On Thursday, IOACTIVE Principal Security Consultant Reuben Santamarta described how a malicious attacker could breach satellite communications (SATCOM) systems for ships and aircraft. Santamarta’s presentation at Black Hat USA 2014 received considerable attention and speculation prior to his August 7 briefing. Santamarta presented his findings based on the IOACTIVE white paper SATCOM Terminals: Hacking by Air, Sea, and Land. With IOACTIVE, Santamarta explored the most common SATCOM-related vendors: Harris, Hughes, Cobham, JRC, and Iridium.
SATCOM Naval Air Station in Sigonella, Italy Photo: Wikimedia Commons
The white paper divided SATCOM systems into two categories: space and ground. “Space” includes the infrastructure necessary to control satellites, while “ground” involves the capability to access satellite data from what the paper calls “Earth station terminals.” The study focused on Earth station terminals both on the ground as well as on ships and aircraft, with the unnerving declaration “IOACTIVE found that 100% of the devices could be abused.”
Researchers’ first phase involved gathering comprehensive information about their target equipment and reverse engineering publicly-available firmware updates for major SATCOM technologies. According to the study, “our research was not intended to stress the software in search of common memory corruptions, but rather to understand the devices’ native security strengths and weaknesses.” Researchers collected the information one would use to build a model of the equipment, including datasheets, manuals, and press releases.
Because the researchers did not have access to the actual equipment (and neither, most likely, would a hypothetical hacker), they focused instead on configuration software and firmware.
IOActive often develops a simulated device to trick the configuration software into thinking it is actually connected to a real device. We leverage this environment to collect the set of inputs that a device supposedly accepts, as well as the outputs the configuration software expects.
The researchers then reverse engineered the firmware to map code functionalities, uncover undocumented functionalities, identify entry points, and analyze how different components communicate with one another. Santamarta points out in the paper that this is the same methodology IOACTIVE has used in the past to successfully reveal vulnerabilities in satellite communications and industrial control systems.
Santamarta classed security vulnerabilities into five categories: Backdoors, Hardcoded Credentials, Insecure Protocols, Undocumented Protocols, and Weak Password Reset. Every device IOACTIVE analyzed contained at least two of these vulnerabilities. Along with aircraft, industries potentially affected by these vulnerabilities include ships, military personnel, emergency services, media, and industrial facilities (such as oil rigs). The white paper documents a variety of possible scenarios for the different analyzed SATCOM equipment.
In one scenario, Santamarta’s team tested Cobham AVIATOR, “designed to meet the satellite communications needs of aircraft, including those related to safety operations.” AVIATOR’s services include SwiftBroadband and Classic Aero (used for cockpit communication with Inmarsat I-4 satellites). The study defines international security regulations and their categorizations for systems failure, ranked in Levels A-E: Catastrophic, Hazardous, Major, Minor, and No Effect.
Software meant to operate at D and E levels, because their communications possess a lower security threat, are allowed more “relaxed” controls. The white paper suggests that security concerns arise in the communication between lower- and higher-level software.
IOActive was able to demonstrate that it is possible to compromise a system certified for level D that interacts with devices certified for level A, potentially putting the level A devices’ integrity at risk.
Another scenario reaffirmed previous literature expressing concerns about military personnel accessing the Internet during personal communications time. The scenario concluded services such as Facebook could potentially expose a military unit to client-side exploits.
In the wake of the media coverage surrounding this paper, several have stepped forward to express doubts. Vice’s technology channel Motherboard released a critique of the supposed security threats on August 4, three days before Santamarta’s Black Hat briefing. Motherboard reported that it would be unlikely for an attack to occur via in-flight wireless Internet (the claim that prompted much of the pre-presentation hype). Most aircraft today do not have direct connections between passenger Internet services and the plane’s navigation systems. Other experts, according to Motherboard, remain unconvinced that any possible security breach could cause catastrophic or life-threatening damage.
Perhaps in expectation of these responses, the white paper itself has this to say:
The threats posed by these vulnerabilities deserve calm, measured analysis. That said, from a technical perspective, it is not wise for commercial entities to downplay the severity of the risks to businesses dependent upon the integrity and secrecy of such communications… some of the services these products access are critical from a safety perspective.