IoT horrorshow: F-35 Far from Ready to Face Current or Future Threats, Testing Data Shows

Next-gen IoT worries:

Cybersecurity Concerns Continue

Pentagon officials have touted the F-35’s supposed advantages as a “computer that happens to fly.” The aircraft derives almost all of those advantages from the intricate internal and external network of hardware and software linking it to other aircraft, intelligence sources, ground stations, satellites, software labs, maintenance computers, and more. Testing for cyber vulnerabilities is therefore crucial to any evaluation of the program. The Government Accountability Office released a report in October 2018 showing that nearly every software-enabled weapon system tested between 2012 and 2017 can be hacked, often by simple means like looking up default passwords online for commercially available software. Numerous parts of the F-35 program use this kind of software; ALIS runs on Windows, for example.

Cybersecurity testing has long been part of F-35 program evaluation. The testing office is mum on the specific issues found so far, but reports that as of 2018 “some of the vulnerabilities identified during earlier testing periods still had not been remedied.” DOT&E calls for more cyber testing of the aircraft and of the program’s supply chain to “ensure the integrity of hardware components for initial production of air vehicles and ALIS components, plus resupply of replacement parts.”

So significant are DOT&E’s concerns about the integrity of ALIS that the report reiterates an earlier warning that program officials should find a way to operate the F-35 entirely without it, in case the network is compromised. F-35 program office officials claim that an F-35 can fly for at least 30 days without connecting to ALIS to exchange data and log maintenance actions. DOT&E wants the program to do better than that. “In light of current cybersecurity threats and vulnerabilities, along with peer and near-peer threats to bases and communications, the F-35 program and Services should conduct testing of aircraft operations without access to ALIS for extended periods of time.” However, DOT&E has not planned or mandated a testing event to confirm whether or not the F-35 can operate without ALIS for 30 days or more.

The fully integrated nature of all F-35 systems makes cybersecurity more essential than for any other aircraft. Legacy aircraft already in service are equipped with software-enabled subsystems, and while a hacker could penetrate the GPS system in a legacy system, because the subsystems are not fully integrated, a hacker could not also access the communications system, for example. The F-35 is inherently far more vulnerable. Lockheed Martin brags on its website about the aircraft’s “sensor fusion” that connects all of the onboard subsystems, such as the Active Electronically Scanned Array radar; the Distributed Aperture System; and the Communications, Navigation, and Identification Avionics system. That means enemy cyber-warriors need only compromise the software of one of these to corrupt the entire system. According to the 2018 Government Accountability Office report: “A successful attack on one of the systems the weapon depends on can potentially limit the weapon’s effectiveness, prevent it from achieving its mission, or even cause physical damage and loss of life.”


The Japanese Defence Forces have reported one of their F-35As as missing over the Pacific today. I think that is only the second one in operational service to crash (assuming it has crashed); I think a USMC one crashed last year. All things considered that’s actually a good safety record for a new jet fighter/bomber.

I honestly don’t know what to make of stories like the one you have linked to. The F35 programme is way over original budgets and has had many delays - there is no shortage of critics and detractors who will spin any story about it in a negative light. All things said it is a very impressive jet and I suspect that once it matures in operational service will become very, very effective.

Working in IT I know there are plenty of IoT horror stories but I also know that many ‘hacks’ and vulnerabilities are only a threat if the bad actor has physical access or scenario A + B + C magically all come together. I’ve also had a small amount of experience with the military and defence sectors and to say they don’t take cyber-security seriously would be disingenuous - although people do stupid, too often.

If you enjoyed reading through all those stories you’d probably enjoy the novel Ghost Fleet, it was pretty typical of its genre and not as good as Tom Clancy’s older books, but the Chinese do neutralise the F35 fleet via the various electrical components that Chinese companies supplied:


Talking with people who are and have in the past worked on the F-35, I 100% understand why. Can’t say much, but the development lifecycle is ass-backwards.

This is 100% accurate. The plane probably has some vulns. So does my desktop though.

Everything has vulns. The only realistic solution to those is to keep the edge guards up.


Don’t forget they also need to install Adobe™ Reader.


It’s pretty easy, to be honest. You just need to look past the whole “we need new planes to combat al qaeda” and to be safe.
What everyone needs to realize is that this is corporate socialism, just like the reconstruction contracts after Iraq had been destroyed, etc., were a form of corporate socialism for Halliburton and the like. Financing for this project is on what’s called ‘cost-plus’ basis – i.e., everything LH-M bills gets paid, no penalties, no nothing. So they have every incentive to build planes with as many design flaws as possible, by going for the edgiest design options, and the most idiotic customer requests. That’s why, after 20 years of development and a $200B cost overrun so far, this is still the case:

Prior to beginning the operational testing phase, officials had also failed to properly address 941 design flaws during the program’s development phase, with 102 listed as “Category I” flaws that “may cause death [or] severe injury,” or lead to major damage to the aircraft or seriously inhibit combat effectiveness. As POGO reported, rather than taking the proper corrective actions, program officials made paperwork adjustments in a series of meetings during the summer of 2018 to make some design flaws, like one involving the emergency transponder and another with the F-35A’s emergency tailhook, appear to be less serious “Category II” deficiencies.

Each of these 102 flaws could ground aircraft or force them to abort missions. These design flaws likely also contribute to the program’s poor availability rates. According to DOT&E, this will have an impact on the operational testing process, which requires an 80 percent availability rate for the 23 aircraft instrumented for operational testing. The fleet is averaging a monthly rate “well below” 80 percent (the rate is not specified in the report), which “will remain a challenge for the efficient conduct and timely completion of [operational testing].”

But right now, Lockheed would love to move forward to production, because it means more money can be made later retrofitting the already-built planes, because of “sunk costs”. And the govt is more than happy to go along with that, as it is run by people who believe the public purse exists to benefit big business, though the two parties differ on which big businesses should benefit, because they’re sponsored by different parts of the corporate sector.


Good reply, thanks. It’s not a story I’ve followed too closely, watching the videos of F35Bs and Cs looking cool on carrier operations is about the extent of it 🙂

I’m aware that there has been plenty of negative press, especially after the article about an F35 being defeated in mock combat by an F16; but such is life of a new jet, and honestly there probably aren’t many jets that could go up against an F16 with a very experienced pilot.

Well, that’s the wrong angle for LH or anyone to push, the roots of the F35 come from the later years of the cold-war. I remember reading following its very early development in the 1990’s - seems crazy the programme has been running that long!

So they have every incentive to build planes with as many design flaws as possible, by going for the edgiest design options, and the most idiotic customer requests.

I seem to remember critics way back saying it was insane to try and wrap the requirements of the air-force, the navy’s air-force, and the air-force of the navy’s army all into a single air-frame 😃

I think with hindsight it’s clear that had each service pursued its own contracts with tech exchange and cooperation on stealth and avionics etc., it would have been cheaper and each programme would be much further along.

Overall, I think the government’s view is the programme is now too far gone to terminate/start over and there are plenty of examples in military projects that span decades of getting there - eventually.

Corporate-socialism? Yes, I agree there. It makes me laugh when people claim EU based aerospace companies get unfair advantage by being part government owned, but are happy to ignore the fact that US Government contracts and the way they are written basically mean Boeing, LH, BAE et al get similar support - just in a different way.

“A computer that happens to fly”. That thing doesn’t even fly properly. Aside from that, unless they were able to realize a self-contained system able to do everything offline, it’s going to be plagued by the constant nightmare of being hacked. I’m pretty sure that government agencies or independent hackers are drooling over the idea of getting into one of those things. And they will one day or the other.
Also a malfunction in the software could take that thing down, like recently happened to that Boeing.
It’s not like war machines should be all analog like a T-34 but FFS why make an unrealistic project like this that will most likely suck forever? And same goes for always connected cars, I’m “afraid” of those.
I’m not at all surprised by this kind of news and I really hope that those things will never be shipped to anyone besides some already out for testing.

They are already in operational service and have been used by Israel and the USAF in air-ground strikes in Syria. The British RAF has already withdrawn the older Tornado from Cyprus and their F35Bs will be deployed there soon so I expect those will likely be used over Syria/Iraq as well (assuming sorties are still happening now that ISIS is all but gone.)

The jet is very much like a software programme, it will evolve over time and will continue to suck money for a long time to come. The fact that the US Navy & Air Force have placed orders for updated Super Hornets and Eagles (in relatively small numbers) suggests that it’s not at the point where there are enough of them, and mature enough to do all things yet.