Fun with the Minuteman III Weapon System: Part 2
Intercepting Basic Nuclear Missile Communications
by Bad Bobby's Basement Bandits
Welcome to Part 2 of fun with an active Minuteman III nuclear weapon system.
In Part 1, we examined how to activate one of the Minuteman III security system alarms, how a basic security strike team responds to the alarm, what you need to do to avoid dealing with the strike team, and how multiple alarms might be fun to observe!
I have received some feedback from Part 1. The majority of feedback came from active and retired Minuteman III operators and maintainers. The active crewdogs were not that impressed with being able to throw snowballs and ice cubes to activate a security situation on a Minuteman III launch facility. However, most of them do not recognize what hacking means here: a hacker with no prior knowledge of an active Minuteman III system discovering, step by step, ways to interact with that system. This, of course, is the purest essence of hacking: taking an unknown system and discovering ways to make it known. As always, the contents of this article are completely unclassified.
First, a little bit on social engineering.
The Minuteman III Intercontinental Ballistic Missile (ICBM) system is one part of the nuclear triad. The other two parts are nuclear bombers and nuclear missile submarines. Both the bomber crews and submarine crews receive extra pay for performing their nuclear mission. Your friendly neighborhood Minuteman III crewdogs receive no extra pay for performing their nuclear mission. I find this quite humorous, and see this as another weak link in the Minuteman III nuclear chain. If I were a representative of China or Russia, I would be sorely tempted to offer a Minuteman III crewdog some extra cash. Most of the Minuteman III crewdogs could not be tempted with extra cash but, sooner or later, China or Russia would find the one crewdog who might need the cash.
To further weaken this third leg of a nuclear triad, the Minuteman III crewdog career field has been in a nearly complete state of disorder. Many of these guys don't know if they will be coded 13S or 13N until they're nearly through with their crew tour. These different job codes determine whether or not Minuteman III crewdogs will have a job in the space or nuclear career field, or whether they'll have to exit the Air Force. Clearly, the situation with the Minuteman III crew force is ripe for someone to employ social engineering techniques to discover what they will. Obviously, after printing this article things will tighten up for a while. But... the system is built on a dinosaur mentality and its equilibrium will shortly be restored to no extra pay and career uncertainty. Okay, enough social engineering for today!
Today we will be examining how to intercept Minuteman III ICBM communications.
We will start with the basic level of communications. What communication system does a Minuteman III crewdog use when en route between the main base and their missile site? Minuteman III crewdogs depart the main base using one of two modes of transportation: either by vehicle or by helicopter. The majority of Minuteman III crewdogs depart the main base by vehicle, and this will be the focus of our discussion. These crew vehicles contain a radio that allows the crewdogs to communicate with the main base or the missile site. The transportation center mainly communicates with crewdogs on their way out to their missile site. Most of the time the drive is long and boring, and the transportation center communications are tedious. Some crewdogs will unplug the microphone from the radio and then alternately touch it to and remove it from the radio while communicating with the transportation center. The crewdogs' message will be garbled, which allows them to tell the transportation center that their radio system is inoperable. This now gives them a free ride out to the missile site without having to deal with making stupid radio calls. Crewdogs leave the radio on so that they can monitor radio chatter. A hacker might say this is no big deal. So what if crewdogs hate using the radio?
Ahhhh! This is where the fun comes in. Any person who lives in the area of our Minuteman III missile sites has witnessed crew vehicles and maintenance vehicles driving out to the various sites. Many people have CB radios in their vehicles and have probably noticed that they have never been able to pick up any radio communications originating from the crew vehicles and maintenance vehicles. This is because the crew vehicles and maintenance vehicles' communication systems consist of VHF radios and various repeaters across the landscape. Those people who own boats will immediately recognize and understand what VHF radios are used for. A short glance at FCC regulations will show that VHF radios are to be used by the civilian population only on boats and only when those boats are in the water. I can go into the technical details for this, and it would be long and boring. Most of you wouldn't want to know it anyway. Suffice it to say that many military, government, and law enforcement agencies use VHF communications on land. I think the bottom line is they don't want civilians clogging up their VHF radio network. If I had a VHF radio on land near Minuteman III missile sites, I would probably turn it on and listen to the radio chatter. I'm sure I would never transmit any message over a VHF radio while I was on land. You'd be surprised what you could learn from listening to your VHF radio. You would hear something like this:
Crewdog: "Transportation center, this is trip 9-1 now arriving Charlie-1 request time and initials."
Transportation Center: "9-1 acknowledged now arriving Charlie-1. 1800. Romeo Delta Sierra."
This little communication between trip 9-1 and the transportation center is a good example of the type of VHF communication made by Minuteman III crewdogs and maintenance crews. If you are actually observing this crew vehicle, you would see that it pulled onto the access road to Charlie-1. It has not yet begun to try to enter the site. You can see that trip 9-1 is maintaining very good radio discipline by only sticking to the business at hand. No one's asking about the guy's kids or how his sick aunt is doing or any of the normal types of day-to-day conversation. The next communication would go something like this:
Crew Vehicle: "Charlie-1 Security, this is trip 9-1 at your gate. Request permission to enter site."
Charlie-1 Security: "Roger that 9-1. Stand by while I verify your trip information and notify the site Commander."
Charlie-1 Security: "Okay trip 9-1, you're cleared for entry on-site. Verify vehicle and weapons are secure."
Crew Vehicle: "Charlie-1 Security, vehicle and weapons are secure. Please notify the facility manager to assist us in unloading the vehicle."
As you can see from these two communication examples, they follow a very tight script.
For the most part, every crew vehicle and every security check tends to go the same way. That, my friends, is the big deal! Think about when you were first learning to hack. When you turned on your computer, the operating system tended to show the same messages in the same way every single time. You know that after a while you began to examine every single message and learned exactly what they meant. What you began looking for were exceptions to the startup messages. You learned that those exceptions provided you an opportunity to tweak and change them to see what happened.
On the above communications, can you spot the one exception? Of course you can. One exception that's not always in the script is their request to notify the facility manager that they need assistance. I'm not saying that you can insert a lot of different requests in that spot, but if I were hacking that system, that's where I would start. Obviously, the more you listen to the active Minuteman III VHF radio traffic, the more exceptions you'll hear and you can build your new hacking library accordingly.
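The "tight script" and the single exception are exactly what a dispatcher or site security controller would want to check for automatically. The following is an added example (not code from the article or from any Air Force system): it models the two exchanges quoted above as an ordered script, walks a transcript against it, and flags anything that deviates from the expected call at each step, a field (trip number, site, time, initials) that changes mid-exchange, or a request tacked onto the end of an otherwise scripted call. The transcript is constructed from the article's quoted lines; the role labels, the regular expressions, and the finding messages are assumptions made for this example.

```python
import re

# Constructed sample transcript, reproducing the two exchanges quoted in the
# article as "Speaker: message" lines. Nothing here is a real recording.
SAMPLE_TRANSCRIPT = """\
Crewdog: Transportation center, this is trip 9-1 now arriving Charlie-1 request time and initials.
Transportation Center: 9-1 acknowledged now arriving Charlie-1. 1800. Romeo Delta Sierra.
Crew Vehicle: Charlie-1 Security, this is trip 9-1 at your gate. Request permission to enter site.
Charlie-1 Security: Roger that 9-1. Stand by while I verify your trip information and notify the site Commander.
Charlie-1 Security: Okay trip 9-1, you're cleared for entry on-site. Verify vehicle and weapons are secure.
Crew Vehicle: Charlie-1 Security, vehicle and weapons are secure. Please notify the facility manager to assist us in unloading the vehicle.
"""

# The expected script as an ordered list of (role, pattern). Roles are
# hypothetical labels chosen for this example. Named groups capture fields
# that must stay consistent across the exchange; "extra" catches any text
# appended after the scripted wording of the final call.
SCRIPT = [
    ("vehicle",  r"trip (?P<trip>\S+) now arriving (?P<site>\S+) request time and initials"),
    ("dispatch", r"(?P<trip>\S+) acknowledged now arriving (?P<site>\S+)\. (?P<time>\d{4})\. (?P<initials>\w+ \w+ \w+)"),
    ("vehicle",  r"(?P<site>\S+) Security, this is trip (?P<trip>\S+) at your gate\. Request permission to enter site"),
    ("security", r"Roger that (?P<trip>\S+)\. Stand by while I verify"),
    ("security", r"trip (?P<trip>\S+), you're cleared for entry on-site\. Verify vehicle and weapons are secure"),
    ("vehicle",  r"(?P<site>\S+) Security, vehicle and weapons are secure\.(?P<extra>.*)"),
]


def speaker_role(speaker):
    """Map a transcript speaker label onto one of the hypothetical roles."""
    s = speaker.lower()
    if "security" in s:
        return "security"
    if "transportation" in s:
        return "dispatch"
    return "vehicle"


def check_transcript(transcript):
    """Walk a transcript against SCRIPT.

    Returns (findings, context): findings is a list of human-readable
    deviations; context holds each captured field as first seen.
    """
    findings = []
    context = {}
    step = 0
    for lineno, raw in enumerate(transcript.splitlines(), 1):
        if not raw.strip():
            continue
        speaker, _, message = raw.partition(":")
        speaker, message = speaker.strip(), message.strip()
        if step >= len(SCRIPT):
            findings.append(f"line {lineno}: traffic after script completed: {message}")
            continue
        role, pattern = SCRIPT[step]
        m = re.search(pattern, message)
        if m is None or speaker_role(speaker) != role:
            # Not the call the script expects here; record it and keep waiting.
            findings.append(f"line {lineno}: off-script traffic from {speaker} at step {step + 1}: {message}")
            continue
        for field, value in m.groupdict().items():
            if value is None:
                continue
            if field == "extra":
                if value.strip():
                    findings.append(f"line {lineno}: out-of-script request appended at step {step + 1}: {value.strip()}")
                continue
            if field in context and context[field] != value:
                findings.append(f"line {lineno}: {field} changed from {context[field]} to {value} at step {step + 1}")
            else:
                context.setdefault(field, value)
        step += 1
    if step < len(SCRIPT):
        findings.append(f"exchange incomplete: stopped before step {step + 1}")
    return findings, context


if __name__ == "__main__":
    for finding in check_transcript(SAMPLE_TRANSCRIPT)[0]:
        print(finding)
```

Run against the constructed transcript, the checker reports exactly one finding, the facility-manager request appended to the final call, which is the same exception the article points out. Changing the trip number in one reply, or dropping one of the scripted calls, produces an additional field-mismatch or off-script finding, so the same walk doubles as a consistency check on the exchange as a whole.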
In closing, remember it's okay to listen to a VHF radio while on land. Just don't transmit on a VHF radio while you are on land!
In 1987, Bad Bobby was the first kid (on his block) to hack the GEOS operating system for the Commodore 64. By removing the security dongle code, he was able to recompile a security-free GEOS operating system. Many kids in his neighborhood appreciated his efforts!