Can military's satellite links be hacked? Cyber-security firm cites concerns.
Satellite communications terminals, including those used by the US military, are vulnerable, says IOActive, a cyber-security firm. SATCOM industry officials say the terminals are secure.
Satellite communication terminals, relied upon by US military aircraft, ships, and land vehicles to move in harmony with one another, are susceptible to cyber-attack through digital backdoors and other vulnerabilities, according to a new report that has sent a tremor through the global satellite telecommunications industry.
The report by IOActive, a Seattle-based cyber-security firm, arrives amid heightened concerns over a surge in cyber-attacks against satellite communications systems and vendors worldwide, industry experts say.
According to the IOActive report, a forensic security analysis of computer code buried inside the circuit boards and chips of the world’s most widely used SATCOM terminals found multiple potential hacker entry points. Many terminals use small dishes or receivers that ride on the roof of a military vehicle, the bridge of a ship, or inside a troop transport aircraft, the report said.
Built by a half-dozen of the world’s leading SATCOM equipment manufacturers, the SATCOM terminals cited in the report also serve nonmilitary uses, such as data collection from remote oil and gas pumping sites, pipelines, or retail chain stores. All involve sending data from far-flung operations up to large commercial satellite networks and back down again to their respective headquarters.
Industry officials, who generally acknowledged the proliferation of cyber-threats to the communications industry and were aware of the IOActive report, say SATCOM terminals are very secure when security features are turned on and used properly and are not insecure by design.
But what cyber-security researchers found when reverse-engineering the SATCOM terminals’ firmware – the core computer code stored on the memory chips that primarily control the equipment – was a shocker, they said.
“IOActive found that malicious actors could abuse all of the devices within the scope of this study,” wrote report author Ruben Santamarta, a principal consultant to the company. “These vulnerabilities have the potential to allow a malicious actor to intercept, manipulate, or block communications, and in some cases, to remotely take control of the physical device.”
Vulnerabilities in the firmware include digital “backdoors” built into the computer code, as well as “hardcoded credentials,” either of which could be used for unauthorized easy access to the devices, according to the report.
In addition, insecure communications protocols (languages) and relatively weak encryption on the system were other key problems, said the report, titled “A Wake-up Call for SATCOM Security.”
In at least some cases, an adversary might need only send a text message that included malicious code – one of several options – to take control of the SATCOM terminal, the researchers said. A nation-state adversary or hacker could then fake the locations of aircraft, ships, and ground forces – as well as emergency messages.
“If one of these affected devices can be compromised, the entire SATCOM infrastructure could be at risk,” the report says. “Ships, aircraft, military personnel, emergency services, media services, and industrial facilities (oil rigs, gas pipelines, water treatment plants, wind turbines, substations, etc.) could all be impacted by the vulnerabilities.”
“The findings,” Mr. Santamarta noted, “should serve as an initial wake-up call for both the vendors and users” of current SATCOM technology.
If the US military is concerned that SATCOM systems may be vulnerable to cyber-attack, it’s hard to tell.
“The Department of Defense is aware of a multitude of growing threats in cyber-space, that anything connected to the Internet is potentially vulnerable,” Lt. Col. Valerie D. Henderson, a Department of Defense spokeswoman, said Thursday in a statement responding to Monitor queries. “We manage all cyber-risks in accordance with one of DoD's primary cyber-space missions: Defense of all DoD information networks. We do not comment on specific operational vulnerabilities or the actions that we take to manage the associated risks, in order to preserve our operational security.”
Other experts note that it’s often easier to identify a vulnerability than to actually exploit it in the real world.
“No doubt it’s a concern, but it’s unlikely US aircraft will begin dropping out of the sky anytime soon,” says John Bumgarner, research director for the US Cyber Consequences Unit, a cyber-security think tank.
“It’s just not very easy to launch some of these attacks, even if you know the vulnerabilities involved,” he says in an interview. “Yes, they can happen. But it requires tons of reconnaissance and planning to pull it off.”
IOActive’s trumpet blast, meanwhile, is hardly the first such warning.
In November 2011, the US-China Economic and Security Review Commission revealed that unknown hackers had infiltrated command links to Landsat-7, a US Geological Survey Earth-imaging satellite launched in 1999, and Terra AM-1, which carried NASA climate change sensors. Neither satellite was damaged, although hackers on June 20, 2008, “achieved all steps required to command” NASA’s Terra, “but did not issue commands,” the commission said.
Soon after, the President’s National Security Telecommunications Advisory Committee reported in 2009 on cyber-threats to satellite networks, noting that “satellite and terrestrial networks share similar cyber-vulnerabilities.”
The IOActive report focused on the world’s most widely used SATCOM terminals that connect with Inmarsat, a British satellite communications provider, and Iridium, a US-based provider.
Even though newer satellites and SATCOM terminals have more secure communications available today than when Landsat or Terra were launched, the soaring demand for satellite bandwidth means US government and military communications are increasingly using commercial satellite data pathways that are somewhat less well protected, satellite communications experts say.
Indeed, proprietary satellite communications have ceded ground in recent years to lower-cost, easier-to-use Internet Protocol or “IP-based” systems that have increased usability – but also the vulnerability of SATCOM systems overall, some experts say.
“Reducing the technical expertise required to connect to a satellite has the unintended consequence of making it easier for hackers to connect to a satellite,” writes Jason Fritz, an Australian cyber-expert at Bond University in Queensland, in an e-mail interview.
SATCOM “vendor brochures often advertise security and encryption,” he notes, “but in some cases it is up to the individual user to enable these features and follow proper procedures.”
Dr. Fritz’s view was confirmed by a satellite industry official who, speaking anonymously to protect his business ties, agrees that there are indeed cyber-security “gaps among some of the more casual users” of SATCOM links. While high-security settings are usually available on such equipment, it is frequently not used or default passwords are not changed – lapses that increase vulnerability to attacks.
“This equipment has been developed and designed to be so secure that if the features that are there in the systems are coherently implemented by the users, they are among the most secure systems in the world,” says the industry official. “The big gap is among more casual users who are not in the middle of a fire-fight.”
But that gap is appearing at the very time that cyber-attackers are intensifying their hunt for vulnerabilities to exploit, SATCOM security experts say.
“The line between SATCOM networks and IT networks have blurred substantially,” said Christopher Fountain, president of Kratos SecureInfo, a Chantilly, Va., cyber-security company. He told Milsat Magazine, a satellite industry trade publication, in July that increased use of Internet-based satellite communications protocols is “bringing additional cyber-security risks. This is against an environment where cyber-attacks and threats continue to increase.”
According to the Kratos SecureInfo website, “cyber-attacks are increasing at an exponential rate and satellite communications are a prime target.”
In response, the satellite industry is ramping up its public face and focus on cyber-threats. In February, the Global VSAT Forum (GVF), which represents the satellite communications industry worldwide, announced a new “cyber-security task force” to address the threat.
"We're working with industry to thwart indicators of cyber-attacks being made on the entire telecommunications sector," says David Hartshorn, GVF secretary general, in an interview. “Our new task force was scrambled to advance and enable best practices throughout the global satellite industry to address these threats.”
While maintaining that satellite systems have long been among the most secure communications systems available, “you can never say everything is just fine,” says Matthew Kenyon, senior director of North American operations for Hughes Network Systems, a provider of broadband satellite network products and a member of the GVF cyber-security task force. “Every community provider, satellite and terrestrial, is constantly working to improve their capabilities.”
Commercial satellite providers like Intelsat and Iridium are seeing a surge in demand due to increased US military activity in North Africa, the Asia-Pacific region, the Horn of Africa, and the Middle East, industry officials say. Satellite communications links are soaring for ISR missions – intelligence, surveillance, reconnaissance – as well as for unmanned aircraft system communications.
Intelsat General Corporation, a Bethesda, Md.-based subsidiary of Intelsat, which has about 50 satellites in its fleet, last year was providing satellite links for more than 60 unmanned aircraft missions and at least 40 manned ISR missions simultaneously, according to Mark Daniels, vice president of engineering and operations.
All that activity has drawn its share of cyber-attacks.
“In the cyber-security area, we have seen significant activity and we have had to take strong action to deal with that,” Mr. Daniels said in a March 2013 interview in Global Military Communications, a trade publication. Intelsat, the parent company, “deals with cyber-attacks on a daily basis.”
For its part, IOActive said it is working with a Department of Homeland Security-affiliated center to inform the SATCOM equipment makers. In a public warning in February, the center noted that “a remote unauthenticated attacker may be able to gain privileged access to the [SATCOM] device.... Additionally, a remote unauthenticated attacker may be able to execute arbitrary code on the device.”
IOActive provided not-yet-released details of the vulnerabilities it says it found in its study to satellite operators Iridium and Innarsat and to SATCOM companies that included Cobham, Hughes, Harris Corporation, Japan Radio Corporation, and Thuraya, a mobile satellite operator.
Monitor e-mails and phone calls requesting comment on the IOActive study elicited several responses from the companies.
“Iridium has been in contact” with the DHS-affiliated center “since they brought these concerns to our attention, and we have taken the necessary steps in the Iridium network to alleviate the issue,” Diane Hockenberry, an Iridium spokeswoman, says in an e-mailed statement. “We have determined that the risk to Iridium subscribers is minimal, but we are taking precautionary measures to safeguard our users.”
“Cobham is aware of the paper by IOActive and its findings,” Greg Alan Caires, a spokesman for the Britain-based company, says in an e-mail. “It is under review. We have no comment to make at this time.”
Hughes’s Mr. Kenyon declined to comment on the IOActive report.
Harris Corporation in Melbourne, Fla., and Japan Radio Corp. did not respond to requests for comment by press time.
Dubai-based Thuraya Telecommunications Company issued a statement that was dismissive of the findings.
“As Thuraya’s equipment was not tested in a real world environment, the results and the conclusions of the whitepaper are theoretical and not a proper assessment of the equipment’s security features,” the company said.
Inmarsat, whose underlying technology was present in several of the systems tested by IOActive, said it had “conducted a preliminary assessment” of the claims as they relate to devices operating over its network.
“We believe that the claims have previously been identified and addressed by Inmarsat and its partners,” Jonathan Sinnatt, an Inmarsat spokesman, writes in an e-mail to the Monitor. “Inmarsat is studying the full report in detail and should any new issues be identified, we will act promptly to address them,” he said.
Staff writer Anna Mulrine contributed to this report from Washington.