Whistleblower uncovered critical vulnerabilities in two US military Android apps
- Despite reports of vulnerabilities in the KILSWITCH and APASS apps, they remained in use for almost a year in active combat zones.
- The whistleblower behind the revelation of the flaws was acknowledged for his efforts despite facing initial backlash, and was thanked by the Special Counsel in a letter to the White House.
A report by the US Navy Inspector General, released today, has revealed that two Android apps with security flaws were in use by military troops.
Two powerful apps
The two apps in question carry hefty names, just like the tasks they are used for. They are called KILSWITCH (Kinetic Integrated Low-Cost Software Integrated Tactical Combat Handheld) and APASS (Android Precision Assault Strike Suite).
These apps are meant to provide a modern way for troops to coordinate with other military branches through a real-time messaging client, instead of using legacy equipment such as radios and paper maps. The troops could also call in an air strike using these apps. A press release and a demonstration video from DARPA back in 2015 showed the impressive functionality available in these apps.
The apps were developed under a DARPA program started in 2012 and entered general use with the troops in 2015. However, the Navy Inspector General’s report from March 2018, made public today, revealed that these apps had flaws which could leak information to the enemy.
Vulnerabilities and the Aftermath
Though the report doesn’t clarify the exact details of the vulnerabilities, it does note that the Navy failed to control the distribution of these apps and failed to warn the troops using them for almost a year.
Moreover, the report states that the two apps were only meant for use in training and were not approved for deployment in live combat. Because the apps were primarily intended for training, cybersecurity was not a concern for the developers, according to the report.
However, the apps were quite a hit among the troops who used them, and consequently their use spread across various military branches and even among allied forces.
The auditors said that the troops using KILSWITCH and APASS should have been warned against using them in combat zones, and advised to instead use another thoroughly tested and approved app called ATAK (Android Tactical Assault Kit).
The credit for discovering the flaws goes to a whistleblower in this case. Though the whistleblower’s name is redacted, it is known to be a person named Anthony Kim.
After this investigation, the Navy sent out an official warning in June 2018 ordering troops to stop using these apps in combat zones.
One can only imagine the dire consequences if crucial military systems were hijacked by cybercriminals in active combat zones. In the modern threat landscape, dealing with any cybersecurity vulnerability should always be treated as a high-priority task.