SOCOM’s got an OPSEC (OPerational SECurity) problem. Or is it an OSINT (Open Source INTelligence) problem? Maybe both. The lines blur. I know what both terms mean (you should look them up if you don’t). And I know how they both apply in theory, and practice. The practical application of both, in the following tale, is nothing short of a joke.
Idle hands are the Devil’s workshop. In this case, those idle hands belong to a pretty under-par fence tester (spoiler alert: it’s me). And the Devil’s workshop ended up being an actual actionable gap in the Good Guys’ OPSEC.
The beautiful thing about tiger teamers/red teamers, is that we can tread that line between *thinking* bad-guy… and being a bad-guy. Some of us have to work years to make that mold. Others of us take to it as naturally as walking. Dharma’s a bitch sometimes. (Yes, *dharma*, not karma.) There are some things that some people are just “born to do”…
So, this inadvertent problem set introduced itself on one of my forays into what I would do if I was a bad-guy. And here’s how it happened:
Initially, I typed “flight tracker” into the Google. Clicked the first site listed. (There are a shit ton.) This particular site is searchable in a Google Earth-esque way. I scrolled over the map and found where I thought secret squirrel aircraft would be flying. (Pick one, the news is full of ’em. I *did not* use anything I actually know about where these aircraft fly. I just used the news.)
I zoomed in. The screen lit up with dozens of aircraft, *all* being tracked by legit air traffic orgs–all public/open knowledge (regardless of whatever bullshit classification you want to delude yourself with). The vast majority of these were actual airlines, just doing their thing. Some were other aircraft, doing their thing, too. Others were operator aircraft, operating operationally.
Hovering the mouse over the little plane-shaped icon would net you a flight number (AA1234; American Airlines flight 1234), or whatever. Flights were shown in near real-time (NRT), and refreshed themselves every second or so to reflect their continued NRT location. Clicking on any flight icon would call up the Tron Lightcycle trail flowing out from behind the aircraft, showing its flight path–just like the ones on flights normal people take to go places. Clicking also pulls up a detailed info bar on the left side of the screen–complete with registration/tail number, ground speed, calibrated altitude, track, radar, and LAT/LONG. (Some of which *can* be faked, but usually isn’t.) Pretty fucking detailed stuff, kids.
Especially for the flights that did not need to have that stuff known. (Of which, there were *many*.)
Clicking on one aircraft, the Lightcycle trail stretched back to a country the U.S. still, as yet, does not admit to staging from. The tight circles and yo-yos this thing had been flying over its area of operations (AO) for the last several hours would not require any prior insight into ISR (Intelligence, Surveillance, Reconnaissance) operations in order to understand it is not a “regular” flight. And you can bet your ass that any OPFOR (OPposing FORce; bad guys) already has that basic understanding.
So watching this (and another flight) over the course of an entire sortie showed me their entire ingress, op-path, and egress–to and from that place we don’t stage from. Accessing a few other open-source sites allowed me to dig up a helluva lot more details about who was doing what and where. These things are about exactly what fucking OPSEC exists to shitscreen. And watching several flights over several days began to net a pattern. Bad bad juju…
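To make the “tight circles and yo-yos” point concrete, here is an added example (mine, not from the original post or from any tracker site): a small Python script that takes ADS-B-style position reports of the kind a tracker exposes (time, lat/lon, ground track) and flags a track that turns through more than two full circles inside a small footprint for an hour or more, which is what an orbit over an AO looks like and what an airliner in transit never does. The position reports are constructed inside the script, and the thresholds (720 degrees of accumulated turn, a 40 km footprint, 60 minutes) are my assumptions, not numbers from the post.

```python
from dataclasses import dataclass
from math import asin, cos, degrees, pi, radians, sin, sqrt


@dataclass
class Report:
    """One ADS-B style position report, the fields a tracker site shows."""
    t: float      # seconds since epoch
    lat: float    # decimal degrees
    lon: float    # decimal degrees
    track: float  # ground track, degrees true


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    a = sin((p2 - p1) / 2) ** 2 + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def heading_delta(a, b):
    """Smallest absolute change between two headings; handles the 359 -> 1 wrap."""
    return abs((b - a + 180.0) % 360.0 - 180.0)


def total_turn_deg(reports):
    """Accumulated heading change over the track. A straight transit is ~0,
    one full orbit is ~360, a sortie that circles for hours is in the thousands."""
    return sum(heading_delta(x.track, y.track) for x, y in zip(reports, reports[1:]))


def footprint_radius_km(reports):
    """Max distance of any report from the track's centroid."""
    clat = sum(r.lat for r in reports) / len(reports)
    clon = sum(r.lon for r in reports) / len(reports)
    return max(haversine_km(clat, clon, r.lat, r.lon) for r in reports)


def is_loitering(reports, min_turn_deg=720.0, max_radius_km=40.0, min_minutes=60.0):
    """Assumed heuristic: lots of turning, inside a small box, for a long time."""
    if len(reports) < 3:
        return False
    minutes = (reports[-1].t - reports[0].t) / 60.0
    return (total_turn_deg(reports) >= min_turn_deg
            and footprint_radius_km(reports) <= max_radius_km
            and minutes >= min_minutes)


def classify(tracks):
    """tracks: {registration: [Report, ...]} -> {registration: label}."""
    return {reg: ("orbit/loiter" if is_loitering(reps) else "transit")
            for reg, reps in tracks.items()}


# --- constructed sample data (not real aircraft, not real positions) ---

def synth_orbit(center_lat, center_lon, radius_km, orbits, n, t0=0.0, dt=90.0):
    """Clockwise circles around a point; track is the tangent heading."""
    out = []
    for i in range(n):
        theta = 2 * pi * orbits * i / n
        dlat = radius_km * cos(theta) / 111.2
        dlon = radius_km * sin(theta) / (111.2 * cos(radians(center_lat)))
        track = (degrees(theta) + 90.0) % 360.0
        out.append(Report(t0 + i * dt, center_lat + dlat, center_lon + dlon, track))
    return out


def synth_transit(lat0, lon0, track, speed_kmh, n, t0=0.0, dt=90.0):
    """Constant-heading straight line, the airliner case (flat-earth approx)."""
    out = []
    for i in range(n):
        d = speed_kmh * (i * dt) / 3600.0
        dlat = d * cos(radians(track)) / 111.2
        dlon = d * sin(radians(track)) / (111.2 * cos(radians(lat0)))
        out.append(Report(t0 + i * dt, lat0 + dlat, lon0 + dlon, track))
    return out


if __name__ == "__main__":
    # Hypothetical registrations; three orbits of 25 km radius over ~3 hours
    # beside a one-and-a-half-hour westbound transit at airliner speed.
    sample = {
        "REG-A": synth_orbit(30.0, 45.0, 25.0, orbits=3, n=120),
        "REG-B": synth_transit(30.0, 45.0, 270.0, 800.0, n=60),
    }
    for reg, reps in sample.items():
        print(reg, classify({reg: reps})[reg],
              f"turn={total_turn_deg(reps):.0f}deg",
              f"radius={footprint_radius_km(reps):.0f}km")
```

The registration that comes out labelled `orbit/loiter` is the one you would take to a registry lookup next; the script deliberately stops there rather than embedding any real registry data. Real ADS-B feeds have gaps and the occasional garbage position, so in practice you would de-duplicate reports and drop points that imply impossible speeds before applying the heuristic.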
Once I had tail numbers and flight patterns, I hopped back over to El Goog and punched in “flight registration numbers.” Brought up a pile of websites. Picked one. Plugged in tail numbers. Got an equal amount of crazy-ass info. Who registered the aircraft, when, both mil and civ equivalents of the airframe, crew number. On these particular numbers, it was the “who” that really caught me: UNITED STATES AIR FORCE SPECIAL OPERATIONS COMMAND. Hmmm. That’s interesting. Well, I’ll bite. What *does* a U-28 do? Google knows, I bet. I’ll just go over and ask. Oh. My, those are the people in AFSOC that fly those. And that is the unit that supplies certain crew members for certain publicized (by the PAO) types of missions. Let’s just mission creep on over to social media and see what those units dredge up for me.
Yada yada yada. Extrapolate the data. Ask more questions. Process. Exploit. Disseminate. Repeat.
I have been told by some pretty trusted folks in this community that “…those numbers can be faked.” Sure they can. And fucking *SHOULD BE*. But these were not. And if they were…why in the shit would you mask an AFSOC bird with a fake tail number that led me right back to an AFSOC bird (and the very same airframe)? Could be genius. But I’m not thinking so.
This was all accomplished through the use of strictly open source media, a networked PC, and a cell phone (both on its network, and public wi-fi), and my rapier wit. Nabbed a ton of screen caps. Could be done, I assume, with any device plugged into the internets.
This issue has come up periodically over the last few years. And now there are field-rigged devices in the AOs that can actually read aircraft squawks with line of sight (LOS). And if I have this open-source trove to help cross-check what I’m reading in person–along with pages and pages of both “plane spotter” geek blogs and forums, as well as mil geek forums to augment everything even more–I should be pretty golden.
This is the kind of bullshit that should damn sure drive a solid reset on how we wage operations everywhere.
“We” know that people have purchased dongles “they” can link to that field-rigged squawk tracker stuff mentioned above. We also know that they can link all that stuff up to their devices. We also know that they can link another dongle to an SA-7… That entire mix makes for a pretty decent “fuck your day” mix that can be utilized against anything that has been found to work within an SA-7’s reachable altitude (something like 3.5km, if I remember correctly)–which ain’t much, mind you. But give it time…this whole system’ll get worked into a more efficient one.
The need leads to learning. Learning leads to the flight tracking and identification info. Innovation leads to that line of sight and home-brew link targeting. Targeting leads to shit going boom and falling out of the sky. Mother of invention. Mission Accomplished.
Hasn’t happened yet. But why should we wait for it to?
Obstacles are puzzles. Challenges. If I can find your secret shit on my phone in a Starbucks timezones away from your secret shit, and on a whim… someone with far greater necessity than I has, or will.
Mis- and disinformation are things for a reason.
Featured image courtesy of The Aviationist