (one of the most audacious nuances in this capability).
Analysis of the Architecture and Protocol
The list of CANOPY WING capabilities assembled above allows us to infer a few things about the actual vulnerability and the overall system architecture. A few points of conjecture:
- The vulnerability allowed for unauthorized sources. Anyone can generate an RF signal, but some weakness in the system did not filter out RF that came from unauthorized sources.
- The architecture allowed for system-wide denial. Certain network architectures, such as Ethernet (802.3) and walkie-talkies, allow a malicious party to disrupt all communications from one single point by just flooding packets or holding down the push-to-talk button, respectively.
- The architecture had no apparent ability to detect that it was being probed. Years’ worth of unauthorized system interrogation went undetected and occurred from inside U.S. and NATO facilities.
- The communications protocol allowed extensive interrogation about location and system information.
- Message authentication procedures seemed incomplete. For a well-formatted message to be accepted, the sender should have to self-identify, usually with some type of “sender ID” that can be verified independently of the message itself; a sender ID that is merely asserted in the message is not enough.
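The last three points (interrogation that goes unlogged, and acceptance of commands whose sender ID is only asserted) describe the properties a modern command channel is designed to rule out. The following is an added illustration, not code from the article or from RunSafe: a receiver that accepts a command only when its sender ID maps to a known key, the HMAC over the whole message verifies, and the sequence number has not been seen before, while counting every rejection so that probing from unknown or unkeyed sources becomes visible. The sender IDs, keys and payload strings are constructed for the example.

```python
import hashlib
import hmac
from collections import Counter

# Constructed per-sender keys (hypothetical); a deployment would load these from key management.
SENDER_KEYS = {"HQ-1": b"k" * 32, "HQ-2": b"j" * 32}


def mac(key: bytes, sender_id: str, seq: int, payload: str) -> str:
    """MAC over sender ID, sequence number and payload, so none can be altered separately."""
    msg = f"{sender_id}|{seq}|{payload}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def build_command(sender_id: str, seq: int, payload: str) -> dict:
    """A legitimate sender, holding its key, produces an authenticated command."""
    return {"sender_id": sender_id, "seq": seq, "payload": payload,
            "mac": mac(SENDER_KEYS[sender_id], sender_id, seq, payload)}


class CommandReceiver:
    def __init__(self, keys: dict):
        self.keys = keys
        self.last_seq = {}          # highest sequence number accepted per sender
        self.rejects = Counter()    # the audit trail the page says CANOPY WING's target lacked

    def accept(self, cmd: dict) -> bool:
        sid = cmd.get("sender_id")
        key = self.keys.get(sid)
        if key is None:                       # self-identification with an unknown ID
            self.rejects["unknown_sender"] += 1
            return False
        expected = mac(key, sid, cmd.get("seq", -1), cmd.get("payload", ""))
        if not hmac.compare_digest(expected, cmd.get("mac", "")):
            self.rejects["bad_mac"] += 1      # real ID, but message not produced with its key
            return False
        if cmd["seq"] <= self.last_seq.get(sid, -1):
            self.rejects["replay"] += 1       # genuine message recorded and played back
            return False
        self.last_seq[sid] = cmd["seq"]
        return True


def demo():
    rx = CommandReceiver(SENDER_KEYS)
    genuine = build_command("HQ-1", 1, "HOLD")
    results = [rx.accept(genuine)]
    results.append(rx.accept(dict(genuine, payload="MOVE")))   # payload altered, MAC no longer matches
    results.append(rx.accept(genuine))                          # exact replay of an accepted message
    results.append(rx.accept({"sender_id": "ROGUE", "seq": 1, "payload": "HOLD", "mac": ""}))
    return results, dict(rx.rejects)
```

Running `demo()` accepts only the first command; the rejection counters give a per-cause tally that a monitoring rule can alert on.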
The Takeaway – Assume All Vulnerabilities are Compromised
The Cyber-Newtonian Wormhole – and likewise exploits of software vulnerabilities – can’t be kept at bay with a silver bullet. To keep your company’s assets from becoming an unwitting part of another country’s foreign policy objectives, you must contemplate how every part of your system can be misused. The analysis of how something can be exploited can’t be faithfully done by Newtonians but must come from the other side of the wormhole. It is too easy in a risk matrix to say, “no one could do that.”
Get the perspectives of professional hackers in weighing the risks of each potential point of vulnerability. Crack the wormhole open and understand how the magicians on the other side work. Come to understand the mentality and methods behind perturbing legitimate system behavior. A major obstacle that leaves companies unaware of the wormhole’s capabilities is the reluctance to accept that one’s own system could be “the weakness” or have “the flaw.”
A good assumption is that your system has likely already been compromised. Thankfully, runtime application self-protection (RASP) transformation techniques can mitigate the work of the magicians by randomizing software binaries. That process prevents malware from executing and replicating. Cloud architecture providers, telecommunications companies, automotive OEMs, and other critical infrastructure organizations which can’t afford to have a disruption in operations are using RASP techniques as a proactive layer of defense.
Further reading: How to Get Started with Vulnerability Management in OT Cyber Security
This article was written by Doug Britton, Chief Technology Officer at RunSafe Security. Prior to joining RunSafe, Doug served as founder and CEO of Kaprica Security, where he successfully developed groundbreaking technologies, including its mobile device management business which was sold to Samsung.