The Dismal State of SATCOM Security

timothy posted about 6 months ago | from the my-sputnik-or-yours dept.

An anonymous reader writes "Satellite Communications (SATCOM) play a vital role in the global telecommunications system, but the security of the devices used leaves much to be desired. The list of security weaknesses IOActive found while analyzing and reverse-engineering firmware used on the most widely deployed Inmarsat and Iridium SATCOM terminals includes not only design flaws but also features in the devices themselves that could be of use to attackers. The uncovered vulnerabilities include multiple backdoors, hardcoded credentials, undocumented and/or insecure protocols, and weak encryption algorithms. These vulnerabilities allow remote, unauthenticated attackers to compromise the affected products. In certain cases no user interaction is required to exploit the vulnerability; just sending a simple SMS or specially crafted message from one ship to another ship would be successful for some of the SATCOM systems."
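The summary says the weaknesses were found by pulling apart terminal firmware, and the two findings it names first (hardcoded credentials and embedded key material) are exactly what a first pass over a firmware image looks for. The script below is an added example for this thread, not IOActive's tooling and not code from any terminal vendor: it runs a strings-style scan for label=value credentials and a sliding-window entropy scan for key-shaped blobs over a constructed stand-in image. SAMPLE_FIRMWARE, its strings, its offsets and the 32-byte "key" are all invented for the demonstration.

```python
"""Scan a firmware image for hardcoded credentials and key-shaped blobs.

Added example for this thread; not IOActive's tooling and not any vendor's
code. SAMPLE_FIRMWARE is a constructed stand-in for a firmware image.
"""
import math
import re

MIN_STRING_LEN = 6
WINDOW = 32  # bytes per entropy window; 32 fits a typical symmetric key

# Labels that tend to sit next to a hardcoded secret in config blobs.
# The value is limited to printable bytes so it stops at a NUL terminator.
CREDENTIAL_HINT = re.compile(
    rb"(?P<label>passw(or)?d|pass|pwd|secret|token|key|login|user(name)?)"
    rb"\s*[:=]\s*(?P<value>[\x21-\x7e]+)",
    re.IGNORECASE,
)

# Constructed image (not real firmware): header padding, a banner, a config
# block with credentials, a help string, a 32-byte blob of distinct
# non-printable bytes standing in for an embedded key, a second credential
# and filler. Offsets: "password=" at 71, key at 128..159.
SAMPLE_FIRMWARE = (
    b"\x00" * 32
    + b"SATCOM terminal config v1.2\x00"
    + b"user=admin\x00"
    + b"password=letmein123\x00"
    + b"Usage: cmd [options]\x00"
    + b"\x00" * 16
    + bytes(range(0x80, 0xA0))  # stand-in for an embedded key
    + b"\x00" * 16
    + b"backdoor_pass:s3cr3t!\x00"
    + b"\xff" * 32
)


def extract_strings(blob: bytes, min_len: int = MIN_STRING_LEN):
    """Return (offset, text) for every printable-ASCII run of at least min_len bytes."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [(m.start(), m.group().decode("ascii")) for m in pattern.finditer(blob)]


def find_credentials(blob: bytes):
    """Flag strings shaped like 'label=value' credentials, with absolute offsets."""
    hits = []
    for offset, text in extract_strings(blob):
        for m in CREDENTIAL_HINT.finditer(text.encode("ascii")):
            hits.append({
                "offset": offset + m.start(),
                "hint": m.group("label").decode("ascii").lower(),
                "value": m.group("value").decode("ascii"),
            })
    return hits


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 8.0 at most, and at most log2(len(data)) for short inputs."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def find_key_blobs(blob: bytes, window: int = WINDOW):
    """Return merged (start, end) regions whose bytes look like key material.

    A window is suspicious when its entropy is close to the maximum possible
    for its length and it is not mostly printable text; varied ASCII also
    scores high, but text is already covered by extract_strings.
    """
    threshold = 0.9 * math.log2(min(window, 256))
    regions = []
    for start in range(0, len(blob) - window + 1):
        chunk = blob[start:start + window]
        printable = sum(0x20 <= b <= 0x7E for b in chunk) / window
        if printable >= 0.85 or shannon_entropy(chunk) < threshold:
            continue
        end = start + window
        if regions and start <= regions[-1][1]:
            regions[-1] = (regions[-1][0], end)  # overlaps the previous hit: extend it
        else:
            regions.append((start, end))
    return regions


def report(blob: bytes) -> str:
    lines = []
    for hit in find_credentials(blob):
        lines.append(f"0x{hit['offset']:06x} credential {hit['hint']}={hit['value']!r}")
    for start, end in find_key_blobs(blob):
        lines.append(f"0x{start:06x}-0x{end:06x} high-entropy blob ({end - start} bytes)")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_FIRMWARE))
```

Both scans are triage aids, not proof: a "credential" hit may be a format string or a help message, and a high-entropy region may be compressed data rather than a key. The offsets are absolute so each hit can be followed into a disassembler to see whether the string is actually compared against network or SMS input, which is the question that separates a hardcoded credential from a harmless constant.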

SATCOM or Ship-to-Ship? (-1)

Anonymous Coward | about 6 months ago | (#46779729)

This reads like two summaries smushed together.

Also, I want to meet the hacker with a giant dish in his backyard trying to exploit satellites: that would be an interesting conversation for sure.

Re:SATCOM or Ship-to-Ship? (0)

Anonymous Coward | about 6 months ago | (#46779859)

Not nearly as interesting as a conversation with this guy. [nationalpost.com]

Re:SATCOM or Ship-to-Ship? (0)

Anonymous Coward | about 6 months ago | (#46779913)

There are a lot of guys who do it. One of the best was Ivan Artner, and he suspiciously died in a motorcycle accident.

Re:SATCOM or Ship-to-Ship? (1)

ColdWetDog (752185) | about 6 months ago | (#46780309)

You don't need a giant dish. You see those Iridium handsets? That's all that you need. The newer ones fit in a cargo pocket.

Tell us MORE! (0, Troll)

Anonymous Coward | about 6 months ago | (#46779737)

Keep telling us! More Please! Again! Remind those that may have missed this before how any simpleton can hack satellites. Please, you're doing the entire world a great service by restating what everyone wants no one to know. Like this HELPS in any form? Do you really think that the 'good guys' are going to listen to YOUR great words of, well, repetition?

Re:Tell us MORE! (1)

Bugamn (1769722) | about 6 months ago | (#46787421)

So you believe in security through obscurity, right?

Encryption (1)

drizuid (444751) | about 6 months ago | (#46779783)

so, just like your data communications in your house, if you don't want someone eavesdropping on your conversation toss a type1 encryption device in front of it, like every other security conscious satcom user.

Re:Encryption (2, Informative)

Anonymous Coward | about 6 months ago | (#46779997)

That won't protect you from denial of service attacks.

And in quite a lot of the use cases, the reaction won't be "Bummer, can't get to slashdot" but will be:
- "Bummer, can't warn the train driver there are boulders on the rail"
- "Bummer, can't contact search and rescue and the ship is sinking"
- "Bummer, can't contact HQ and request Air support to help with these guys shooting rpgs on my convoy"
Note: Substitute "Bummer" with appropriate four letter word.

Also,
type 1 encryption devices won't be available to most users (certainly not to civilians outside the US).

Re:Encryption (2)

K. S. Kyosuke (729550) | about 6 months ago | (#46780305)

Be a contrarian - go for Type i encryption devices!

Re:Encryption (1)

X0563511 (793323) | about 6 months ago | (#46780583)

Or, one could fall back on terrestrial radio for all of these examples...

Re:Encryption (1)

Gareth Iwan Fairclough (2831535) | about 6 months ago | (#46781143)

In my experience in the military, satcom IS the backup for the radio. In fact, we were told only to use satcoms as a last resort due to a lack of encryption.

Re:Encryption (0)

Anonymous Coward | about 6 months ago | (#46780221)

so, just like your data communications in your house, if you don't want someone eavesdropping on your conversation toss a type1 encryption device in front of it, like every other security conscious satcom user.

not everybody can get access to type1 encryption devices...

ignorance was bliss (2, Insightful)

Anonymous Coward | about 6 months ago | (#46779785)

Isn't it great how security went from a concern, to an afterthought, to completely irrelevant over the span of twenty years? Only to be magically resurrected as a hot button issue of worldwide concern for every other news story for arguably the next 5 years. And all because big corps, with all their endless offshoring, cost cutting, profit seeking, litigation circumvention, and merciless assault on tax avoidance will continue to skip to the loo with endless payrolls, blaming all of this all the while on "outside forces". It makes me feel like IT Security is as fun a joke in the boardroom as GAAP. We don't even have a real ruling body anymore according to IETF sources. Is there anything that isn't a mucked up mocked up half assed attempt at stopping this all?

Re:ignorance was bliss (1)

Lumpio- (986581) | about 6 months ago | (#46813587)

Huh? Security was completely irrelevant at some point in the recent past? When exactly?

And the Republican's solution... (-1)

Anonymous Coward | about 6 months ago | (#46779855)

is to make more and more draconian laws. They're anti-technology so they are unable to comprehend that this is a technical problem with a technical solution. As usual, they are hurting the US with their hateful religious beliefs. We need to protect technology from religion.

Aren't those guys rocket scientists? (1)

johnjaydk (584895) | about 6 months ago | (#46779869)

You would have thought people who made satellites were, like rocket scientists. Not drunken lemmings.

Re:Aren't those guys rocket scientists? (0)

Anonymous Coward | about 6 months ago | (#46779953)

Their focus is more on keeping something in orbit at 18,000 miles an hour, 24 hours a day, so you can yammer on about them being idiots to social media.

Re:Aren't those guys rocket scientists? (1)

Anonymous Coward | about 6 months ago | (#46779987)

Not saying I'm representative of the whole group, but I'm a rocket scientist, and I'm pretty pants at information security.

Re:Aren't those guys rocket scientists? (0)

Anonymous Coward | about 6 months ago | (#46780127)

It seems your peers at NASA are equally shitty at security, so no reason for you to feel bad.

NASA basically is hacked by everybody who wants to. An enormous "mart" for anybody who wants to start an ICBM capability, basically.

Re:Aren't those guys rocket scientists? (0)

Anonymous Coward | about 6 months ago | (#46780199)

So how's your ICBM coming, poseur?

Re:Aren't those guys rocket scientists? (0)

Anonymous Coward | about 6 months ago | (#46780441)

You are a fucking idiot.

Re:Aren't those guys rocket scientists? (1)

johnjaydk (584895) | about 6 months ago | (#46780535)

Not saying I'm representative of the whole group, but I'm a rocket scientist, and I'm pretty pants at information security.

Getting them up there and not having them fall down is not half bad. I still try to keep my kerbals from blowing up. But seriously, at least accept that info-sec is important. There might be a business case in not being totally p0wnd.

Re:Aren't those guys rocket scientists? (0)

Anonymous Coward | about 6 months ago | (#46779993)

Rocket scientists and rocket engineers design (and sometimes help with the building and operation of) the rockets that launch the satellites. Companies that own the rockets are generally willing to launch whatever a legal entity that pays their large fee wants launched unless a government tells them "no, we're not letting you launch that." Unless the communications satellite has rockets of its own, odds are slim that rocket scientists will be involved in its design.

Re:Aren't those guys rocket scientists? (1)

X0563511 (793323) | about 6 months ago | (#46780613)

I'd think most expensive satellites have some form of thruster on them for retasking, station adjustment, and debris avoidance...?

Re:Aren't those guys rocket scientists? (3, Insightful)

cusco (717999) | about 6 months ago | (#46780235)

The problem is that reliability has always been considered as paramount in these devices, for very good reasons, and inserting a security layer in the stack increases the likelihood of problems and increases their complexity. There are satellite phones out there which have been in almost continuous use for 15 years, good luck flashing that firmware to handle encryption or to obfuscate that hard-coded password. For most satellite communications users I don't foresee the situation changing any time soon. The guy running a gold dredge in the upper Amazon isn't going to want to cough up for a new phone when his current one has been working fine for the last decade, nor is the tribal chief in New Guinea or the crab boat captain in the Bering Strait. What they have works, and they don't give a shit whether the phone can be hacked as long as it works when they really need it. The commodities speculator in his Lear jet might be concerned, let him pay for the system upgrades, but leave the rest of the system backwards compatible for those people who need reliability overall.

Re:Aren't those guys rocket scientists? (1)

Joe_Dragon (2206452) | about 6 months ago | (#46783399)

crab boat captain in the Bering Strait: boat upkeep is nothing next to the cost of a new sat phone

Re:Aren't those guys rocket scientists? (1)

cusco (717999) | about 6 months ago | (#46783485)

No, but just because it won't bankrupt him doesn't mean that he wants the annoyance of buying, setting up and learning a new (and more expensive) system that may well not be as reliable as the old one. My dad bought one of the first consumer-level Lowrance fish finders on the market. He used it until he couldn't fish any more, even though there were "better" models on the market. Why buy a new one when that one did exactly what he wanted exactly the way he was used to it?

Re:Aren't those guys rocket scientists? (1)

ColdWetDog (752185) | about 6 months ago | (#46780327)

Even rocket scientists have managers. And managers have VPs and VPs have to talk to the CEO about shareholder value.

As always, shit rolls down hill.

Re:Aren't those guys rocket scientists? (1)

dave562 (969951) | about 6 months ago | (#46783095)

I know you are kidding, but the scientists who are putting the satellites into orbit are not the same group as the engineers who are designing the satellites in the first place.

WTF! Republicans don't make a damn bit of sense: (-1)

Anonymous Coward | about 6 months ago | (#46779885)

We're thankfully long been downloaded 100 million times. Apache OpenOffice successfully supports the leading Open Source software, Apache OpenOffice include Asturian, Basque, Danish, Korean, Norwegian, Polish, Scottish Gaelic, and Swedish, thanks to bring better compatibility with all the latest version of word processor ("Writer"), a self-selected team of a mathematical formula editor ("Impress"), a word processors. "Family," because the next 100 million?" If you want to grow, no matter where users who wishes to its user interface with daily peaks of word processor ("Writer"), a self-selected team of Apache OpenOffice was submitted by the community members The Apache OpenOffice features integrated improvements from its acquisition of Microsoft Office documents they're stuck with low-vision The most frequently used channel for user support is the ASF) to the administrative region of the user interface with for Windows, Apple OS X and an Android port of word processor, even more than 170 Open Source projects and incubators of Apache OpenOffice mentor and Linux OpenOffice project, with the Sidebar, developed by Oracle after further development as "StarOffice" by community at Apache products, Apache OpenOffice name "OpenOffice.org", OpenOffice project, with hundreds of successful combination of Brand Management. "We are hosted or with what they are 100% translated and Fun Facts about 250,000 and Templates sites we show how many users who write the Project's day-to-day operations, including community development as "StarOffice" by Oracle after a remarkable achievement in less than two years," said Andrea Pescetti, Vice President of the 60,000+ user-strong official.

Re:WTF! Republicans don't make a damn bit of sense (0)

Anonymous Coward | about 6 months ago | (#46785817)

I think the Apache Foundation only hired illiterate morons. It's like the Apache people just string random words together.

They will take it seriously (0)

Chrisq (894406) | about 6 months ago | (#46779941)

They will take it seriously when someone pwns a communications satellite.

Re:They will take it seriously (2)

janoc (699997) | about 6 months ago | (#46780153)

Which is happening routinely. Many older birds don't require any authentication or anything - they simply retransmit whatever they hear on one frequency on another one: http://spectregroup.wordpress.... [wordpress.com]

And those are US NAVY (!!!) satellites!

Doing that with Iridium or Inmarsat hardware is a bit more complex, because the protocols are mostly digital, but not impossible either.

As a SATCOM professional... (3, Informative)

DeTech (2589785) | about 6 months ago | (#46779945)

LDR services like Inmarsat were never meant to be secure. Now if this was about AEHF that would be news.

Re:As a SATCOM professional... (1)

DigitAl56K (805623) | about 6 months ago | (#46780121)

LDR services like Inmarsat were never meant to be secure. Now if this was about AEHF that would be news.

I'm pretty sure they're meant to be at least secure enough that Joe Shmoe couldn't take them over with a text message or a known hardcoded credential. Well, unless you can point someone at this list of vulnerabilities and say "it's not meant to be secure", and still make your sale, of course.

Re:As a SATCOM professional... (2)

DeTech (2589785) | about 6 months ago | (#46780203)

Well, unless you can point someone at this list of vulnerabilities and say "it's not meant to be secure", and still make your sale, of course.

That of course is the kicker. The customer base for Inmarsat and Iridium is not the SHIELD/HYDRA community the OP has in his head. This is more the western union /pay-as-you-go-phone crowd.

Re:As a SATCOM professional... (1)

jratcliffe (208809) | about 6 months ago | (#46780249)

Iridium's largest customer (by far) is the US DoD.

Re:As a SATCOM professional... (1)

DeTech (2589785) | about 6 months ago | (#46780339)

yes. but look at what they use it for.

Re:As a SATCOM professional... (0)

Anonymous Coward | about 6 months ago | (#46780839)

TFA shows that BGAN was marketed to the military for use on the secure network.

Re:As a SATCOM professional... (0)

Anonymous Coward | about 6 months ago | (#46782081)

Yes, it was. That said, it doesn't rely on the default security model, which is virtually nonexistent.

Why would you think otherwise? (2)

mveloso (325617) | about 6 months ago | (#46780097)

Anyone talking on a sat phone is by definition interesting to the government - any government. Why would you think that these would be secure?

Uh no (1)

jon3k (691256) | about 6 months ago | (#46781475)

> Anyone talking on a sat phone is by definition interesting to the government - any government.

Uh, no. I live on the coast and every big (especially charter) fishing boat has sat phones. Most of the conversations are: "Yes honey I'm still at the office looks like I'm going to be REALLY late".

Re:Uh no (1)

tirefire (724526) | about 6 months ago | (#46782341)

Not just fishing boats, but people in Alaska, Nevada's Great Basin, The Northwest Territories...

OSS security debate (3, Interesting)

janoc (699997) | about 6 months ago | (#46780107)

Wasn't it just yesterday that someone posted a flamebait summary [slashdot.org] about the Heartbleed bug changing the "Open source is safer" discussion?

This is great evidence of what happens when you rely on security by obscurity in proprietary software. Nobody is forced to fix things, sloppy coding is the norm and there are backdoors galore ...

Unfortunately, the bad guys laugh, the vendors play ostrich with their heads in the sand and everyone else is suffering the consequences ...

Timothy, please edit before posting... (1)

Em Adespoton (792954) | about 6 months ago | (#46780111)

"Satellite Communications (SATCOM) play a vital role in the global telecommunications system, but the security of the devices used leaves much to be desired. The list of security weaknesses IOActive found while analyzing and reverse-engineering firmware used on the most widely deployed Inmarsat and Iridium SATCOM terminals includes not only design flaws, but also device features that attackers could leverage. The uncovered vulnerabilities include multiple backdoors, hardcoded credentials, undocumented and/or insecure protocols, and weak encryption algorithms. These vulnerabilities allow remote, unauthenticated attackers to compromise the affected products. In certain cases no user interaction is required to exploit the vulnerability; sending a simple SMS or specially crafted message from one ship to another ship would be enough to compromise some of the SATCOM systems."

Took 30 seconds, and makes the summary actually make sense.

Satellites? Vital? (0)

Anonymous Coward | about 6 months ago | (#46780239)

Maybe in the 60s and 70s. Then people figured out what ~250ms of RTT costs and figured undersea cable was worth the investment. Satellite is mainly for:

1. Backup links when undersea cables are too congested to survive.
2. Sat phones which typically use LEO satellites and is really only viable if there are no other alternatives. I'll lump fixed basestation Internet access here as well, even though they're often geostationary satellites.
3. TV broadcast where latency doesn't matter.

The idea that you pick up a cell phone and the camera instantly pans to a beeping satellite and then down to who you're talking to is a great movie effect, but has little bearing on reality.

Beta Sucks (0)

Anonymous Coward | about 6 months ago | (#46780431)

You, uh, missed the whole 'anything mobile that may be out of range of a cell tower' thing.

Re:Satellites? Vital? (0)

Anonymous Coward | about 6 months ago | (#46780901)

Satellite is mainly for:

1. Backup links when undersea cables are too congested to survive.

This is a ridiculous speculative statement. You have no idea what you're talking about, really none.

2. Sat phones which typically use LEO satellites and is really only viable if there are no other alternatives.

Again you are flat wrong. Please see Wikipedia's article on "Satellite phone" for a basic clue, but Inmarsat BGAN and Thuraya are the two relevant systems, and they're both geostationary and both cheaper than roaming.

Re:Satellites? Vital? (0)

Anonymous Coward | about 6 months ago | (#46782585)

Cheaper than roaming in what world? BGAN is shockingly expensive.

Brazil and US Navy Satellites (1)

Anonymous Coward | about 6 months ago | (#46780291)

Hijacking satellites has been going on for some time. There is this story from Strategy Page:
-----
Brazil and the U.S. have been arresting people who have been illegally using obsolete, but still functioning, U.S. Navy FLTSATCOM communications satellites. The FLTSATCOM (Fleet Satellite Communications System) were eight communications satellites launched between 1978-89. Two of the launches failed, and FLTSATCOM was replaced by the UFO in the 1990s. Although the FLTSATCOM birds were built to last for seven years, two of them are still operational twenty years later.

As the navy stopped using FLTSATCOM in the late 1990s (shifting over to the more efficient UFO satellites), ham radio users in Brazil discovered that the FLTSATCOM satellites had no security on them. If you knew the frequency and had a satellite dish, you could send a signal to the FLTSATCOM satellite, which would then automatically be rebroadcast by the satellite over a wide area below. While the navy sent encrypted messages (which sound like static, for anyone picking it up below on ham radio gear), the Brazilians found that they could simply use FLTSATCOM to communicate over a wide area (the interior of the country) that lacked telephones. FLTSATCOM birds had multiple transponders, making several simultaneous conversations possible. There was no security because, back in the 1970s, the remote possibility of homemade satellite dishes using FLTSATCOM did not seem to warrant the additional hassle of adding passwords to transmit from the satellites.
--------
https://www.strategypage.com/dls/articles/U.S.-Navy-Satellites-Hijacked-5-31-2009.asp
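The FLTSATCOM story above, and janoc's earlier point that older birds simply retransmit whatever they hear, both describe a bent-pipe transponder with no notion of who is allowed to key it. The script below is an added example for this thread, not the FLTSATCOM or UFO command format and not any operator's code: it models the legacy relay next to one that only rebroadcasts frames carrying a valid keyed MAC and a fresh counter. The frame layout (4-byte counter, payload, 16-byte truncated HMAC-SHA256 tag), the key and the messages are all invented. A plain "password to transmit", as the article puts it, would not be enough on its own: anyone with a receiver hears it and can replay it, which is why the check below binds a counter into the tag.

```python
"""Bent-pipe transponder vs. an authenticated uplink.

Added example for this thread. Toy model of the "no security, rebroadcast
whatever you hear" relay described above and one way to close it; it is
not any real satellite's command protocol. Key and frames are invented.
"""
import hashlib
import hmac
import struct

TAG_LEN = 16  # truncated HMAC-SHA256; frame = counter(4, big-endian) || payload || tag


def bent_pipe_relay(uplink_frames):
    """The legacy transponder: every frame heard on the uplink goes back down unchanged."""
    return list(uplink_frames)


def build_frame(key: bytes, counter: int, payload: bytes) -> bytes:
    """Authenticate (counter || payload) so the relay can check origin and freshness."""
    body = struct.pack(">I", counter) + payload
    tag = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag


class AuthenticatedRelay:
    """Rebroadcast only frames whose tag verifies and whose counter is above the last accepted one."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = -1
        self.rejected = []  # (reason, frame) pairs for the operator's log

    def verify(self, frame: bytes):
        if len(frame) < 4 + TAG_LEN:
            return None, "short"
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):  # constant-time compare
            return None, "bad-tag"
        counter = struct.unpack(">I", body[:4])[0]
        if counter <= self.last_counter:  # seen before: a replay of a valid frame
            return None, "replay"
        return (counter, body[4:]), "ok"

    def relay(self, uplink_frames):
        downlink = []
        for frame in uplink_frames:
            parsed, status = self.verify(frame)
            if status != "ok":
                self.rejected.append((status, frame))
                continue
            counter, payload = parsed
            self.last_counter = counter
            downlink.append(payload)
        return downlink


def demo():
    """Constructed traffic: two legitimate frames, one pirate frame, one replayed frame."""
    key = b"constructed-uplink-key-not-real"
    legit = [
        build_frame(key, 1, b"ops: ship A to ship B"),
        build_frame(key, 2, b"ops: weather routing update"),
    ]
    # The pirate knows the frame layout but not the key, so the tag is garbage.
    pirate = [b"\x00\x00\x00\x07" + b"pirate: unauthenticated uplink" + b"\x00" * TAG_LEN]
    replay = [legit[0]]  # a recording of a genuine frame, sent again later
    uplink = legit[:1] + pirate + legit[1:] + replay

    bent = bent_pipe_relay(uplink)
    relay = AuthenticatedRelay(key)
    auth = relay.relay(uplink)
    return bent, auth, [reason for reason, _ in relay.rejected]


if __name__ == "__main__":
    bent, auth, reasons = demo()
    print("bent pipe relayed", len(bent), "frames")
    print("authenticated relay passed", auth, "and rejected", reasons)
```

The bent pipe passes all four frames; the authenticated relay passes the two genuine payloads and logs the pirate frame as bad-tag and the recording as replay. On a real bird the hard parts are what this toy skips: distributing and rotating the key, resynchronising the counter after an outage, and the fact that, as the encryption subthread above notes, none of this stops someone from jamming the uplink frequency.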

Paging Bob Cooper (0)

Anonymous Coward | about 6 months ago | (#46780869)

... and that guy/guys who broadcast that Max Headroom bit back in the 80s!

troolkore (-1)

Anonymous Coward | about 6 months ago | (#46781201)

non-fucking-existant. Mir3 of decay, SURPRISE TO THE Whether to repeat

Unique conditions and needs (1)

KaLeVR1 (34637) | about 6 months ago | (#46783333)

There are a couple of factors that are worth considering. Unlike fiber or coax transport systems, satellites are usually used for very long distance communications. Because of this, it is quite frequent that your link will terminate in another country or even continent. This will make standards compliance and procurement a challenge from day one since you can't guarantee everyone has access to the same equipment.

Secondly encryption standards have to be agreed upon and quite often, equipment from different manufacturers can't be cross-utilized, so you can't just assume that off-the-shelf crypto will be an option to everyone who will participate. This means everyone has to agree what to use in advance, which could lead to still other challenges. So it's not as easy as the question implies.

Who would've thought? (1)

Lumpio- (986581) | about 6 months ago | (#46813569)

A big ancient expensive government-backed system is full of security flaws.