Satellite Command Security?
teridon asks: "I work in the satellite control industry, and I've been asked to present mission safety with regards to command security. In other words, how do we ensure that 'unknowns' don't command the satellite. Military and commercial birds often employ encryption on both the uplink and the downlink. However, it seems that none of the science-oriented satellites my company operates do this. We rely on physical security (access to the control center), network security (we use closed networks), technology (most crackers don't have access to a huge radio antenna with which to transmit), and obscurity (each satellite has its own command structure, not publicly documented). Many satellites use CCSDS frames to uplink commands; only the command data is obscured by lack of public info." A common mantra heard from Slashdot is "obscurity is not security", and this is a lesson that teridon wants his company to learn, in addition to other steps they can take to improve the security of their system. What suggestions might you have when it comes to improving security on satellite systems, especially if you have experience from some of the mistakes that you may have seen in production?
"Three major issues concern me (I'm going to assume that our network security works (grin!):
- Can someone effectively execute a DOS attack by uplinking to the satellite with a powerful signal (the frequency would be easy to 'snoop' from our transmitting antenna), thus preventing us from commanding it? In general, how do receivers handle multiple command carriers (would there be too much noise to command)?
- How many of you think that you could decipher the structure of the command (given the motivation)?
- Standards being developed (like SCPS) intend to make satellites 'just another node on the Internet.' Take a look at the security protocol (which is based on IPSEC, et al.) and tell me if you think it is secure, or whether you'd want to crack it."
How many of you think that you could decipher the structure of the command (given the motivation)?
Anything can be hacked given enough motivation. That's why different levels of security are applied to different perceived threats - you guess how much motivation the opposition are likely to muster and decide how much to invest in security accordingly.
I forgot to lock the vault at the bank I manage, and no one is there right now!
Limited time offer!
I've had enough abrasive sigs. Kittens are cute and fuzzy.
Did the :)
"...this is a lesson that teridon wants his company to learn."
sound like a veiled threat to anyone else?
Maybe it's the pre-caffeine stage.
Check out my sysadmin blog!
Otherwise the aliens will be able to use the satellite network to coordinate their attack on the Earth.
"Make publicly available all the source code and documentation of the satellite's protocols. Then the entire Open Source community can have any and all bugs fixed in under 2 hours. Also, by making it Open Source, bugs in the code that would make it vulnerable to cracking can be found more quickly, and thus sealed up. The idea that all your protocols should be classified and confidential is ludicrous. Just look at Microsoft, they close their stuff up and look at all the holes in their software! You must release everything to the public."
but if you don't know the answers yourself, or can't find the answer from some other source than slashdot readers, we're all in big trouble.
...this might sound obvious to some, but maybe if you need to ask this type of question, you shouldn't be in charge of securing a satellite...
Just a thought.
..especially if the hacked science satellite had enough manoeuvring fuel to be used to crash into a GPS or military satellite.
Satellites are getting larger: if the satellite was sufficiently large to enable large lumps to reenter and you could predict reentry then you could attempt to use it as a missile, but this is obviously a very hit and miss affair.
In the light of September 11 I don't think you should assume that civilian targets (or civilian satellites) will be left alone by a terrorist.
Donte Alistair Anderson Roberts - hi son!
Karma: Chameleon
Oohh boy, here's an article that's just begging for "expert" slashdot advice.
"While I've never actually worked on a satellite system, I did hack encryption into my walkie-talkies when I was 8..."
For the most part, what would you do with a satellite you just took over? Save on long distance?
I don't like the idea of some big freaking satellite bombing down on my apartment, so here's my input.
I like the idea of encryption. It will turn away most of the little script kiddies, but then again so does obscurity for the most part.
most crackers don't have access to a huge radio antenna with which to transmit
Never Underestimate!!! I don't know much about RF communications with satellites, or how powerful it has to be or whatnot, but I'm pretty sure if someone was determined enough, they could hack something together. Or if they work at a radio station in a small town that goes off air at night. *shrugs* who knows.
Obscurity is a great thing in some cases, but I don't think it comes anywhere close to actual good security. Then add confidentiality to it, and awesome physical security, and you're in the right direction.
Just my small view on it.
Can all fish swim?
After the apocalypse, the only thing left will be satellites and spam.
I've had enough abrasive sigs. Kittens are cute and fuzzy.
Sorry, no. You'd need optics much closer and more powerful, as in an electron microscope.
Obscurity doesn't work. Internet seems to know everything, or know someone who does, it's strange but true.
Where I work we rely on a couple of things for security and they seem to work pretty well, I've been working here for nearly 5 years and I can't remember we ever got cracked.
1. SSH
2. Identity keys and passphrases along with 1.
3. IP filtering, you have to be on an IP in our network before you can reach any critical servers.
If you couple this with a private network I don't see any real threats to the network, unless some kid builds a nuclear powered high frequency mega super radio antenna thingy in his backyard to send the whole thing crashing down to Tora Bora.
-- Si hoc legere scis nimium eruditionis habes.
Questions about your own company's security are better not asked in public, especially if you suspect said security to be lacking...
Although in general real security is preferable over the appearance of security, the appearance of security can still serve the useful purpose of making would-be crackers believe that they'd be losing their time trying. Admitting security weaknesses in public will have the effect of getting a whole bunch of folks interested and motivated...
What if we just slashdotted the hell out of one of those satellites. Just to show them that decent security isn't a luxury.
Just to give you an idea, some crackers during the BB era in southern california were stealing credit cards to buy commercial software, then sold cracked versions to the largest BB in southern CA. They were eventually caught and the FBI took away all the computers. All of them were under-aged, so they didn't do any time. All of them were interested in science, so they would definitely be interested in what your satellite is sending. More interesting is getting control of your satellite.
Also, remember that crackers tend to have parents who have technical careers, but no time to watch their kids. Hackers and crackers have a lot of time, brains and energy to burn. With all the articles recently about amateur and college programs building their own satellites, it will become a bigger concern. As kids get more technically advanced at a younger age, more systems will get compromised. It's a fact of life.
Yea nobody has a big antenna that can transmit a signal to satellite. Just how big of an antenna do you think you need? The one in my yard is not that big and with a little hacking probably would do the job nicely. Hell you reading this message means that I can already transmit a signal to a bird. Only obscurity for the command protocol, you must be kidding. Bo ha ha ha ha
Got Code?
The simplest system for ensuring that two entities are talking to each other, without a complex system involving third parties, seems to me to be PKI. Just embed a private key in hardware on the satellite (or perhaps several) and then use PKI as normal. This key never leaves the satellite so the risk of being "hacked" is equivalent to cracking PKI. This of course could be strengthened (or weakened??) by coupling with precise data only known through obscure methods involving lots of precise scientific hardware, e.g. stuff the crackers won't have.
It's 10 PM. Do you know if you're un-American?
I would recommend you to read the book Security Engineering by Ross Anderson. :).
It gives you a perspective of security from a lot of different fields.
If you must secure stuff you have to think like an alien.
If people who were supposed to control the Defense satellites
in Britain had thought like an alien, none of their satellites
would have been hijacked,
but that story seems to be untrue
Anyway, secure your babies.
Definitely assume that anybody you really don't want knowing your command structures will know them. Do you keep the documentation (or source code) in a locked vault with genuine security (not just "don't tell anybody where the vault is")? Do you have strong entry/exit security (can you take an 8mm tape home with nobody noticing)? Are your internal machines firewalled completely from the public Internet? Most importantly, how much do you trust the people who know how it works? Are you sure none of them wouldn't sell information for a few tens of thousands of dollars (or sex)?
Complete security is impossible. If someone wants access, they will eventually get it.
The most secure authentication scheme I've seen in a while is talked about in great detail here:
http://www.rsasecurity.com/products/securid/hardware_token.html
The idea is that if you need a physical token, and some knowledge to authenticate, you have added another level of security. These tokens are (from my understanding) REALLY hard to reverse engineer. They generate a number (that looks random, but isn't) every minute. On the other side of the connection, the same pseudo-random number is generated. If they match at authentication time, you get access, if they don't, try again.
The other thing you were wondering about was DOS attacks. Go read this article on GRC:
http://grc.com/dos/intro.htm
It boils down to this: if it's distributed there is little you can do.
On the flip side, since these signals would require massive antennae, you can triangulate the source in a matter of seconds, and send some guys (cops, navy, army, etc) over to shut them down.
Either way it goes, this is an interesting problem. Keep us posted with the results.
Beware TPB
If that is the case, then you really only need to change the format slightly to include timestamped (or sequentially numbered), signed messages rather than unauthenticated ones (timestamps to prevent simple retransmission of commands as a "cut and paste" control system). There are plenty of PK signature solutions out there - but I assume uploading a new program may be a problem - debugging would be a nightmare ;)
-=DaveHowe=-
As for new satellites under design, just encrypt the channel, stupid! It's not like it's rocket science or anything.
...secure your satellite systems is a huge security breach. You just told us you don't use encryption and that to attempt communication you need a radio antenna. Some people do have access to radio antennas. Heck they aren't that hard to build yourself anyhow, there are specific books and internet articles on them. Pick up most books on HAM radio antennas and they at least mention it. So given some time and effort could someone exploit your satellites and crash them into another one?
In general case any single channel signal can be drowned with another signal at the same freq. and with a comparable power.
Gentlemen, you can't fight in here, this is the War Room!
General comments:
This type of question is probably best not asked here.
I highly suspect you are who you say:
1) Why ask questions about such a sensitive issue here in such a loose and public forum?
2) If your company does indeed control multiple satellites, why do you not have answers to such simple questions as # 1? I would expect you would contact one of your own engineers.
3) This list could go on for quite a while.
I apologize if I'm wrong about the above, but I tend to suspect this is a dupe post by someone either interested in hacking a network or interested in getting people together to hack sat's.
Questions:
1) This would depend to some degree on the com hardware on the bird. Signal jamming is a quite known property of emf communications.
2) Yes. People have deciphered far harder things than an ordered (probably) control protocol.
3) I didn't look at the protocol yet. Yes, folks will want to hack it though. Sat's are l337 d00d.
1.Can someone effectively execute a DOS attack by
;-) strange blast of ? power
uplinking to the satellite with a powerful signal
(the frequency would be easy to 'snoop' from our
transmitting antenna), thus preventing us from
commanding it? In general, how do receivers handle
multiple command carriers (would there be too much
noise to command)?
No need to execute DOS attacks, an overpowering RF
signal would do the trick.
If the story is still around, and (iirc) look for
the story of UOSAT-18, how it was given up for
'dead', and how a
restored it
2.How many of you think that you could decipher
the structure of the command (given the
motivation)?
See # 1. Taking it out and gaining control are
two different things and (imo) gaining control is
useless.
3.Standards being developed (like SCPS) intend to
make satellites 'just another node on the
Internet.' Take a look at the security protocol
(which is based on IPSEC, et. al) and tell me if
you think it is secure, or whether you'd want to
crack it.
See # 1 and read up on "Project ALOHA"
Addendum:
Going above the RF problem, you might consider L.
Brett Glass's paper on bipolar quadrature
amplitude modulation (using a constellation
pattern) and using a form of FEC that gets the
header/etc. decoded locally.
Hopefully the DOS attack you mention would be quickly thwarted. (If your satellite was worthy of gov't help that is) If the attacker was using extra power to block your signal, you could track the signal to its transmitting antenna. This shouldn't take too long to find.
Yep, I never spell check.
More incorrect spellings can be found he
Many years ago HBO's satellite was overtaken for a few hours by someone in the "northwest quadrant" of the continental US. My electronics teacher at the time told me that most satellites would lock into the strongest signal being transmitted to them, and that most control centers used the least amount of power to get a lock-in. So apparently this guy just used a stronger signal than they were using.
As for hacking the command set? You better believe it. Get four engineers and a large blackboard and you might be amazed at how useless "security through obscurity" really is.
"Hello, World", 17 errors, 31 warnings
Why should we tell you?
Isn't that why you get that *fat* satellite commander paycheck? I'm sure someone here could tell you, but really, if you're not competent to do your job, why should you have it?
These "I dunno how to do my job so I'll ask Slashdot" posts are getting really tired.
I'm tired of people making loads more money than me, when they really don't know squat about what they're doing.
Seriously, why should your company pay you to do a job if you don't know how to do it? Why don't they just fire your ass and "Ask Slashdot" themselves?
"A terrorist is someone who has a bomb but doesn't have an air force." -William Blum
Think easy :
1 - Because I can.
Coolness Factor +10 8)
2 - Because I'll have access to a HUGE bandwidth (FXP is the term here) (Coolness +8)
3 - Because I can (Ditto 8)
4 - Fucking Race horse too boring, let's go Space Opera !!!
5 - C'aus if I take the right one, I will have access to ALL the Phone Network...(nice, Coolness +4)
6 - Caus I can hunt the ISS AND see the track the progression record on CNN Live 8)
7 - Caus the insurance company that just rejected my file IS responsible for the Sat...
8 - I WILL save on Long distance caus I have 16 000 phone lines available
9 - Caus I can
10 - If the only thing you ask is "Ok I have the Sat, now what" please go to the parlor and get a Perrier. Sparkling water Might be a little too much for your overexerted mind...
11 - (last idea) Caus I can have a 801.11 Network that is large as half the USA.
It takes 40+ muscles to frown, but only four to extend your arm and bitchslap the motherfucker
Military and commercial birds often employ encryption on both the uplink and the downlink. However, it seems that none of the science-oriented satellites my company operates do this.
Wow, really? (imagining how many /.er are ebay bidding on dishes right now....)
As an undergraduate I worked on a small student-built scientific satellite, and even though the satellite barely had any need of an uplink, I seem to recall we still required strong command authentication, and that we also required the ability to be able to turn off the satellite transmitter and receiver in certain regions of the world, and that these requirements came straight from the DoD. My understanding is that we had to be prepared to respond to certain possible DoD advisories. In fact we probably would have done away with the uplink except for them.
The transmitter turn-off requirement was apparently so that rogue states could not use the bird for navigation purposes or possible sensing.
Now the advising engineers on this project came from a lab (JHU APL) that does a TON of military birds, so it's very possible they were just imposing good practice on us. Maybe someone in the know could tell us more.
--Braddock Gaskill
Do you really think that, in case there was any ultra-secure system, this information would be posted in /.?
Security through obscurity is not an option, but this doesn't mean that you have to publish in capital letters all your security measures. That would be simply silly (no flaming).
Giving goatses
Penis birds
First posts
and more to every one
You have just unveiled a great new target for all the script kiddies out there...
"Hey man, lets go hack a satalight and use it to spy on GIRLS!"
"What, do you think I can access it with my 802.11 Airport?"
"We could crash it into the Whithouse like in that movie!"
...you avoid extending "challenges" like this to the hacker world. Obscurity is only effective when it is TOTAL obscurity. It doesn't work for Microsoft because everyone already knows that they will (after X number of attempts) find some type of hole in their software. For situations like this, however, there is no interest in targeting the satellite, because there is little or no knowledge of its existence. Therefore, it's not a challenge, and won't be considered such by hackers-at-large.
But now that the cat's out of the bag...look out...
Reading Slashdot for content is like picking peanuts out of shit.
I saw Independence Day - I know just how easily "they" can upload a virus to an orbital device :-)
Enjoy Y2K? Roll-on Year 2037!
Military Sats use encryption for two reasons, one to make sure they can't be cracked, two to make sure they can't be listened to. The second is the more important. As long as the command sequence to the sat is tied to a physical device (which I'd hope at the very least) then you're fine as long as you don't get invaded.
The easiest way to secure these systems is to ensure that there is a closed VPN which is tied to two devices, one on the sat, one on the ground. Redundant nodes come into play but it's again only the physical that matters.
It takes a hell of a rich hacker to set up the transmission equipment to crack a satellite, and then the sat should just be saying "who are you ?" standard H/W ident stuff should block them off.
Physical rules, if you aren't using H/W paired security then it's very worrying as it's very simple to do and very standard (I assume it is as anyone with half a brain is going to do that) from then on it's just a matter of how important is the information and does it need to be encrypted as listening is miles easier than transmitting.
An Eye for an Eye will make the whole world blind - Gandhi
I'm no expert but I assume that in order to give commands to the bird you would want to know where it is located in the sky, if you could keep that info secret I think ppl will have quite a hard time to find it.
PS: this of course would only work if it doesn't communicate with joe average. If it would you could probably use multiple dishes to figure out where it is located
Sig you!
HAHA!
Back in my university days they had an "antenna farm" out the back of the electronics department. Now one of these aerials consisted of dozens of dipoles strung end to end over a length of about 200 meters. This "string" sat above a V shaped wire mesh. This thing was used to listen to satellites as they passed through its narrow beam width. Well if it can receive it can also transmit effectively. My point is that if one has a large garden and a few rolls of chicken wire then a large aerial is not out of the question.
Reverse engineering the protocol certainly isn't impossible, and whether anyone is going to attempt it is hard to predict. You only have to capture the imagination of one cracker for them to have a go. So, clearly, you should NEVER assume that, "Well, no-one will care... it's only a satellite".
;-)
... ooops - your satellite has landed in the North Atlantic. It's a bit late to fix it though!
;-) (troll)
And, let's face it, this is the sort of thing that some geeks would consider the ultimate war-drive.
However, opening up the source completely here could be problematic in one way: You may not get a second chance. Someone may find a major flaw, exploit it, and
This is one reason why you don't let hackers work on air-traffic control systems.
I used to work for BAe Space Systems, and once a year we used to teach part of a course at one of the UK's Universities (can't remember which). Part of the course was a practical project building a groundstation from scratch using off the shelf kit and making the dish from scrap parts. It's not cheap, but it's within reach of a lot of western tech heads (but ok, not your average script kiddie). I've still got the course notes + designs in my attic....
+++ BASELINE REALITY FAILURE+++ +++ PLEASE REBOOT UNIVERSE +++
You just need to take all the I.P. addresses offline while your goons chase Ryan Phillipe around the building.
Learn to Improvise
Depending on how the protocol's set up, this may not even be necessary. If replaying a previous set of movement commands causes the satellite to move some more, you've already lost that battle. The net result is that an attacker can drive the satellite off course and deplete its fuel reserves, making it a floating piece of junk.
Of course it may be that there's a sequence number in the commands that needs to be updated (most likely to prevent inadvertent duplicates due to transmission problems). In that case, it'd actually require some deciphering effort. Still, remember that you lose as soon as someone figures out enough of your protocol to move the satellite around. An attacker doesn't need to figure out every little detail.
Finally, there's always the social engineering approach. If the attacker can get the protocol by creatively lying to people at your organization (or just by getting a job there), then not only do you lose, but the attacker would have enough information to theoretically do something really fun (like trying to get the satellite to reenter the atmosphere in such a way that the attacker can watch the light show). That further cranks up the attacker's motivation to carry out the plan.
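An added example, not part of the thread and not any real spacecraft protocol: a sketch of the sequence-numbered, authenticated command frame that DaveHowe's comment suggests, checked against the replay described in the comment just above. It swaps HMAC-SHA256 with a shared key in for the public-key signature mentioned there; the frame layout, key and command strings are assumptions and are not CCSDS.

```python
import hashlib
import hmac
import struct

# Hypothetical frame layout (an assumption, not CCSDS):
#   4-byte sequence counter | 2-byte payload length | payload | 16-byte tag
HEADER = struct.Struct(">IH")
TAG_LEN = 16


def _tag(key: bytes, header: bytes, payload: bytes) -> bytes:
    """Truncated HMAC-SHA256 over the header and payload together."""
    return hmac.new(key, header + payload, hashlib.sha256).digest()[:TAG_LEN]


def build_command(key: bytes, seq: int, payload: bytes) -> bytes:
    """Ground side: bind the counter and the command under one tag."""
    header = HEADER.pack(seq, len(payload))
    return header + payload + _tag(key, header, payload)


class CommandReceiver:
    """Spacecraft side: authenticate first, then require a rising counter.

    last_seq would have to survive reboots in a real system; here it is
    only held in memory.
    """

    def __init__(self, key: bytes, last_seq: int = 0):
        self.key = key
        self.last_seq = last_seq

    def accept(self, frame: bytes):
        """Return (True, payload) or (False, reason)."""
        if len(frame) < HEADER.size + TAG_LEN:
            return False, "truncated"
        seq, length = HEADER.unpack_from(frame)
        if len(frame) != HEADER.size + length + TAG_LEN:
            return False, "bad length"
        header = frame[:HEADER.size]
        payload = frame[HEADER.size:HEADER.size + length]
        tag = frame[-TAG_LEN:]
        # Constant-time comparison; the counter is not looked at until the
        # tag verifies, so unauthenticated frames can never advance it.
        if not hmac.compare_digest(tag, _tag(self.key, header, payload)):
            return False, "bad tag"
        if seq <= self.last_seq:
            return False, "replay"
        self.last_seq = seq
        return True, payload


def demo():
    """Constructed session: one genuine command, then three attacks."""
    key = bytes(range(32))                      # constructed sample key
    rx = CommandReceiver(key)
    genuine = build_command(key, 1, b"THRUSTER_FIRE 2s")

    results = [rx.accept(genuine)]              # operator's command
    results.append(rx.accept(genuine))          # recorded and retransmitted
    bumped = HEADER.pack(2, 16) + genuine[HEADER.size:]
    results.append(rx.accept(bumped))           # counter rewritten, old tag
    forged = build_command(b"\x00" * 32, 3, b"THRUSTER_FIRE 9s")
    results.append(rx.accept(forged))           # attacker without the key
    return results


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

Because the counter sits inside the authenticated data, a captured frame cannot be made fresh by editing its sequence number; only a holder of the key can produce the next acceptable frame.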
How many of you think that you could decipher the structure of the command (given the motivation)?
Man, isn't that a little like asking a bunch of high-school/college jocks if they think they could go one-on-one with MJ?
"Uh....yeah, I could do that! I mean, I'm a little out of practice and all, but shoot, I used to be able to hang with the best of them in my prime. I'm sure I could manage, if I was motivated enough!"
Hacking a freaking satellite with no knowledge of the command structure would seem to me to be one of those uber-hacks, on scale with bringing down Ma Bell for a few hours, or finally tracking down the true identity of Signal11. In other words, it's probably possible, but you're not likely to find anyone around here that could do it, regardless of what they might tell you.
It hurts when I pee.
I'm not going to analyze the up-link protocol or try to brainstorm motivations for cracking your system, but as a security professional let me try to clarify the issue a bit.
You are on the right track with your questions. You are trying to figure out: a) how badly does somebody want to crack it, and b) how difficult is it for him to do so.
These two factors are precisely what define security risk. If the cost of breaking a system is greater than the reward for doing so, your security is adequate.
The first question cannot be answered by the Slashdot crowd. There are too many variables. Who are your competitors, and how much do they have to gain by sabotaging you? Could the satellite possibly be used for anything other than its intended purpose if control was usurped? How valuable is the satellite to people other than you if it is only being used for its intended purpose?
Perhaps people here could try to figure out the 'cracker bragging-rights' factor, but I suspect that would not be sufficient motivation to go to the lengths required to break your system (any glaring security holes notwithstanding).
From what it sounds like, the second question can't be answered by anybody. The rule of the day is 'provable security', which is why security by obscurity is frowned upon. It's not that it doesn't work, because sufficient obscurity is indeed security, it's that you can never be sure how well it works. This was the problem with the German Enigma machine in WWII, which ultimately provided the greatest incentive to proving lower bounds on security.
Encryption provides easily quantifiable security, demonstrated by mathematical proof (with the minor caveat being most of these proofs rely on P not equalling NP). The techniques you describe do not sound like they lend themselves to provable security. (Although physical security is usually considered pretty sound, provided it is comprehensive; this includes isolated networks and site protection, as you describe)
How difficult is it to gain access to a powerful radio-antenna? That's a key question. If the satellite is owned by a company in an industry with cutthroat competitors who also have satellites, it might not be difficult at all.
If you look at the GPS sats you will find they transmit an encrypted signal for military use. If you have the crypt code you can decode the stream and figure out where the 1st bit is which signals the start of a frame. Inside that frame you get enough info to tell how far away you are from it. Someone (at Trimble?) figured out that the last bit of the frame is truncated so the timing packet always starts at the right time. Now the survey grade GPS receivers just look for a bit that is just a bit wrong and use that. They pick up the other timing signals from the other frequency and store the data. You can compare that later and do some high precision work (some claim sub mm).
Another thing is the GPS sats used to shift their packets a bit to throw off the Russians (who had a better system). Someone (claiming to be Russian) posted a polynomial to usenet describing it. That was a major part of its security. (and I'll have to dig up that post now that google has stuff from the dark ages)
The last secure by obscurity one way hash I cracked took me about 3 days. It wasn't nearly as good as they would have liked.
Based on some of the things I've seen...
give some of my friends a good reason and enough to play with your toys and you might see a cool reentry.
If what you're playing with can be a weapon, call your local spooks and explain the situation to them. It's in their best interest not to have your bird go down. The NSA does have a group that may provide some very useful to your company -- they were providing some good ideas on one project I was involved with for a while for a well known company.
Here is a memo that explains the National Policy on Application of Communication Security to U.S. Civil and Commercial Space Systems, NTISSP No. 1.
...Approved techniques as they pertain to space COMSEC equate to National Security Agency (NSA) endorsed encryption and authentication systems....
..Government or Government contractor use of ... commercial satellites ... shall be limited to space systems using accepted techniques necessary to protect the command/control uplink.
http://www.tscm.com/communsec.html
Some excerpts:
The need for and means to protect the command/control uplink associated with civil satellite systems, intended exclusively for unclassified missions, will be determined by the organization responsible for the satellite system in coordination with the National Security Agency....
Basically, if your group is doing as little as what you say they're doing, they may be in violation of law.
--Braddock Gaskill
0) It's not encrypted???? All satellites I have worked with are encrypted at least on the uplink, including science ones. (even deep space science satellites that require big dishes to talk to it.)
1) It might be more useful to look at this scenario from the electronic warfare point of view, not an internet point of view. However, unlike the internet, you need large, dedicated, expensive equipment to uplink. The equipment is not outside the reach of many hackers, but very very few have them.
You need a license to do the kinds of broadcasts needed to command or jam a satellite. Because this is a rare event, your best bet is to handle this through FCC and like organizations. (unlike internet hackers, the FCC will take this seriously.)
2) Yes. Especially if you base your spacecraft on a standard bus. If you do, most of the syntax may already be public. And if I have your telemetry database and a decent history of commands and telemetry, I could figure it out. It isn't easy, and it isn't quick, but it could be done.
Besides, chances are, I don't need to send a good command to destroy your satellite. Just turning on one of the rockets and putting it into an uncontrolled spin will do it. There is a non-zero chance that if I get your spacecraft to accept any command that I could destroy it, even if I have no clue what the command did.
3) Most of the protocols are to use internet protocol to form an intranet between the ground control centers and the spacecrafts. This is mostly floated around as a method of constellation management, because CCSDS is just silly with a solid-state spacecraft. No one in their right mind would make a functioning satellite pingable from any moron on the internet.
This sounds like another one of those ill-conceived "My boss isn't listening to me, maybe I should prove I'm right" crusades, like the one that got Randal Schwartz in trouble.
My advice: Don't rock the boat, especially in the current economic climate.
Instead, when you get that "management are morons" feeling, just imagine a taxi meter above your desk and calculate how much money you make taking a dump on the company's time.
Well, if the satellite has a few GB of storage...
Given the recent shakeout of the warez scene, I can see many benefits to running a topsite on a hacked satellite. (Assuming, of course, it were possible to conceal the transmitter/receiver antennae required to interface with it).
Or you could just install the latest distro of Slackware on it and post a link to slashdot. Then we could have the first ever slashdotting of a LEO device!
Muwahahaha... er... nevermind.
Obscurity really is security, if it is true Obscurity. For instance, if you've written a custom server with a set of commands, and you run it on a single computer somewhere on some random port, chances are it's not going to be hacked unless somebody smart and dedicated specifically targets you. Yes, you'd be more secure if you wrote the thing to encrypt its communications and made damn sure that it was robust-- but saying "probably nobody will notice me" has something to it if really nobody likely will notice you.
The problem with companies like Microsoft arguing that obscurity is security is that they don't have real obscurity. Their operating system is absolutely all over the place, both physically and in terms of network connectivity. As such, there is both ample opportunity and ample motive to find out hidden facts about it. While those facts may be hidden, the OS is not, so there's no real obscurity, just a thin veil of obfuscation.
If you're building one new high-tech stealth bomber, and you do it in a hidden valley in some very remote site, and completely underground, chances are it's not going to be seen. On the other hand, if you build several prototypes in downtown parking lots of major cities, and just drape a cloth over them with a sign "no plane here", that's just the illusion of obscurity (and hence the illusion of security). Major OSes that are widely distributed but which hide their source code are much more in the latter category.
As for Satellites-- their obscurity probably is worth something. It's only one link, and the need to have the broadcasting station is a huge barrier. On the other hand, they can be highly visible targets, and I'd suspect that they aren't as obscure as one would really like to be to think it grants you some security. They probably ought to start using, as a matter of course, real secure protocols.
-Rob
Seriously. Is it really spam-related?
As most of the people who will read this, I have no hands-on experience with satellites. So basically I don't think you ask your question to the right audience. Then again, you only want opinions, and that I can give you :)
Question 1. I think you can do a DOS attack, provided that you have a strong transmitter. I have no idea what they cost, but I think you must pretty badly want to do this, since these kinds of transmitters probably won't come cheap.
Probably a weaker transmitter can do the trick if the distance from the receiver is small. If the receiver is standing at a large site, and that site is well secured, then this probably won't be a problem.
Question 2. Deciphering the command structure will probably not be that difficult. Especially not if you know what you are looking for (kind of data). As you said before, it is not encrypted.
I figure that if you can afford a receiver/transmitter to sniff the connection, or to do a DOS attack, that deciphering the command structure will be peanuts.
Question 3. If you (or your company) are concerned with illegal access then hooking it up directly to the Internet will probably not be a good idea. Furthermore, it would be wise to implement your own level of encryption over IPSec so that you can easily implement stronger encryption when needed.
Most importantly: is it worth it? I think not. Transmitters/receivers are specialised equipment (thus also probably very expensive). When you succeed to hack/crack a satellite then what? You have access to gigabytes of mostly useless data...
This goes for Joe Hacker. If you're talking corporate-espionage that's a completely different story... But I also don't think it is really worth the trouble for them...
Scientific satellites usually don't have much security. I wrote a script in tcl/tk once that created a set of satellite commands. The commands were transferred by ftp (perl) to an ftp-site where it got placed on the command queue.
You don't get much cpu-power in scientific satellites because they have to use CPUs certified for use in space. I might be wrong, but I think we used some Texas Instrument CPU from 1976 (they built the satellite in 1997). That means that ssh or ipsec would be useless.
We lost contact with the satellite after 5 months in space.
When I was working in a sat related field, I was told that huge dishes seen at major telecom companies sites are designed to have enough output to overpower any rogue control signal or DoS attempt. I think that figuring out how to control propulsion system by sniffing the control signal is difficult, if not impossible. One will need access to some serious astronomic equipment. Then he will have to monitor position and speed of the bird for very long time to see how it responds to the command, because firing the engines is a rare event. I doubt that sats can be controlled with precision needed to ram it into another one.
Just a quick comment - I wholeheartedly agree with the "security through obscurity is a bad thing" thought process, but when combined with other security features, as outlined here, it can be valuable. The best way to incorporate hidden features of your security plan is to "open" those features to a peer review of trusted (and NDA-bound) experts for their input. The number of experts is up to you, so make sure you balance "need to keep secret" with "enough insight to be valuable".
This way you can avoid the folly that one person's ideas are failsafe (they never are, after all), while still keeping the details from massive public consumption.
A poor analogy (but the only one I can think of right now) would be the details of the presidential security detail. By not publishing when the motorcades and aircraft will be moving/flying, the Secret Service adds a layer of security to the already armed-to-the-teeth plan. Relying exclusively on one or the other would not be enough to consider bullet-proof (no pun intended), but combining the two offers a degree of synergy, strengthening the overall plan.
Breaking into an orbiting satellite would be muchos hard work but imagine the consequences?! I think the western world would say "how high" if somebody rang up and said something on the lines of "hey, I have control of this satellite, I'm aiming it for touch down at xxx location". No encryption in my view is inviting someone to have a poke around.
Absolutely. Amateur radio operators have worked earth-moon-earth on 144 and 440 MHz for decades - there's no reason someone couldn't build the equipment to do it on your frequency. However, the antennas and such are rather obvious-looking. Any nation's communications commission would be able to spot one of those very easily in case it needs to be hunted down, and it does raise the bar beyond what most crackers are motivated to do.
In general, how do receivers handle multiple command carriers (would there be too much noise to command)?
The mathematical formula for this is Shannon's Law. Run your numbers through it (and keep in mind some modulations have significant inefficiencies of their own). I can't imagine missing a couple communications windows with your satellite would be the end of the world, though.
For something with the replacement cost of a satellite, you want guarantees, not estimates of society's intentions. If you want your control center to be the only station capable of transmitting commands to the satellite, your satellite needs a way to make sure it's the control center that's doing the sending. If you want to make sure your telemetry data is from that satellite, you need to make sure it's the satellite that's doing the sending. Note that encryption isn't really needed here (a cracker knowing what you're doing with the satellite doesn't help much, as this is not a spy satellite) but some form of public key signing should be employed. It also guarantees that your control messages won't arrive corrupted (although I'd imagine you'd already have something to protect against that).
Another used method is filling up the connection with "noise" so that the line never is idle. I don't know if it is a good idea in sat. communication. Besides encryption, it always makes it harder for those snooping if the line never idles. So you can't tell from the traffic if there is any actual communication or not.
1) Use some sort of encryption-related technology, like MACs (see my other post)
2) Use some sort of phased array receiving antenna. These can select what direction to listen to a request from. That means that someone would have to be in your geographic area or have an EXTREMELY strong antenna (much stronger than yours) to do any sort of DOS or even send legitimate commands.
1. Can someone effectively execute a DOS attack by uplinking to the satellite with a powerful signal (the frequency would be easy to 'snoop' from our transmitting antenna), thus preventing us from commanding it? In general, how do receivers handle multiple command carriers (would there be too much noise to command)?
I seem to remember something about the U.S.A. trying to send propaganda via the radio to Cuba, using hugely powerful transmitters, and Castro preventing this with the use of a relatively small jammer. Anyone else remember this? Anyone know of any information sources on it?
2. How many of you think that you could decipher the structure of the command (given the motivation)?
It's very possible. Wasn't AOL's communication protocol private? How many AOL speaking programs are there out there now?
I'd say a better idea is to use Microsoft's Windows XP Embedded. Run IIS on the satellite and use a web-based interface for administration tasks. No special software needed - just your IE 6.0 browser that came pre-installed on the home version of XP you purchased (after all, the browser IS the OS). Plus I've been assured that it's entirely secure.
do not read this line twice.
You MUST secure your satellite command and control system. This is NOT an option, it is a requirement.
Some background for my opinion: I work with these systems, developing satellite command and control - I'm not The Man in this area, but I'm on a team that's competing to build a USAF command and control system, and I'm currently working on developing the network operations center for a comsat system. I'm not Mr. Security, but we've had conversations - get it?
To address your specific concerns - yes, someone can "blind" the command uplink, but you can usually do something about that legally - someone radiating that amount of power gets noticed. It can be done, but there are countermeasures that can be taken - encrypted in-band commanding is popular on comsats. People can decipher command structures, esp. if you're using a COTS satellite bus - and most science missions starting out today use one as a point of departure. In fact, you can probably get hold of the base command structure for some early satellite families and extrapolate from there. The "standards" being worked on are a long way from ready for prime-time - I don't know anyone willing to entrust a hundred-million or billion-dollar comsat to them. The US gov't. controlled encryption systems are still the standard for the command link in the systems I'm seeing (I do work in the US).
Will people hack science birds? Depends on what they do, and how bored the "people" are. There are a lot more gratifying things out there, and hacking a science bird would get a lot of bad press - but some folks live for bad press. Don't just rely on physical plant security - you can't put a security guard on the bird, and remote links are always vulnerable if they're not sufficiently secured. Go do research, and ask some of the COTS command-and-control companies (Integral Systems, or STI (now part of Harris)) for advice - they'll try to sell you product, but it's worth it to listen.
Good luck.
8mm tape! LOL
How much cash would it take to make a programmer with access talk?
Very little cf. with the cost of the craft if they're like anyone I know!
"Oh no, not again"
I don't know how exactly Satellites communicate with the base stations, but since they have (as far as I know) similar command structures (see the Astra information video: "The SES Astra Command Station in Betzdorf / Luxemburg is able to control satellites in their range on demand and/or in emergencies"). Hacking satellites is not a question if anyone would do it. The question is: "What can we do to prevent it?". You never know what intruders have in mind when doing such things, and you also don't know if they can. I don't know the data capacity of the uplinks/downlinks for satellite control, but isn't it possible to encrypt the data flow with ssl or similar? A well worked-out security concept is a MUST, especially if you think of that satellites cost a lot of money (ranges up to unlimited, plus rocket carrier and more).
- Timo
Every problem has a solution, but every solution creates new problems.
Why should anyone want to explicitly hack the sat itself?
With all the posts above (or below.. whatever) describing how hard it would be to talk to a bird, I would say that hacking the ground station is much easier.
Think about ex-employees, some social engineering, exploitable firewalls, stupid proxy flaws, "unguarded" workstations etc etc.
I think it's not how do I secure my satellite, it's more about how do I secure my office at all, because this IS the weakest point of this chain of communication.
Having the best hardware/software encryption doesn't help much when someone installs such trivial things like keyloggers etc...
1. Jamming the uplink.
Jamming the uplink can be done, however once it's done, it is easy to find out who is doing this and easy to fix the problem. Since you're in the field, I'm sure you know all about squelching on particular rx beam channel (The main rxing antenna is usually as simple as a honeycomb of waveguide).. All military satellites can give a Lat and Long of the jammer if the threshold is set low enough.
All military and major commercial satellites have a redundant, out of band uplink path that's available to the command.. This is usually in the VHF frequency range (as opposed to the GHz range for comms uplink) and is used for C&C only. This channel usually requires special encryption and commanding sequences, however if both were jammed, you'd be blind until the jammer was brought down. All the satellites that I've worked on have had protection for jamming though.. A few have had systems that would shut off particular beam channels for a given time if they detect a jamming signal.
There is also the issue of communications protocol.. Most of the systems that we worked with didn't only use encryption, but also particular protocols that weren't widely known.. Here's where obscurity can lend a hand.. though everyone's right.. it's not effective.
2. Can it be hacked...
This has already been answered... It probably can, but if the satellite designers had half a mind, it'd be hard... and any attempts to test uplinking would be detected pretty quickly.
3. Satellite Internet Node.
Secure or not, it's just not a good idea. Granted, it'd make it easier to get information across either the Atlantic or Pacific, but with fiber optic systems and the bandwidth that they'll be capable of transmitting these days, it's more cost effective to use a trans-oceanic fiber (When you consider the cost of funding launch, uplink and downlink equipment, maintenance of flight path and satellite system etc...).
If the only thing you want to protect is the commands sent to satellites, use certificates to sign every command (with ad-hoc software on the satellite to check signature) to ensure the satellite won't execute unsigned commands. Else, if everything has to remain secret (I mean both up & down data streams), a public key/private key encryption system is recommended (rsa with at least 4096bit keys should do the stuff safely for at least the next 5 years according to bank security advices). Anyway, avoid any "secret" encryption scheme as those "secret" schemes are not always mathematically proven to be safe. RSA will remain quite secure as long as your keys are correctly generated (and no one gets them) and no one discovers a way to factorize big numbers. Bests
Amazing. Utterly amazing. A question about satellite security ends up with a Microsoft bashing comment. You forgot to ask if the satellite is running Linux and if there is enough storage space for a few DivX'd anime episodes...
Physical, keep that network you communicate to the satellite separated from all other networks.
Encryption, I'd recommend encrypting the uplink command stream as a minimum. Encrypting the downlink would also be good. This makes the pool of information about what was done small and thus makes cryptanalysis harder. Temper this with the fact that all known encryption methods can be brute forced with enough time and CPUs. The encryption is there to make the job harder.
On going to standard IP protocols for talking to the satellite, I'm not convinced it is needed and may be detrimental security wise as it provides a more common element that can be worked from. On the other hand if the protocols have a good security setup in them that is proven secure, then it would be better than developing your own. At this point any security relying on digital information can be faked. There is no absolute security in the digital world.
What I would do: Keep the network physically separated from all other networks. Keep the protocol secret as nobody else needs to know. Encrypt the uplink and downlink data streams. For the encryption methods, I would choose well known and thoroughly checked out methods for setting up and maintaining keys, etc. It would be best if the keys are rotated often. This helps keep down the possibility of a key being brute forced before you stop using it.
1. Yes, someone can execute a DOS attack. It's called jamming and was done in the 80s to HBO by Captain Midnight. You need to check on the specific satellite design and see how the receiver would handle it but bear in mind that generally they will look for the best SNR and go with that. If the transmitter is higher power than you are, the receiver will see your signal as simply noise.
2. How many of you think that you could decipher the structure of the command (given the motivation)?
2. Deciphering the structure of the command is not going to be easy but it can be done. This is not something for script kiddies but the true hackers with sufficient motivation will eventually figure the problem out. Remember, with Real Hackers, simply the doing of something neat is sufficient motivation -- but a Real Hacker also subscribes to the Hacker Ethic of doing no harm.
3. I think the simple cool factor of getting into a "NASA Satellite" would be sufficient motivation for some of the budding anti-social geeks. Satellites are extremely high-value assets and should have better security than how we protect our webpages. However, securing them also goes counter to the way most scientists want to work. Luckily, the command and data streams should be using different signalling systems and freqs so you CAN have the best of both worlds.
4. I would not assume your network security works. I seem to remember something about someone getting into ESA's system; it was postulated as a possible reason for one of the Ariane failures resulting from bad design. Personally, I think the French just wanted to toss the blame off on someone else but the more the US government relies on Microsoft systems, the less secure your system will be and your security is only as good as the weakest point of entry.
People here have even less of a clue about satellites than they do about copyright & patent law.
If you are not a troll, then YUO=FUCKED.
Conformity is the jailer of freedom and enemy of growth. -JFK
Yes, this is a bit far-fetched. At some point it will become necessary to put full-time security people on satellites anyway, since other people might try to hijack the satellites. Heh, I guess that would be "physical security". So anyway, this is most probably not a viable suggestion for you, I'm simply prognosticating. Of course, having people on board *would* make it easier to recover from a hack attack (unless someone had bribed the security people).
Never *ever* log in to your satellite using telnet/rsh. Always use secure shell. And use a password that is *at least* 8 characters long, with both small and capital letters (no qwerty). Yes. That should do it.
Come on now. Electron microscopes hardly involve optics at all. Beside that, I happen to think Natalie Portman has nice breasts. You just don't appreciate a fine work of art.
Note that I didn't type, "6250bpi spool"
Actually since I typed the original note I've been trying to figure out how to work the "sex" angle. I know a few secrets, probably.
That's why you debug using duplicate equipment on the ground. That's how JPL does it. They've reprogrammed interplanetary exploration vehicles such as Galileo, for instance. It's not a nightmare, but the latency (8 hours round trip to Galileo) is a hassle.
Best Slashdot Co
Under 2 hours?? I assume you are planning just to watch and not be directly involved in the fixing.
While security through obscurity is stupid by itself, it is still a valuable component for an expensive satellite operation. Probably releasing components of your protocol and authentication methods opensource and not leaving a breadcrumb trail back to your company and business sector would be best.
1). DOS? Yes, fairly easily. With the programs available now, it is fairly easy to construct an antenna with the sort of gain needed to jam the receiver inputs. The need here is not to take control but deny you control. This can be as simple as just degrading the s/n ratio to the point where you are lost in the noise floor or can't stand out from the crowd. By sending up a signal with noise on it, what you hear is noise. Hard to tell if you're being jammed or just having noisy conditions. In this case you've been jammed, causing DOS and may not even know it. Then there is the case where they just send up a signal with the intent of jamming the input and letting you know that you're being jammed.
What you lack in raw output power can be compensated for with antenna gain. Odds are you're using short wavelengths which allows you to build "death ray" (very high gain) antennas that really aren't very big. Or use several linked together which makes them even smaller. With a combination of high gain and narrow bandwidth, not only can they deny you access to your bird, but they'll be hard to trace because of the narrow beamwidth. Nowadays, with the increased interest in amateur radio satellite operations, the equipment needed is cheap and easy to obtain and can be masked as a "ham" setup. There are now solid state options that allow a small transmitter to be constructed capable of 100 or more watts that can do the job. I've seen satellites "captured" with 100 watts and a 23db portable antenna.
2). Crack the operating codes? If you're not encrypting the signals, someone is monitoring them and working the issues already. Why? Because it's there. How did people crack the telephone company switch codes? How did mainframes get cracked? Combination of innate human curiosity and revenge by disgruntled, former employees. Don't fool yourself by thinking some combination won't happen to you.
3). Whatever protocols you go with will be subject to cracking. Just like any other asset on the 'Net, you can't just secure it, you have to keep up with changes.
You'll need to use several different techniques to secure the satellite. Polarization, multiple access frequencies, spread spectrum or frequency hopping, encryption that uses both hardware and software, modulation techniques, time based access and others. The use of a proprietary system limits the number of people that will know it, but doesn't eliminate that information getting out. Look at what happened with the "Falcon and the Snowman" where the spy was selling highly classified and sensitive manuals on satellite operation to the Soviets. A straightforward scientific satellite won't even have the cloak of patriotism to wrap itself in to ward off this type of human engineering.
What is the operation of this bird worth to you? What would it be worth to someone to gain control of it? Now, how expensive and how hard do you want to make it to do that? Imagine your house is worth $250,000. You should probably use more than just a low-end lock set on it. You probably don't need Ft. Knox security. You need something in between and that will be determined by how much you are willing to spend balanced against how likely you are to have to use that expense. Think of it like backing up your server. How much will it cost you if it goes down, and how much will it cost you if it goes down and won't come back up?
I can only hope you know more than you're letting on. Otherwise, that's a telling comment on how little your company thinks of the security of its assets.
You must be the change you wish to see in the world - Gandhi
Sure, but it's called jamming, not DoS. There are plenty of problems with unintentional RF interference on space assets. Actually trying to interfere wouldn't be very difficult given a big enough dish and proximity to the uplink site.
2. How many of you think that you could decipher the structure of the command (given the motivation)?
Contrary to what most slashdotters are probably saying, this would be very difficult. I'm not saying you should count on it though.
The problem is that the feedback loop is pretty open because the attacker may have incomplete access to the downlink (and would have to decipher that as well), and likely doesn't have access to other means to watch what a particular command does to a satellite. You may be trying to send a command to fire a thruster or torque a gyro, but if you don't have the means to assess whether you've tumbled the bird, it's just guesswork.
Remember when Garth sent Cassandra's performance to Mr Bigg's limo in Wayne's World?
He did have that big fat UNIX book and a geek-garth-gurl....
Sending a signal up to a satellite is fairly easy and something that ham radio operators have been doing for years. AMSAT is a good place to check out what has already been done as far as getting a signal up to an orbiting target go. Additionally some ham radio operators have operated at what's called moonbounce or EME (earth-moon-earth) where they send a signal off the moon and back just for a bit of a challenge and the fun of it. There is also information around on high power transmitters that are used for that. Hams have been able to do that sort of thing for years. Keep in mind though since that information is public others can do the very same thing. Also someone with a malicious intent won't likely be concerned with government communication regulations.
73 de VE6OMJ
It would appear that the current systems will always be vulnerable to a strong jamming signal, which may not even be real data. An empty carrier may be enough to mask out your command signal. The only method I can think of that would prevent this would be a CDMA radio link, which can pick out data below the noise floor. Frequency hopping would also be needed to add an additional layer of security.
Making the satellite's command and control protocols widely available is ridiculous. There's a big difference between relying on obscurity for your security and using it to enhance your security. There's also a big difference between a computer that sits on the Internet to be probed with all responses available for digital capture and a system that can only be accessed through RF transmission, probably using frequency hopping and digital spread spectrum.
The public doesn't have a need to know everything as long as the company(ies) involved don't rely on that obscurity alone to protect them.
Some of the details about the hijacking of HBO by breaking a communications satellite by John R. MacDougall (who had the night shift at a satellite transmission center with the required equipment) can be found at:
http://catless.ncl.ac.uk/Risks/3.24.html#subj3
This was done in 1986, and MacDougall transmitted a few messages and a test pattern over HBO interrupting normal programming. It seems likely to me he just transmitted video on HBO's frequency, so this probably wasn't a command and control hack.
--Braddock Gaskill
here is what I would do.
1) dumpster dive on your trash and hope that you didn't shred all your documentation.
2) get a spectrum analyzer put it in my truck and sit in your parking lot and try and grab some examples of your uplinks. this is great for replay of some of your transmissions. like say regular commands to download data etc.
3) I am sure this particular bird has a command structure that is proprietary but usually no one reinvents the wheel, this is the difference between "copy" and "cp".
4) get a job at your employer and read it for myself. go home and send it into the wrong orbit.
5) private network huh! I bet you have at least 1 dial up modem in your shop that I can find with a war dialer.
replaying a command that I sniffed from your dish continuously would probably mess you up pretty bad. fire thrusters, or send queued data. doing this all day could end the life of your little bird.
ps: I have access to a spectrum analyzer and access to a 12m uplink dish. But I have much better things to do with my time than flirt with a felony.
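The replay described in the post above (re-sending a sniffed uplink) and the suggestions elsewhere in this thread to sign or MAC every command come down to one onboard check. The sketch below is an added example, not code from any poster or any real spacecraft: it uses an HMAC with a shared key rather than public-key signatures, and the frame layout, counter width, key and command names are all assumptions made for illustration.

```python
import hashlib
import hmac
import struct

# Assumed frame layout (not CCSDS): counter || payload || truncated HMAC tag.
COUNTER = struct.Struct(">I")   # 32-bit big-endian command counter
TAG_LEN = 16                    # HMAC-SHA256 truncated to 128 bits

# Constructed demo key; a real key would be loaded before launch and never
# appear in source code.
DEMO_KEY = bytes(range(32))


def seal_command(key: bytes, counter: int, payload: bytes) -> bytes:
    """Ground side: authenticate the counter together with the command bytes."""
    header = COUNTER.pack(counter)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()[:TAG_LEN]
    return header + payload + tag


class CommandReceiver:
    """Spacecraft side: accept a frame only if the tag verifies AND the
    counter is strictly greater than the last accepted one."""

    def __init__(self, key: bytes, last_counter: int = 0):
        self._key = key
        # Must be kept in non-volatile storage so a reboot does not reset it.
        self.last_counter = last_counter

    def accept(self, frame: bytes):
        if len(frame) < COUNTER.size + TAG_LEN:
            return False, "malformed"
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self._key, body, hashlib.sha256).digest()[:TAG_LEN]
        # Constant-time comparison; verify the tag BEFORE trusting the counter,
        # otherwise a forged frame could push the counter forward and lock out
        # the real control center.
        if not hmac.compare_digest(tag, expected):
            return False, "bad tag"
        (counter,) = COUNTER.unpack_from(body)
        if counter <= self.last_counter:
            return False, "replayed or stale counter"
        self.last_counter = counter
        return True, body[COUNTER.size:]


def demo():
    """Run constructed frames through the receiver and return the verdicts."""
    rx = CommandReceiver(DEMO_KEY)
    results = []

    genuine = seal_command(DEMO_KEY, 1, b"DUMP_SCIENCE_DATA")
    results.append(("genuine", rx.accept(genuine)))

    # The same bytes captured off the air and sent again.
    results.append(("replay", rx.accept(genuine)))

    # A valid frame with one payload bit flipped in transit.
    tampered = bytearray(seal_command(DEMO_KEY, 2, b"DUMP_SCIENCE_DATA"))
    tampered[COUNTER.size] ^= 0x01
    results.append(("tampered", rx.accept(bytes(tampered))))

    # A frame built without the key, carrying a very large counter.
    forged = seal_command(b"not-the-real-key", 4_000_000_000, b"SET_HEATER_ON")
    results.append(("forged", rx.accept(forged)))

    # The next genuine command still goes through: counter state was untouched.
    results.append(("next", rx.accept(seal_command(DEMO_KEY, 2, b"SET_HEATER_ON"))))
    return results


if __name__ == "__main__":
    for label, verdict in demo():
        print(f"{label:9s} -> {verdict}")
```

A MAC with a counter addresses forgery and replay only; it does nothing against jamming, and a shared key means anyone holding the ground key can command the spacecraft.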
so where is this satellite at? I want to point my direct tv dish and see if I can get some info intercepted. or at least some halfway decent cable tv, or really high bandwidth for some fragging.
Lizard "Never let them set limits on your mind!"
This is a problem that has already come to cause others harm. Almost three years ago, hackers seized control of a British military satellite and demanded ransom for it. All that is needed to communicate with these satellites is an antenna, and proper knowledge of the protocols involved. While these things are out of reach to script kiddie types, it's not that much of a stretch for the kind of people you really have to worry about (foreign governments and large/resourceful criminal organizations). So, you should think of these systems as being addressable by anyone. Consequently, I would take any and all lessons you can from the ways that people securely authenticate users on publicly-addressable computer systems.
For your security, this post has been encrypted with ROT-13, twice.
It was actually a joke, in reply to the original joke about making it run linux and open-sourcing all of the protocols. Some things are meant to be funny...read up on it sometime. Besides, you don't need storage for anime...it's a satellite for chrissakes, just use it to beam down signals of whatever you want. Twit.
p.s. - yes I realize that I'm replying to an A.C. post and am simply fanning the flames...I just don't care.
do not read this line twice.
Your Biggest threat is not a Cracker or Hacker. I believe that it would be a rogue employee who was recently fired/paid off who would cause the most trouble. I would advise looking at creating an encryption authentication just for this reason.
Why would doing anything to a satellite be worthwhile? Unless you can eavesdrop on conversation, zoom in on Saray Michelles breasts, or shoot lasers, then it seems pretty useless.
I don't think a satellite can be used to crash, doesn't it burn up as it reenters?
If you ignore ACs because they are anonymous - you're an idiot.
If a hacker can transmit a strong enough signal, "your" signal will be noise to the receiver. The signal strength may be enough to drive the satellite receiver into clipping. I can't tell if this will be the case without knowing something about your modulation and receiver, and I wouldn't do them in public in any case.
A satellite dish is not mandatory. Lack of a parabolic mirror will just mean a larger amplifier. A simple dipole is perfectly ok, provided you don't mind the whole world being able to see where you are, and running the risk of getting malformed children at some time in the future.
Why would I need to? You said yourself that I could snoop on your control signal to find the frequency. I will also need to find the modulation, and then I will have access to the signal itself. Have you seen any cars parked near any of the side/backlobes of your dish lately?
Ok, now for my scenario: What if some absolute bastard readjusts the orbit of your satellite, using your satellite to crash into another. If this is done in a certain way, the whole geostationary orbit could become littered with debris, with no feasible way of clearing up the clutter. Calculating these adjustments is a matter of applying sophomore-level physics.
Is anyone insane enough to do this? Are people insane enough to run an airliner into a building full of people? Who will get taken for everything they have got if their satellite destroys the geostationary orbit, and a postfact inquiry reveals that no security measures were in place?
Your security holes on a website. I suggest keeping this kind of info to yourself. You're on the internet, finding out who you are and where you work is easy these days. By asking such a foolish question on a website you may be advertising for hackers. (are you?)
Further, if your employer's satellites are hacked, you're asking to be on the wrong end of a liable suit.
Good Luck!
It sounds like you are extremely vulnerable to insider attacks or insider leaks. The information you posted in your question is probably more than you should have let out. Given a very motivated person, anything you do will be at risk. It is all about risk management. Good luck and ENCRYPT your signals for crying out loud!!!
-Derek
I have passed this article onto them.
http://ipinspace.gsfc.nasa.gov/
--
Chris Hendrickson
FlightLinux
http://flightlinux.gsfc.nasa.gov/
... but if someone has local access to the satellite, watch out!
;-p
This sig is xenon coated, and will glow red when in the presence of aliens
I would have assumed that's the case, but then I'd have assumed that control links to satellites would use a secure protocol, too...
Also, if you want to defend yourself against rogue states, you can't count on them not being able to build a suitable transmitter. As we've all learned recently, some terrorists have very considerable resources to command, too.
I don't see why not.. as you said, if someone were to find out what frequency you transmit on (though they'd almost have to be within spitting distance of your C&C installation to do so), jamming would be easy. They'd just need to figure out what kind of power you were putting behind the C&C signal and trump it somehow. The exact mechanics of this are beyond me, though..
I'm going to assume that you mean the lexicon of valid commands as well as the options and arguments to said commands here.
Assuming a motivation of "I'm bored..."? Most of Slashdot's readers. All it would take is time to map out which commands are valid and which aren't. Once you've got that, you just need to play with each one to see what it accepts. The major factor (once you've got access to the satellite) is time. If only for the intellectual challenge/bragging rights it would be done given the chance.
In response to your overall question of whether or not it would be worth the time to crack said satellite, I think quite a few people would give it a shot just to see if they could do it, so yes, it would be. The rewards if/when it's all said and done would be knowledge of that satellite's control systems and maybe bragging rights, but sometimes that's all you need to want to do it.
Proteus' Child
Doko ni datte; hito wa, tsunagette iru.
I'll let others speak to the technical issues about the difficulty/cost of sending rogue command messages to a scientific satellite.
I would note, however, that the simplest attack on a system like this (unencrypted or reliant on fixed keys) involves social engineering or the outright corruption of staff who know the details of the protocol and command structure. Do you think there's a chance someone who understands how to command the satellite might part with the information for $100,000? How about $50K? $25K? In any of these cases, the engineering effort required to reverse-engineer the information is likely to be lots more time-consuming and costly than simply bribing someone to give you the information you want.
When you're just trying to guard against the '7337 hax0rs working from home, you can pretty much focus your attention on technical avenues of attack and maybe some basic social engineering, but when considering a determined and well-funded adversary, it's important to take (management buzzword alert!) an integrated, enterprise-wide view of the problem.
did work a bit in this field
basically, if they want to wreck a bird for the fun of it, throwing rocks at your antenna is probably the simplest way to go about it.
as for actually uplinking, they could cause you a lot of hassle just by filling the channel with noise, disrupting your commands
the cost of a bird and its launch is much much more than the cost of causing you hassle
Do you feel better knowing that you wasted about two minutes of your life replying to, what was in fact, irony on your own joke?
I mean by his own admission the vast majority of people do not have the ability or technical expertise required to operate a satellite. What advice could he hope to get on slashdot but a bunch of half assed guesses by people who have no experience in this field? The hardware on the bird alone will probably rule out most of the suggestions that will be made here. Not to mention the fact that he didn't mention if the data had to be decoded in near real time etc, etc.
Ahh, well I'm not going to debate this any longer
because no one will ever see this post. Plus I'm drunk and tired and my bed is beckoning to me.
P.S One final thought: Why is this story listed under spam?
Anyway, there are plenty of secure protocols available, you could take one of them (or even an implementation of them) and use it on your link. You could even review the code, to make sure there are no implementation errors, and should you find a bug you might even *gasp* give back to the community, and submit a patch.
Which would have the benefit that you'd stay in sync with the other people's code, and will probably at least give you a review of the patch.
Attack Trees are a documentation system to identify security priorities, by Bruce Schneier of Counterpane Security and general computer security lore.
Theoretical attack on your satellites' controls:
BAM! In no time, you will have your own secret satellite command center!
Now, with that in mind, think about how you can make each step of this theoretical attack easier/harder. Go read that Attack Tree paper and make a draft-doc for your boss.
--- Nothing clever here: move along now...
Just how secure is it? Are we talking bunker fortress or a couple of hire-a-guards? Are procedures in place to make sure that facilities can be made non-functional in the case of an invasion?
So no one has access to the internet from anywhere in the facility?
Most? Remember Captain Midnight? You're depending on the security not of your facility, but every facility under or near your footprint (which is most everywhere for non-sync satellites). You actually don't need that much power to communicate with a satellite. You do if there is someone else competing. And if the facility is not monitoring it 24x7x365, someone could take control when you are not looking, and you would not be there to grab it back.
Certain high security facilities do not allow employees to take any papers or media in or out that's not specifically approved by many levels of management with procedures in place to handle it. Do you go to this extreme? Ever heard of "disgruntled employee"?
It's a matter of degree. Are the commands checksummed against noise? How strongly? Personally for something as critical as a satellite, even a science satellite, I'd use something quite strong to checksum, like MD5 instead of CRC-32. Sure, it's arguably overkill to use MD5, but I would anyway.
Once someone has your frequency, if they have access to any unsecured facility, they can DOS you. And many ham radio ops have enough facility in their backyards. Then if they got the specs from the disgruntled employee, and enough power to keep you from grabbing it back, they can even 0wn it. Even greater danger exists if the commands include uploading new program code.
For a company I once worked for, I cracked a competitor's file format (so we could convert the data to our format) which included a proprietary compression algorithm for which I had no docs. Considering that I would not feel the multi-million dollar loss if command experiments dunked the satellite into the ocean (or worse), if motivated, and had access to doing occasional commands on the thing, as well as sniffing the command upstream from nearby the uplink in one of the side lobes, I might be able to figure out enough to ... perhaps at least dunk it.
My greatest worry with a lot of these generalized security protocols is not the crypto they provide (IPSEC is plenty solid enough in that area for me), but rather, in the social interface aspects ... the way things get routinely configured after the design is all done, by people who never designed anything secure, is the biggest risk I see. And, IMHO, IPSEC is rather exposed in that area due to the complexity of configuring its setup. Most security is.
Steering a satellite over to hit something like an international space station would seem to be highly unlikely, given the small object sizes and the even larger spatial dimensions up there. However, the cost of the risk is extremely high. Even so much as having a satellite out of control doing unknown things up there could cause operational impacts, and require aborting missions.
Whatever you design now will be used for how many years? And what will the new security requirements be then? Personally, I would consider every security risk at least in terms of the high cost of impact, and quite likely pretend a high chance of intrusion by a motivated cracker/terrorist. IMHO, it is best to maximize the security everywhere that you can't prove has no risk. And if you have not done so already, take an NRA gun safety class. Then translate the multiple layers of safety you learn there into multiple layers of security, and think like that everywhere.
now we need to go OSS in diesel cars
You're asking a group of hackers... if doing something for the sake of doing it... "would be worth the time?"
You're asking a group of crackers... if performing the ultimate crack, obtaining command control of a satellite... "would be worth the time?"
As you said, the only reason it probably doesn't happen very often is a simple lack of the required tools. To hack into a system on the internet, you wouldn't need much more than an ascii terminal with an internet connection. To hack a satellite, you need some powerful equipment, and the average person who is able to afford such equipment, probably would recognize that the effort isn't worth the potential sacrifice.
Conventional networks were rather insecure in the beginning. But back then, the privileged few who had access respected the system and didn't have the need or desire to exploit them. Times have changed, so much to the point that IF you are insecure, you WILL get exploited, and it's only a matter of time. Satellites may begin to reflect this history soon. Right now, those able to access them have no need or desire to exploit them.
But just give it time.
-Restil
Play with my webcams and lights here
I hate to have to disappoint, but the command and control structures of many common scientific and commercial satellites have been known and talked about openly in certain communities for many long years. Back in the BBS days there were specific sites one could go to that had complete information for command and control sequences for a number of satellites, what frequencies to use, etc. Of course, access to appropriate transmission equipment and the willingness to use it was the only real obstacle otherwise those satellites would have been hacked as much as the phone network long ago.
Security thru obscurity not only failed completely here long ago, but those that needed to most know of this vulnerability did not because they failed to take a proactive approach to this very real problem and so believed in their own imaginary security as apparently this person does to this day. This is the final and fatal flaw in any security thru obscurity regime, that those poor saps believe their secret really is secure because they have nothing to tell them otherwise until the day they are surprised like the emperor who has no clothes.
After all, passwords qualify as security by obscurity.
As for ur question, whether someone would like to crack a science satellite, it depends upon what the satellite does.
If it can give access to the person about a region's weather, landscape.. or it is a remote sensing satellite then yup, some rogue nation would definitely be interested.
Moreover this can be done for ransom purposes, a lot of money goes into a satellite, the person may ask a ransom of about 10% of the satellite cost, but not to worry in that regard, u need a real rich hacker.
The biggest danger is that the person may be actually trying a military satellite and uses an ordinary one for dress rehearsal.
Lots of possibilities here.. and i agree with slashdot, obscurity is not security. I am not very well versed with satellite protocols, but i think the wireless engineers must be having ideas about security in such situations.
The best way is to encrypt everything and use frequency hopping over a narrow range using an encrypted key. This method can be useful for sensitive places.
My Aurora : http://www.youtube.com/watch?v=o91ZsGwJYyg
FB : https://www.facebook.com/TanveersPhotography
Captain Midnight!
It's not just a nice "satellite takeover" story, it's also a great "fight the Man!" tale.
I personally wonder if someone could do a Captain-Midnight job on an MTV transponder and send the message "PLAY SOME DAMN MUSIC SOMETIME, LIKE THAT MUCHMUSIC CHANNEL IN CANADA!" Or a CNN/FoxNewsChannel/MSNBC transponder - "HTTP://INDYMEDIA.ORG - REUTERS AND AP ARE NOT INDEPENDENT MEDIA!"
A man can dream...
Someday, you're going to die. Get over it.
Assume the unknowns are ten guys with a budget. If you can keep them out, then the small crackers are no problem.
Undocumented command structure? It's just a weak form of encryption, crackable with time and data. Look up code (not cypher) breaking, basically the opposition just matched up what was sent with the satellite's behaviour. Denial of service attack? As others have noted, all they have to do is lock out your signal with a stronger one. By the way, what's the implication of the satellite getting a command carrier for 48 hours? 72 hours? Does it automatically transmit back, and how long can it keep it up?
I just wanted to say that your sig qualifies as poetry. When I read it and thought "WTF?" I started coming up with all these completely hilarious explanations --granted though, all in geekish dialect. Congratulations for having high-density humor!
--- Nothing clever here: move along now...
I mean, seriously. If you do work in "the satellite control industry" (that's a separate industry from the satellite industry?) and are doing the work you claim to be, then you have several problems:
a) You should already know the answers to questions 1 and 2, and have enough of an understanding of 3 that removes the need to ask it. You should also already know, based on 1 1/2+ years here on the site, that this is *hardly* the forum for a real answer to that question.
b) You just divulged some fairly major security-vulnerability information on the internet equivalent of Prime Time television.
c) I would hope that nobody at your company gets wind of this posting, because it would not take a rocket scientist (*smirk*) to figure out who you are.
I'm really not trying to flame here, but this *really* seems like a horrible, horrible idea. From a security standpoint, if your systems are based on security through obscurity, the *last* thing you want is more attention being drawn to them, especially if the amount of attention being given to the subject matter is by nature usually small (how many people have satellite transmitters?) and prone to mass speculation (how many openly documented satellites are there?). Just by asking this on Slashdot, you've brought more attention on satellite-hacking as a whole, thereby astronomically increasing the chance that someone takes a more "active" interest in figuring out how to send your company's prized birds into a flaming death spiral.
Of course, all this assumes you are what you claim to be. You could very well be (as another poster suggested) a cleverly disguised troll.
I mean, geez. Shame on you for submitting, and shame on Cliff for posting it. Doesn't the /. crew think 5 minutes on a submitted article before posting?
(Moderators, feel free to mod this appropriately. I have more than enough Karma, thank you)
You have got to be kidding. Keep your code locked up and don't give it to anyone unless they have a need to know. Opening code is the stupidest thing you could do. It's kind of like publishing hacking exploits before the patch is released - someone will use it against you. You don't need these yahoos to review your code.
The most obvious example of this principle is in encryption. In both public- and private-key schemes, it is essential that you obscure your keys (or private keys) from view in order to maintain secure communications. It works the same way with other methods, such as keeping the command structure of a satellite secret. If no one knows the command structure, they might as well be brute forcing an encrypted message, because a command could be just about any length to be valid.
So really, people here should be very careful when speaking in absolutes. It doesn't work when comparing the performance of operating systems, and it certainly doesn't work here.
--
Theo DeRaadt
Founder, OpenBSD project.
OK, any good looking female hackers or spies or whatever mail me at snowiscold2002@yahoo.com
:-)
Back to topic.
I'd hack all weather satellites to get rid of all those rain forecasts
I'd hack a tv sat get it to send UN-encrypted TV (prolly has nothing to do with the sat, but hey ;-) )
I'd hack a spy sat (or anything with a powerful cam) to peek at nude beaches etc. (I still want to see a picture of earth made by Hubble...)
I'd hack some telco sats for the bandwidth (though the delay is prolly no good for online games :( )
HOW would I hack them?
The freq should be no problem to get. Look at the local frequency plan (public record) maybe even the licenses are public record in your country.
Direct access to the dish is prolly secured, but shooting a line of some sort might go unnoticed for a very long time. When was the last time you physically went out there on the lawn to check the dish? (Hey I'll get a temp job as lawnmower!)
I currently am aware of two dishes laying around that might be suitable. My old school has a 18' dish turned upside down occupying part of the lawn. I think that if I tell the principal I can take it off his lawn he'll give me some money to do it :-). Then I know another smaller one lying right next to a road. I guess it belongs to the telco there, but they are into cable now. A truck with a hook is enough to get at it...
The feeder on the other hand will be another problem... I'll try google or wer-liefert-was to order something online through a post box company.
Next step: start sniffin! (using the dish for the downlink and the cable shot into the "official" dish for the uplink)
You can't possibly be working in the industry and posing this kind of question to slashdot.
They stab it with their steely knives,
But they just can't kill the beast.
I used to do support for a satellite system at Schriever Air Force Base. Since all the systems were housed inside sealed 'mods', and the systems themselves were all stand alone, with no circuits to the internet or even siprnet. They take security there very seriously, one time I had three failed access attempts to the 'mod' I was trying to gain access to, and armed guards came around the corner at double time, and put me against the wall like a common criminal. Now that's security.
We are herewith terminating our employment agreement with you. We hope that the officers who execute the warrant issued for your arrest take the time to rough you up on the way in.
This kind of abuse of our intellectual property is inexcusable. To share a critical security issue on a public bulletin board with a group of aging hackers and hacker want-a-be's goes beyond lack of knowledge to the land of criminal intent.
Exposing holes to the world is not your job. Exposing them internally may be. In no event do you have the right or responsibility to expose those holes to any segment of the public. Regardless of corporate policy on security through obscurity you have probably committed more than one crime by publishing any hint that a security hole may exist.
Every hacker that lives on earth needs to be profiled. Use trojan software and spy cameras on the hackers. Anyone who uses a computer at a cybercafe needs to provide identification. They cannot stay anonymous.
yes. yes I do.
do not read this line twice.
Obscurity is some kind of security, but only as long as it stays closed.
But the security is far better if it uses encryption that remains open, and yet unbroken.
I assume it would be really easy to sniff the downlink, but is it also possible to sniff the uplink? If so, then someone can figure out the command structure once they decrypt the signal.
What about pre-programming the satellite to change encryption keys on a schedule or something? What does 802.11 do to generate new keys in a secretive way?
No you don't need to post *your* code and say "hey look at this, if you find the hole in it, you can break my satellite". You can however use a proven technology to secure your link, and yes, for that to be proven it needs to be open.
You can still have your obscurity - you don't need to tell anyone which protocol you are using, even your command structure can stay just as secret as it was before - it's on another protocol layer.
If you were to use (random example) ipsec, and send your SATCOM (made up) protocol over that, and then someone finds a hole in ipsec. Well then you are just as secure, as you are now - the attacker still needs to break SATCOM, as well.
If they're LEO, there will be periods of time during which you will be line-of-sight to the satellites but the attacker will not -- unless the attacker is either at your location or has multiple uplink sites. Even if the attacker has a strong transmitter and can DoS you while he sees the satellite, once he's out of the footprint of the bird and you are in it, you'll be able to command it.
Whenever you have something that's valuable to you, you should protect it as if it is at least as valuable to someone else. I'm sure that there are plenty of people out there who would love to take control of a satellite. Some people would only want to log in. Some people would want to snoop all of your data. Some people would want to take control of the satellite away from you. I bet that there are even some people who would love to change the orbit so that they could see a fireball from their back yard. Why would people want to do these things? For the same reasons that people indulge in shoplifting, vandalism, espionage, fraud, etc. If enough people think that they can, someone will.
Maybe as part of the obscurity is security protection, a jamming signal should be broadcast at the time commands are sent. The jammer would use a vertical dipole to provide bogus packets to sniffers while the high gain antenna reaches the satellite with the valid signal. The dish sidelobes could be easily hidden from sniffers. Has anyone thought of implementing jamming of the sidelobes? Any command should have a time code and rolling code included so any record and rebroadcast attack will not be accepted. For as much money that goes into the birds, inexpensive security could save a lot of insurance money.
The truth shall set you free!
He never said he was in charge or responsible for anything. Just tasked with researching what the security risks are, presumably so those who are responsible can make informed decisions.
Jason.
1. DOS attacks can be accomplished, based on the design of your bird. I do not know the particulars of your command receiver, but some designs can be DOSed.
2. It is entirely possible to reverse engineer the telemetry and command databases. I know a guy who used to do this to Soviet satellites for a living. They could control Soviet birds however they willed.
3. I'll let others with more knowledge on IPSEC give a specific recommendation. I am leery of this concept, however, given the historical security of anything attached to the Net.
It's really all just a matter of motivations. People listen to satellite telemetry all the time. Many of them reverse engineer it. Some can get images from the weather birds, but never try to command. Expect some eavesdropping, unless the bird goes really far away and requires >5 meter dishes to get a usable signal.
And remember, the CIA managed to "borrow" a Soviet Luna probe on world tour. They disassembled it, documented the design, and rebuilt it to get it to the destination in a pretty serious all-nighter. The Soviets never gave any indication of knowing.
Oh, and remember - keep the arrays pointed at the Sun.
One thing the submitter failed to say was which type of orbit the satellite in question has obtained. This can make a huge difference. If it's a geosynchronous orbit, you know exactly where your satellite is at all times and (hopefully) you can also point its dish right back at you. You would want to prevent people from snooping your signal in the first place. People can't reverse engineer a signal that can't be perceived from a convenient location.
My guess, though, is that this particular satellite isn't in such an easy orbit. That's fine, but extra measures should be considered. One neat trick if you're designing a satellite is to have the longest wavelength possible. That makes it very hard to intercept communications (even though they go everywhere, even deep in the ocean). The U.S. Naval command sends messages to submerged submarines using a wavelength on the order of 2 meters. If a really large dish is required just to talk to the satellite in orbit, someone is gonna notice when a guy builds a replica in his back yard.
Okay, that's all for initial designs. Here's what I suggest as something you can change now, without much fuss. Forget about encryption nearly entirely. I'm guessing that the satellite does have a clock (and ideally it sets itself to the GPS signals). Now, the satellite should only obey signals that arrive between pre-set times (though it can behave as though it's really going to act, as a foil attempt). Second, the ground station should send commands followed by a signature--like PGP signatures. The satellite's software should easily be able to confirm that the message is authentic. No need to encrypt--since no one else can reproduce the signature. If the signature is valid, the orders are carried out. If the signature is bogus, the command is logged and relayed back to ground later for inspection.
DOS attacks are more difficult to deal with. My personal feeling, though, is that if this particular satellite must have updates every day or so, you're in trouble anyways. Perhaps you can find a way to ensure about 3 days worth of commands can be in queue, in the event that the satellite is unreachable. That will keep it roughly in its orbit. Then, if a DOS attack does come, you'll have those three days to track the source. That should be plenty of time. Also, and I could be wrong, but most "hackers" or whatever prefer a much more immediate result. They would want to do the DOS attack, see the satellite go down in flames or whatever. Waiting 3 days for something to happen... all the while being searched out... is likely to make the hackers very, very scared. I would be shocked if they transmit more than a day, personally.
Long, cute, or funny Sigs are just another form of over compensation, used by geeks, nerdz, etc.
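An added example, not part of any comment in this thread: the spacecraft-side checks proposed in the comments above (an authenticity tag on every command, a time code and rolling code against record-and-rebroadcast, acceptance only inside pre-set command windows, and a log of rejected frames for later downlink). HMAC-SHA256 with a shared key stands in for the PGP-style signature; the frame layout, key, window values and all names are assumptions made for illustration.

```python
import collections
import hashlib
import hmac
import struct

# Assumed frame layout (hypothetical, not a CCSDS format):
#   4-byte rolling counter | 8-byte UTC time code | payload | 32-byte tag
HEADER = struct.Struct(">IQ")
TAG_LEN = hashlib.sha256().digest_size


def build_command(key: bytes, counter: int, timestamp: int, payload: bytes) -> bytes:
    """Ground side: the tag covers the counter, the time code and the payload."""
    body = HEADER.pack(counter, timestamp) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()


class CommandReceiver:
    """Spacecraft side: authenticate first, then check window, time code, counter."""

    def __init__(self, key: bytes, windows, max_skew: int = 30, log_size: int = 64):
        self.key = key
        self.windows = windows          # pre-set (start, end) command windows, UTC seconds
        self.max_skew = max_skew        # tolerated clock difference in seconds
        self.last_counter = 0           # highest counter accepted so far
        # Bounded log of rejected frames, to be relayed to ground for inspection.
        self.rejected = collections.deque(maxlen=log_size)

    def _reject(self, reason: str, frame: bytes):
        self.rejected.append((reason, frame))
        return None

    def receive(self, frame: bytes, now: int):
        """Return the payload of an accepted command, or None if it is rejected."""
        if len(frame) < HEADER.size + TAG_LEN:
            return self._reject("short frame", frame)
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        # Constant-time comparison; nothing in the frame is trusted before this passes.
        if not hmac.compare_digest(tag, expected):
            return self._reject("bad tag", frame)
        counter, timestamp = HEADER.unpack_from(body)
        if not any(start <= now <= end for start, end in self.windows):
            return self._reject("outside command window", frame)
        if abs(now - timestamp) > self.max_skew:
            return self._reject("stale time code", frame)
        if counter <= self.last_counter:
            return self._reject("replayed counter", frame)
        self.last_counter = counter     # advance only after every check has passed
        return body[HEADER.size:]


def demo():
    """Run constructed sample frames through the receiver; return the rejection reasons."""
    key = bytes(range(32))                                 # constructed sample key
    rx = CommandReceiver(key, windows=[(1000, 2000)])      # constructed window
    frame = build_command(key, 1, 1500, b"\x10\x01")       # constructed command bytes
    rx.receive(frame, now=1505)                            # accepted
    rx.receive(frame, now=1506)                            # recorded and rebroadcast
    rx.receive(frame[:12] + b"\x10\x02" + frame[14:], now=1507)   # payload altered
    rx.receive(build_command(key, 2, 2500, b"\x10\x01"), now=2500)  # window closed
    return [reason for reason, _ in rx.rejected]


if __name__ == "__main__":
    print(demo())
```

With a shared HMAC key the spacecraft holds the same secret as the ground station; a public-key signature, as the comment suggests, keeps the signing key on the ground only.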
Yes, the community of open-source satellite operators will be grateful indeed.
With thrusters that can put out about as much as you could fart, only for maybe a few hours tops before they died, you needn't lose any sleep over the prospect of being bopped on the nose by the great-grandson of TIROS I.
Even if you had perfect control over a sat, steering it to do as much as dinging another sat would be like playing billiards on Kennedy Field, starting in opposite corners; or perhaps like blindfolding yourself and trying to pick up the same grain of sand from a beach, by itself, twice running.
To get yourself hijacked, you'd need to hit some turkey on the fine line between smart enough to break it, and dumb enough to think you can drive it like Zidgel from the 3-2-1-Penguins videos does his ship (hint: it's a manual with three-on-the-tree shift).
``What happened? Did the landing gear fall off or something?'' (-:
Got time? Spend some of it coding or testing
If you transmit enough jiggly pix in your data stream then the script kiddies will forget what they were trying to do.
You never really know how close to the edge you can go until you fall off.
Just for everyone's information, I talk to different satellites on a regular basis using nothing more than a mobile (car mounted) radio and antenna that is less than 6 feet in length. (~60 watts transmitting on 2 meter/70 cm frequencies) (AO 27 and Oscar 14) You do NOT need a huge antenna, but this depends entirely on the satellite. Think 2 way internet via satellite...
I'm sorry, but are you *trying* to miss the point? Encrypting the control link to a satellite is not specific to satellites in any way, it's just another application of encryption. The only part where it becomes satellite-specific is on the payload level of the protocol. Ideally you'd not tell anyone about *that*.
one of the common mantras on /. is that security through obscurity is NOT security.
however, neither is encryption.
encryption and obscurity are MEASURES towards providing the illusion of security.
obscurity is a measure that says "as long as they don't sense this or think of it, we're ok."
encryption is a measure that says "as long as they don't crack this, we're ok."
neither is secure, but both together ARE decent measures, if you combine them right, kinda like front lines in a battle. have an invisibility shield (obscurity), but if that fails, have opaque defenses that are hard to break (encryption).
obscurity means you lose a level of trust with those inside the company - encryption means you lose a level of trust with the outside world.
i'm amazed that i survived - an airbag saved my life.
The guy who started eEye was originally busted for breaking in to the computers that controlled the GPS sats. I saw it on the MTV hacker special, and besides, I used to know the guy.
you may remember back in the 90's when challenger
went down and the US space program was set back to no more shuttle launches.
meaning their spy satellite programs fell way behind the soviets. well just so happens that some old weather satellites changed their orbits ..... right into the russian spy satellites
sorry guys already been done. I could post proof but then i'd have to tell you where it came from and then get shot by MI5 or someone
perl -MIO::Socket -e 'IO::Socket::INET-new(PeerAddr="some.windoze.box:1
IS THERE A RISK OF DOS?
Yes, absolutely! Ham radio operators have done moonbounce and many of them routinely communicate via satellite (transmitting to a satellite and receiving signals from someone else transmitting to a satellite - "hamsat"). There are also RF amplifier designs that would surely overwhelm (or at least degrade) your signals. Anyone with technical knowledge of RF and some skills at putting a system together could DOS you. Of course, these signals could be traced so that the DOS could not last very long without serious risk to the perpetrator.
IS THERE A RISK OF DECIPHERING COMMAND CODES?
Again, yes. In order to decipher these codes all one has to do is locate in the vicinity of your physical command center, buy (or build) a receiver capable of detecting the frequencies you use, and put up an antenna (under the guise of amateur radio if necessary). Now they can sniff your uplink and downlink. Once you have access to both of these it's only a matter of time and intelligence before they determine your data structure.
IS PHYSICAL SECURITY ENOUGH?
No. Information within a company can be likened to a conspiracy and no conspiracy is ever safe. Someone, at some time, will see their own self-interest as higher priority than the group's interest. A perfect example of this is CIA's Project Jennifer (the Hughes Glomar Explorer). The newsworthiness of the project overwhelmed some of the participants with a sense of their own self-interest and they told news agencies.
Someone at your facility has probably already told someone else NOT at your facility enough details to allow them to do your system harm, if they wished.
SHOULD THIS INFORMATION BE ENCRYPTED?
Yes, absolutely! What's more, it should be encrypted under a method that will allow the key to be changed on a regular basis.
Given the expense of losing control of a satellite, the costs of security would be a pittance in comparison. Given what you've told us about the signals security at your facility, I imagine that the physical security and network security (does anyone have a modem in their desktop so they can work from home?) is likewise not very good. I would recommend a thorough analysis of all of these.
No one ever had to evacuate a city because the solar panels broke!
and indeed to image a beowulf cluster of the fuckers.
update comments set karma=-1, reason='offtopic' where sid=26315
In radio there are two main things which determine who will win in a contest of signals, they are: Line of sight, and wattage. If the person attempting to stomp on your signal has equal line of sight, and superior wattage, yes, he will stomp all over your signal. You might be protected from regions of the world which don't have line of sight to your satellite, but anyone else... The only good news I have for you is, it's not terribly difficult to triangulate and track down a radio signal if the event were to happen for a sustained period. The problem would be, he could be anywhere that has line of sight. If it ever happens, definitely call the FCC and get manpower, you'll need it.
Freedom is merely privilege extended unless enjoyed by one and all.
Well, I certainly don't think the transmission gear is a barrier to entry. You can most certainly communicate with a satellite with a 100W amplifier and perhaps an 8 foot dish (+45db gain). Mebbe even smaller, it's been years since I've touched the stuff. In fact, I'm sure smaller, but perhaps you'd need a higher power amplifier.
When in the service, we'd regularly use an 8 foot dish (about 45db gain) and transmit anywhere from 5 to 20 watts. You might be able to jam a scientific satellite with a strong signal, but the military jobbers (and prolly the commercial comm sats too) have multi-horned directional antennas, so the operator can shut off signals from a certain part of the "ground", say, California, but still be able to talk to the rest of its line of sight.
Anyways, you can get commercial gear for less than $10,000 USD that would give you the capability to communicate with a great many satellites.
Think of it in terms of physical security. You wouldn't leave your office unlocked just because you thought no one knew where the entrance was, or knew how to operate your special door handle which required no key.
Your uplink is publicly accessible, and therefore should require some sort of key. The strength of the lock should be determined by the ratio between needed security and money available for the lock. Sure, it'll cost a few k in development costs to put a better lock on, but think about the money lost if the satellite drifted under the control of a hacker, and you didn't have the fuel to put it back.
Of course, telling a group like this that your satellites are largely unprotected is like telling a kid the candy store is unlocked and no one is watching.
The other issue is that your customers likely have insurance on the sats. It may be that a good encryption system will lower the insurance cost, and thus make your sats more valuable when people start hacking into them.
-Adam
Maybe I missed the point of this 'article' but he seems to answer his own question when he states the military's solution.
Physical security is very important in order to stop someone from screwing with your bird, and what he laid out seems good, as long as the people supporting it adhere to its design.
If you are broadcasting data from a satellite, anyone can pick it up. If it's encrypted, then it becomes difficult to translate that data into something meaningful, but people can still receive it, it is just a radio signal.
The Kruger Dunning explains most post on
Can you imagine the fame that a hacker group would get if they changed the orbit of any bird?
It would be huge. That alone would be enough for some people, who would do it regardless of laws.
As far as your data is concerned, if this company makes money from the data, then encrypt it, otherwise someone else will take it and sell it to whomever you're selling it to, but if it is JUST for research, I say don't encrypt and tell everyone where they can point their personal dish to receive it. The more people that receive scientific data, the more likely someone will find something useful.
The Kruger Dunning explains most post on
I was a payload systems engineer for a major manufacturer of commercial communications satellites (now retired). All our birds had encrypted command links: DES for export or an NSA chip for domestic users. The command link was very narrow band and had a low data rate - everything happens in slow motion in orbit. The uplinks typically used a KW klystron and a 30' dish so jamming or DoS is difficult and would just about have to be an inside job at an earth station or a hostile government. We would never use an internet connection. If commands were sent from off site we would use dedicated phone lines. For launch ops we would set up two leased lines and a dialup.
There was one incident in the early 90s when "Capt. Midnight" broke into a TV channel with a rude message. That was an inside job, but I don't remember if he was caught. It did scare one customer into specifying an elaborate "intruder detection and elimination system" where the bird's antenna pattern could be changed to put a null on the intruder.
All I can recommend is to use encryption - it's not that hard, and stay off the internet.
Reverse engineering of your command structure is not necessary unless someone wants real control of the satellite. The ability to record and playback commands is probably enough to do some serious damage.
1. Yes. As someone else has mentioned, satellite receivers link to the most powerful signal. Depending upon the orbit and radio frequency of your satellites, the transmitter may require anything from a simple dish to a huge tracking dish. For most purposes, an old C-band dish would suffice, but would require a transmitter. Tracking systems can be cobbled together from COTS parts, although there are gotchas.
2. How many of you think that you could decipher the structure of the command (given the motivation)?
Consider that a high school science teacher and class in England managed to capture and decode the downlink of the GLONASS (Soviet GPS) satellites. Your downlink is broadcast to anyone listening within the footprint of your satellites' transmitters. If that same someone listens to your uplink (more difficult but there are sidelobes), they can eventually learn your command set from the changes in telemetry. BTW, recognizing telemetry is relatively easy. Satellites report on a standard set of characteristics (attitude, power, data) and can be easily understood.
3...Take a look at the security protocol (which is based on IPSEC, et. al) and tell me if you think it is secure, or whether you'd want to crack it.
I get paid for that. Without more time than I'm willing to
About 3 years ago in a university library I accidentally stumbled upon a stack of documents that described in detail how to build your own receiver to downlink meteorological maps from the GOES weather satellite(s). Don't remember if it contained any uplink info as I'm currently 3000 km away from that library :-(
Yes, I had the very same thought. I think that the best way to get them to increase security would be to ditch a couple quarter billion dollar birds in the pacific. Or out the other way; either would have the same effect.
I think the very next day there would be some very frank discussions about security.
He wants to INCREASE security, not eliminate it. In addition, I assume that a satellite cannot be rebooted once per day so NT,2k,xp is out of the question.
Patching a satellite is very risky (what if it doesn't come back up, or blue screens after a patch?)
Since a mature version of linux/unix requires very little patching, and NT needs a patch a week almost... well you get the idea.
Security tips:
1. Write routines that check origination of communication against a known source list.
2. Use strong (A-Z a-z 0-9) alphanumeric passwords of at least 14 characters in length. Don't be afraid to use punctuation.
3. Use at least 128 Bit encryption for all communication. Ensure that the cryptographic keys are not only made in a secure (unpredictable) fashion, but that they don't get compromised by prying eyes.
For more security tips look up www.securityfocus.com and other similar sites.
l8,
neilio
Uhm, Challenger went down in '86
Shuttle flights resumed in '88, not "back in the 90's"
The shuttle may carry occasional military payloads, but it has never been the preferred LV for these jobs.
Look at the record for weather satellites. No catastrophic failures in this time frame.
I don't have time to get into the astrodynamic & dV arguments.
And finally, I work in the field. It didn't happen. You are so FOS.
If you really want to emphasize that security is extremely important, you might tell your company that, while command and control of commercial and military satellites are protected with strong encryption, the scientific birds are prime targets for the simple reason that they're already in orbit (which is the primary price of entry that prevents space havoc from being done by those who would do it). Now admittedly, you'd have to know a hell of a lot and have very good tracking and targeting, but if you wanted to take out a military/commercial bird, what better way than to do it with a scientific bird already in orbit? At a bare minimum, I know that control of satellites provides top bragging rights in the hacker community... the trick is how do you verify? Knocking something out (independently verifiable, like PAS2 or some other TV signal repeater) or forcing the Intl. Space Station to move (recently reported in the press) are the only ways...
Technological barriers fall rapidly over time (and this includes encryption... I believe the military birds are re-keyed regularly) and even minor nation-states (and even some of the more affluent US high schools) can, with a little gumption, overcome simple issues such as having access to a parabolic reflector of the right size and a transceiver that uses the right frequenc{y,ies} and modulation.
Given the illustrious history of failure the scientific birds have, perhaps the lack of concern over command/control security is well/mis- placed.
What's the IP?
I cannot imagine 2-meter wavelength being referred to as "very long". They may be using signals in the 140mHz range (VHF) to communicate with submarines but the signals are certainly not penetrating the deep ocean.
Last I heard (and it's been a while, I admit) the USN was communicating (one-way) to submerged submarines using a wavelength of about 6000 meters (50kHz) from a million-watt transmitter near Arlington, Washington (Jim Creek). This station was located in a valley in the foothills of the Cascade Mountains that faced WSW and the antennas were strung from one ridge across to the other.
When you drove up to the station you had to park with your bumper against a grounded barricade so that the car wouldn't act as a capacitor and build up a charge which would be discharged (through you!) when you tried to open your car door.
No one ever had to evacuate a city because the solar panels broke!
He's not talking about a CB radio antenna...
He also hasn't told you what satellites, let alone where they are (ever have your DirecTV antenna misaimed by a half degree?), or what frequencies they use. Also, telling us he uses "radio" to communicate with his satellites provides approximately as much information as telling us that the signals are binary encoded.
If you want concrete, real-world examples of how badly-designed (or nonexistent) security systems can fail, see Ross Anderson's book, Security Engineering.
The question to ask is not whether it's possible/easy for someone to hack your satellite, it's can you afford it if they did? The answer to that would seem to be no. That means you cannot afford to not use the best protection available to you.
I would presume that any bird flying might be of -some- interest to a hacker, even if it were just flying around and transmitting a beep tone every second.
If your firm genuinely values this satellite, and if this satellite handles data of any value, I wouldn't play any games. If I lacked the in-house knowledge, I would hire a firm with significant satellite experience, e.g. those that have designed several or dozens of satellites, and bring one of them on board for their expertise. Securing this craft shouldn't be seen as a learning experience; any mistakes could be costly, and re-engineering solutions probably wouldn't be met well by senior management later.
If you were planning to build a satellite, I might start a general survey of security techniques, techniques as they apply to your special circumstances, prior to development. Since it is already up, I would get my hands on expert talent (not even just a consultant, but a firm with military satellite experience). Your firm would also learn what it might need for the next craft, and this would be very valuable.
Good luck...
Sam Nitzberg
http://www.iamsam.com
sam@iamsam.com
As mentioned by another poster, unless nobody ever leaves your company and nobody ever talks, you can be vulnerable even if the protocols are never published. It is difficult, but not impossible, to reverse-engineer these protocols. It may be easier with your birds than with the commercial communications satellites I'm familiar with, as the downlinked data is probably more tightly coupled to the operational scenario (i.e.: your commands to the spacecraft will be reflected in the data stream coming down, which probably isn't encrypted.) It's pretty hard to tell the effects of most maintenance commands from the ground unless you have a telemetry receiver, which are expensive, platform-specific, and hard to come by. And you still have to know the protocol to decode the telemetry.
You may have a closed network, but it only takes one moron with a notebook and a modem who forgets to disconnect from the intranet before dialing up their ISP to change that. Or someone with a compromised computer which is then connected to your intranet. *sniff* *sniff*
A DoS attack doesn't have to be deliberate to be effective. The gremlins can get you as well; e.g.: backup command center is offline as online command's HPA fails, and nobody can talk to the bird. You need to be able to deal with these types of outages as well.
The moral of this story: the security issues are simply additional operational scenarios to address, just like a communications, gyro, or power system failure. You try to prevent these as best as you can, but you also must plan on such problems occurring in spite of your best efforts, and be ready to address them. You won't be able to think of every one, but every one you address in advance improves your chances of being able to recover from the incident.
You may want to integrate security breaches into your procedures as another failure mode; e.g.: battery heater fails. Possible causes: (1) failure of heater element, (2) power bus overload; (3) disabled by unauthorized command. Some scenarios may lead to total mission failure. C'est la vie. At least, if you've thought of the scenario in advance, you have the advantage of forethought if and/or when the problem actually occurs.
-- Remove the BOING from my email address if you don't want it to bounce.
No, it seems from the idiocy of your questions that you're looking for a job. Who hired you at the current one, given that you seem to know nothing about it?
Detailed command information should be restricted data. It should only be distributed to those with a need to know.
Engineering and operations personnel should have security clearances.
I would be more worried about unauthorized access to the computer systems and networks used to generate and relay commands to the ground stations for uplink. Why build a ground station when you can use an existing one.
I see a lot of comments saying something like any cracker with an antenna could crack them. But stop and think about what you really need to do this. Telemetry, command and control and antennas on satellites have to be usable at ALL times, otherwise they are useless. Thus this function is typically separated from the main antennas. If your shiny new satellite is spinning out of control in space due to a bad launch and its main high gain antenna isn't pointing toward the Earth, you want these things to work regardless. Thus the antenna for command and control of the satellite is omni-directional and thus low gain. As a consequence the gain of the antenna on the ground needs to be larger and thus the antenna itself is larger, typically 20m or more in diameter. Thus the equipment required to do this might be available to large government or private interests, it's not available to your script kiddies. So if you're running a micro-satellite whose main reason is scientific research, and you want to share the scientific data in any case, why bother securing it against the few malevolent large organisations that probably 1) have no interest in your system, and 2) would cause a major international scandal if they damaged your system in any way due to their efforts.
Cheers
David
This is a subject dear and close to my heart. I've worked for many years in this very field and find it fascinating that it has shown up on /.
Yes it sounds like your current architecture is vulnerable to outside vehicle control. There are ways (besides encryption) to control this.
I'm not comfortable discussing this publicly, however I would be more than willing to chat/email privately about it.
If teridon would provide a way to contact directly, I will initiate contact and would enjoy sharing ideas.
All your satellites are belong to us!
Look up the user and previous postings (#931886) is a good one. Oops, there goes the obscurity.
To find out where satellites are is easy, all you need is to download the two line element files (tle's), load them into a satellite tracker program, most of which can control dishes for tracking purposes, and you are away.
Is it easy to do? Yes, couple of days reading on ham sites on the net will tell you all you need to know. Will it be expensive to do? Depends on the size of the dish needed and your electronics knowledge, but $2000 ought to do with some spare.
Do people want to? Sure, more interesting than doing windows for the n'th time...
If you want to read some more about using satellites ask google about 'Dr Dish'...
Forget about running another cable. While YOU may not check the dish in your backyard very often, you can bet that any extra wires, especially those that don't go to the control center will be found VERY QUICKLY at a large facility. (Perhaps even by the lawnmowing guy.)
However, these dishes are actually large, concave, parabolic mirrors. Might it be possible to bounce a microwave or other radio beam (of the right frequency, of course) off the "official" dish and to the satellite?
Since (presumably) satellite downlinks cover a large area, receiving is not a problem.
As for sighting a satellite, it is possible to actually see quite a few satellites on a clear night in a rural area (or with a light pollution filter). It is possible to determine which satellite you see with only a little not-too-specialized knowledge and what orbit and about where on that orbit a satellite is.
(Sorry for the rambling/runons/etc.)
One SCUD with a payload of BBs will put the Great Satan out of the satellite business!
-- Saddam
I know, troll, troll, troll...
but I like my unhackable 286 that I threw away after having pulled off all the chips and cracked open the ceramic casing on the CPU, and dismantling the HD and putting the platters on my cork board...
But it proves the point that a system can be unhackable, and it helps the point that there's a balance between hackability and usability.
Whew! I logged in and saw the original message and wondered for a sec... I'm glad that someone found the humor in it and didn't dismiss it as a 'troll' or 'flamebait.' I'm glad I don't have to tell you about the IIS server I ran (I'm not the admin anymore) that has had over a 2 month uptime. Remember, regardless of the OS it's running, if it's set up by a knowledgeable admin that configures things properly and securely <?insert_here(sheepish_grin);?> you'll get good server reliability. And no, before you ask, I don't have a bridge in New York to sell you! :o)
Not the reply I was expecting. Kudos! ;)
heheheh
My suggestion would be:
If the satellite is not streaming data all the time, then I would make it stop transmitting all data when commands are being issued. It would also then need to Tx confirmation to the base station and then receive the appropriate confirmation. In this way all legit users would know that the sat is being tampered with and they could swamp the Rx by transmitting a couple of dB's higher until they had triangulated the hacker and sent the nuke to get him...
You might be able to quite easily get an appropriate signal to the Sat... but to have the appropriate modulation etc might be more difficult. We are assuming that this is not a communications sat, if it was and could receive signals across a range of frequencies it would be fairly easy to prevent the average financially challenged hacker from talking to the sat.
I think it is fairly easy to protect these sats from hacking. I am surprised that this question was even asked, unless it was from a person who had some but not enough information to think that he had discovered that his company's sat was unsafe...
All I need is another 3db or so either by a larger dish or a more powerful transmitter and I can flood most receivers. PLLs will tend to capture my signal rather than yours.
There are radio amateurs with 10m dishes who can put out a few kilowatts. The dish is hard to hide though in an inhabited area. Note that an uplink for a TV remote vehicle is relatively small at about a couple of metres.
There are transmission design techniques, such as that used by GPS that make the signal far more difficult to swamp. The receiver is 'looking' for a pattern in the signals and will reject signals that do not fit that pattern. Such a receiver is far more difficult to swamp.
See my journal, I write things there
Let's look at Iridium as an example:
Motorola controlled the Telemetry Tracking And Control (TTAC) function for Iridium's birds. The satellites were controlled through, of all things, SNMP! Yes, it's true. SNMP issued commands controlled the basic functions of the satellite. Commands were issued from TTACs to the birds as they passed overhead. One can only communicate when the satellite is over the horizon of the transmitting/receiving TTAC, you can't just broadcast a signal from anywhere and hope the satellite gets it. Next, you can only communicate with a satellite that's listening. Power consumption is a critical issue in satellites (no 120v ac in space.) Therefore, the satellites only listen and transmit when they are overhead of a TTAC. The signal must be coming from or going to the general area of the TTAC (it's directional). Because they communicate as they travel overhead, the distance involved, etc, this creates a distorted egg shaped signal "footprint" around the TTAC. When the bird is directly overhead, the footprint is shaped like a circle (for Iridium, approx 20 miles diameter), then back to an egg shape as the bird approaches the far horizon. Any HAM/hacker wanting to snoop or squash the TTAC signal must be in the general vicinity of the TTAC in order to be able to receive or transmit effectively.
Motorola had several issues that are probably prevalent throughout the commercial sat industry. First, the TTAC stations WERE connected to the rest of the Motorola network, which in turn connected to 3rd party networks, and on and on. Even though Firewalls, ACL's were used, they were based on very general rules, usually restricting to broad networks. Also, dial-in was supported on routers throughout the network for maintenance, so the best way around the Firewalls would simply be Soc. engineering a router password and dial-up the TTAC router/switch.
This could be achieved by: Locate the TTACS for the satellite in question, usually public info. Get any phone numbers at that location you can. WAR dial a range of numbers around the TTAC numbers and note any Cisco devices answering. Use the SE'd passwd on the discovered Cisco dialups until you find a winner. Once in, either swipe the control apps for your own transmitter/receiver, or perform a one time attack since you are unlikely to get a second chance once they notice.
SIDE NOTE: There is NO chance of anyone ever using a satellite to crash into another bird. It takes Motorola several months just to move 1 bird from orbit A into adjacent orbit B. Fuel is extremely limited on these things. Besides, picture the entire earth as a parking lot with 50,100 or even 500 hundred cars continuously driving around on it. What is the likelihood any of them will ever collide, much less run into each other. Now imagine it with each car having 1 gallon of gas to use. The logistics now become very clear.
Bad idea, for the following reasons:
1) It takes more time than that to verify the fixes, test the changes, and upload it to the satellite. Add in insurance costs since one bad opcode could shut down a $50 million satellite and they want to make sure it WORKS first.
2) The entire OSS community will not help out all at once. The people likely to help will be the ones interested.
3) Unless they have an excellent response system already in place, more hacks will be done in the time between fixes (at least in the beginning) than would happen now (through obscurity)
I completely support open standards, but it is sure a lot easier to START with them open, rather than investing a lot of money and effort and then opening them up...
Since the economy is soooo bad, couldn't you just hire someone to sit in the satellite with a joystick in their lap?
Fuck you! And get off my front porch, you young whippersnapper!
Stupid smartass kids. It's pretty obvious from the fact that I'm here that I value my privacy!
You had it until you posted here. You no longer have obscurity. Now there are 1000 /.ers trying to hack your satellites.
When VPNs are outlawed, only outlaws have VPNs.
Can someone effectively execute a DOS attack by uplinking to the satellite with a powerful signal
It's certainly possible, and it's called "jamming". This costs a lot for plain random troublemaking; it takes a steerable dish and a fairly high powered transmitter, with a big electric bill. It seems rather unlikely someone with that budget would spend it just to mess up a science experiment. But unless considerable effort goes into protecting a satellite, jamming it would be small potatoes for a military operation.
There are some substantial (but very secretive) defense contractors making radio and radar jammers for the US military. To jam a satellite using a fixed command frequency, you just point a dish at it and transmit at the same frequency with at least as much power as the actual command center. (I mean power delivered to the satellite antenna -- that's a product of the actual power and the transmitter dish's directionality.) The two signals basically add together, so if the jammer just sends a non-varying signal it's quite likely that the receiver will still be able to pick the commands off the top. But just about anything that varies without too much predictability will do for a jamming signal -- white noise, classical music, Slim Pickens yodeling, Howard Stern...
The most common method of defeating jamming is to change the frequency. Every so often, computers on the ground and in the satellite compute a pseudo-random number, and change to that frequency. It's easy to do that once or more a second, and the jammer is not going to be able to find the new frequency fast enough. (Assuming the number sequence is secure, against both espionage and cryptographic reverse-engineering.) However, if they _really_ want to knock you off the air, it's possible to transmit a very high powered broad-band signal to jam all the channels at once. If there are 1,000 possible channels, the jammer has to be 1,000 times as powerful. Do that to a US military satellite, and I think you will knock it out for a while, but: (1) in a few minutes the satellite orbit will take it out of view from your dish; (2) unless you're a nuclear power, eventually they'll get permission to send a cruise missile into your ground station; (3) That much broadband power will mess up other communications as well, and get other countries mad at you. There are stories that the Soviets used to play a little with our satellites and vice-versa, but nothing serious because both sides had too much to lose...
Another protection against jamming is to use a very directional receiving antenna, so any jammer would have to be on territory you control. This also substantially reduces the required transmitter strength. The problem is keeping that receiver dish pointed at home. In a satellite, you would have to also have an omnidirectional backup antenna, to use to re-gain control if the satellite tumbles. This makes it more complex and expensive than frequency-hopping.
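The frequency-hopping scheme described in the comment above, as an added example that is not part of the original thread: ground and satellite derive each time slot's channel from a shared secret with HMAC-SHA256, so the sequence cannot be predicted without the key. The key values, the slot numbering and the drift tolerance are assumptions made for the illustration; the 1,000 channels are the comment's own figure.

```python
import hashlib
import hmac
import struct

CHANNELS = 1000  # the comment's figure of 1,000 possible channels


def hop_channel(key: bytes, slot: int, channels: int = CHANNELS) -> int:
    """Channel for one time slot; both ends compute this from the shared key."""
    digest = hmac.new(key, struct.pack(">Q", slot), hashlib.sha256).digest()
    # 64 bits reduced modulo 1000 leaves a negligible bias.
    return int.from_bytes(digest[:8], "big") % channels


def receiver_channels(key: bytes, slot: int, drift: int = 1,
                      channels: int = CHANNELS) -> set:
    """Channels the receiver accepts when its clock may be off by +/- drift slots."""
    first = max(0, slot - drift)
    return {hop_channel(key, s, channels) for s in range(first, slot + drift + 1)}


def jammed_fraction(key: bytes, jammed: set, slots: int,
                    channels: int = CHANNELS) -> float:
    """Share of time slots whose channel falls inside the jammed set."""
    hits = sum(1 for s in range(slots) if hop_channel(key, s, channels) in jammed)
    return hits / slots


if __name__ == "__main__":
    key = b"constructed-demo-key-0001"      # constructed sample key
    print("first hops:", [hop_channel(key, s) for s in range(8)])
    # A jammer parked on one channel only hits about 1 slot in 1,000.
    print("single-channel jammer:", jammed_fraction(key, {123}, 20000))
    # Covering every channel blocks every slot, at 1,000 times the bandwidth.
    print("broadband jammer:", jammed_fraction(key, set(range(CHANNELS)), 500))
    # Re-keying yields an unrelated sequence.
    print("after re-key:", [hop_channel(b"constructed-demo-key-0002", s) for s in range(8)])
```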
A Laika-like dog could be trained to guard the sat.
DOS attacks seem possible. If an attacker just wanted to lock up the receiver on the bird, the strength of the signal hitting the bird would matter. A large antenna would obviously help, but the antenna gain is only one factor. Another is the power output from your amplifier. One could use a much smaller antenna if one had a powerful enough amplifier. Building a high power amplifier gets difficult as the frequency goes up. Feeding that power into an antenna, especially at microwave and higher frequencies, requires very precise alignment of waveguides, etc.
Some obvious steps might be to have the satellite only accept commands at certain times of day (but this would be trouble if you have an emergency), or only when commanded on by some series of signals, or the presence of a particular sub-carrier, or some other such notion, i.e. some way to "turn on commanding mode", so the default is to not accept commands and therefore the door isn't always open...
You could/should also employ some sort of command verification step, where the vehicle would echo the command to be executed, and then await confirmation before execution. Confirmation could be via a different uplink frequency, or an encrypted password, etc.
Ground antennas to command satellites would probably have a fairly narrow beamwidth in order to be efficient. Anyone transmitting with a high signal strength would be pretty easy to track down -- just fly around with a spectrum analyzer and look for the signal.
A log kept by the satellite of all contacts, commands/times/etc might provide some warning -- If someone was really going to try to control your bird, they'd likely have to make multiple attempts.
You could pre-assemble the commands into a block before actual transmission -- then send it all at once, in seconds. 'Harder to record/analyze/decipher that way...
I mostly want opinions on whether cracking a science satellite would be worth the time.
Let's say some nation (**cough**Iraq) gets tired of American spy satellites watching it. I hope these satellites have pretty secure command authentication. So instead, they take over the steering of other unprotected satellites and try to run them into the spysats. Even if they miss, your experiment schedule is ruined.
If you are depending solely on security through obscurity, cracking it is going to be much easier than getting a shoe full of plastic explosive onto an airliner... Just a few random ideas: (1) Record a few thousand transmissions, and what the satellite does after receiving them. Hire an out of work Russian mathematician to correlate them and reverse engineer the protocol. Heck, I once had to reverse engineer a communications protocol because the developer hadn't completed the documentation; it's not that hard. (2) Get a spy on the payroll. American science researchers love to hire foreign kids with no idea of American pay scales. (3) Go dumpster diving. Chances are you or your customers are printing out command sequences to be checked, and then tossing the printouts in the dumpster.
So you really should be using a cryptographically secure authentication scheme. As it transmits a command, your computer adds a timestamp, computes a hash of the command, timestamp, and a secret key, and appends that; the satellite checks the timestamp is reasonable (within a second or two), then also computes the hash and checks it. If you can keep that one number secret, you are secure as far as taking over the satellite goes.
Yes, you are entirely correct about that, it was inserted on a spacewalk. However, the article mentions that Pentiums weren't ready for space.
Employee of Inrupt, Project Release Manager and Community Manager for Solid
I've worked in the satellite industry as well and there are a few things I can tell you from experience:
- anyone can download the CCSDS PDF documents describing TM/TC links, error correction codes,... And although not many attackers would be courageous enough to implement the whole protocol (I implemented it partially and it was quite lengthy), tiresome bits like Reed-Solomon and Viterbi are freely available from some internet sites. I would say that the protocol aspect is not a security guarantee, since I for instance could develop the protocol stack.
- As for the hardware, you are kind of right saying not many people would have the right antenna. But it must somehow be possible to use compact antennas/modems since you can buy satellite telephone handsets and most telephony satellites are geostationary (> 30,000 km). Off-the-shelf satellite reception systems exist and are pretty affordable but I don't think the same is true of transmitters. Depending on the kind of modulation used (It's usually QAM, I think) and the availability of commodity hardware, you would have to be a reasonably skilled electronics and telecom engineer to mount such an attack.
- Now, assuming the threat actually exists, I would probably foresee a narrow emergency TC link off the main TC band, so that I can upload emergency commands to the sat. Also, if your TM bandwidth allows it, you may have all TC's echoed to the ground. This way, if someone is attacking your satellite, you would notice it immediately and could possibly also locate him/her. And I don't think you could DoS a satellite for long before getting caught, unless you start using mobile attack equipment: 3 satellites would suffice to locate you and the sidelobes of your antenna could betray you on the ground as well.
What you're telling about unencrypted streams is amazing. Most commercial or scientific satellites I've seen so far use 3DES or a similar symmetric algorithm, for uplink at least.
Note: I'm not an experienced space engineer. It's just that I've worked some time in the field. So don't take my suggestions for granted.
grungie.
Most often spacecraft have different uplink/downlink frequencies. In addition, there can be different frequencies for "consumer" data and "command/control/telemetry". Thus, "snooping the bird" is probably not what you think it is. Most likely you would be sniffing the wrong frequencies. Also, using spread-spectrum modulation, it is no longer so simple as to scan a wide frequency range looking for a signal....you may never see it - it can be within the noise.
In addition, the uplink and downlink frequencies are RF. In reality, these high frequencies are used as carriers, the data is modulated at an IF level within the spacecraft and groundstations. And then typically, the IF is again converted into synchronous bit streams to the computer systems. Thus, there are a few layers of modulation/demodulation you need to figure out.
Groundstations are not necessarily expensive systems if you build them yourself. However, this can be expensive as far as being time consuming. Many low earth orbiting spacecraft groundstations only need a few watts out of the groundstation to a low gain antenna. This is not the problem, the mixing frequencies are more of the problem.
If you can get this far, then you will have access to the bit stream that most of you think you have easy access to (like snooping a tcp udp packet). Getting to this level is not as easy as it sounds. I suppose here is where things can get easier, especially if you do not use encryption.
Unfortunately, as mentioned a few times in other posts, the frequency of a specific command being sent is probably not as often as you think. And, you would need to "sniff" enough "packets" at the right times to proceed.
Anyhow, to make a point, I suppose if the ground station computer systems are reachable - even indirectly - via the Internet, I would be more concerned about that link since it would be a lot simpler to hack that than the RF/IF/packet. Or, I would be concerned about the groundstations being physically accessed. And, finally, as mentioned already, source code and hardware documentation would be the best stuff to keep "secure" since these are the blueprints to making the system.
McFly777
- - -
"What do people mean when they say the computer went down on them?" -Marilyn Pittman
should read:
"One SCUD with a payload of BBs will put the Everyone out of the satellite business!"
For as little uplink time as you require, 100GB of one-time pad data should suffice. Especially if you use it for critical commands only. (i.e. Shutdown, Re-task, Software/Firmware revisions)
Ignored Since 1973
... and that to attempt communication you need a radio antenna.
I can't believe he let that slip either! I mean, really, now everyone knows that his satellite com link isn't a really long ethernet cable.
There probably isn't any real threat from everyday hackers, but even though it's pretty far out, messing with satellites using security flaws wouldn't be out of reach of well funded terrorist or rogue states. I mean, I think the chance of this is remote, but it would be pretty ugly if some group/rogue state managed to disable/fry a bunch of satellites.
In a previous life, I worked for a major American space systems company. I worked on the ground station software for the command and telemetry systems in Intelsat VII and the NTT N-Star series. I had brief affairs with command and telemetry for a few other spacecraft. Those are my bona fides, and my resume is on my web page.
On the issues that concern you:
1. "Can someone effectively execute a denial of service attack by jamming the uplink signal at the analog level?" Yes, but you might be able to make it hard enough that it costs more money than it's worth. Remember that such an attack will have to be launched from near the terrestrial location of the ground control station. There's some steps you can take to use that to your advantage.
2. "Can you decipher the semantics of the command set?" We're assuming I can spoof the uplink and send random command strings and get them executed by the bird? Access to the telemetry would be crucial here. If I can't read the telemetry associated with valid commands, then the best I can hope to do is to upset the bird on my second or third valid command. Actually controlling the bird for a useful end is probably out of the question. (Though, it might be worth billions of dollars just to be able to kill the bird.) So: Encrypt the telemetry. Put the keys in God's Own Safe. But PLEASE don't let script kiddies execute valid, randomly generated command strings on birds they don't own! At least, force them to steal the symmetric keys for encrypting the command strings from the same safe you put the keys for encrypting the telemetry.
3. "Are the standards based approaches secure?" They're basically as secure as the setup you're probably using now. Maybe a little more secure, if the implementations you use are very mature and security experts have been grovelling over every line of their code since Turing was a teenager. You *ARE* planning to make all of the avionics code upgradeable on orbit, right? Security depends on the timely application of patches, you know.
--
jhw
As a military member with some experience with satcom, I can say a few things on this. The first being that in order to even GET the frequencies you are using, you will either have to get right up to the antenna (trespass?) or somehow get in between the line of sight with the sat and your transmitter (fly around and hope it's overhead). Secondly, a simple thing is to have a special identity code contained in transmissions to the bird. Doesn't even have to change but once a month couldn't hurt. Someone would have to de-engineer the command structure to FIND where the ident code is, and then it's only good for so long anyhow. Not even an encryption key, no SSH, nothing. One of the systems I operated had encrypted uplink/downlink, but then you also needed an identity number, which changed monthly. Net control station could remove the identity numbers allowed access. A DOS attack, by using a steady transmit, can and WOULD be located quickly. A common problem we saw with improper equipment setup. A sideband was used to re-tune the receiver, I believe. So now you need: a plane, a wideband receiver to try and locate the correct signal, a transmitter and antenna, and some idea WHEN the satellite is overhead. Sounds like several people and a good $ backing is needed before you could really go for it, and then what's the purpose? You don't even know what sort of equipment the bird is carrying yet.
I was under the impression that all security is obscurity, just different levels of it.
I mean, isn't encryption just hiding the magic 500 digit number?
Well, this is my first post on SlashDot, even though I have been reading it for many years. I couldn't pass up the opportunity to provide some comment on this subject as it pertains directly to what I do for a living. I have designed satellite communication systems (on the ground, and on the spacecraft) for several DOD, NASA/JPL, and commercial programs, and I have a few comments and thoughts to post on satellite security. As to the main question, would it be time worthy? I would have to say No. It would take a significant amount of expertise and knowledge to even know where to begin, not to mention a lot of really expensive hardware. First of all, DOD programs without a doubt are going to be encrypted. Commercial satellites as well are normally going to be encrypted. NASA/JPL also uses encryption, though not to the same extent, and not on "all" satellites. But even without encryption (and we will talk about the RF in a minute), there are other factors. Commanding a satellite is not like sending an email. There is a complicated command structure which is invariably different on almost every satellite. This structure would most definitely be difficult to decipher. Commands are also subject to onboard (satellite) logic to determine if the command is real (i.e. does it make sense?, is the command sequential with other commands?, does it commence at the right time?). This is done more as a check and balance against ground operators, than "satellite" hackers, but it complicates the matter either way. The downlink is even worse. Even "if" unencrypted, the downlinked data will most likely use several different data rates, on multiple carrier/subcarrier configurations. The telemetry will most probably be further convolutionally or Reed-Solomon encoded, and let's not even talk about sub-commutated telemetry options in which the format of the telemetry frame will change on some pre-defined basis. Now, as for the RF.
Can you "jam" a satellite, to perform some type of DOS attack? Yes, if you had the proper equipment, and (here's the tricky part) could "out-RF" the people who use the satellite regularly. Let's use a commercial business as an example. Business A has probably spent 2+ million dollars on a 10m+ antenna to talk to their satellite. They are most likely implementing a pricey HPA (high power amplifier), sufficient to provide 30-40 dB of link margin on the uplink. I don't know many hams with access to this type of equipment. As for the physics. Well, there's all kinds of other problems. LEO satellites for example MOVE. There's the astro-dynamics to consider (i.e. where's the satellite you want to talk to). Things like RF doppler shift and antenna pointing accuracy come to mind. Not to mention downlinks will only happen if co-located with a "real" ground station. Geez, there's lots of other problems I don't even have time to mention. Differences between CCSDS and SGLS, different RF bands, satellite command addressing.... Anyway I guess the bottom line is, I don't lose any sleep at night over satellite security. Laters J
To answer the questions you pose:
Do I have a problem
If you did not before, you do now. Hint, if you rely on security through obscurity to secure a $50 million piece of hardware then best not tell the favourite news site for much of the hacker community.
The threat comes from two sources, one is bored teenagers who can't get a girlfriend, the other is an attack by a well resourced adversary such as a hostile government, a major terrorist group or organised crime. The teen hacker problem is non-negligible but the well resourced adversary is more likely.
Post 9/11 concern about infrastructure attacks is much greater. As a result the insurance syndicates I advise will shortly be requiring you to secure your communications links if you want to insure the bird. There will also be increased pressure from governments, particularly in the US, to secure possibly sensitive infrastructure.
Are the existing security measures sufficient
Absolutely not. In the first place by relying on security through obscurity you are putting your employees at risk. A motivated attacker would have no qualms about kidnapping an employee (or a member of their family) and forcing them to reveal the necessary information.
A more sophisticated attacker could obtain the necessary information simply by discovering the location of your site and visiting it with a suitably sophisticated scanner. Even the best dish does not direct 100% of the signal at the satellite. There is plenty scattered around the dish. Intercepting the signal is not a major difficulty.
Even if you have a large security perimeter around your upload point (e.g. at a military site) the attacker could use an aircraft. Even a model plane might be sufficient to detect the carrier frequency.
If the attacker can intercept the signal they will have no difficulty decoding your command sequences. It is quite likely that there is information available to the public in any case. Much of the software used in that type of application is cannibalised from one project to the next. You might think you have a one off that is unique but it might well turn out to share 80% of its code with another bird used by some obscure company (or university!).
What should I do
This is not a hard problem for an expert to solve, but I really would not go at it armed with only a copy of Applied Crypto and enthusiasm. Security protocol design is a subtle business. The 802.11b folk who tried the DIY solution failed. If you are going to get your bird insured you will probably end up having to have a recognised expert check the design.
What you really need is a means of authenticating the commands sent to the bird. The easiest and most lightweight means of doing that is to use a message authentication code such as HMAC-SHA1 or one of the AES MAC modes. You need to establish some form of shared secret between the bird and the control station, this is simply a very large random number.
You may or may not want to bother with public key infrastructure. If you want to launch your bird on a Chinese platform you might not want the shared secret to be present on the bird when you launch. So you embed the public component of some private key in the bird and do some form of key exchange (don't do this at home, contact one of the people involved in the IETF design of the IPSEC key agreement protocol).
Incidentally the attack you are protecting yourself from there is not the Chinese stealing the key (unlikely). A more likely form of attack is some jumped up pipsqueak senator looking to make a name for himself with a grandstanding attack on your perfidy (ask the directors of Loral).
Securing the link is the easy part, securing the shared secret to secure the link is harder. Some form of PK based key splitting scheme may be needed.
In summary, go see a specialist. Someone like Paul Kocher at Cryptography.com, Eric Rescorla at RTFM.com, Derek Atkins (warlord@mit.edu) is also highly competent. Expect to pay a lot more than you expect. The best people charge from $2,500 a day to $5,000. There are some who charge more, you will have great difficulty hiring them.
Looking for an Information Security student project suggestion?
Try http://dotcrimeManifesto.com/
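The command authentication recommended in the comment above (a MAC over each command, keyed with a shared secret), combined with the timestamp check described earlier in the thread, as an added example that is not part of any poster's comment or of any mission's flight software. It uses HMAC-SHA256 in place of the HMAC-SHA1 named above; the frame layout, command strings and key are constructed for illustration.

```python
import hashlib
import hmac
import struct

# Assumed frame layout (not from the thread):
#   timestamp in ms (uint64) | command length (uint16) | command | 32-byte tag
HEADER = struct.Struct(">QH")
TAG_LEN = hashlib.sha256().digest_size


def sign_command(key: bytes, command: bytes, timestamp_ms: int) -> bytes:
    """Ground side: append HMAC(key, header || command) to the frame."""
    header = HEADER.pack(timestamp_ms, len(command))
    tag = hmac.new(key, header + command, hashlib.sha256).digest()
    return header + command + tag


class CommandReceiver:
    """Spacecraft side: anything that fails a check is dropped, never executed."""

    def __init__(self, key: bytes, max_skew_ms: int = 2000):
        self._key = key
        self._max_skew_ms = max_skew_ms   # "within a second or two"
        self._last_accepted_ms = -1       # highest timestamp executed so far
        self.log = []                     # (receive time, verdict) per contact

    def receive(self, frame: bytes, now_ms: int):
        verdict, command = self._check(frame, now_ms)
        self.log.append((now_ms, verdict))
        return verdict, command

    def _check(self, frame: bytes, now_ms: int):
        if len(frame) < HEADER.size + TAG_LEN:
            return "malformed", None
        timestamp_ms, length = HEADER.unpack_from(frame)
        body_end = HEADER.size + length
        if len(frame) != body_end + TAG_LEN:
            return "malformed", None

        # Authenticate before trusting any field, in constant time.
        expected = hmac.new(self._key, frame[:body_end], hashlib.sha256).digest()
        if not hmac.compare_digest(expected, frame[body_end:]):
            return "bad-mac", None

        # Freshness: a recorded frame is useless once the window has passed.
        if abs(now_ms - timestamp_ms) > self._max_skew_ms:
            return "stale", None

        # A recorded frame re-sent inside the window is still a replay, so
        # accepted timestamps must strictly increase.
        if timestamp_ms <= self._last_accepted_ms:
            return "replay", None

        self._last_accepted_ms = timestamp_ms
        return "accepted", frame[HEADER.size:body_end]


def demo():
    key = bytes(range(32))                # constructed key; use a random one
    rx = CommandReceiver(key)
    t0 = 1_000_000                        # constructed clock value, in ms
    frame = sign_command(key, b"SET_MODE SAFE", t0)   # constructed command

    verdicts = [rx.receive(frame, t0 + 300)[0]]       # genuine uplink
    verdicts.append(rx.receive(frame, t0 + 900)[0])   # recorded and re-sent
    tampered = frame[:HEADER.size] + b"SET_MODE SPIN" + frame[-TAG_LEN:]
    verdicts.append(rx.receive(tampered, t0 + 1000)[0])
    verdicts.append(rx.receive(frame, t0 + 60_000)[0])  # re-sent a minute later
    verdicts.append(rx.receive(frame[:10], t0)[0])      # truncated frame
    return verdicts


if __name__ == "__main__":
    print(demo())
```

The timestamp window alone does not stop a frame recorded and re-sent within those two seconds; the strictly increasing timestamp rule closes that gap, and it requires the spacecraft to persist the last accepted value across resets.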
I haven't seen anybody come up with a worthwhile satellite hack: here's one.
You introduce 2-3 minutes of digital delay into the video signal, prior to the uplink, on the feed from your local racetrack. Then, you call up your beard at one of the big sportsbooks in Vegas and have him bet, past-post, on the winning horse.
Or, if you can't or won't or are too chicken or can't afford the terabytes of RAM necessary for all that digital delay, this is what you do. You find some rich crook, say Doyle Lonigan. You have somebody, say Robert Redford, convince him that you actually do have 3 minutes of DDL in front of the feed from Aqueduct or Churchill Downs or wherever. You take Lonigan to this big telco-room full of equipment racks and introduce him to Ray Walston who, you explain, is a crooked videotech who is in on the scam. Then you get Paul Newman to set up a "big store" that is an identical replica of the sports book at Caesars. You call Lonigan on his cell phone and give him a convincer (a winning bet). This puts Lonigan "on the send," and he comes back to the store with a wad of dough. You then ring up Lonigan and tell him to place the money on [your favorite horse]. But the horse actually comes in 2nd. When Lonigan complains, you tell him you told him to -place- the money, you idiot. Then bogus cops come in and shoot Redford "dead." Lonigan splits and is never seen again. Redford, Newman, et al. split the take. The best part is, you don't really have to haxor the bird or even buy any RAM.
The three major issues you ask about are ones that the military put much time and effort to address on their satellite programs. Having worked on projects for a military contractor, here are suggestions:
1. DOS attacks - I've actually seen a military site lose all communications to the satellites that it was controlling because of an inadvertent DOS attack. A company near the base had installed a transmitter that was MUCH more powerful than was allowed by the FCC in that area (because of the military base). When they switched it on, it disrupted all the transmitters on the base. The military used specially equipped helicopters to triangulate the source of the signal and deployed a security unit to shutdown the transmitter. The FCC revoked the company's license the same day.
Note: The military did NOT lose command or control of the satellites because they use multiple command and control sites; they simply had another site take master control while the site I was at was disrupted.
2. Deciphering the C&C structure:
This is something that many foreign countries have been active in doing for quite awhile. Don't think it hasn't been tried.
3. SCPS
A really stupid idea; it would be better if the command and control aspect were NOT part of this (keep it separate) and only those things that the public or scientists would be interested in be part of SCPS (Cameras, science instruments, etc). Making C&C accessible from the Internet is just plain foolish.
NOTE: There are three things that the military determined were of the utmost necessity for ANY satellite communications (uplink and downlink):
1. Isolation of command and control networks (NO outside access allowed)
2. Multiple command and control sites that monitor each other and
3. CRYPTO - it's best to do hardware-based crypto on your up and down links. A fool and his satellite communications will be monitored if you don't encrypt your communications.
If "disco" means "I learn" in Latin, does "discothèque" mean "I learn technology"?
My 2 kopins worth
Any idiot with a sufficiently powerful transmitter can DOS a scientific LEOsat while in the footprint, with less than a thousand bucks of hardware.
For the info of /.ers most LEOsats adjust their attitude with magnetorquers and reaction wheels, they are incapable of changing their orbits even if you snatch control. But you can, over successive orbits, put them into power-draining modes that will cause eventual loss of the bird.
LEOsats are also only commandable from one groundstation for 1-2 slots of 15mins or so per day.
Many scientific satellites use the ESA PUS standard high-level protocol (PPT here) on an AVTEC box or something similar, using CCSDS. It would be trivial to "crack" (since it's not encrypted), given a hundred thousand bucks for the hardware. ROT-13 is harder.
In summary, any moron can make life difficult for researchers. But firebombing chemistry or CompSci labs would be just as "clever", far easier and cheaper, and even more annoying.
BTW unlike some who think this is a troll, I'm concerned about the issue myself. But given the hardware cost of implementing a reliable CCSDS protocol, only fairly wealthy hackers could do it. The Software is relatively easy for real-time programmers, but script kiddies, VB-jocks or even C coders need not apply, Ada would be the best way to do it with assembler second. The additional security of adding encryption on top would be negligible, as wealthy hackers could be expected to have access (hacked or legit) to arbitrarily large amounts of computing power. And any script kiddie could DOS us with a five-hundred-dollar jammer anyway. For 15 minutes.
Zoe Brain - Rocket Scientist
Generally I'd assume you don't want to run IPSEC or similar for satellite comm. For the same reason you don't want to use PGP for auth. control.
These systems have very limited processing power and you don't want to waste bandwidth either.
So solutions would have to be efficient as well.
It takes Motorola several months just to move 1 bird from orbit A into adjacent orbit B. I'm sure MOT's goal is a controlled orbit change. What if the goal weren't a controlled manoeuvre?
Give serendipity a chance.
Obviously you don't actually run the code on the live system until you're satisfied that there ARE no exploits anymore.
;P
Publishing code to a mission critical system that you know to have exploits is dumb, yes.
Using code that you know to have exploits in it, in a mission critical system at all, is even dumber
Xix.
"Everything is adjustable, provided you have the right tools"
Don't leave a weak link...
It's not as if you can tweak the orbital parameters as easily in real life.
This article uses the piggy spam icon and if you click on it it is listed among the spam articles rather than in the "ask slashdot" category. It looks like someone made a mistake that needs fixing, especially since it's a little more than just cosmetic due to the topical indexing error.
Well, having code up for public review will only do you good, if you have a decent security design as a starting point.
*And* if a competent programmer reviews it, *and* if the programmer is familiar with the type of system he's reviewing.
Open Source is a tool, not a solution.
Now I can control a spy satellite and take a peek at some hot girl showering... heh heh... oh wait... line of sight... damn!
I previously worked for a local television station with satellite uplink facilities. We were taught how to uplink for news feeds and were relatively unsupervised between 11:00 pm and 4:00 am. These were positional antennae since we used multiple satellites depending on usage. I don't doubt that with a little bit of knowledge, some free time and available facilities someone could play havoc.
Yes, that's right. Best security you can have is to arm the satellites with lasers so you can shoot anyone running nmap on your bird...
/. readers are experts in satellite security? Why ask here? Must be a REALLY slow news day to post this kind of thing...
Seriously though, how many
I knew this guy who was in the Army and worked at AFN (Armed Forces Network). He told me that they easily take the CNN satellites if something was wrong with their own. I don't know if CNN knows or cares but he put it in a funny way, "CNN is everywhere so why make a backup network if all you have to do is borrow someone else's"
I guess a terrorist would not want to attack CNN.
hmm... for fun I enjoy launching DDoS attacks against 127.87.42.5
An unencrypted command link w/a 'secret' command set?! Are you kidding. Did you listen to what you just said here?
First off, if I can get a pringles can yagi to extend my 802.11 link, I can sure as hell work up *something* to pick up your transmission from a nearby hill...
That said, it's UN_ENCRYPTED! What could you possibly be sending/receiving from the sat? There's going to have to be a handshake, an 'authentication' of some sort, then a command... So we capture some traffic... Then the Sat's going to return some info... Oh what could it be? Try running it through any of 20 different algorithms to see what surfaces... Pictures? Plain ole temperature data? Lat/Long data? Sorry for the pun, but that won't be rocket science to figure out...
If I want to DOS it - then again, I can build a small antenna, hide it in a nearby tree, and power it with *something* - I'm sure I could whip up something with an old junk microwave that has its safeties disabled... Powered by a couple of spare 12V marine batteries and a few converters... OR, if I don't want to broadcast my location - how about a spark gap transmitter that keys in every so often - good luck in finding it... I could even make it solar powered...
Don't get me wrong - I'm not advocating any of this - but it's entirely doable by someone with a weekend of free time. You should encrypt the uplink, downlink, and authenticate all commands - especially ones related to guidance control. Have some other general RF monitoring equip to look for new/odd/strange signals on your band, and try to triangulate so you can have the appropriate authorities check things out... Have your bird default to "DO NOTHING" if it receives a bogus or half-baked command...
And forget the private/self-developed command sets. I just don't see how they could be useful from a security standpoint (even if the connection was encrypted...but that's a different topic). Stick with a standard and extend it if necessary. It'll cut your costs, and make building/setting up new sats easier...
Put your authentication keys in the sat - that would seem reasonably secure to me - no one's gonna steal them up there - unless they happen to have a spare shuttle at their disposal...
[From 1992 to mid-1994 I was leading the Motorola Iridium network architecture team defining the Iridium system network protocols and assessing the entire system's payload bearer performance. Although the below comes across as rah rah Iridium, I am no fan of the Motorola executives who botched the entire Iridium project, costing Motorola and Iridium investors $1B+. I am looking forward to my day in court facing these boneheads one day.]
As someone posted earlier, the Iridium birds are controlled using SNMP semantics, but the poster neglected to mention that these packets are transported inside an uplink control stream. The data stream is a randomly changing and highly encrypted (I could tell you but then I would have to...etc.) K-band control uplink. The uplink itself is via, er, 'a few', globally linked, fault-tolerant, control stations.
To hijack the satellite control uplink would require access to the physical property of the uplink stations, not to mention having access to the protocol schemes that were devised for this data stream. You are not going to park a truckload of sat gear in the parking lot and go unnoticed. We also spent lots of time determining where best to place these control centers, too, given the geo-political issues.
The originator of this thread is full of angst over the security implications. Bravo! But, rest assured that the subject is not an unknown practice to the aerospace industry. The Iridium system is extremely robust in this particular area, so much so that the revived Iridium system will be carrying lots of DoD traffic. Needless to say, there are always risks when faced with a network attack from a government sponsored or highly funded enemy using equally skilled aerospace technologists.
-- I fear explanations explanatory of things explained.
If you use a grid of (smaller/less powerful) antennas you could create the same effect as a single high power antenna. So you don't even need to have access to a facility with strong antennas except to maybe snoop the protocol...
The Secure Satellite SHell. :)
Fiz
.. : )
I installed uplinks for satellites. I know what it
takes to get into one. First of all it's very
difficult for anyone to get the installation up and running.
Yes you need uplink frequency but you also
need the downlink one too...
Second the modems to access the satellites are
a bit hard to come by.. Let alone a microwave
transmitter that you could tune to match the
frequencies. This is no amateur stuff.
Gaining illegal access to a satellite is difficult
at best technically. Financially speaking you
also need to have a good cash flow. The
transmitter and receiver will be an expensive
proposition at best. Of course there is nothing
that will stop organisations from doing it.
For the common folk this is impossible.
Try calling Harris to ask them for a transmitter
receiver that works in the microwave spectrum
I believe this will raise tons of eyebrows and
probably will end you up in an interrogation
room at the FBI's local headquarters.
But don't take my word for it
Are your internal machines firewalled completely from the public Internet? Most importantly, how much do you trust the people who know how it works?
Never mind things as sophisticated as computers. How secure is the dish used for sending the commands and the cable connecting it to the control centre?
Humpty Dumpty's
A common mantra heard from Slashdot is "obscurity is not security", and this is a lesson that teridon wants his company to learn
If anyone thinks it is, then consider what happens when an employee has access to what the company wants to be obscure, then later he becomes a disgruntled ex-employee.
Now, your inside friend, is your outside foe, and he knows all of your weaknesses. Here's hoping the security being used was not just obscurity.
War crimes, torture, lies, illegal spying... Would someone give Bush a blowjob, already, so he can be impeached?