Slashdot Mirror


Satellite Command Security?

teridon asks: "I work in the satellite control industry, and I've been asked to present mission safety with regards to command security. In other words, how do we ensure that 'unknowns' don't command the satellite. Military and commercial birds often employ encryption on both the uplink and the downlink. However, it seems that none of the science-oriented satellites my company operates do this. We rely on physical security (access to the control center), network security (we use closed networks), technology (most crackers don't have access to a huge radio antenna with which to transmit), and obscurity (each satellite has its own command structure, not publicly documented). Many satellites use CCSDS frames to uplink commands; only the command data is obscured by lack of public info." A common mantra heard from Slashdot is "obscurity is not security", and this is a lesson that teridon wants his company to learn, in addition to other steps they can take to improve the security of their system. What suggestions might you have when it comes to improving security on satellite systems, especially if you have experience from some of the mistakes that you may have seen in production?

"Three major issues concern me (I'm going to assume that our network security works (grin!):

  1. Can someone effectively execute a DOS attack by uplinking to the satellite with a powerful signal (the frequency would be easy to 'snoop' from our transmitting antenna), thus preventing us from commanding it? In general, how do receivers handle multiple command carriers (would there be too much noise to command)?
  2. How many of you think that you could decipher the structure of the command (given the motivation)?
  3. Standards being developed (like SCPS) intend to make satellites 'just another node on the Internet.' Take a look at the security protocol (which is based on IPSEC, et al.) and tell me if you think it is secure, or whether you'd want to crack it.
I'm not looking for the Slashdot population to do my research -- I mostly want opinions on whether cracking a science satellite would be worth the time."

5 of 426 comments

  1. Given enough motivation by Tim+Ward · · Score: 5, Insightful

    How many of you think that you could decipher the structure of the command (given the motivation)?

    Anything can be hacked given enough motivation. That's why different levels of security are applied to different perceived threats - you guess how much motivation the opposition are likely to muster and decide how much to invest in security accordingly.

    1. Re:Given enough motivation by Shanep · · Score: 5, Insightful

      Anything can be hacked given enough motivation.

      The key is practicality.

      I think this opinion is based on ego. The hackers think they can hack anything, they just "don't have the motivation" to hack the really hard stuff. The system designers feel that they need to believe and portray this because they fear their systems will some day be hacked or perhaps keep an open mind about it.

      I also think it is silly to believe that an unhackable system cannot be designed.

      Although, I agree with the parent poster regarding practicality. I had an MCSE teacher tell the class I was in, that encryption wasn't good because any crypto algorithm could be cracked if the design is known. I wanted to challenge him on the practicalities of it (but I hate always being the arsehole in classes who corrects the teacher). I mean sure, learn the algorithm and brute force the output, but what about the practicality? What if it is an algorithm that is strong enough to realise the full range of a 4096 bit key? How many hundreds of years is it going to take to brute force crack it with the combined effort of all the computers that will ever exist on Earth? Will we (human race) be history by then? Do people in the year 8002 really give a crap about what people in 2002 were trying to hide? Do any humans still live on Earth, having terraformed and populated Mars and some other planets in other galaxies?

      Or how about a cipher text done with a One Time Pad, which could be decrypted with loads of different keys to come out as loads of *different* and *incorrect* yet completely intelligible plain texts!

      The rest of the class just nods (duh!). It was the same teacher that told me that to boot an NT server off a SCSI disk, on a system that has NO SCSI BIOS, you just had to load an NT SCSI driver. Yeah, OK teach, good one. MCSEs, poor bastards, are given the inflated belief that they are computer experts once they have passed MS's "computer science". It's almost as pathetic as Scientology.

      --
      War crimes, torture, lies, illegal spying... Would someone give Bush a blowjob, already, so he can be impeached?
  2. Forget reverse engineering -- who's quit lately? by pointym5 · · Score: 5, Insightful

    Definitely assume that anybody you really don't want knowing your command structures will know them. Do you keep the documentation (or source code) in a locked vault with genuine security (not just "don't tell anybody where the vault is")? Do you have strong entry/exit security (can you take an 8mm tape home with nobody noticing)? Are your internal machines firewalled completely from the public Internet? Most importantly, how much do you trust the people who know how it works? Are you sure none of them wouldn't sell information for a few tens of thousands of dollars (or sex)?

  3. Obscurity and Security by rknop · · Score: 4, Insightful

    Obscurity really is security, if it is true Obscurity. For instance, if you've written a custom server with a set of commands, and you run it on a single computer somewhere on some random port, chances are it's not going to be hacked unless somebody smart and dedicated specifically targets you. Yes, you'd be more secure if you wrote the thing to encrypt its communications and made damn sure that it was robust-- but saying "probably nobody will notice me" has something to it if really nobody likely will notice you.

    The problem with companies like Microsoft arguing that obscurity is security is that they don't have real obscurity. Their operating system is absolutely all over the place, both physically and in terms of network connectivity. As such, there is both ample opportunity and ample motive to find out hidden facts about it. While those facts may be hidden, the OS is not, so there's no real obscurity, just a thin veil of obfuscation.

    If you're building one new high-tech stealth bomber, and you do it in a hidden valley in some very remote site, and completely underground, chances are it's not going to be seen. On the other hand, if you build several prototypes in downtown parking lots of major cities, and just drape a cloth over them with a sign "no plane here", that's just the illusion of obscurity (and hence the illusion of security). Major OSes that are widely distributed but which hide their source code are much more in the latter category.

    As for Satellites-- their obscurity probably is worth something. It's only one link, and the need to have the broadcasting station is a huge barrier. On the other hand, they can be highly visible targets, and I'd suspect that they aren't as obscure as one would really like to be to think it grants you some security. They probably ought to start using, as a matter of course, real secure protocols.

    -Rob

  4. Satellite security by SwedishChef · · Score: 4, Insightful

    IS THERE A RISK OF DOS?

    Yes, absolutely! Ham radio operators have done moonbounce and many of them routinely communicate via satellite (transmitting to a satellite and receiving signals from someone else transmitting to a satellite - "hamsat"). There are also RF amplifier designs that would surely overwhelm (or at least degrade) your signals. Anyone with technical knowledge of RF and some skills at putting a system together could DOS you. Of course, these signals could be traced so that the DOS could not last very long without serious risk to the perpetrator.

    IS THERE A RISK OF DECIPHERING COMMAND CODES?

    Again, yes. In order to decipher these codes all one has to do is locate in the vicinity of your physical command center, buy (or build) a receiver capable of detecting the frequencies you use, and put up an antenna (under the guise of amateur radio if necessary). Now they can sniff your uplink and downlink. Once you have access to both of these it's only a matter of time and intelligence before they determine your data structure.

    IS PHYSICAL SECURITY ENOUGH?

    No. Information within a company can be likened to a conspiracy and no conspiracy is ever safe. Someone, at some time, will see their own self-interest as higher priority than the group's interest. A perfect example of this is CIA's Project Jennifer (the Hughes Glomar Explorer). The newsworthiness of the project overwhelmed some of the participants with a sense of their own self-interest and they told news agencies.

    Someone at your facility has probably already told someone else NOT at your facility enough details to allow them to do your system harm, if they wished.

    SHOULD THIS INFORMATION BE ENCRYPTED?

    Yes, absolutely! What's more, it should be encrypted under a method that will allow the key to be changed on a regular basis.

    Given the expense of losing control of a satellite, the costs of security would be a pittance in comparison. Given what you've told us about the signals security at your facility, I imagine that the physical security and network security (does anyone have a modem in their desktop so they can work from home?) are likewise not very good. I would recommend a thorough analysis of all of these.

    --
    No one ever had to evacuate a city because the solar panels broke!
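
An added example, not part of the thread and not any mission's real uplink format: a minimal sketch of command authentication that does not depend on the command structure staying secret, with a key id in each frame so keys can be changed on a schedule as the comment above recommends. It shows authentication with a replay counter rather than encryption; the frame layout, the truncated HMAC-SHA256 tag, and the sample keys and command bytes are all constructed assumptions.

```python
import hashlib
import hmac
import struct

TAG_LEN = 16                  # truncated HMAC-SHA256 tag, in bytes (assumed)
HDR = struct.Struct(">BI")    # assumed header: key id (1 byte), counter (4 bytes)


def seal(keys, key_id, seq, command):
    """Ground side: header || command || tag computed over header and command."""
    hdr = HDR.pack(key_id, seq)
    tag = hmac.new(keys[key_id], hdr + command, hashlib.sha256).digest()[:TAG_LEN]
    return hdr + command + tag


class Receiver:
    """Spacecraft side: accept a frame only if its tag verifies under a loaded
    key and its counter is newer than the last one accepted for that key."""

    def __init__(self, keys):
        self.keys = dict(keys)    # key id -> secret
        self.last_seq = {}        # key id -> highest accepted counter

    def retire(self, key_id):
        """Key change: drop an old key so frames sealed with it are refused."""
        self.keys.pop(key_id, None)

    def accept(self, frame):
        if len(frame) < HDR.size + TAG_LEN:
            return None           # too short to hold header and tag
        hdr, body, tag = frame[:HDR.size], frame[HDR.size:-TAG_LEN], frame[-TAG_LEN:]
        key_id, seq = HDR.unpack(hdr)
        key = self.keys.get(key_id)
        if key is None:
            return None           # unknown or retired key id
        want = hmac.new(key, hdr + body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, want):
            return None           # forged or corrupted frame
        if seq <= self.last_seq.get(key_id, -1):
            return None           # recorded frame played back
        self.last_seq[key_id] = seq
        return body


# Constructed sample keys and command bytes, for illustration only.
KEYS = {1: b"k1-constructed-sample-key-000001",
        2: b"k2-constructed-sample-key-000002"}

if __name__ == "__main__":
    rx = Receiver(KEYS)
    frame = seal(KEYS, 1, 7, b"\x10\x02HEATER_ON")
    print(rx.accept(frame), rx.accept(frame))   # second call is a replay
```

Knowing the frame layout does not help someone who sniffed the uplink: without the key they cannot produce a valid tag, and a frame they recorded is refused by the counter check.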