Details of some US nuclear missile bunkers in Europe, which contain live warheads, along with secret codewords used by guards to signal that they’re being threatened by enemies, were exposed for nearly a decade through online flashcards used for education, but which were left publicly available.
The astonishing security blunder was revealed by investigative journalism website Bellingcat, which described what it found after “simply searching online for terms publicly known to be associated with nuclear weapons.”
The flashcards “detail intricate security details and protocols such as the positions of cameras, the frequency of patrols around the vaults, secret duress words that signal when a guard is being threatened and the unique identifiers that a restricted area badge needs to have,” Bellingcat reported.
Merely googling “PAS” (protective aircraft shelter), “WS3” (weapons storage and security systems) and “vault” (the US military term for nuclear weapons bunkers) together with the names of US Air Force stations in Europe came back with flashcards used in training and hosted on websites Chegg, Quizlet, and Cram.
Materials found by Bellingcat suggested the protocols had been in use as recently as April, though the oldest dated back to 2013. The flashcards themselves have since been deleted, with the US Air Force telling Bellingcat it was “investigating the suitability of information shared via study flashcards.”
Some flashcards included the locations and sightlines of surveillance cameras pointed at key entrances, and the locations of modems networking the vaults’ systems with the wider base. Precisely which vaults were being used to store nuclear warheads was detailed in some cards.
The investigative website’s findings are similar to the open-source intelligence it found when looking at beer-rating app Untappd last year. Using Bellingcat’s techniques, The Register was able to easily identify key government personnel working in militarily sensitive establishments.
Online OPSEC is important: subscribing to ebooks website Scribd and searching for certain terms can reveal all manner of confidential manuals and handbooks, and slide-deck website Prezi occasionally contains internal slideshows the content of which probably wasn’t intended to be published to the wider world.
Think of it this way: if you’re uploading sensitive data to a website that isn’t operated by or contracted to your company (or the government in this case), you probably shouldn’t do it. Particularly if you’re guarding nuclear weapons. ®