Satellite Command Security?
teridon asks: "I work in the satellite control industry, and I've been asked to present mission safety with regards to command security. In other words, how do we ensure that 'unknowns' don't command the satellite. Military and commercial birds often employ encryption on both the uplink and the downlink. However, it seems that none of the science-oriented satellites my company operates do this. We rely on physical security (access to the control center), network security (we use closed networks), technology (most crackers don't have access to a huge radio antenna with which to transmit), and obscurity (each satellite has its own command structure, not publicly documented). Many satellites use CCSDS frames to uplink commands; only the command data is obscured by lack of public info." A common mantra heard on Slashdot is "obscurity is not security", and this is a lesson that teridon wants his company to learn, in addition to other steps they can take to improve the security of their system. What suggestions might you have when it comes to improving security on satellite systems, especially if you have experience from some of the mistakes that you may have seen in production?
"Three major issues concern me (I'm going to assume that our network security works (grin!)):
- Can someone effectively execute a DOS attack by uplinking to the satellite with a powerful signal (the frequency would be easy to 'snoop' from our transmitting antenna), thus preventing us from commanding it? In general, how do receivers handle multiple command carriers (would there be too much noise to command)?
- How many of you think that you could decipher the structure of the command (given the motivation)?
- Standards being developed (like SCPS) intend to make satellites 'just another node on the Internet.' Take a look at the security protocol (which is based on IPSEC, et al.) and tell me if you think it is secure, or whether you'd want to crack it.
..especially if the hacked science satellite had enough manoeuvring fuel to be used to crash into a GPS or military satellite.
Satellites are getting larger: if the satellite was sufficiently large to enable large lumps to reenter and you could predict reentry then you could attempt to use it as a missile, but this is obviously a very hit and miss affair.
In the light of September 11, I don't think you should assume that civilian targets (or civilian satellites) will be left alone by a terrorist.
Donte Alistair Anderson Roberts - hi son!
Obscurity doesn't work. Internet seems to know everything, or know someone who does, it's strange but true.
Where I work we rely on a couple of things for security, and they seem to work pretty well; I've been working here for nearly 5 years and I can't remember us ever getting cracked.
1. SSH
2. Identity keys and passphrases along with 1.
3. IP filtering, you have to be on an IP in our network before you can reach any critical servers.
If you couple this with a private network I don't see any real threats to the network, unless some kid builds a nuclear powered high frequency mega super radio antenna thingy in his backyard to send the whole thing crashing down to Tora Bora.
-- Si hoc legere scis nimium eruditionis habes.
Just to give you an idea, some crackers during the BB era in southern California were stealing credit cards to buy commercial software, then sold cracked versions to the largest BB in southern CA. They were eventually caught and the FBI took away all the computers. All of them were underage, so they didn't do any time. All of them were interested in science, so they would definitely be interested in what your satellite is sending. More interesting is getting control of your satellite.
Also, remember that crackers tend to have parents who have technical careers, but no time to watch their kids. Hackers and crackers have a lot of time, brains and energy to burn. With all the articles recently about amateur and college programs building their own satellites, it will become a bigger concern. As kids get more technically advanced at a younger age, more systems will get compromised. It's a fact of life.
I would recommend that you read the book Security Engineering by Ross Anderson. :).
It gives you a perspective of security from a lot of different fields.
If you must secure stuff you have to think like an alien.
If people who were supposed to control the Defense satellites in Britain had thought like an alien, none of their satellites would have been hijacked, but that story seems to be untrue.
Anyway, secure your babies.
That's probably a bit harsh. You're probably right, but...
He didn't say that he had no idea where to start, nor did he say that this was his only source of information on the issue.
Having done security work in the past, I'd often solicit the advice of other security experts (ok, so maybe Slashdot isn't the place to ask) to see what directions they'd go.
If I prefaced my questions with what *I* thought was important or the Right Way (tm), that could color the thought processes of my resource(s). By keeping my ideas to myself (at least early in the process), I could get their objective opinion, perhaps with ideas that I'd not previously considered.
Just my $.05 (inflation, you know).
- Dave
-- "Other than that, how was the play Mrs. Lincoln?"
General comments:
This type of question is probably best not asked here.
I highly suspect you are who you say:
1) Why ask questions about such a sensitive issue here in such a loose and public forum?
2) If your company does indeed control multiple satellites, why do you not have answers to such simple questions as # 1? I would expect you would contact one of your own engineers.
3) This list could go on for quite a while.
I apologize if I'm wrong about the above, but I tend to suspect this is a dupe post by someone either interested in hacking a network or interested in getting people together to hack sats.
Questions:
1) This would depend to some degree on the com hardware on the bird. Signal jamming is a well-known property of emf communications.
2) Yes. People have deciphered far harder things than an ordered (probably) control protocol.
3) I didn't look at the protocol yet. Yes, folks will want to hack it though. Sats are l337 d00d.
Military and commerical birds often employ encryption on both the uplink and the downlink. However, it seems that none of the science-oriented satellites my company operates do this.
Wow, really? (imagine how many /.ers are eBay bidding on dishes right now....)
As an undergraduate I worked on a small student-built scientific satellite, and even though the satellite barely had any need of an uplink, I seem to recall we still required strong command authentication, and that we also required the ability to turn off the satellite transmitter and receiver in certain regions of the world, and that these requirements came straight from the DoD. My understanding is that we had to be prepared to respond to certain possible DoD advisories. In fact we probably would have done away with the uplink except for them.
The transmitter turn-off requirement was apparently so that rogue states could not use the bird for navigation purposes or possible sensing.
Now the advising engineers on this project came from a lab (JHU APL) that does a TON of military birds, so it's very possible they were just imposing good practice on us. Maybe someone in the know could tell us more.
--Braddock Gaskill
I'm not going to analyze the up-link protocol or try to brainstorm motivations for cracking your system, but as a security professional let me try to clarify the issue a bit.
You are on the right track with your questions. You are trying to figure out: a) how badly does somebody want to crack it, and b) how difficult is it for him to do so.
These two factors are precisely what define security risk. If the cost of breaking a system is greater than the reward for doing so, your security is adequate.
The first question cannot be answered by the Slashdot crowd. There are too many variables. Who are your competitors, and how much do they have to gain by sabotaging you? Could the satellite possibly be used for anything other than its intended purpose if control was usurped? How valuable is the satellite to people other than you if it is only being used for its intended purpose?
Perhaps people here could try to figure out the 'cracker bragging-rights' factor, but I suspect that would not be sufficient motivation to go to the lengths required to break your system (any glaring security holes notwithstanding).
From what it sounds like, the second question can't be answered by anybody. The rule of the day is 'provable security', which is why security by obscurity is frowned upon. It's not that it doesn't work, because sufficient obscurity is indeed security, it's that you can never be sure how well it works. This was the problem with the German Enigma machine in WWII, which ultimately provided the greatest incentive to proving lower bounds on security.
Encryption provides easily quantifiable security, demonstrated by mathematical proof (with the minor caveat being most of these proofs rely on P not equalling NP). The techniques you describe do not sound like they lend themselves to provable security. (Although physical security is usually considered pretty sound, provided it is comprehensive; this includes isolated networks and site protection, as you describe)
How difficult is it to gain access to a powerful radio-antenna? That's a key question. If the satellite is owned by a company in an industry with cutthroat competitors who also have satellites, it might not be difficult at all.
Here is a memo that explains the National Policy on Application of Communication Security to U.S. Civil and Commercial Space Systems, NTISSP No. 1.
http://www.tscm.com/communsec.html
Some excerpts:
...Approved techniques as they pertain to space COMSEC equate to National Security Agency (NSA) endorsed encryption and authentication systems....
..Government or Government contractor use of ... commercial satellites ... shall be limited to space systems using accepted techniques necessary to protect the command/control uplink.
The need for and means to protect the command/control uplink associated with civil satellite systems, intended exclusively for unclassified missions, will be determined by the organization responsible for the satellite system in coordination with the National Security Agency....
Basically, if your group is doing as little as what you say they're doing, they may be in violation of law.
--Braddock Gaskill
Scientific satellites usually don't have much security. I wrote a script in tcl/tk once that created a set of satellite commands. The commands were transferred by ftp (perl) to an ftp-site where they got placed on the command queue.
You don't get much cpu-power in scientific satellites because they have to use CPUs certified for use in space. I might be wrong, but I think we used some Texas Instruments CPU from 1976 (they built the satellite in 1997). That means that ssh or ipsec would be useless.
We lost contact with the satellite after 5 months in space.
You MUST secure your satellite command and control system. This is NOT an option, it is a requirement.
Some background for my opinion: I work with these systems, developing satellite command and control - I'm not The Man in this area, but I'm on a team that's competing to build a USAF command and control system, and I'm currently working on developing the network operations center for a comsat system. I'm not Mr. Security, but we've had conversations - get it?
To address your specific concerns - yes, someone can "blind" the command uplink, but you can usually do something about that legally - someone radiating that amount of power gets noticed. It can be done, but there are countermeasures that can be taken - encrypted in-band commanding is popular on comsats. People can decipher command structures, esp. if you're using a COTS satellite bus - and most science missions starting out today use one as a point of departure. In fact, you can probably get hold of the base command structure for some early satellite families and extrapolate from there. The "standards" being worked on are a long way from ready for prime-time - I don't know anyone willing to entrust a hundred-million or billion-dollar comsat to them. The US gov't. controlled encryption systems are still the standard for the command link in the systems I'm seeing (I do work in the US).
Will people hack science birds? Depends on what they do, and how bored the "people" are. There are a lot more gratifying things out there, and hacking a science bird would get a lot of bad press - but some folks live for bad press. Don't just rely on physical plant security - you can't put a security guard on the bird, and remote links are always vulnerable if they're not sufficiently secured. Go do research, and ask some of the COTS command-and-control companies (Integral Systems, or STI (now part of Harris)) for advice - they'll try to sell you product, but it's worth it to listen.
Good luck.
1. Yes, someone can execute a DOS attack. It's called jamming and was done in the 80s to HBO by Captain Midnight. You need to check on the specific satellite design and see how the receiver would handle it but bear in mind that generally they will look for the best SNR and go with that. If the transmitter is higher power than you are, the receiver will see your signal as simply noise.
2. How many of you think that you could decipher the structure of the command (given the motivation)?
2. Deciphering the structure of the command is not going to be easy but it can be done. This is not something for script kiddies but the true hackers with sufficient motivation will eventually figure the problem out. Remember, with Real Hackers, simply the doing of something neat is sufficient motivation -- but a Real Hacker also subscribes to the Hacker Ethic of doing no harm.
3. I think the simple cool factor of getting into a "NASA Satellite" would be sufficient motivation for some of the budding anti-social geeks. Satellites are extremely high-value assets and should have better security than how we protect our webpages. However, securing them also goes counter to the way most scientists want to work. Luckily, the command and data streams should be using different signalling systems and freqs so you CAN have the best of both worlds.
4. I would not assume your network security works. I seem to remember something about someone getting into ESA's system; it was postulated as a possible reason for one of the Ariane failures resulting from bad design. Personally, I think the French just wanted to toss the blame off on someone else but the more the US government relies on Microsoft systems, the less secure your system will be and your security is only as good as the weakest point of entry.
Sure, but it's called jamming, not DoS. There are plenty of problems with unintentional RF interference on space assets. Actually trying to interfere wouldn't be very difficult given a big enough dish and proximity to the uplink site.
2. How many of you think that you could decipher the structure of the command (given the motivation)?
Contrary to what most slashdotters are probably saying, this would be very difficult. I'm not saying you should count on it though.
The problem is that the feedback loop is pretty open, because the attacker may have incomplete access to the downlink (and would have to decipher that as well), and likely doesn't have access to other means to watch what a particular command does to a satellite. You may be trying to send a command to fire a thruster or torque a gyro, but if you don't have the means to assess whether you've tumbled the bird, it's just guesswork.
Here is what I would do.
1) dumpster dive on your trash and hope that you didn't shred all your documentation.
2) get a spectrum analyzer, put it in my truck, sit in your parking lot and try to grab some examples of your uplinks. This is great for replay of some of your transmissions, like say regular commands to download data etc.
3) I am sure this particular bird has a command structure that is proprietary but usually no one reinvents the wheel, this is the difference between "copy" and "cp".
4) get a job at your employer and read it for myself. go home and send it into the wrong orbit.
5) private network huh! I bet you have at least 1 dial-up modem in your shop that I can find with a war dialer.
Replaying a command that I sniffed from your dish continuously would probably mess you up pretty bad: fire thrusters, or send queued data. Doing this all day could end the life of your little bird.
ps: I have access to a spectrum analyzer and access to a 12m uplink dish. But I have much better things to do with my time than flirt with a felony.
The most obvious example of this principle is in encryption. In both public- and private-key schemes, it is essential that you obscure your keys (or private keys) from view in order to maintain secure communications. It works the same way with other methods, such as keeping the command structure of a satellite secret. If no one knows the command structure, they might as well be brute forcing an encrypted message, because a command could be just about any length to be valid.
So really, people here should be very careful when speaking in absolutes. It doesn't work when comparing the performance of operating systems, and it certainly doesn't work here.
--
Theo DeRaadt
Founder, OpenBSD project.
Theoretically, the technology to send commands is also within the reach of a decent university physics student. They have nice moveable dishes and transmitting equipment.
Another point to remember is that while /your/ network may be secure, and therefore your uplink gear, not everyone's may be as secure as you'd like. Presumably someone with the motivation and persistence would be able to locate an unsecured uplink that could be used to transmit to a third-party satellite. Never assume the only doors (access points) are the ones you put in place.
I believe you are referring to Captain Midnight. I found the story through google, but the site (textfiles.fisher.hu) is down.
Captain Midnight was an employee of a satellite uplink station. He was angry about the impending scrambling of HBO's satellite signals (he was a satellite dish dealer as well). He aimed a transmitter at HBO's satellite and transmitted a total of 2 or 3 seconds. One or two weeks later he did the same thing, this time with text on the transmitted screen instead of only a test pattern. He identified himself as Captain Midnight and expressed his anger (I forget what he had typed).
In the story (written by the man himself) that I read online a year or so ago, he mentions that the reason it took over was that it was a stronger signal than HBO's ground station.
----
On topic, as far as determining the command set, don't forget that everybody can monitor the communication to/from the satellite. A few thoughts, though:
- Is the frequency set in stone? Frequency hopping, split spectrum, etc. Is there a government body that may keep the frequency or range on file, such as the FCC?
- If using encryption, I would recommend an open standard, so that all the bugs have been hammered out.
- Rotate keys and use a large set of keys to make it more difficult to crack.
- Always fill data packets with white 'noise' so that all data packets are the same or random sizes. This makes it more difficult to crack, since they never know what is real data and what is junk.
These are standard techniques of course, so I'm sure that teridon has thought of them. But I find this subject quite interesting and want to show how much I know.
On top of all of the above, physical security is indispensable. You might even come up with creative ways to keep each technician from holding all keys, and require multiple techs to do a certain task, since each provides a set of critical data or algorithms. These are also (I assume) standard practice for at least military-grade operations.
Hello little man. I will destroy you!
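Putting the replay worry from the spectrum-analyzer post and the padding and key-handling points in the list above into code, here is an added example (not from any poster, and using a constructed frame layout rather than the real CCSDS TC frame format) of a fixed-length uplink frame that carries a sequence counter under an HMAC tag. The satellite side rejects a tampered frame, a frame built under a different key, and a replay of a frame it has already executed.

```python
import hashlib
import hmac
import os
import struct

# Constructed parameters for this example; not a real mission's frame format.
FRAME_LEN = 64                  # every uplink frame is padded to this size
TAG_LEN = 16                    # truncated HMAC-SHA256 tag at the end of the frame
HDR = struct.Struct(">HIB")     # opcode, sequence counter, payload length
BODY_LEN = FRAME_LEN - TAG_LEN
MAX_PAYLOAD = BODY_LEN - HDR.size


def _tag(key, body):
    """Authentication tag over header, payload and padding (padding is covered too)."""
    return hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]


class GroundStation:
    """Builds fixed-length, authenticated command frames with a monotonic counter."""

    def __init__(self, key):
        self.key = key
        self.counter = 0

    def build_frame(self, opcode, payload=b""):
        if len(payload) > MAX_PAYLOAD:
            raise ValueError("payload too long for the fixed frame size")
        self.counter += 1
        body = HDR.pack(opcode, self.counter, len(payload)) + payload
        body += os.urandom(BODY_LEN - len(body))   # random fill: all frames look alike
        return body + _tag(self.key, body)


class Satellite:
    """Executes a frame only if the tag verifies and its counter is newer than any seen."""

    def __init__(self, key):
        self.key = key
        self.last_counter = 0
        self.executed = []

    def receive(self, frame):
        if len(frame) != FRAME_LEN:
            return "reject: bad length"
        body, tag = frame[:BODY_LEN], frame[BODY_LEN:]
        if not hmac.compare_digest(tag, _tag(self.key, body)):
            return "reject: bad tag"          # forged, corrupted, or wrong key
        opcode, counter, plen = HDR.unpack_from(body)
        if counter <= self.last_counter:
            return "reject: replay"           # a sniffed-and-resent frame lands here
        self.last_counter = counter
        self.executed.append((opcode, body[HDR.size:HDR.size + plen]))
        return "accept"


def demo():
    """Walk through accept, replay, tamper and wrong-key cases; returns the verdicts."""
    key = os.urandom(32)                      # shared at integration, rotated per plan
    ground, sat = GroundStation(key), Satellite(key)
    dump = ground.build_frame(0x0101, b"DUMP_TLM")          # constructed commands
    burn = ground.build_frame(0x0202, b"THRUSTER 0.5s")
    verdicts = [sat.receive(dump), sat.receive(burn)]
    verdicts.append(sat.receive(dump))                      # replay of a captured frame
    tampered = bytearray(burn)
    tampered[HDR.size] ^= 0x01                              # flip one payload bit
    verdicts.append(sat.receive(bytes(tampered)))
    verdicts.append(Satellite(os.urandom(32)).receive(dump))   # different key
    return verdicts
```

If either side loses its counter (a ground-software restart, say), every new frame is rejected, so a mission design also needs an authenticated resynchronisation path.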
I was a payload systems engineer for a major manufacturer of commercial communications satellites (now retired). All our birds had encrypted command links: DES for export or an NSA chip for domestic users. The command link was very narrow band and had a low data rate - everything happens in slow motion in orbit. The uplinks typically used a KW klystron and a 30' dish so jamming or DoS is difficult and would just about have to be an inside job at an earth station or a hostile government. We would never use an internet connection. If commands were sent from off site we would use dedicated phone lines. For launch ops we would set up two leased lines and a dialup.
There was one incident in the early 90s when "Capt. Midnight" broke into a TV channel with a rude message. That was an inside job, but I don't remember if he was caught. It did scare one customer into specifying an elaborate "intruder detection and elimination system" where the bird's antenna pattern could be changed to put a null on the intruder.
All I can recommend is to use encryption - it's not that hard, and stay off the internet.
1. Yes. As someone else has mentioned, satellite receivers link to the most powerful signal. Depending upon the orbit and radio frequency of your satellites, the transmitter may require anything from a simple dish to a huge tracking dish. For most purposes, an old C-band dish would suffice, but would require a transmitter. Tracking systems can be cobbled together from COTS parts, although there are gotchas.
2. How many of you think that you could decipher the structure of the command (given the motivation)?
Consider that a high school science teacher and class in England managed to capture and decode the downlink of the GLONASS (Soviet GPS) satellites. Your downlink is broadcast to anyone listening within the footprint of your satellites' transmitters. If that same someone listens to your uplink (more difficult, but there are sidelobes), they can eventually learn your command set from the changes in telemetry. BTW, recognizing telemetry is relatively easy. Satellites report on a standard set of characteristics (attitude, power, data) and can be easily understood.
3...Take a look at the security protocol (which is based on IPSEC, et. al) and tell me if you think it is secure, or whether you'd want to crack it.
I get paid for that. Without more time than I'm willing to
Can someone effectively execute a DOS attack by uplinking to the satellite with a powerful signal
It's certainly possible, and it's called "jamming". This costs a lot for plain random troublemaking; it takes a steerable dish and a fairly high powered transmitter, with a big electric bill. It seems rather unlikely someone with that budget would spend it just to mess up a science experiment. But unless considerable effort goes into protecting a satellite, jamming it would be small potatoes for a military operation.
There are some substantial (but very secretive) defense contractors making radio and radar jammers for the US military. To jam a satellite using a fixed command frequency, you just point a dish at it and transmit at the same frequency with at least as much power as the actual command center. (I mean power delivered to the satellite antenna -- that's a product of the actual power and the transmitter dish's directionality.) The two signals basically add together, so if the jammer just sends a non-varying signal it's quite likely that the receiver will still be able to pick the commands off the top. But just about anything that varies without too much predictability will do for a jamming signal -- white noise, classical music, Slim Pickens yodeling, Howard Stern...
The most common method of defeating jamming is to change the frequency. Every so often, computers on the ground and in the satellite compute a pseudo-random number, and change to that frequency. It's easy to do that once or more a second, and the jammer is not going to be able to find the new frequency fast enough. (Assuming the number sequence is secure, against both espionage and cryptographic reverse-engineering.) However, if they _really_ want to knock you off the air, it's possible to transmit a very high powered broad-band signal to jam all the channels at once. If there are 1,000 possible channels, the jammer has to be 1,000 times as powerful. Do that to a US military satellite, and I think you will knock it out for a while, but: (1) in a few minutes the satellite orbit will take it out of view from your dish; (2) unless you're a nuclear power, eventually they'll get permission to send a cruise missile into your ground station; (3) that much broadband power will mess up other communications as well, and get other countries mad at you. There are stories that the Soviets used to play a little with our satellites and vice-versa, but nothing serious because both sides had too much to lose...
Another protection against jamming is to use a very directional receiving antenna, so any jammer would have to be on territory you control. This also substantially reduces the required transmitter strength. The problem is keeping that receiver dish pointed at home. In a satellite, you would have to also have an omnidirectional backup antenna, to use to re-gain control if the satellite tumbles. This makes it more complex and expensive than frequency-hopping.
Xix.
"Everything is adjustable, provided you have the right tools"
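The frequency-hopping argument in the post above, as an added example (not the poster's code): both ends derive each slot's channel from a shared secret, and a deliberately simplified power-threshold model (not a real link budget) shows a narrowband jammer catching almost no hops while a broadband jammer needs the full 1,000x budget. The key, channel count and power figures are constructed for the example.

```python
import hashlib
import hmac
import struct

# Constructed parameters; the 1,000-channel figure is the one used in the post above.
N_CHANNELS = 1000


def hop_channel(key: bytes, slot: int) -> int:
    """Channel for time slot `slot`, derived on both ends from the shared secret.
    A listener who has logged past channels cannot predict the next one without the key."""
    digest = hmac.new(key, struct.pack(">Q", slot), hashlib.sha256).digest()
    return int.from_bytes(digest[:8], "big") % N_CHANNELS


def simulate_uplink(key, n_slots, command_power, jammer_power, jammer_channels,
                    fixed_channel=None):
    """Fraction of slots in which the command gets through.

    Simplified model: the jammer spreads its power evenly across the channels it
    targets, and a hop is lost only if the jammer's power on the satellite's
    current channel is at least the command signal's power at the satellite.
    With fixed_channel set, the satellite never hops (the no-hopping baseline).
    """
    targets = set(jammer_channels)
    per_channel = jammer_power / len(targets) if targets else 0.0
    lost = 0
    for slot in range(n_slots):
        channel = fixed_channel if fixed_channel is not None else hop_channel(key, slot)
        if channel in targets and per_channel >= command_power:
            lost += 1
    return 1.0 - lost / n_slots


def broadband_jammer_power(command_power):
    """Power needed to match the command signal on every channel at once."""
    return command_power * N_CHANNELS


def demo():
    """Compare a fixed-frequency link with a hopping one against three jammers."""
    key = b"\x42" * 32                    # constructed shared hop secret
    results = {}
    # Baseline: no hopping; a jammer of equal power parks on the one channel in use.
    results["fixed"] = simulate_uplink(key, 1000, 1.0, 1.0, {7}, fixed_channel=7)
    # Hopping: the same jammer only catches the slots that happen to land on channel 7.
    results["hop_vs_narrowband"] = simulate_uplink(key, 1000, 1.0, 1.0, {7})
    # A broadband jammer with the full 1,000x budget takes every hop down...
    results["hop_vs_broadband"] = simulate_uplink(
        key, 1000, 1.0, broadband_jammer_power(1.0), range(N_CHANNELS))
    # ...but one unit short of that budget it beats the command on no channel at all.
    results["hop_vs_underpowered"] = simulate_uplink(
        key, 1000, 1.0, broadband_jammer_power(1.0) - 1, range(N_CHANNELS))
    return results
```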