Satellite communications started before the invention of the Internet, but that head start has not led to it being further along in security.
It has usually been practiced only by governments, government contractors, and organizations like large-scale telecommunications companies that often have a quasi-governmental nature (and in many countries, literally are government ministries). That led to tightly controlled accessibility and quite a bit of obscurity of the technical details. But now the technology is becoming available to a much wider range of operators along with a greatly decreased price and increased popularity.
IOActive published a paper describing how they reverse-engineered the firmware of several commonly used commercial Inmarsat and Iridium satellite terminals from Harris, Hughes, Cobham, Thuraya, JRC, and Iridium.
They found a number of security risks including what seem to be backdoors, hardcoded credentials, undocumented and insecure protocols, and the use of weak encryption algorithms. All the systems studied had multiple vulnerabilities which allow an attacker to intercept, block, or manipulate communications. Some scenarios would require no physical access to a terminal, as a specially crafted SMS or inter-ship message could exploit some of the systems.
They managed to do most of this without physical access to the equipment! They found the vulnerabilities by reverse engineering publicly accessible firmware updates.
The possible exploits of the Harris systems were striking. These were the RF-7800-VU024 and RF-7800-DU024 military land mobile and land portable BGAN terminals. Those units are used with software-defined radios such as the FALCON III AN/PRC-117G. Malware running on an infected laptop connected to the terminal could inject malicious code, obtaining the GPS coordinates of the system and then possibly cutting off communication.
The Hughes BGAN M2M terminal was found to be susceptible to a remote exploit. If the attacker knows the Mobile Subscriber Integrated Services Digital Network-Number (MSISDN) and the International Mobile Equipment Identity (IMEI), he can send an SMS incorporating the backdoor ”admin code” and install malicious firmware.
As for the Cobham BGAN terminal, the attack scenario is that a military unit member could be browsing the Internet during personal time and be lured onto the wrong website. There they would be hit with a client-side attack that would install malicious firmware which leaks the device’s GPS-derived location.
IOActive reported what they found through the CERT CC but only one vendor, Iridium, responded. At least this work got some attention at the World Space Risk Forum in Dubai this past May, or at least the paper was informally discussed by the manufacturers, operators, and insurers.
Cybersecurity is a wide field, that makes it challenging but interesting. In Learning Tree’s System and Network Security Introduction course we stick mostly to the computer and network systems typical attendees are already familiar with. But as technology becomes more widely available, we all have to keep up!