Fun with the Minuteman III Weapon System: Part 3
by Bad Bobby's Basement Bandits
Welcome to Part 3 of fun with an active Minuteman III nuclear weapon system. In Part 2, we examined how to intercept basic nuclear missile communications, and how different trips communicate with the transportation center and the missile flight security controller using the VHF radio. Finally, we examined the various radio communication scripts and learned how we may begin to put together our VHF radio hacking library.
As usual, I have received feedback from Part 2. I was able to speak with active and retired Minuteman III nuclear missile officers (otherwise known as "Crewdogs"). Some Crewdogs thought that I should have discussed the concept of frequency hopping as it relates to VHF radio transmissions. We all agreed that having a properly tuned trunked scanner would be the best way to intercept the VHF radio transmissions today.
A lot has happened in the Minuteman III community since Part 2 was published. It appears to this author that a great portion of the ICBM community is attempting to self-destruct. A two star general, who was an active commander of the Minuteman III nuclear force, has been fired because of his unusual behavior while performing temporary duty in Russia (excessive drinking, beautiful Russian girls, a.k.a. spies, etc.). Eleven Crewdogs were found to be involved with illegal drugs. Initially, 34 Crewdogs were caught cheating on a TOP SECRET Emergency War Order (EWO) test. The Air Force investigations continue and, as of today, the number of Crewdogs caught cheating on the TOP SECRET EWO test is closer to 100. The drug investigation has gone dark with no further information being released.
Today I'm going to put on my white hat. We will be discussing how any civilian can establish a communication link to be able to hack into any Minuteman III ICBM nuclear missile computer. This will be accomplished by completely bypassing the Launch Control Center (LCC) - the place that usually controls all communications having to deal with Minuteman III missiles. The main purpose for discussing this information is to show that even the most secure, unattached to the Internet system can be hacked as a result of owner/operator carelessness. The secondary purpose for exposing this information is so someone else in authority with the Air Force or government will read this and take the necessary steps to stop Crewdog buffoonery with the Airborne Launch Control System Holdoff Command (AHC).
Usual disclaimer: All of this information is unclassified. Standard disclaimer: For information purposes only. Do not do any of this.
First, some brief background information. Both the Minuteman III missile and its associated Launch Control Center each have their own computer. These computers handle the bulk of the communications back-and-forth between the missile and the Launch Control Center. Every six hours, Crewdogs in the LCC must initiate the Airborne Launch Control System Holdoff Command. This command is intended to be sent from every LCC to every Minuteman III nuclear missile, no exceptions.
The AHC command was built into the Minuteman III system during the dark days of the Cold War. The idea was if any LCC was destroyed by an enemy missile, there needed to be a way for United States forces to launch any remaining Minuteman III nuclear missiles. At the end of a certain amount of time, if the Minuteman III missile does not receive an AHC command, the missile computer switches on its UHF radio so that the missile can receive communications through its UHF radio. Sooner or later, an E-6B from the 624th Strategic Operations Squadron (containing the airborne launch control system) will fly by and Crewdogs in the aircraft will begin to communicate with any Minuteman III missiles that are in the UHF mode. Of course, in a time of nuclear war, they will be sending UHF commands that will cause the missile to launch.
There's something about pulling a lot of alerts in an underground nuclear Launch Control Center that eventually makes some Crewdogs do crazy (and dangerous) things. One of the crazy things that some Crewdogs do is play the "AHC Chicken" game. The goal of the AHC Chicken game is to see who can get the AHC command sent out to the missile as close as possible to the six hour timer without having it expire. Since the AHC timer clock does not report fractions of a second, then the winner of AHC Chicken would send the AHC command to the missile at one second before the six hour timer expires. There are five launch control centers in each squadron. To play AHC Chicken, two or more launch control centers will get a chance to run the AHC command. This game takes twelve or more hours to play. At the end of twelve (or more) hours, the launch control center with the closest time to zero on the AHC timer is the winner. If a mistake is going to happen, it is usually going to be at the 18-hour point (usually at about three or four in the morning). A mistake is made when the AHC command is not sent out and all the missiles go into the UHF mode (or RADMO).
A wild guess is that the "AHC Chicken" game is played about two times a year in any given nuclear missile wing. Generally, Crewdogs are quick enough to catch the mistake and run the AHC command within a few seconds. On other occasions, Crewdogs have left nuclear missiles in the AHC mode for nearly four hours. Of course, Crewdogs get in big trouble for having done this.
The materials we will need for this hack will be a tuned 40+ watt UHF transceiver and a DTMF tone generator. The purpose of this hack is to demonstrate that a civilian with no nuclear missile knowledge or experience can obtain electronic access and communicate directly with a Minuteman III nuclear missile computer by way of its UHF receiver. There is no danger of launching the nuclear missile since only the President and National Command Authorities actually have access to the real nuclear missile codes. This hack just feeds electronic gibberish to the nuclear missile computer. This hack demonstrates electronic access to a nuclear missile, nothing more.
We all remember from our "Radio 101" course that the UHF band operates in the line-of-sight mode. This means that our UHF transceiver must have a fairly clear line-of-sight between the operator and the nuclear missile site. We want to get close enough to the nuclear missile so that our UHF transceiver is able to make contact with the missile, but not so close that we can be picked up on the missile site security cameras. Once we are set up, all we need to do is set our UHF transceiver to the frequency of the Minuteman III nuclear missile computer's UHF receiver. The frequency of the Minuteman III nuclear missile's UHF receiver is set at... Okay, I can't tell you the actual frequency(s) because they are classified. However, a communications link can be established by stepping through UHF frequencies while transmitting random DTMF tones. We really only need to have a couple of random tones register on the missile's computer for proof of concept. And there you have it! A. Very. Cool. Hack.
I don't know why nuclear missile wing commanders do not take steps to completely stop the Crewdogs' ability to play the "AHC Chicken" game. It has been going on for more than 30 years. By highlighting this hack, it is my hope that nuclear missile wing commanders and politicians will take the necessary steps to shut down the Crewdogs' ability to play "AHC Chicken" immediately. This will also ensure that no hackers/civilians will be able to communicate with a nuclear missile.
(Bad Bobby has spent more than 6,500 hours on alert in the Minuteman III Nuclear Weapon System. Next time, Bad Bobby will wear his White Hat (again) as we examine the Enable codes for the Minuteman III nuclear warhead!)