Mission-critical satellite communications relied on by Western
militaries and international aeronautics and maritime systems are
susceptible to interception, tampering, or blocking by attackers who
exploit easy-to-find backdoors, software bugs, and similar high-risk
vulnerabilities, a researcher warned Thursday.
Ground-, sea-, and air-based satellite terminals from a broad spectrum of manufacturers—including Iridium, Cobham, Hughes, Harris, and Thuraya—can be hijacked by adversaries who send them booby-trapped SMS text messages and use other techniques, according to a 25-page white paper published by penetration testing firm IOActive. Once a malicious hacker has remotely gained control of the devices, which are used to communicate with satellites orbiting in space, the adversary can completely disrupt mission-critical satellite communications (SATCOM). Other malicious actions include reporting false emergencies or misleading geographic locations of ships, planes, or ground crews; suppressing reports of actual emergencies; or obtaining the coordinates of devices and other potentially confidential information.
"If one of these affected devices can be compromised, the entire SATCOM infrastructure could be at risk," Ruben Santamarta, IOActive's principal security consultant, wrote. "Ships, aircraft, military personnel, emergency services, media services, and industrial facilities (oil rigs, gas pipelines, water treatment plants, wind turbines, substations, etc.) could all be impacted by these vulnerabilities."
Santamarta said that every single one of the terminals he audited contained one or more weaknesses that hackers could exploit to gain remote access. When he completed his review in December, he worked with the CERT Coordination Center to alert each manufacturer to the security holes he discovered and suggested improvements to close them. To date, Santamarta said, the only company to respond was Iridium. To his knowledge, the remainder have not yet addressed the weaknesses. He called on the manufacturers to immediately remove all publicly accessible copies of device firmware from their websites to prevent malicious hackers from reverse engineering the code and uncovering the same vulnerabilities he did.
The paper gave examples of the types of weaknesses affecting specific SATCOM systems and the types of attacks that they made possible. The Harris RF-7800B BGAN, for instance, is a terminal the manufacturer markets as providing tactical radio communications to militaries. Santamarta said the devices contain vulnerabilities that allow hackers to replace the normal firmware with malicious code. Adversaries could then monitor the geographic location of the people using the gear or completely disable communications once a device enters a precise area chosen by the attacker. The Harris BGAN M2M terminal can be commandeered by sending malicious SMS messages to it, the researcher reported.
BGAN terminals from Cobham, meanwhile, can be hijacked by exploiting a weakness in its authentication mechanism. "If a member of a unit was targeted with a client-side exploit while browsing the Internet during personal communications time, an attacker would be able to install malicious firmware in the terminal," Santamarta wrote. He went on to catalog weaknesses in terminals that underpin mission-critical SATCOM used in international aviation and shipping systems as well.
As concerning as it is that the devices Santamarta reviewed made their way into mission-critical systems before the weaknesses were discovered, it's even more problematic that most manufacturers have yet to respond to the private overtures initiated by CERT. Given the potential threat to public safety and national security, Santamarta called for action.
"The findings of IOActive's research should serve as an initial wake-up call for both the vendors and users of the current generation of SATCOM technology," he said.
Ground-, sea-, and air-based satellite terminals from a broad spectrum of manufacturers—including Iridium, Cobham, Hughes, Harris, and Thuraya—can be hijacked by adversaries who send them booby-trapped SMS text messages and use other techniques, according to a 25-page white paper published by penetration testing firm IOActive. Once a malicious hacker has remotely gained control of the devices, which are used to communicate with satellites orbiting in space, the adversary can completely disrupt mission-critical satellite communications (SATCOM). Other malicious actions include reporting false emergencies or misleading geographic locations of ships, planes, or ground crews; suppressing reports of actual emergencies; or obtaining the coordinates of devices and other potentially confidential information.
"If one of these affected devices can be compromised, the entire SATCOM infrastructure could be at risk," Ruben Santamarta, IOActive's principal security consultant, wrote. "Ships, aircraft, military personnel, emergency services, media services, and industrial facilities (oil rigs, gas pipelines, water treatment plants, wind turbines, substations, etc.) could all be impacted by these vulnerabilities."
Santamarta said that every single one of the terminals he audited contained one or more weaknesses that hackers could exploit to gain remote access. When he completed his review in December, he worked with the CERT Coordination Center to alert each manufacturer to the security holes he discovered and suggested improvements to close them. To date, Santamarta said, the only company to respond was Iridium. To his knowledge, the remainder have not yet addressed the weaknesses. He called on the manufacturers to immediately remove all publicly accessible copies of device firmware from their websites to prevent malicious hackers from reverse engineering the code and uncovering the same vulnerabilities he did.
The paper gave examples of the types of weaknesses affecting specific SATCOM systems and the types of attacks that they made possible. The Harris RF-7800B BGAN, for instance, is a terminal the manufacturer markets as providing tactical radio communications to militaries. Santamarta said the devices contain vulnerabilities that allow hackers to replace the normal firmware with malicious code. Adversaries could then monitor the geographic location of the people using the gear or completely disable communications once a device enters a precise area chosen by the attacker. The Harris BGAN M2M terminal can be commandeered by sending malicious SMS messages to it, the researcher reported.
BGAN terminals from Cobham, meanwhile, can be hijacked by exploiting a weakness in its authentication mechanism. "If a member of a unit was targeted with a client-side exploit while browsing the Internet during personal communications time, an attacker would be able to install malicious firmware in the terminal," Santamarta wrote. He went on to catalog weaknesses in terminals that underpin mission-critical SATCOM used in international aviation and shipping systems as well.
As concerning as it is that the devices Santamarta reviewed made their way into mission-critical systems before the weaknesses were discovered, it's even more problematic that most manufacturers have yet to respond to the private overtures initiated by CERT. Given the potential threat to public safety and national security, Santamarta called for action.
"The findings of IOActive's research should serve as an initial wake-up call for both the vendors and users of the current generation of SATCOM technology," he said.
No comments:
Post a Comment