1 January 2019

How a Guy With a Camera Outsmarted the United States

JAMES BALL

On the morning of December 26, Alan Meloy stood on the front porch of his home in northern England and noticed that “murky” early clouds were clearing into a crisp and sunny winter’s day.

Meloy, a retired IT professional and a plane spotter of 45 years, decided to grab his best camera to see whether he could catch any interesting flyovers. Before long, he saw a “jumbo”—a Boeing VC-25A—and, knowing there were few such aircraft left, took about 20 photos of the plane. He could tell immediately that there was something unusual about it, though.

“It was just so shiny,” he told me. As it turned out, Meloy had unwittingly captured Air Force One.


Meloy’s photo, which he uploaded to the image-sharing service Flickr, provided the confirmation a group of hobbyists needed to outwit the security precautions of the world’s largest superpower transporting its leader on a secret trip to a conflict zone. In effect, President Donald Trump’s visit to a U.S. military base in Iraq the day after Christmas was publicly known among a band of enthusiasts even before he landed in the country.

The incident is just the latest in a long line in which hobbyists, hackers, or armchair internet detectives have outwitted or thwarted the best intentions of governments, secret services, and militaries, a reminder of how the connected world opens all of them to new, evolving threats—and how unprepared even the world’s most advanced governments are to deal with the simplest of these threats.

Trump is not the first world leader to run into such issues. Britain has faced its own set of headaches with the tracking of planes.

Last year, when Prime Minister Theresa May traveled to meet the newly inaugurated U.S. president, a journalist noticed that her plane was being tracked online. At the time, Jim Waterson, then the politics editor at BuzzFeed’s British operation, tweeted that the Royal Air Force refueling craft that doubles as May’s executive transport plane could be tracked on FlightRadar and similar flight-tracking websites. “No one on the trip raised a complaint when I tweeted this,” said Waterson, now at The Guardian. Weeks later, though, The Mail on Sunday, a British newspaper, claimed that the fact that the plane could be tracked left open the possibility of, as Waterson described it, “terrorists potentially—with the emphasis on potentially—being able to use this information to shoot the prime minister out of the sky.” May’s plane is now no longer trackable on most consumer websites.

Still more embarrassment for the British government came in the form of another Mail on Sunday story, this time noting that a U.K. spy plane, reportedly flying a U.S.-U.K. operation scouting Russia’s air defenses, was also trackable by plane-spotting apps.

Regardless of who is aboard a plane, stopping people from tracking its location is not entirely straightforward: Crossing crowded airspace over multiple countries requires a transponder to be sending information on the aircraft’s location, call sign, and similar details (Air Force One’s disguised call sign on Trump’s Iraq trip, for the record, was RCH358). That does mean that in the new, far more connected online world, there will always be a form of risk.

Plane spotters such as Meloy have been watching out for aircraft for decades, but as David Cenciotti, a respected aviation blogger, notes, new technical tools at their disposal, along with the near-instantaneous communications afforded by the internet, have changed the dynamic. “You are crowdsourcing something that 20 years ago would require weeks of investigations and letters exchanged with other geeks,” Cenciotti told me.

In other words, whereas once Meloy’s photo might have been an item of curiosity in a plane-spotting magazine a month after the fact, it now allows the president’s plane to be tracked in real time.

In fact, Cenciotti noted, military aircraft are fitted with the same transponders as civilian ones, and on occasion the operators of the military aircraft have forgotten to turn off the transponders during operations—including in Syria. This has been flagged as a real “operations security risk” in a report by the U.S. Government Accountability Office, increasing the risk of warning an adversary of an impending strike or even of allowing an attack to be intercepted. In the case of Air Force One this past week, Cenciotti said that because it was traveling through multiple countries’ airspace, it could not simply turn off its transponder (though he suggested it could have flown a different route or, to make sighting it harder for plane spotters, flown at night).

Planes are just the most obvious area in which the worlds of government and security services connect with civilians and hobbyists in potentially dangerous ways. Another is the world of cybersecurity, where nation-states, criminal hackers, and enthusiasts can interact.

Take the hack that became known as WannaCry: Exploits and hacking tools discovered by the National Security Agency were stolen and posted online. Several of these tools were modified into a devastating ransomware attack, which effectively held a computer hostage unless the victim paid a ransom. That particular attack began in Ukraine, but soon spread much farther, infecting, among others, Britain’s National Health Service, where it did more than $100 million worth of damage. And then, once in the wild, it was modified for commercial purposes by criminal hackers and used to extort still more victims.

These are hardly isolated examples, and it’s not only Western countries that have found themselves on the wrong end of such efforts: The open-source intelligence outlet Bellingcat has built its entire website on the basis of using openly available information to expose truths and counter misinformation, including using mapping information and satellite imagery to get to the bottom of attacks in both Ukraine and Syria.

The era of spy versus spy—if it ever truly existed—has certainly been ended by the internet. Today it is spy versus tweeter, plane spotter, criminal, activist, journalist, bored teenage hacker, and who knows who else. Many will intend no harm, and most breaches, such as the revelation of President Trump’s flight, will prove harmless.

But neither good intentions nor the fact that most breaches end up being inconsequential matters. The risks are real, and the signs don’t suggest that even the world’s largest superpower is ready to take the issue seriously, not least because it can’t seem to resolve even the simplest of problems: making the president’s plane hard to track.

We want to hear what you think about this article. Submit a letter to the editor or write to letters@theatlantic.com.

No comments: