Any reader of this blog will know that I view physical security as crucial, especially when it comes to protecting some of the most valuable assets in the world—like Air Force One. But even the most secure bases can have their moments of, well, let’s call them “learning opportunities.”
Let's look at one such “learning opportunity”, which happened at Andrews Air Force Base. This base isn't just a random patch of tarmac; it's where Air Force One, Marine One and other VIP aircraft reside, and it also handles the aircraft of foreign dignitaries, heads of state and other VIPs flying into and out of the US. It's also, apparently, where people sometimes just wander in uninvited.
The 2021 “Mouse Ears” Incident
Before I begin with this story: it is true … and while parts of it sound outrageous, because they absolutely are, they are also true. I will leave this link with a good breakdown of events as they unfolded.
Picture this: a 36-year-old man drives up to the gate at Andrews Air Force Base and, despite having no credentials, is waved right through by the MP on duty.
Our intruder then goes missing on base for a few hours, is later seen at the PX food court, and then disappears again for several more hours. Keep in mind that when I say “disappeared”, I mean that no security camera or member of the base's personnel could later work out where he was or what he was doing. He eventually shows up again on base cameras at the tarmac … the place where all the planes are parked, which in this case means both ordinary military aircraft and extremely high-value VIP aircraft.
He manages to get past the tarmac security gate … because it was apparently broken, so he simply slips past it, again unobserved, and is now on an active flight line. He locates a parked C-40, the military equivalent of a Boeing 737, which has its door open and stairs leading up to it, allowing him to board and wander around.
Note that there were actually several airmen on board this plane when our intruder boarded and started poking around, but the confused airmen allowed him to move around the aircraft for about 20 minutes before getting involved, asking him for ID and calling security.
By the way, according to the Air Force’s website, the C-40 is responsible for …
Now, up until this point, you may be picturing a guy with a military haircut, wearing a stolen or fake military uniform and looking very confident in what he was doing, which threw off the guards and personnel.
Well, humorously, you would be wrong. Joseph Armstrong, the intruder in question, was caught because he had apparently been wearing a pair of Mickey Mouse ears as a hat the entire time, which is what got him noticed by arguably the only sane airmen in this story (the ones on the plane).
According to the report the Air Force put out on the event:
Part of the reason the civilian got so far onto the base was that his clothes looked similar to those worn by civilian contractors. He was wearing “dark pants, a dark jacket, black high top sneakers, and carrying a brown backpack,” the report said. “According to 89 Airlift Wing leadership, civilian maintenance personnel … characteristically wear dark blue pants and tops with black boots …. even military aircrew often fly in civilian clothes.” - US Air Force Report
The real question is: did Mr Armstrong know that this outfit would throw off the guards, or was he simply this lucky? Both options are terrifying in their own way. That said, I unfortunately have to concede that it was likely simply luck, since the same Air Force report also included this line:
One thing that set the intruder apart was his hat. According to the report, it was bright red or pink, partially covered his ears, and “had distinctive balls on top that looked a little like mouse ears.”
Obviously this is not a case of James Bond, or of some state-level agency conducting a secret mission to gain access to a military base. As I have said many times, every organization, even a military one, is like a game of Jenga, where everything is balanced on a few key blocks. If you discover which blocks those are, you can often capitalize on them and cause severe damage … or, in this case, just get some free time inside a military transport plane.
That said, I hope everyone really thinks about this case and what it took to gain access not only to the base itself, but also to the airport tarmac and even to military equipment. Suppose this had actually been a threat actor, one who wanted to cause harm, steal secrets or worse.
In my opinion, the issues here are twofold: complacency among guards and personnel, and, very likely, the fact that the base's physical security had never actually been tested.
A Lesson from the 1980s: The US Navy SEAL "Red Cell" Team
To understand why physical security at military bases may not be tested as rigorously as it should be, let’s take a trip back to the 1980s and look at the story of the US Navy SEAL "Red Cell" team. This elite unit, led by Richard Marcinko, was tasked with testing security at U.S. military installations—and they did their job with gusto.
Red Cell conducted surprise security tests on various bases, with spectacular (and often embarrassing) results. They managed to infiltrate highly secure areas, including gaining access to Air Force One. In one infamous exercise, they even took military personnel hostage, slipping past guards and bypassing security systems with ease.
Red Cell's antics were so effective, and so humiliating to base commanders and senior staff, that their success may sadly have led to their demise. Commanders were often left red-faced as their bases' vulnerabilities were exposed in the most public and dramatic ways imaginable within the military community.
While the intention was to highlight weaknesses and improve defenses, the embarrassment caused by these tests led to pressure and, eventually, the disbandment of Red Cell. While the exact reason for the disbanding of the group is contested, it is very likely that the embarrassment of senior leadership played a role in pressuring Red Cell to simply disappear.
With Red Cell gone, you can imagine how, and arguably why, regular physical penetration tests are no longer conducted in the same way, or, to be more specific, in a realistic way, throughout the US military.
And, in my opinion, one result of this loss is that idiots with no credentials, wearing literal Mickey Mouse hats, can find themselves unattended inside a military aircraft on a military installation.
Why Is This Relevant Today?
Unfortunately these incidents are not rare; in fact, they are becoming a very common occurrence. As I previously wrote, the U.S. Navy has been facing a significant increase in the number of foreign nationals attempting unauthorized access to its bases, raising serious national security concerns.
These incidents, occurring about two to three times a week, primarily involve individuals from adversarial nations like China and Russia. The rise in such attempts has prompted heightened vigilance and strengthened security protocols across military installations.
According to U.S. Fleet Forces Commander Admiral Daryl Caudle, these intrusions often involve foreign nationals posing as tourists or students, claiming to be enthusiasts interested in military ships. However, many of these individuals have been identified as engaging in suspicious activities that suggest espionage motives. For instance, some have been caught attempting to access bases illegally, conducting unauthorized drone flights, and even scuba diving near sensitive areas such as Cape Canaveral and missile launch sites in New Mexico (Maritime Executive) (the deep dive)
Conclusion
Just because a facility is military or government does not mean that it is any more secure than any other building. While there will be more gates, guards, cameras and so on, there will also very likely be just as many holes, dead zones and blind spots.
It is vital that such organizations recognize that they too are vulnerable to physical breach, and do what they can to resolve the issues. For all my readers who are on their own black teams, or who want to get into the field, whether your client is a corporate entity or a secure government office: do your recon, take your time and look for the vulnerabilities … they all have them.
Training Resources:
For individuals looking for a hands on training that includes all of the above topics, Covert Access Team (covertaccessteam.com) provides training courses focused on physical penetration testing, lockpicking, bypassing techniques, social engineering and other essential skills.
Covert Access Training - 5 day hands on course designed to train individuals and groups to become Covert Entry Specialists
Physical Audit Training - 2 day course on how to setup and run a physical security audit
Elicitation Toolbox Course - 2 day course that primarily focuses on elicitation and social engineering as critical aspects of Black Teaming
Counter Elicitation - 2 day course on how to recognize and prevent elicitation attempts, and safeguard your secrets.
Cyber Bootcamp for Black Teams - 2 day course designed explicitly for physical penetration testers who need vital cyber skills to add to their toolbox.
Private Instruction - Focused learning & training based on your needs.