Recent news that NASA facilities have been hacked has raised the issue: If NASA can be compromised, how safe are commercial telecommunications satellites from freelance or government-sponsored hackers?
The answer, according to Felix Lindner, is probably not as safe as they could be. Lindner heads Berlin-based Recurity Labs, whose job is to detect network vulnerabilities for operators before an outside hacker makes the discovery.
Lindner’s message: Threat modeling has made substantial advances, is not that expensive and should be on every satellite operator’s to-do list during satellite integration and testing.
At a recent meeting of satellite insurance underwriters, Lindner was asked if he had ever hacked into a satellite system. His answer: Never without having been asked to do so by the owner.
Lindner spoke with Space News staff writer Peter B. de Selding.
Are commercial telecommunications satellites vulnerable to hacker attack?
They expose more vulnerabilities than the terrestrial Internet infrastructure. On the other hand, they are probably better monitored than the terrestrial infrastructure. But what is surprising is that there has been very little focus by the industry on protecting the operations centers.
You refer to the telemetry, tracking and control functions?
Is this vulnerability still in evidence today despite the growing sophistication of the industry?
Yes it is. The benefit of satellites is that, in general, they use flight-proven technology that is not very sophisticated. In fact they are relatively dumb devices. The dumber they are, the less attractive they are to people who might want to attack the network.
So a bent-pipe satellite design with little onboard processing is more secure?
That’s correct. Some satellites will talk to you directly once they have received a message they sense is valid. The more intelligence you have onboard, the more vulnerable you are to security breaches.
How do you explain this?
There has been a fear among satellite operators that by adding security features they could unintentionally make it easier for the satellite to deny access to the owners or customers.
Is there among hackers a special appeal to penetrating a satellite network because it’s considered high technology?
We have seen this on the IT Security Exchange as the security question of the week: What would one need to do to hijack a satellite? There have been references to satellite hacking in the Hackerspace Global Grid. So the interest has always been there. Now it’s picking up for different reasons, and people don’t advertise what they are doing because they don’t want to spoil the fun. Once you make it public, you ruin the playground and the authorities will come after you. Of course, going after nation-states that sponsor hacking is a different story.
When you refer to hackers, are you speaking of technically savvy young people who view this as a kind of sport?
The playing field has changed in the past five years. Recreational hacking that looked at satellites was perhaps the most frequent hacking threat in the 1990s. But these hackers rarely destroyed stuff. The bigger threat today of course is organized crime and the military — neither of which wants to destroy a satellite in most cases.
The militaries of the developed world have clearly stated their intention to invest in offensive cyber capabilities. The United States military has declared cyberspace to be the fifth domain of activity. When you marry that to the fourth domain, which is space, it’s not hard to see where this leads.
Do U.S. military communications satellites have better defenses against hacking than commercial satellites?
I try to stay away from qualifying or quantifying defenses until I have seen them. Let’s say that some of them are not as sophisticated as their owners would like to think.
Here we are not talking about jamming in the usual sense. Call it higher-level jamming if you want, where you attack the availability of a communications line. A denial-of-service attack is one example, where you flood the server or send in malformed data.
But the more sophisticated hacking is just to inhabit the server to see what it does, and to monitor who is on the communication. There have been cases on networks that are selected for review by their owners of hackers, backed by nation-states, who have been just sitting there for three to five years, waiting for orders.
What about commercial mobile satellite networks using the GMR-1 and GMR-2 air interfaces?
GMR was developed on the basis of the GSM terrestrial wireless system’s algorithm, with the encryption developed by the European Telecommunications Standards Institute. GMR-2 is not much different. Researchers from Ruhr University obtainedand Thuraya phones and reverse-engineered them, and showed that an attack was possible because of a design flaw in the algorithms.
Mounting the attack was feasible in just 30 minutes using a standard PC. The breach enabled people to listen in on the satellite’s downlink.
You said just about everything in a satellite infrastructure is a perfect vantage point for attackers. What did you mean?
Corporate customers consider a satellite connection to a remote branch office as if it were a cable connection. You are inside their network once you have access to the link.
Studies have shown that 32 percent of all easily observable satellite traffic is now the network traffic of one corporation or another. The ability to see one part of the communications downlink provides a convenient attack path to the corporate network.
There is a debate in the industry over whether putting IP routers on satellites is a good idea. The argument in favor is that it offers flexibility to operators in case their business grows in ways that were not foreseen. What is your view?
There is a tremendous amount of logic embedded in an IP router. There’s lots of code, and the more code you have, the more vulnerable you are. The vulnerability increases with every additional line of code.
This is true even with the latest algorithms?
Both IPv4 and IPv6 are “best efforts” network protocols. So it is not easy to guarantee quality of service or security. When you have an IP router, you can see it in space by the timing of the hops on Earth — the delay is different compared to a router on the ground. So you could send traffic to that IP address and it would be difficult for operators to defend against that.
You could argue that IPv6 is even a bit worse because it is new. It took decades of serious effort for the community to sort out all the vulnerabilities of IPv4. Being comparatively new, IPv6 surely has undiscovered flaws.
You said satellite builders and owners are focused on mean time to failure, which measures the average time before a portion of the system fails, and not on intentional hacking.
Look at a hack as a sponsored malfunction. The potential for the malfunction is already there, inherent in the system. A hacker looks for it. When he finds it, he exploits it. Again, this is easier in sophisticated, complex systems.
Has threat modeling evolved as fast as the threat itself?
Microsoft, to take the biggest example, has over the past 10 years developed a pretty good program on how to test for security issues before shipping. Taking this methodology and applying it to satellites — while they are still on the ground — should not be that difficult. You could basically go box to box on the payload to test for potential malfunctions if you are confident that the satellite bus does not have functionalities that expose it to risk.
Do operators routinely conduct threat modeling?
My impression is that they do not. This is an industry where software security has not been a hot topic so far. There is therefore a lot of low-hanging fruit, meaning reducing the risk should not be that expensive. We have seen this in other industries that did not focus on this until there were a couple of high-profile examples of hacking. And of course in the PC industry we see this all the time: Until you lose your data, you never think about backing up your system.