Is it prudent to ask if Britain’s nuke subs, which also run Windows XP, have also been hit by ransomware?

Posted on May 13, 2017 by Rick Falkvinge

Britain’s hospitals have been brought to a standstill because of ransomware infecting obsolete and unpatched Windows XP systems. The same obsolete operating system is powering Britain’s nuclear weapons arsenal. Is it prudent to ask if the British nuclear weapons submarines have been patched against this ransomware, or even hit by it?

As reported in January of last year, Britain’s nuclear submarines still run Windows XP. This is the outdated Microsoft operating system that was vulnerable to ransomware, and which is the reason that practically Britain’s entire healthcare is currently nonfunctional and at a standstill: they ran Windows XP, they did not upgrade, and they did not patch.

(A security patch for this vulnerability has been out since March. Getting hit in May is therefore inexcusable.)

I would argue that hospitals and nuclear weapons platforms are both “mission critical” for a government. It can be safely argued that one is more dangerous than the other, but in terms of how important to society it is to upgrade them and keep them current, they are playing in roughly the same division.

In other words, seeing how Britain has failed to patch its Windows XP systems in mission-critical hospitals, I do not have faith that they have patched all other mission-critical systems – specifically including their nuclear weapons platforms.

Of course, this would all be classified and nobody would ever admit to something like this happening, except possibly fifty years later. But we do know that Britain’s nuclear submarines run Windows XP, and that they had a contract for support which expired in July of last year, and which had an option to extend to July of this year. We also know that Microsoft has issued the security patch whether you are on support or not, so a support contract makes no difference in this case.

We’ve observed that the NSA has a catastrophic conflict between its mission and its methods: it cannot keep a nation safe by simultaneously keeping it unsafe (refusing to fix vulnerabilities).

We’ve also observed that NSA tools will leak to whomever may want them.

We’ve also observed that mission-critical systems routinely go unpatched.

We’ve observed that military systems are supposed to be kept separate from the Internet, but that this is frequently ignored. Besides, the same is largely true for mission-critical medical systems. Yes, those at the now-brought-to-standstill hospitals.

Let’s reword this to drive the point home. How likely is it that the United States NSA, through its persistent interest in keeping us unsafe, has managed to hand control of Britain’s nuclear weapons platforms to unknown ransomware authors, perhaps in Russia or Uzbekistan?

Of course, this is just speculation; it is not even hypothesis level. There would be no way for a civilian to know whether the subs are vulnerable, or worse, hit.

But given what has already happened, is it not rather relevant speculation that forces a few inconvenient questions?

Photo of the British HMS Vanguard submarine provided by the UK Government.


1 Comment

  1. Wally Anglesea

    The nuclear subs will be airgapped and not connected to the outside world in any way and will have TEMPEST-rated hardware and software. The versions of XP are not what you and I use. Having said that, the idea of using off-the-shelf operating systems on warships has always struck me as stupid.

    7 years ago