Slashdot Mirror

← Back to Stories (view on slashdot.org)

Satellite Command Security?

Posted by Cliff on from the preventing-orbital-hacking dept.

teridon asks: "I work in the satellite control industry, and I've been asked to present mission safety with regards to command security. In other words, how do we ensure that 'unknowns' don't command the satellite. Military and commerical birds often employ encryption on both the uplink and the downlink. However, it seems that none of the science-oriented satellites my company operates do this. We rely on physical security (access to the control center), network security (we use closed networks), technology (most crackers don't have access to a huge radio antenna with which to transmit), and obscurity (each satellite has its own command structure, not publicly documented). Many satellites use CCSDS frames to uplink commands; only the command data is obscured by lack of public info." A common mantra heard from Slashdot is "obscurity is not security", and this is a lesson that teridon wants his company to learn, in addition to other steps they can take to improve the security of their system. What suggestions might you have when it comes to improving security on satellite systems, especially if you have experience from some of the mistakes that you may have seen in production?

"Three major issues concern me (I'm going to assume that our network security works (grin!):

  1. Can someone effectively execute a DOS attack by uplinking to the satellite with a powerful signal (the frequency would be easy to 'snoop' from our transmitting antenna), thus preventing us from commanding it? In general, how do receivers handle multiple command carriers (would there be too much noise to command)?
  2. How many of you think that you could decipher the structure of the command (given the motivation)?
  3. Standards being developed (like SCPS) intend to make satellites 'just another node on the Internet.' Take a look at the security protocol (which is based on IPSEC, et. al) and tell me if you think it is secure, or whether you'd want to crack it.
I'm not looking for the Slashdot population to do my research -- I mostly want opinions on whether cracking a science satellite would be worth the time."

23 of 426 comments (clear)

  1. Given enough motivation by Tim+Ward · · Score: 5, Insightful

    How many of you think that you could decipher the structure of the command (given the motivation)?

    Anything can be hacked given enough motivation. That's why different levels of security are applied to different perceived threats - you guess how much motivation the opposition are likely to muster and decide how much to invest in security accordingly.

    1. Re:Given enough motivation by liquidsin · · Score: 3, Insightful

      it's along the same lines of 'anything that can be made can be unmade'. It's just one of those natural laws...there is no such thing as 'unhackable'. given enough time and resources, anything can be broken.

      --
      do not read this line twice.
    2. Re:Given enough motivation by Shanep · · Score: 5, Insightful

      Anything can be hacked given enough motivation.

      The key is practicality.

      I think this opinion is based on ego. The hackers think they can hack anything, they just "don't have the motivation" to hack the really hard stuff. The system designers feel that they need to believe and portray this because they fear thier systems will some day be hacked or perhaps keep an open mind about it.

      I also think it is silly to beleive that an unhackable system cannot be designed.

      Although, I agree with the parent poster regarding practicality. I had an MCSE teacher tell the class I was in, that encryption was'nt good because any crypto algorithm could be cracked if the design is known. I wanted to challenge him on the practicalities of it (but I hate always being the arsehole in classes who corrects the teacher). I mean sure, learn the algorithm and brute force the output, but what about the practicality? What if it is an algorithm that is strong enough to realise the full range of a 4096 bit key? How many hundreds of years is it going to take to brute force crack it with the combined effort of all the computers that will ever exist on Earth? Will we (human race) be history by then? Do people in the year 8002 really give a crap about what people in 2002 were trying to hide? Do any humans still live on Earth, having terraformed and populated Mars and some other planets in other galaxies?

      Or how about a cipher text done with a One Time Pad, which could be decrypted with loads of different keys to come out as loads of *different* and *incorrect* yet completely inteligible plain texts!

      The rest of the class justs nods (duh!). It was the same teacher that told me that to boot an NT server off a SCSI disk, on a system that has NO SCSI BIOS, you just had to load an NT SCSI driver. Yeah, OK teach, good one. MCSE's, poor bastards, are given the inflated belief that they are computer experts once they have passed MS's "computer science". It's almost as pathetic as Scientology.

      --
      War crimes, torture, lies, illegal spying... Would someone give Bush a blowjob, already, so he can be impeached?
    3. Re:Given enough motivation by gray+peter · · Score: 2, Insightful

      And given that security was probably not taken into consideration when creating the command structure it's probably optimized for bandwidth, not for obscurity. If security was taken into consideration it would be fairly easy to make it difficult (if virutally imposible) to crack. Odds are, however, that security was assumed to be inherent, and the command structure was designed in such a way that it would be very easy to decypher.

      --
      May no camel spit in your yogurt soup.
    4. Re:Given enough motivation by swillden · · Score: 3, Insightful

      Anything can be hacked given enough motivation.

      Why is this such a widespread belief?

      The problem isn't with the belief, but with the vagueness of the statement. What does "hacked" mean? Depending on the definition of the term, the answer changes.

      If the definition of hacking constrains the attacker to using network-based attacks, and if the system under consideration is simple enough, then, yes, it is possible to build an unhackable system (this depends on the nature of the system to a large degree). If the definition is widened to allow physical attacks on technological infrastructure, then the problem becomes vastly harder. If the definition is widened to permit basic social engineering, then the problem gains another dimension that must be addressed. If the definition is widened to include illegal activities like breaking and entering, theft, bribery, extortion, torture and murder, then as long as some user has legitimate access, the system can be hacked.

      I'm often frustrated by two equally incorrect viewpoints that I run into on this subject, and not just in the realm of security. The first is that everything is possible. The second is that anything is impossible.

      It is not true that everything is possible. The Halting Problem, for example. Finding integers x, y, z and n > 2 such that x^n + y^n = z^n. Copying 10GB of data across a 10Mb ethernet in less than one minute. And so on. Many, many tightly-constrained problems are impossible.

      It is also almost never true that any particular task is impossible, assuming all options are on the table. Many things are impractical, and many more things are too complex to get a handle on, but very few real-world personal and business goals are unachievable. If one appears to be, you probably just need a better understanding of the root goals.

      When I was a young geek, fresh out of school, I was secure in my knowledge that some things could not be asked of me because they were impossible (and I could prove it!) until I came smack up against a young businessman, fresh out of school who was secure in his knowledge that anything was possible because all the great fortunes had been made by people doing the impossible. Tempers flared, sparks flew and we were both enlightened.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    5. Re:Given enough motivation by drrobin_ · · Score: 2, Insightful

      Bah, I defy you to hack into this program, when it's connected to inetd with some load balancing and forking limits:

      int main(void)
      {
      int i;
      for(i=0; i10; putchar(getchar())!=EOF);
      return 0;
      }

      Care to hack it? Har. Can't be done. Why?

      A hack requires an exploitable flaw in a program. The above program does one thing: Reads ten characters from STDIN (stopping at EOF if it shows up early), and puts them on STDOUT. Nothing to exploit. Nada. Zilch.

      Sorry to blast the myth, but sometimes slashdot (and its moderators) need a whacking with the clue stick.

      --
      to accept the praise of personal wisdom is an affront to the very ideal i hold dear.
  2. In a related story: by GigsVT · · Score: 2, Insightful

    I forgot to lock the vault at the bank I manage, and no one is there right now!

    Limited time offer!

    --
    I've had enough abrasive sigs. Kittens are cute and fuzzy.
  3. I loved the way that Cliff phrassed that by Bandman · · Score: 3, Insightful

    Did the
    "...this is a lesson that teridon wants his company to learn."
    sound like a veiled threat to anyone else? :)

    Maybe it's the pre-caffeine stage.

    --
    Check out my sysadmin blog!
    1. Re:I loved the way that Cliff phrassed that by Tha_Zanthrax · · Score: 2, Insightful

      I really wonder really if this guy works for the company he says he works for. My guess is they just fired him...

  4. Forget reverse engineering -- who's quit lately? by pointym5 · · Score: 5, Insightful

    Definitely assume that anybody you really don't want knowing your command structures will know them. Do you keep the documentation (or source code) in a locked vault with genuine security (not just "don't tell anybody where the vault is")? Do you have strong entry/exit security (can you take an 8mm tape home with nobody noticing)? Are your internal machines firewalled completely from the public Internet? Most importantly, how much do you trust the people who know how it works? Are you sure none of them wouldn't sell information for a few tens of thousands of dollars (or sex)?

  5. the very fact that you told us how you already... by synchrostart · · Score: 2, Insightful

    ...secure your satellite systems is a huge security breach. You just told us you don't use encryption and that to attempt communication you need a radio antenna. Some people do have access to radio antennas. Heck they aren't that hard to build yourself anyhow, there are specific books and internet articles on them. Pick up most books on HAM radio antennas and they atleast mention it. So given some time and effort could someone exploit your satelittes and crash them into another one?

  6. Re:here's an idea... by ruvreve · · Score: 2, Insightful

    I don't think by asking this question he should be deemed unworthy of securing satellites, instead you should consider it going the extra mile by asking several million? nerds how they would approach the situation. Now if he relied on /. as his primary tool for the succesful completion of his job related duties then I think I want his job.

  7. Obscurity works very well if... by five+dollar+troll · · Score: 1, Insightful

    ...you avoid extending "challenges" like this to the hacker world. Obscurity is only effective when it is TOTAL obscurity. It doesn't work for Microsoft because everyone already knows that they will (after X number of attempts) find some type of hole in their software. For situations like this, however, there is no interest in targeting the satellite, because there is little or no knowledge of its existence. Therefore, it's not a challenge, and won't be considered such by hackers-at-large.

    But now that the cat's out of the bag...look out...

    --

    Reading Slashdot for content is like picking peanuts out of shit.
  8. Huge arrays NOT required. by Cwaig · · Score: 2, Insightful

    I used to work for BAe Space Systems, and once a year we used to teach part of a course at one of the UK's Universitys (cann't remember which). Part of the course was a practical project building a groundstation from scratch using off the shelf kit and making the dish from scrap parts. It's not cheap, but it's within reach of a lot ot western tech heads (but ok, not your average script kidde). I've still got the course notes + designs in my attic....

    --
    +++ BASELINE REALITY FAILURE+++ +++ PLEASE REBOOT UNIVERSE +++
  9. Re:here's an idea... by lucifuge31337 · · Score: 2, Insightful

    The biggest problem I have with this is that he asks whay multiple transmiters hitting the receiver of the satellite will do. No only is that obvious to those who know the RF design of that particular satellite, but it also follows that their engineers already know this information. The question is being asked in the the wrong place.

    --
    Do not fold, spindle or mutilate.
  10. Obscurity and Security by rknop · · Score: 4, Insightful

    Obscurity really is security, if it is true Obscurity. For instance, if you've written a custom server with a set of commands, and you run it on a single computer somewhere on some random port, chances are it's not going to be hacked unless somebody smart and dedicated specifically targets you. Yes, you'd be more secure if you wrote the thing to encrypt its communications and made damn sure that it was robost-- but saying "probably nobody will notice me" has something to it if really nobody likely will notice you.

    The problem with companies like Microsoft arguing that obscurity is security is that they don't have real obscurity. Their operating system is absolutely all over the place, both physically and in terms of network connectivity. As such, there is both ample opportunity and ample motive to find out hidden facts about it. While those facts may be hidden, the OS is not, so there's no real obscurity, just a thin veil of obfuscation.

    If you're building one new high-tech stealth bomber, and you do it in a hidden valley in some very remote site, and completely underground, chances are it's not going to be seen. On the other hand, if you build several prototypes in downtown parking lots of major cities, and just drape a cloth over them with a sign "no plane here", that's just the illusion of obscurity (and hence the illusion of security). Major OSes that are widely distributed but which hide their source code are much more in the latter category.

    As for Satellites-- their obscurity probably is worth something. It's only one link, and the need to have the broadcasting station is a huge barrier. On the other hand, they can be highly visible targets, and I'd suspect that they aren't as obscure as one would really like to be to think it grants you some security. They probably ought to start using, as a matter of course, real secure protocols.

    -Rob

  11. Re:I assume the run of the mill reply to this is.. by Logika · · Score: 3, Insightful

    Making the satellite's command and control protocols widely available is ridiculous. There's a big difference between relying on obscurity for your security and using it to enhance your security. There's also a big difference between a computer that sits on the Internet to be probed with all responses available for digital capture and a system that can only be accessed through RF transmission, probably using frequency hopping and digital spread spectrum.

    The public doesn't have a need to know everything as long as the company(ies) involved don't rely on that obscurity alone to protect them.

  12. Silly question. by Restil · · Score: 3, Insightful

    You're asking a group of hackers... if doing something for the sake of doing it... "would be worth the time?"

    You're askign a group of crackers... if performing the ultimate crack, obtaining command control of a satellite... "would be worth the time?"

    As you said, the only reason it probably doesn't happen very often is a simple lack of the required tools. To hack into a system on the internet, you wouldn't need much more than an ascii terminal with an internet connection. To hack a satellite, you need some powerful equipment, and the average person who is able to afford such equipment, probably would recognize that the effort isn't worth the potential sacrifice.

    Conventional networks were rather insecure in the beginning. But back then, the privilaged few who had access respected the system and didn't have the need or desire to exploit them. Times have changed, so much to the point that IF you are insecure, you WILL get exploited, and its only a matter of time? Satellites may begin to reflect this history soon. Right now, those able to access them have no need or desire to exploit them.

    But just give it time.

    -Restil

    --
    Play with my webcams and lights here
  13. I hope you enjoyed your job... by Palin+Majere · · Score: 3, Insightful

    I mean, seriously. If you do work in "the satellite control industry" (that's a seperate industry from the satellite industry?) and are doing the work you claim to be, then you have several problems:

    a) You should already know the answers to questions 1 and 2, and have enough of an understanding of 3 that removes the need to ask it. You should also already know, based on 1 1/2+ years here on the site, that this is *hardly* the forum for a real answer to that question.

    b) You just divulged some fairly major security-vulnerability information on the internet equivelent of Prime Time television.

    c) I would hope that nobody at your company gets wind of this posting, because it would not take a rocket scientist (*smirk*) to figure out who you are.

    I'm really not trying to flame here, but this *really* seems like a horrible, horrible idea. From a security standpoint, if your systems are based on security through obscurity, the *last* thing you want is more attention being drawn to them, especially if the amount of attention being given to the subject matter is by nature usually small (how many people have satellite transmitters?) and prone to mass speculation (how many openly documented satellites are there?). Just by asking this on Slashdot, you've brought more attention on satellite-hacking as a whole, thereby astronomically increasing the chance that someone takes a more "active" interest in figuring out how to send your company's prized birds into a flaming death spiral.

    Of course, all this assumes you are what you claim to be. You could very well be (as another poster suggested) a cleverly disguised troll.

    I mean, geez. Shame on you for submitting, and shame on Cliff for posting it. Doesn't the /. crew think 5 minutes on a submitted article before posting?

    (Moderators, feel free to mod this appropriately. I have more than enough Karma, thank you)

  14. Re:I assume the run of the mill reply to this is.. by Asic+Eng · · Score: 3, Insightful
    Assuming you haven't managed to implement *any* security, you'd probably be better of, using someone else's system, no?

    No you don't need to post *your* code and say "hey look at this, if you find the hole in it, you can break my satellite". You can however use a proven technology to secure your link, and yes, for that to be proven it needs to be open.

    You can still have your obscurity - you don't need to tell anyone which protocol you are using, even your command structure can stay just as secret as it was before - it's on another protocol layer.

    If you were to use (random example) ipsec, and send your SATCOM (made up) protocol over that, and then someone finds a hole in ipsec. Well then you are just as secure, as you are now - the attacker still needs to break SATCOM, as well.

  15. Satellite security by SwedishChef · · Score: 4, Insightful

    IS THERE A RISK OF DOS?

    Yes, absolutely! Ham radio operators have done moonbounce and many of them routinely communicate via satellite (transmitting to a satellite and receiving signals from someone else transmitting to a satellite - "hamsat"). There are also RF amplifier designs that would surely overwhelm (or at least degrade) your signals. Anyone with technical knowledge of RF and some skills at putting a system together could DOS you. Of course, these signals could be traced so that the DOS could not last very long without serious risk to the perpetrator.

    IS THERE A RISK OF DECIPHERING COMMAND CODES?

    Again, yes. In order to decipher these codes all a one has to do is locate in the vicinity of your physical command center, buy (or build) a receiver capable of detecting the frequencies you use, and put up an antenna (under the guise of amateur radio if necessary). Now they can sniff your uplink and downlink. Once you have access to both of these it's only a matter of time and intelligence before they determine your data structure.

    IS PHYSICAL SECURITY ENOUGH?

    No. Information within a company can be likened to a conspiracy and no conspiracy is ever safe. Someone, at some time, will see their own self-interest as higher priority than the group's interest. A perfect example of this is CIA's Project Jennifer (the Hughes Glomar Explorer). The newsworthiness of the project overwhelmed some of the participants with a sense of their own self-interest and they told news agencies.

    Someone at your facility has probably already told someone else NOT at your facility enough details to allow them to do your system harm, if they wished.

    SHOULD THIS INFORMATION BE ENCRYPTED?

    Yes, absolutely! What's more, it should be encrypted under a method that will allow the key to be changed on a regular basis.

    Given the expense of losing control of a satellite, the costs of security would be a pittance in comparison. Given what you've told us about the signals security at your facility, I imagine that the physical security and network security (does anyone have a modem in their desktop so they can work from home?) is likewise not very good. I would recommend a thorough analysis of all of these.

    --
    No one ever had to evacuate a city because the solar panels broke!
  16. Re:It's about time... by Merry_B.Buck · · Score: 2, Insightful
    teridon's danger seems even worse that the Brit problem, because he's dealing with science satellites, which release more info to the public than do military ones. His user info suggessts he's discussing the SOHO (Solar & Heliospheric Observatory) satellite, which has already demonstrated a hacker-desirable feature: a buffer overflow in code that caused control problems in the satellite.

    Uplink/Downlink details on SOHO are readily available, e.g.:
    • Uplink Frequency(s) 2067.271 MHz
    • Downlink Frequency(s) 2245.000 MHz
    • Commands: 16Khz subchannel @ 2kbps
    • Uplink transmitters used: Gladstone, Canberra, Madrid
    ..IMHO it would be feasible to decipher the command structure, especially because descriptions of the commands being used are published on NASA "project home pages". Encryption would help, but would have to be extended to cover the the networks that author the commands, i.e. Goddard, JPL, etc.

  17. Re:Not that big of an antenna... by dbateman · · Score: 2, Insightful

    There are typically many antennas on a satellite. You are probably talking to a relatively high gain antenna if you are only using a 6ft antenna. The command antenna has to work even when the satellite is in a spin our of control so that there is some hope of recovering it. Thus the command antenna on a satellite is typically omni-directional and thus you'll need higher gain on the ground (bigger antenna) to talk to it.

    D.