Slashdot Mirror


Satellite Command Security?

teridon asks: "I work in the satellite control industry, and I've been asked to present mission safety with regards to command security. In other words, how do we ensure that 'unknowns' don't command the satellite. Military and commercial birds often employ encryption on both the uplink and the downlink. However, it seems that none of the science-oriented satellites my company operates do this. We rely on physical security (access to the control center), network security (we use closed networks), technology (most crackers don't have access to a huge radio antenna with which to transmit), and obscurity (each satellite has its own command structure, not publicly documented). Many satellites use CCSDS frames to uplink commands; only the command data is obscured by lack of public info." A common mantra heard from Slashdot is "obscurity is not security", and this is a lesson that teridon wants his company to learn, in addition to other steps they can take to improve the security of their system. What suggestions might you have when it comes to improving security on satellite systems, especially if you have experience from some of the mistakes that you may have seen in production?

"Three major issues concern me (I'm going to assume that our network security works (grin!):

  1. Can someone effectively execute a DOS attack by uplinking to the satellite with a powerful signal (the frequency would be easy to 'snoop' from our transmitting antenna), thus preventing us from commanding it? In general, how do receivers handle multiple command carriers (would there be too much noise to command)?
  2. How many of you think that you could decipher the structure of the command (given the motivation)?
  3. Standards being developed (like SCPS) intend to make satellites 'just another node on the Internet.' Take a look at the security protocol (which is based on IPSEC, et al.) and tell me if you think it is secure, or whether you'd want to crack it.
I'm not looking for the Slashdot population to do my research -- I mostly want opinions on whether cracking a science satellite would be worth the time."


  1. Given enough motivation by Tim+Ward · · Score: 5, Insightful

    How many of you think that you could decipher the structure of the command (given the motivation)?

    Anything can be hacked given enough motivation. That's why different levels of security are applied to different perceived threats - you guess how much motivation the opposition are likely to muster and decide how much to invest in security accordingly.

    1. Re:Given enough motivation by Theodore+Logan · · Score: 5, Informative
      Anything can be hacked given enough motivation.

      Why is this such a widespread belief? Has it been proven somehow? Has everything in the world that could possibly be hacked been hacked?

      The deduction seems to me the following: everything that has been hacked is hackable => therefore everything is hackable. Where's the logic in that? We don't walk around saying that 10 miles high building cannot be built because we have never built one, do we?

      I don't want to come off like a troll, but I'm getting a bit weary of the conclusion that just because no one has proved the existence of an unhackable system no such system can exist.

      --

      "If you think education is expensive, try ignorance" - Derek Bok

    2. Re:Given enough motivation by liquidsin · · Score: 3, Insightful

      It's along the same lines as 'anything that can be made can be unmade'. It's just one of those natural laws... there is no such thing as 'unhackable'. Given enough time and resources, anything can be broken.

      --
      do not read this line twice.
    3. Re:Given enough motivation by Shanep · · Score: 5, Insightful

      Anything can be hacked given enough motivation.

      The key is practicality.

      I think this opinion is based on ego. The hackers think they can hack anything, they just "don't have the motivation" to hack the really hard stuff. The system designers feel that they need to believe and portray this because they fear their systems will some day be hacked or perhaps keep an open mind about it.

      I also think it is silly to believe that an unhackable system cannot be designed.

      Although, I agree with the parent poster regarding practicality. I had an MCSE teacher tell the class I was in, that encryption wasn't good because any crypto algorithm could be cracked if the design is known. I wanted to challenge him on the practicalities of it (but I hate always being the arsehole in classes who corrects the teacher). I mean sure, learn the algorithm and brute force the output, but what about the practicality? What if it is an algorithm that is strong enough to realise the full range of a 4096 bit key? How many hundreds of years is it going to take to brute force crack it with the combined effort of all the computers that will ever exist on Earth? Will we (human race) be history by then? Do people in the year 8002 really give a crap about what people in 2002 were trying to hide? Do any humans still live on Earth, having terraformed and populated Mars and some other planets in other galaxies?

      Or how about a cipher text done with a One Time Pad, which could be decrypted with loads of different keys to come out as loads of *different* and *incorrect* yet completely intelligible plain texts!

      The rest of the class just nods (duh!). It was the same teacher that told me that to boot an NT server off a SCSI disk, on a system that has NO SCSI BIOS, you just had to load an NT SCSI driver. Yeah, OK teach, good one. MCSEs, poor bastards, are given the inflated belief that they are computer experts once they have passed MS's "computer science". It's almost as pathetic as Scientology.

      --
      War crimes, torture, lies, illegal spying... Would someone give Bush a blowjob, already, so he can be impeached?
    4. Re:Given enough motivation by gray+peter · · Score: 2, Insightful

      And given that security was probably not taken into consideration when creating the command structure it's probably optimized for bandwidth, not for obscurity. If security was taken into consideration it would be fairly easy to make it difficult (if virtually impossible) to crack. Odds are, however, that security was assumed to be inherent, and the command structure was designed in such a way that it would be very easy to decipher.

      --
      May no camel spit in your yogurt soup.
    5. Re:Given enough motivation by rridolfo · · Score: 2, Interesting

      Theoretically, the technology to send commands is also within the reach of a decent university physics student. They have nice moveable dishes and transmitting equipment.

      Another point to remember is that while /your/ network may be secure, and therefore your uplink gear, not everyone's may be as secure as you'd like. Presumably someone with the motivation and persistence would be able to locate an unsecure uplink that could be used to transmit to a third-party satellite. Never assume the only doors (access points) are the ones you put in place.

    6. Re:Given enough motivation by Tim+Ward · · Score: 2, Informative

      Why is this such a widespread belief?

      It is generally believed that if, say, the US government really wanted to hack something and was prepared to expend unlimited resources on the effort it would in due course succeed (if only by doing something as crude as conscripting every publicly-owned computer in the US and doing a distributed brute force attack).

      In this particular instance they could, if they really wanted to, design and build and launch another satellite which sat next to the target one and snooped all the traffic in both directions - yer average script kiddie isn't about to do this, so the threat is different.

      Anyone who doesn't try that hard doesn't have "enough" motivation and you're safe from them.

      It's generally considered that silly children (the type of hacker usually discussed here) don't try that hard, industrial spies try rather harder and enemy governments in wartime try even harder.

      You meet the threat accordingly. There's no point in wasting money trying to protect an SME's payroll system against an enemy government, for example.

    7. Re:Given enough motivation by gehrehmee · · Score: 2
      Perfect example:
      We rely ... technology (most crackers don't have access to a huge radio antenna with which to transmit)
      I don't personally, but one of the many research institutions working through my University has one on a roof of a building on campus. A little wall scaling to bypass a locked door, and I could be playing around with it to my heart's content in a matter of minutes.
      --
      "You know, Hobbes, some days even my lucky rocketship underpants don't help" -- Calvin
    8. Re:Given enough motivation by bmajik · · Score: 2

      Because humans make mistakes.

      We've all read the article about the psycho software engineering team that does the space shuttle software. They still make a small number of mistakes with each release. On the order of 1 or 2 of them makes it to NASA, iirc, but they're still bugs.

      Consider the limited scope of what the shuttle is doing, versus what most network/operating systems do.

      Look at the pre-common criteria schemes. There was only one product I saw that received an A1 certification. It was some sort of network encryption device.

      iirc, A1 meant provably secure by design, followed by implementation. (again, iirc) No network operating system is listed in that category.

      Scheiner (sp) wrote an interesting article on encryption and how it relates to security, effectively using the analogy that hoping encryption thwarts attacks is akin to putting a few sharp objects in your front yard and hoping a burglar stumbles into them.. e.g. Typically we can "prove" that an encryption algorithm is impractical to attack, but we already know that most attacks come from implementation defects as opposed to poor designs.

      So, I've never heard of an unhackable system.

      Software has the very difficult task of making a decision that a human would make, without having all the sensory input and context that a human would have. Finally, it has to be written by (at some point down the line of automation) a human, one who makes mistakes and assumptions.

      --
      My opinions are my own, and do not necessarily represent those of my employer.
    9. Re:Given enough motivation by linzeal · · Score: 2

      ...and you will serve the same amount of time for torture as you will for hacking anyways, so we need a few ask slashdots about torturing humans on the cheap.

    10. Re:Given enough motivation by swillden · · Score: 3, Insightful

      Anything can be hacked given enough motivation.

      Why is this such a widespread belief?

      The problem isn't with the belief, but with the vagueness of the statement. What does "hacked" mean? Depending on the definition of the term, the answer changes.

      If the definition of hacking constrains the attacker to using network-based attacks, and if the system under consideration is simple enough, then, yes, it is possible to build an unhackable system (this depends on the nature of the system to a large degree). If the definition is widened to allow physical attacks on technological infrastructure, then the problem becomes vastly harder. If the definition is widened to permit basic social engineering, then the problem gains another dimension that must be addressed. If the definition is widened to include illegal activities like breaking and entering, theft, bribery, extortion, torture and murder, then as long as some user has legitimate access, the system can be hacked.

      I'm often frustrated by two equally incorrect viewpoints that I run into on this subject, and not just in the realm of security. The first is that everything is possible. The second is that anything is impossible.

      It is not true that everything is possible. The Halting Problem, for example. Finding integers x, y, z and n > 2 such that x^n + y^n = z^n. Copying 10GB of data across a 10Mb ethernet in less than one minute. And so on. Many, many tightly-constrained problems are impossible.

      It is also almost never true that any particular task is impossible, assuming all options are on the table. Many things are impractical, and many more things are too complex to get a handle on, but very few real-world personal and business goals are unachievable. If one appears to be, you probably just need a better understanding of the root goals.

      When I was a young geek, fresh out of school, I was secure in my knowledge that some things could not be asked of me because they were impossible (and I could prove it!) until I came smack up against a young businessman, fresh out of school who was secure in his knowledge that anything was possible because all the great fortunes had been made by people doing the impossible. Tempers flared, sparks flew and we were both enlightened.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    11. Re:Given enough motivation by MrResistor · · Score: 2
      I think this opinion is based on ego. The hackers think they can hack anything...

      I also think it is silly to believe that an unhackable system cannot be designed.

      The problem is, it's even more silly to believe that an unhackable system can be designed. History has proven that time and again. Either argument bears a heavy burden of hubris, but the hackers at least have the bulk of historical evidence on their side.

      Practicality quickly becomes a straw-man argument. New methods are invented daily; computational methods, mathematical analysis methods, etc., any of which could render a seemingly intractable problem trivial. Problems that would take an incredibly long time to solve using traditional computers take only a few days using a bucket of proteins.

      To assume it will take 6000 years, or even 60 years, to break a 4096-bit key displays far greater hubris, based on historical evidence, than the hacker who claims there is no unhackable system.

      --
      Under capitalism man exploits man. Under communism it's the other way around.
    12. Re:Given enough motivation by rew · · Score: 2

      We don't walk around saying that 10 miles high building cannot be built because we have never built one, do we?

      Right. But we can do the math to prove that materials like concrete and steel don't work for that kind of structure.

      Proper encryption rules state that the adversary knows everything except your keys. In this case we know that the "command structure" is just a bit complex and non-documented. Nothing to do with having to guess at 128 bit encryption keys.

      If you monitor the "normal" traffic to the satellite for a month or so, the command-structure should be pretty clear. Checksums on the packets are also deducible. Then it's easy to send a stream of more or less random commands to the satellite. Chances are it will shoot a couple of random pictures, and then spin off uncontrollably back into the atmosphere.

      That would be quite a bummer, don't you think?

      My recommendation is to have some simple sort of cryptographic authentication. So the groundstation signs "please do XX at t=YY" with a PGP signature. Think for a second to make replay attacks impossible (*). Problem solved.

      Roger.

      (*) I just did: have a 32 bit command counter, and have the satellite only accept increasing command counters. Normal procedure is to send them in sequence. If the satellite misses a bunch you have 2 billion commands to try and get it to listen again. Normally you wouldn't get into the "other half of the universe" within say 100 years.
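
The counter scheme in the comment above, as an added example that is not part of the original thread. It substitutes an HMAC-SHA256 tag under a shared key for the PGP signature the poster suggests; the frame layout, key, command strings and the names `sign_command` and `CommandReceiver` are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

COUNTER = struct.Struct(">I")   # 32-bit big-endian command counter
TAG_LEN = 16                    # truncated HMAC-SHA256 tag (assumed length)
HALF_SPACE = 1 << 31            # the "2 billion commands" forward window


def _tag(key: bytes, body: bytes) -> bytes:
    return hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]


def sign_command(key: bytes, counter: int, command: bytes) -> bytes:
    """Ground station: build counter || command || tag (hypothetical layout)."""
    body = COUNTER.pack(counter & 0xFFFFFFFF) + command
    return body + _tag(key, body)


class CommandReceiver:
    """Spacecraft side: accept only authentic commands with a newer counter."""

    def __init__(self, key: bytes, last_counter: int = 0):
        self.key = key
        self.last = last_counter

    def accept(self, frame: bytes):
        """Return the command bytes, or None if the frame is rejected."""
        if len(frame) < COUNTER.size + TAG_LEN:
            return None
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        # Check the tag first, in constant time, so a forged frame can never
        # advance the counter and lock the real ground station out.
        if not hmac.compare_digest(tag, _tag(self.key, body)):
            return None
        (counter,) = COUNTER.unpack_from(body)
        # Distance ahead of the last accepted counter, modulo 2**32. Zero is a
        # replay; anything in the far half of the space counts as "behind".
        ahead = (counter - self.last) & 0xFFFFFFFF
        if ahead == 0 or ahead >= HALF_SPACE:
            return None
        self.last = counter
        return body[COUNTER.size:]


def demo():
    key = bytes(range(32))                      # constructed demo key
    sat = CommandReceiver(key)
    first = sign_command(key, 1, b"POINT 12.5 -3.0")   # constructed commands
    later = sign_command(key, 5, b"EXPOSE 30")         # counters 2-4 were lost
    stale = sign_command(key, 3, b"EXPOSE 10")         # shows up after 5
    forged = sign_command(b"\x00" * 32, 6, b"SPIN 999")  # sender lacks the key
    tampered = bytearray(sign_command(key, 6, b"EXPOSE 30"))
    tampered[COUNTER.size + 7] ^= 0x01                 # one command bit flipped

    results = {}
    results["first"] = sat.accept(first)
    results["replay"] = sat.accept(first)        # recorded and sent again
    results["skipped_ahead"] = sat.accept(later)
    results["stale"] = sat.accept(stale)
    results["forged"] = sat.accept(forged)
    results["tampered"] = sat.accept(bytes(tampered))

    # Counter wrap-around: 2 is four steps ahead of 0xFFFFFFFE modulo 2**32.
    old_sat = CommandReceiver(key, last_counter=0xFFFFFFFE)
    results["wrapped"] = old_sat.accept(sign_command(key, 2, b"NOOP"))
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:14} {outcome!r}")
```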

    13. Re:Given enough motivation by Mr.+Slippery · · Score: 2
      It is possible to make a black hole. The ability to "unmake" one is left as an exercise for the student.

      One need only wait. They unmake themselves. (You just may have to wait a very, very, very long time...)

      --
      Tom Swiss | the infamous tms | my blog
      You cannot wash away blood with blood
    14. Re:Given enough motivation by mpe · · Score: 2

      I had an MCSE teacher tell the class I was in, that encryption wasn't good because any crypto algorithm could be cracked if the design is known

      A good encryption algorithm is one where knowing the algorithm isn't much help with cryptanalysis...

      I wanted to challenge him on the practicalities of it (but I hate always being the arsehole in classes who corrects the teacher). I mean sure, learn the algorithm and brute force the output, but what about the practicality? What if it is an algorithm that is strong enough to realise the full range of a 4096 bit key? How many hundreds of years is it going to take to brute force crack it with the combined effort of all the computers that will ever exist on Earth?

      In which case you don't bother trying to break the encryption but instead look at other parts of the system or other ways of getting the data you want to obtain.

    15. Re:Given enough motivation by mpe · · Score: 2

      As any crypto expert will tell you, brute force attacks are the absolute worst way to defeat encryption. It's far easier to steal the key or torture it out of someone.

      Or for that matter find some way to obtain the cleartext, either before encryption or after decryption.

    16. Re:Given enough motivation by mpe · · Score: 2

      In this particular instance they could, if they really wanted to, design and build and launch another satellite which sat next to the target one and snooped all the traffic in both directions

      You don't need anything so complex or expensive. An aircraft could probably manage to get both sides. Or the combination of a groundstation and a set of satellites in a different (higher) orbit.

    17. Re:Given enough motivation by MarkusQ · · Score: 2
      Here's one:

      10 do while inkey$ = ""
      20 loop
      30 print "You can't hack me, f00l!!!"
      40 goto 10

      Thus proving the point; I would bet that most actual implementations of this would fall to a "random control character" attack (e.g., ^C, ^Z, etc.).

      -- MarkusQ

    18. Re:Given enough motivation by drrobin_ · · Score: 2, Insightful

      Bah, I defy you to hack into this program, when it's connected to inetd with some load balancing and forking limits:

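      #include <stdio.h>

      int main(void)
      {
          int i, c;
          /* Echo at most ten characters from stdin; stop early at EOF. */
          for (i = 0; i < 10 && (c = getchar()) != EOF; i++)
              putchar(c);
          return 0;
      }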

      Care to hack it? Har. Can't be done. Why?

      A hack requires an exploitable flaw in a program. The above program does one thing: Reads ten characters from STDIN (stopping at EOF if it shows up early), and puts them on STDOUT. Nothing to exploit. Nada. Zilch.

      Sorry to blast the myth, but sometimes slashdot (and its moderators) need a whacking with the clue stick.

      --
      to accept the praise of personal wisdom is an affront to the very ideal i hold dear.
    19. Re:Given enough motivation by GunFodder · · Score: 2

      Why would anyone want to hack your toy program? And for that matter the difficulty of unmaking a black hole is probably linked to the fact that a black hole would be extremely difficult to control even by the maker.

      There is a direct relationship between the hackability and the usefulness of a program. Take tar for example. I suspect that very few people use it for creating tape archives. But it is still useful because it is flexible enough to suit other purposes. And what is a hack but using stuff for "other" purposes?

    20. Re:Given enough motivation by DerekLyons · · Score: 2
      We rely ... technology (most crackers don't have access to a huge radio antenna with which to transmit)

      I don't personally, but one of the many research institutions working through my University has one on a roof of a building on campus. A little wall scaling to bypass a locked door, and I could be playing around with it to my heart's content in a matter of minutes.
      Is that playing with the antenna or the transmitter? One is of little use without the other.
    21. Re:Given enough motivation by liquidsin · · Score: 2

      If you spend enough time securing a program, it can be provably secure. That this isn't feasible does not mean it's not possible.

      Indeed, and by disproving my theory that everything is "hackable", you've "hacked" my theory, thus proving it. Wrap your head around THAT!

      Seriously, I wouldn't normally want to make such a broad statement as "all things are hackable" (I use "hack" and not "crack", since I'm not just talking about damaging systems here...) but for the sake of this discussion, it's as near to truth as you can get. When you start working with things like a satellite system, you've got too much software / hardware to juggle. You're right: it's simply not feasible to test every single snippet of code. Add to that the possibility that someone on your team will sell you out for cash (social engineering can be a hack too, I suppose...) and there will always be a way in on a project of this size. It just needs to be found. Maybe nobody will ever hack your little program, but what about inetd? Or the machine hosting it? Or break into the building housing the server and take a hammer to it? A satellite is much more important than what you wrote (no insult intended ;) and some people would do whatever it took to get at it. When it's security to that magnitude, all avenues must be considered. And somewhere on one of those roads, there's a door.

      --
      do not read this line twice.
    22. Re:Given enough motivation by Andy+Dodd · · Score: 2

      Not in this case... As you'd have to be NORAD to figure out with enough detail what the results of a given command are.

      --
      retrorocket.o not found, launch anyway?
    23. Re:Given enough motivation by shepd · · Score: 2

      An unhackable system cannot be designed simply because (to be useful to us) at some point the system must be controlled by us.

      If the hackers can't hack the equipment, they will simply socially engineer themselves into a position to use it.

      The only unhackable system is one contained entirely in 10 ft. thick of diamond. But then, how could it be used?

      There's the dilemma. As long as there's a human involved, you can't win. That human can be tricked, and then no matter how much security you have you are screwed.

      For example, an OTP is crackable if you can convince one of the two parties that you are on their side.

      --
      If you could be told what you can see or read, then it follows that you could be told what to say or think - BoC
  2. In a related story: by GigsVT · · Score: 2, Insightful

    I forgot to lock the vault at the bank I manage, and no one is there right now!

    Limited time offer!

    --
    I've had enough abrasive sigs. Kittens are cute and fuzzy.
  3. I loved the way that Cliff phrased that by Bandman · · Score: 3, Insightful

    Did the
    "...this is a lesson that teridon wants his company to learn."
    sound like a veiled threat to anyone else? :)

    Maybe it's the pre-caffeine stage.

    1. Re:I loved the way that Cliff phrased that by Tha_Zanthrax · · Score: 2, Insightful

      I really wonder if this guy works for the company he says he works for. My guess is they just fired him...

  4. I assume the run of the mill reply to this is... by cscx · · Score: 2, Troll

    "Make publicly available all the source code and documentation of the satellite's protocols. Then the entire Open Source community can have any and all bugs fixed in under 2 hours. Also, by making it Open Source, bugs in the code that would make it vulnerable to cracking can be found more quickly, and thus sealed up. The idea that all your protocols should be classified and confidential is ludicrous. Just look at Microsoft, they close their stuff up and look at all the holes in their software! You must release everything to the public."

  5. here's an idea... by turbine216 · · Score: 5, Funny

    ...this might sound obvious to some, but maybe if you need to ask this type of question, you shouldn't be in charge of securing a satellite...

    Just a thought.

    1. Re:here's an idea... by Amarok.Org · · Score: 5, Interesting

      That's probably a bit harsh. You're probably right, but...

      He didn't say that he had no idea where to start, nor did he say that this was his only source of information on the issue.

      Having done security work in the past, I'd often solicit the advice of other security experts (ok, so maybe Slashdot isn't the place to ask) to see what directions they'd go.

      If I prefaced my questions with what *I* thought was important or the Right Way (tm), that could color the thought processes of my resource(s). By keeping my ideas to myself (at least early in the process), I could get their objective opinion, perhaps with ideas that I'd not previously considered.

      Just my $.05 (inflation, you know).

      - Dave

      --
      -- "Other than that, how was the play Mrs. Lincoln?"
    2. Re:here's an idea... by ruvreve · · Score: 2, Insightful

      I don't think by asking this question he should be deemed unworthy of securing satellites, instead you should consider it going the extra mile by asking several million? nerds how they would approach the situation. Now if he relied on /. as his primary tool for the successful completion of his job related duties then I think I want his job.

    3. Re:here's an idea... by lucifuge31337 · · Score: 2, Insightful

      The biggest problem I have with this is that he asks what multiple transmitters hitting the receiver of the satellite will do. Not only is that obvious to those who know the RF design of that particular satellite, but it also follows that their engineers already know this information. The question is being asked in the wrong place.

      --
      Do not fold, spindle or mutilate.
    4. Re:here's an idea... by DerekLyons · · Score: 2

      I don't think by asking this question he should be deemed unworthy of securing satellites, instead you should consider it going the extra mile by asking several million? nerds how they would approach the situation.

      How is this 'going the extra mile'? The responses so far indicate that even the fraction of /. users that have responded are largely clueless about the issues involved. Being a nerd does not mean omnicompetence, nor even the possession of an informed opinion.

  6. May have military use... by maroberts · · Score: 5, Interesting

    ..especially if the hacked science satellite had enough manoeuvring fuel to be used to crash into a GPS or military satellite.

    Satellites are getting larger: if the satellite was sufficiently large to enable large lumps to reenter and you could predict reentry then you could attempt to use it as a missile, but this is obviously a very hit and miss affair.

    In the light of September 11 I don't think you should assume that civilian targets (or civilian satellites) will be left alone by a terrorist.

    --

    Donte Alistair Anderson Roberts - hi son!
    Karma: Chameleon

    1. Re:May have military use... by brocheck · · Score: 2, Informative
      The feasibility of retasking a hijacked satellite onto a collision course with a target is small, but in the right circumstances possible. Keep in mind that the satellites have a very limited maneuverability and retasking in itself is very rare. Fuel is also very limited (which is why retasking is such a loathed task in the satellite industry, it costs hundreds of thousands of dollars.) It might be possible to create a new orbit where the sat 'runs into' another. But considering GPS and mil sats, there are tons of redundancy in these systems.


      The availability of the large R/F transmitters would also be a large hurdle (it would not be possible to make an FM/AM radio station into the ranges). However, I'm just kinda startled that various security methods (encryption, basically) weren't designed into the satellites. Satellites are HUGE investments. It boggles the mind how much they cost to produce and send into space. Kind of quirky to leave it to closed protocols alone to protect such an investment.


      Conclusion: highly unlikely, but possible.

      --

      suddenly I feel very tired

    2. Re:May have military use... by Merlin42 · · Score: 3, Interesting

      I think mostly this is because computational resources are _VERY_ limited on a satellite. Most sats use a space hardened 8086 or similar. Only the huge projects get any computational power (eg iirc hubble has a 486). And of course better CPUs or specialized encryption hardware would eat precious power. I have not personally worked on a satellite, but have sat in the back of a couple of design reviews for a satellite and seen people fight over tiny fractions of a watt.

    3. Re:May have military use... by Tom7 · · Score: 2

      Yes, and don't forget the playing field is many times larger than the surface of the earth. It would make a good spy story or action movie, but I don't think it's very reasonable in practice. (Also, remember how much trouble it was to bring down Mir in the right area? It would also be non-trivial to bring one of these down in a city...)

    4. Re:May have military use... by geekoid · · Score: 2

      but this is obviously a very hit and miss affair.
      Not really. If you know all the pertinent numbers, it's actually not that difficult to be reasonably accurate.
      ICBMs are not aimed at the ground, they're aimed at a point in the sky, then they fall to the ground. Same principle.

      --
      The Kruger Dunning explains most post on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
    5. Re:May have military use... by pdqlamb · · Score: 2

      I think one reason so many satellites have so little computing power is the length of time it takes to build and launch one. Remember, these are all custom electronics; so you take the best chip available, and build around that. Five years to design, build, and launch a bird is fairly reasonable. (Space qualification and integration into the launch vehicles can easily take a year of that!) Then they may stay up there for another 5-15 years.

      Keep in mind that most commercial processors might last a week or two, so you have to qualify or harden what you put up there. IIRC, there are hardening programs now for the PowerPC chips (650 and 670s) and a Pentium; seems Intel doesn't want to sell its intellectual property until it's wrung what it can out of the commercial market.

      I've heard Iridium was powered by 68000s, probably because of the hardening lag. If the Hubble has a 486, it was almost certainly an upgrade! Hubble's launch schedule was delayed because of the Challenger explosion. Fifteen years ago, I wanted a 80286 and had heard Intel might release a new 80386 in another year or two. So it probably went into orbit with something like a Z80.

    6. Re:May have military use... by MrResistor · · Score: 2
      What is the computational power for? If it's for mechanical systems control then even a Z80 is probably 10x the computer you need. "Fire attitude control jet 3 for 2 seconds" requires a minuscule amount of computational power.

      In 2000 I was working for a company that made high-end digital video equipment, and I was shocked to discover that the system I was working on only had Pentium-2's (233MHz, IIRC), but then I realized that all the CPU was doing was presenting the UI and all the real work was being done with specialised hardware (like the realtime MPEG encoders that cost $13k each). If the UI wasn't written to run on top of Windows NT they probably could have gotten away with a Pentium, or maybe even a 486.

      Now I design automated manufacturing systems and even a 486 would be ludicrously powerful for our applications. A simple ladder-logic PLC works fine, and even a mechanical engineer can program and debug a system in under a week.

      My point is, for systems control CPU power is largely irrelevant. In a well designed system the work is offloaded to specialised hardware that can do the job much more efficiently, and the CPU just sits there saying "hey you, do this". The only reason I can think of for Hubble to have a 486 is for address space to buffer images.

      --
      Under capitalism man exploits man. Under communism it's the other way around.
    7. Re:May have military use... by ReelOddeeo · · Score: 2

      How likely it is that you can crash a sat into a target (ground or other sat) is irrelevant. I agree. You probably can't bring down a sat onto a specific target, such as the MS campus.

      What I haven't seen posted here yet is what the human reaction would be in the population. Imagine the terror this would cause. Everyone would be afraid of a sat coming down on their head. Can you see daytime talk shows telling people not to go outside, and other such nonsense.

      Just look at what the reaction to anthrax was. That was not even militarily significant and look at the fallout. Just like Iraq's scud missiles during the 1991 gulf war. Militarily insignificant, but terrorize the population, and expend significant time/effort talking about it.

      --

      Those who would give up liberty in exchange for security and DRM should switch to Microsoft Palladium!
    8. Re:May have military use... by DerekLyons · · Score: 2

      I think one reason so many satellites have so little computing power is the length of time it takes to build and launch one.

      Another reason is that they don't *need* that much power. A satellite isn't running Quake 2. It's often hard for many to grasp, but substantial tasks can often be easily accomplished with a specialized OS, minimal processor power, and proper programming. (The Strategic Missile Fire Control System used in a Trident Submarine has roughly the computing and I/O power of an 8086 PC.)

    9. Re:May have military use... by DerekLyons · · Score: 2

      ICBM are not aimed at the ground, they're aimed at a point in the sky, then they fall to the ground. Same principle.

      No. They are aimed at a point on the ground, then given enough velocity to reach that point.

      That being said, it's unlikely that a satellite could be used as a weapon to threaten a ground target. Most (99%) satellites won't survive re-entry, and it requires tremendous accuracy in timing and the reentry burn to hit a specific target.

    10. Re:May have military use... by Andy+Dodd · · Score: 2

      5 years is not the case in many satellites... It depends on what the satellite's mission is.

      The original submitter of the article indicated scientific satellites... Some science satellites are 10-cm cubes that are designed in a year by part-time work and have a budget of $30k total.

      See www.cubesat.org

      In this case, the processor is still limited because of the power issue - I'm becoming involved in a CubeSat project at school (Designing the communications hardware), and they're using a standard embedded system board.

      --
      retrorocket.o not found, launch anyway?
    11. Re:May have military use... by Andy+Dodd · · Score: 2

      Exactly... But for a LEO sat with its comm systems in the GHz range, the system could be pretty stealthy... And hard to RDF, if the antenna was designed properly (little to no energy going anywhere but up)

      The equipment needed for EME (I know a guy with an antenna half the size of his house and it's not enough) is far more than what would be needed for screwing around with a LEO sat.

      --
      retrorocket.o not found, launch anyway?
  7. Experts by Anonymous Coward · · Score: 2, Funny

    Oohh boy, here's an article that's just begging for "expert" slashdot advice.

    "While I've never actually worked on a satellite system, I did hack encryption into my walkie-talkies when I was 8..."

  8. EEP! The sky is falling! by rmadmin · · Score: 2, Informative

    I don't like the idea of some big freaking satellite bombing down on my apartment, so here's my input.

    I like the idea of encryption. It will turn away most of the little script kiddies, but then again so does obscurity for the most part.

    most crackers don't have access to a huge radio antenna with which to transmit

    Never Underestimate!!! I don't know much about RF communications with satellites, or how powerful it has to be or whatnot, but I'm pretty sure if someone was determined enough, they could hack something together. Or if they work at a radio station in a small town that goes off air at night. *shrugs* who knows.

    Obscurity is a great thing in some cases, but I don't think it comes anywhere close to actual good security. Then add confidentiality to it, and awesome physical security, and you're in the right direction.
    Just my small view on it.

    1. Re:EEP! The sky is falling! by Twylite · · Score: 2

      In my (limited) experience with crackers, the ones that are actually breaking protocols (rather than running scripts) tend to be older and with good resources ... typically high school or undergrad.

      In either of these positions (but esp. undergrad in elec.eng or similar) such folk are likely to have access (or be able to access without too much trouble) school or university facilities. Certainly most of the universities here have some fairly powerful transmitters available.

      Anyone listening in on the command streams and watching intently enough will be able to piece together the protocol in time ... by experimenting they risk damaging things but can speed up the process.

      --
      i-name =twylite [http://public.xdi.org/=twylite], see idcommons.net
  9. A couple of ideas by Neorej · · Score: 2, Interesting

    Obscurity doesn't work. Internet seems to know everything, or know someone who does, it's strange but true.

    Where I work we rely on a couple of things for security and they seem to work pretty well, I've been working here for nearly 5 years and I can't remember we ever got cracked.

    1. SSH
    2. Identity keys and passphrases along with 1.
    3. IP filtering, you have to be on an IP in our network before you can reach any critical servers.

    If you couple this with a private network I don't see any real threats to the network, unless some kid builds a nuclear powered high frequency mega super radio antenna thingy in his backyard to send the whole thing crashing down to Tora Bora.

    --
    -- Si hoc legere scis nimium eruditionis habes.
    1. Re:A couple of ideas by nomadic · · Score: 2

      Obscurity doesn't work.

      It doesn't? Maybe it does work, but you just don't know about it.

      The first step in shutting down a satellite via hacking is to submit a story on slashdot pointing out the security holes, thus planting the idea in a lot of peoples' heads. And no, the script kiddies aren't the only ones who do this sort of stuff. As much as people don't want to hear it, there are plenty of morally bankrupt but tech-savvy people who know what they're doing, and have the mentality of teenage vandals.

  10. Go with the new standard, worth hacking by f00zbll · · Score: 5, Interesting
    If you want to know if hackers will find it interesting, the answer is yes. I grew up around hackers and crackers and both would be interested for several reasons. The biggest one is because they can and they have time. I know plenty of teenagers who know 4+ languages including assembly and know more at 13 than I did at 22. I'm not embarrassed to admit it, since these kids are smart. Some are misguided, but most stop at 18. I have first hand experience with friends who hacked and got caught by the FBI and crackers are determined to get in.

    Just to give you an idea, some crackers during the BB era in southern california were stealing credit cards to buy commercial software, then sold cracked versions to the largest BB in southern CA. They were eventually caught and the FBI took away all the computers. All of them were under-aged, so they didn't do any time. All of them were interested in science, so they would definitely be interested in what your satellite is sending. More interesting is getting control of your satellite.

    Also, remember that crackers tend to have parents who have technical careers, but no time to watch their kids. Hackers and crackers have a lot of time, brains and energy to burn. With all the articles recently about amateur and college programs building their own satellites, it will become a bigger concern. As kids get more technically advanced at a younger age, more systems will get compromised. It's a fact of life.

    1. Re:Go with the new standard, worth hacking by dattaway · · Score: 2

      They don't have the power to transmit? Oh boy, used microwave components from the magnetron in the microwave to surplus TWT tubes are mighty easy to get. Any pre-teen can transmit a few kilowatts throughout the microwave spectrum with a high voltage transformer, a capacitor, and a tube. Bonus points for modulating it with a simple amplifier.

      Hard to do? This stuff is laying around, everywhere. It just takes some imagination, wires to hook it up, and an afternoon of fun.

    2. Re:Go with the new standard, worth hacking by f00zbll · · Score: 2

      I didn't think geeks get out enough to go to bed and breakfast. I guess I deserved that one for not saying bulletin boards. But then again those who actually know that stuff wouldn't bother asking. :P

  11. PKI by Hard_Code · · Score: 2

    The simplest system for ensuring that two entities are talking to each other, without a complex system involving third parties, seems to me to be PKI. Just embed a private key in hardware on the satellite (or perhaps several) and then use PKI as normal. This key never leaves the satellite so the risk of being "hacked" is equivalent to cracking PKI. This of course could be strengthened (or weakened??) by coupling with precise data only known through obscure methods involving lots of precise scientific hardware, e.g. stuff the crackers won't have.

    --

    It's 10 PM. Do you know if you're un-American?
    1. Re:PKI by Eimi+Metamorphoumai · · Score: 2
      "If you think cryptography can solve your problem, then you don't understand your problem and you don't understand cryptography." -- Bruce Schneier
      And that goes much stronger for PKI. Do you even know what Public Key Infrastructure means? In this case, just get a good, solid shared secret key. There's no reason for asymmetric keys.
      --

      Visit me on #weirdness on the Galaxynet.

    2. Re:PKI by jmaslak · · Score: 5, Informative

      I do PKI for a living. Actually, in this case, it might not be the right choice.

      Do you really mean PKI or simply Public Key Encryption? Do you actually picture a root certificate authority, subordinate certificate authorities, directories, certificate revocation lists, and authority revocation lists being used to secure a satellite's command & control?

      PKI is a great choice when you have lots of parties that need to randomly communicate with each other. It provides a great key distribution. However, PKI seems like overkill when one (or, at most, two) ground stations will be talking to a satellite. In this case, distributing a shared secret really isn't that difficult - probably much easier than building a PKI network and keeping it secure! Of course it does depend on if you trust your internal computer systems to keep the key private. If you don't, then PKI might solve some of your problems.

      I would suggest a very lightweight approach. Privacy of data is not required for this application, IMHO. Maybe I'm wrong, in which case, you should investigate other options. This sounds like a good case for a MAC (Message Authentication Code). You don't even need to use encryption - just hashing - to do this.

      Basically, each end has a shared secret, "S".

      You have a packet containing data, "D".

      Each packet has a timestamp (to prevent replay attacks) "T".

      All packets consist of: D+T+MD5(D+T+S)
      Of course, you can use some sort of hash besides MD5. You can also program the satellite with a few thousand secrets, which expire every so often - if you give it 100 years of secrets at launch, you should be fine.

      The satellite receives this packet, does the MD5 of D+T+S, and compares the numbers. It doesn't let you use a packet with an old T (T should be very close to the current time and T should be greater than the most recent T).

      This code has the benefit of taking very little memory space compared to a PKI solution. It's also much easier on the uplink/downlink channels.

      The most important thing to remember, though, is that this shared secret has to be kept secret. It should not be used by your normal programmers to write control software. Instead, it should be an external module that runs on a secure box (I.E. no remote administration capabilities, only allows connections via a secure interface, and adds on the MAC as the messages pass through it). If you can afford a satellite, you can afford one secure server! I would definitely investigate commercial encryption devices which add on a MAC using a shared secret - at least on the ground-station end. They of course may function differently than the method I described above, but the basics remain the same.

      Of course all of this has been solved before. ATMs and banks have long needed to authenticate the other end. (ATMs, BTW, do not use public key cryptography, but simply a split key pair - that is, a random string of numbers is one part of the pair and that string XORed with the real key is the other pair - each part is given to a different person who keys it into the ATM separately from the other person - you might also incorporate this type of system). Since this has been solved before, I recommend that you hire some sort of encryption expert to help you (you are NOT looking for a computer security person - chances are you are not running a default install of W2K on your satellite!).

      As for IP, I would think that you would want to ensure there was no way for someone outside the control room to use your equipment to send command and control messages to your satellites! At the very least, this means that the control room should probably have an air-gap between it and the rest of your network. Sure, a little inconvenient, but how much command and control data do you really have to share with people outside that room? Not much most likely - certainly not too much to retype.
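
The packet format jmaslak describes above (D + T + MAC, an old or out-of-order T refused, a table of secrets that expire), as an added example that is not part of the original thread. It uses HMAC-SHA-256 in place of MD5(D+T+S); the 8-byte timestamp field, 30-second window, one-day secret lifetime and all names are assumptions.

```python
import hashlib
import hmac
import struct

TAG_LEN = 32            # HMAC-SHA-256 output size in bytes
MAX_SKEW = 30           # seconds T may differ from the receiver clock (assumed)
EPOCH_SECONDS = 86400   # each preloaded secret is valid for one day (assumed)

# Constructed sample secrets; a real table would be random and loaded before launch.
DEMO_SECRETS = [hashlib.sha256(b"constructed-demo-secret-%d" % i).digest()
                for i in range(3)]


def secret_for(secrets, t):
    """Pick the preloaded secret whose validity period contains time t."""
    index = t // EPOCH_SECONDS
    if not 0 <= index < len(secrets):
        raise ValueError("no secret loaded for this time")
    return secrets[index]


def build_packet(secrets, data, t):
    """Ground side: D + T + MAC(D + T), keyed with the secret valid at T."""
    body = data + struct.pack(">Q", t)      # T is a fixed-width 8-byte field
    tag = hmac.new(secret_for(secrets, t), body, hashlib.sha256).digest()
    return body + tag


class CommandReceiver:
    """Satellite side: verify the MAC first, then freshness and ordering."""

    def __init__(self, secrets):
        self.secrets = secrets
        self.last_t = -1                    # most recent accepted T

    def accept(self, packet, now):
        """Return D if the packet is authentic, fresh and new; otherwise None."""
        if len(packet) < 8 + TAG_LEN:
            return None                     # too short to hold T and a tag
        body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
        data = body[:-8]
        (t,) = struct.unpack(">Q", body[-8:])
        try:
            key = secret_for(self.secrets, t)
        except ValueError:
            return None                     # T outside every secret's lifetime
        expected = hmac.new(key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None                     # forged or corrupted
        if abs(now - t) > MAX_SKEW:
            return None                     # T not close to the current time
        if t <= self.last_t:
            return None                     # replay or out-of-order T
        self.last_t = t                     # only authentic packets advance it
        return data


def demo():
    """Run four constructed packets through one receiver."""
    rx = CommandReceiver(DEMO_SECRETS)
    good = build_packet(DEMO_SECRETS, b"SAFE_MODE_OFF", 1000)
    forged = bytes([good[0] ^ 1]) + good[1:]        # one bit of D altered
    late = build_packet(DEMO_SECRETS, b"SAFE_MODE_OFF", 1001)
    return [
        rx.accept(forged, 1000),    # altered D fails the MAC
        rx.accept(good, 1002),      # authentic and fresh
        rx.accept(good, 1003),      # same packet again: replay
        rx.accept(late, 1100),      # authentic but T is too old
    ]


if __name__ == "__main__":
    print(demo())
```

Because the MAC is checked before `last_t` is updated, a forged packet carrying a far-future T cannot lock out later legitimate commands.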

  12. Security Engineering by FullClip · · Score: 3, Interesting

    I would recommend you to read the book Security Engineering by Ross Anderson.
    It gives you a perspective of security from a lot of different fields.
    If you must secure stuff you have to think like an alien.
    If people who were supposed to control the Defense satellites
    in Britain had thought like an alien, none of their satellites
    would have been hijacked,
    but that story seems to be untrue :).
    Anyway, secure your babies.

  13. Forget reverse engineering -- who's quit lately? by pointym5 · · Score: 5, Insightful

    Definitely assume that anybody you really don't want knowing your command structures will know them. Do you keep the documentation (or source code) in a locked vault with genuine security (not just "don't tell anybody where the vault is")? Do you have strong entry/exit security (can you take an 8mm tape home with nobody noticing)? Are your internal machines firewalled completely from the public Internet? Most importantly, how much do you trust the people who know how it works? Are you sure none of them wouldn't sell information for a few tens of thousands of dollars (or sex)?

  14. Complete security by ThePurpleBuffalo · · Score: 4, Informative

    Complete security is impossible. If someone wants access, they will eventually get it.

    The most secure authentication scheme I've seen in a while is talked about in great detail here:
    http://www.rsasecurity.com/products/securid/hardware_token.html

    The idea is that if you need a physical token, and some knowledge to authenticate, you have added another level of security. These tokens are (from my understanding) REALLY hard to reverse engineer. They generate a number (that looks random, but isn't) every minute. On the other side of the connection, the same pseudo-random number is generated. If they match at authentication time, you get access, if they don't, try again.

    The other thing you were wondering about was DOS attacks. Go read this article on GRC:
    http://grc.com/dos/intro.htm
    It boils down to this: if it's distributed there is little you can do.

    On the flip side, since these signals would require massive antennae, you can triangulate the source in a matter of seconds, and send some guys (cops, navy, army, etc) over to shut them down.

    Either way it goes, this is an interesting problem. Keep us posted with the results.

    Beware TPB

    1. Re:Complete security by radish · · Score: 2


      My understanding is that this "problem" is primarily for communications between trusted computers - i.e. base station to bird, and making sure that neither (particularly the base station) could be impersonated. In this case SecurID isn't really appropriate - it's great for dialin (most big companies use it for this) and for authenticating _people_, but I don't imagine you want each controller to have to authenticate him/herself directly with the bird. There are plenty of hardware based heavy encryption devices around, I think IBM make some. Basically a custom chip and some eeprom encased in polymer, along with some tamper-detection sensors. Encrypt the whole stream (or just the commands themselves) with a shared-secret key algorithm (don't bother with public key) and bung one of these hardware units at each end. Voila ;-) Easily better security than the ATM networks, and no-one has (publicly) cracked those yet.

      Oh and take EVERYTHING you read at grc.com with a pinch of salt. Or better yet don't read anything at grc.com. Still, he is right when he says that anything internet based is liable to DOS, it's the way routing works. Until someone comes up with a clever way to fix it..

      --

      ---- Den ene knappen er powerknapp, den andre er Bender voice knapp "Bite My Shiny Metal Ass"

    2. Re:Complete security by Phil+Wherry · · Score: 2

      The SecurID tokens work pretty well; they represent a nice balance of security and ease of use for the inexperienced user. The server software is a hulking piece of difficult-to-manage bloatware (it was when I last used it two years ago, in any case), but it's generally being installed and used by experienced folks.

      The cards themselves have some tamperproofing that protects them from casual disassembly, but it doesn't look like something that's designed to withstand a determined attack. I think it'd be much harder, though, to access the internals of the card in a way that wouldn't leave obvious visible evidence of tampering--I'm guessing this was the design goal, not total tamperproofing.

      The algorithm used by the cards isn't something that RSA publishes, but it's been out in the open for a while now.

      The cards are each preloaded with a secret key, which is also loaded onto the SecurID server that does the authentication. Without the secret key, the algorithm doesn't do you that much good so long as it isn't easily possible to derive the secret key from a sequence of the displayed number. The jury is still out as to whether this is possible. But assuming there aren't obvious holes in the algorithm, one has to obtain the keying material from the server (where it's presumably closely guarded) or from the physical token itself. Doing the latter would require theft of the token or tampering in a way that would be obvious to the user.

    3. Re:Complete security by pclminion · · Score: 2
      On the flip side, since these signals would require massive antennae, you can triangulate the source in a matter of seconds, and send some guys (cops, navy, army, etc) over to shut them down.

      Actually it wouldn't be quite so simple. A directional antenna doesn't spill much, and a good directional antenna hardly spills at all. Remember, the radio beam is directed into space, not overland. Triangulation is used for locating omnidirectional point sources, not small-angle beams.

      I suppose they might be able to work with the signal reflected from the ionosphere, but it would be very weak, phase shifted out of recognition, polarized out of recognition, etc. It certainly wouldn't be easy, and perhaps impossible.

    4. Re:Complete security by geekoid · · Score: 2

      Complete security is impossible.
      Not so, I have seen completely secure military installations.
      I don't care what you see on TV, Nobody without authorization can get in.
      and no, you can get authorization without an extensive check that includes checking fingerprints and a face to face with the security officer, and a photo taken AT that time to use as reference each time you want authorization.
      Also there's the fact that if you don't ID yourself before entering no man zone (a long white hallway) they'll shoot you. but that last part might be difficult to do with a non-military control center.
      so it's not Complete security is impossible
      it's "Complete security that's convenient is impossible"

      --
      The Kruger Dunning explains most post on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
    5. Re:Complete security by JWhitlock · · Score: 2
      Not so, I have seen completely secure military installations. I don't care what you see on TV, Nobody without authorization can get in. and no, you can get authorization without an extensive check that includes checking fingerprints and a face to face with the security officer, and a photo taken AT that time to use as reference each time you want authorization. Also there's the fact that if you don't ID yourself before entering no man zone (a long white hallway) they'll shoot you. but that last part might be difficult to do with a non-military control center.

      Just out of curiosity, what security checks do the janitors go through? Repair personnel? What if there is a fire? Are there security-cleared firemen?

    6. Re:Complete security by DerekLyons · · Score: 2

      Just out of curiosity, what security checks do the janitors go through? Repair personnel? What if there is a fire? Are there security-cleared firemen?

      *Everyone* who works in a secure (military) facility goes through the same security checks. And yes, there are sometimes security-cleared firemen.

    7. Re:Complete security by Rupert · · Score: 2

      That is not complete security. All an attacker would need is one more disposable person than you have bullets.

      Also remember that the most prominent spies in recent US history have had very high levels of security clearance. You might be able to stop spies coming in, but you can't stop the people already on the inside becoming spies.

      --

      --
      E_NOSIG
  15. Security or authentication? by DaveHowe · · Score: 2
    Not sure what the requirements here are - but it seems you are more concerned with correctly authenticating a command to the satellite than concealing the content of the commands.

    If that is the case, then you really only need to change the format slightly to include timestamped (or sequentially numbered), signed messages rather than unauthenticated ones (timestamps to prevent simple retransmission of commands as a "cut and paste" control system). There are plenty of PK signature solutions out there - but I assume uploading a new program may be a problem - debugging would be a nightmare ;)

    --
    -=DaveHowe=-
  16. Signatures? by Waffle+Iron · · Score: 2
    I'm assuming you're worried about satellites already in orbit. If their software can be modified by upload, how about at least adding a routine to check a digital signature appended to each command packet. That could help prevent some script kiddie with a hacked DSS dish from rooting your spacecraft.

    As for new satellites under design, just encrypt the channel, stupid! It's not like it's rocket science or anything.

  17. the very fact that you told us how you already... by synchrostart · · Score: 2, Insightful

    ...secure your satellite systems is a huge security breach. You just told us you don't use encryption and that to attempt communication you need a radio antenna. Some people do have access to radio antennas. Heck they aren't that hard to build yourself anyhow, there are specific books and internet articles on them. Pick up most books on HAM radio antennas and they at least mention it. So given some time and effort could someone exploit your satellites and crash them into another one?

  18. issue 1 by nusuth · · Score: 2
    yes, they can prevent you from commanding the sat iff they can track and transmit to it from somewhere near your base. I'm not aware of any non-directed sat antennas, but then again I'm not an expert either.

    In general case any single channel signal can be drowned with another signal at the same freq. and with a comparable power.

    --

    Gentlemen, you can't fight in here, this is the War Room!

  19. Sat Security by Mr.+Buckaroo · · Score: 2, Interesting

    General comments:
    This type of question is probably best not asked here.

    I highly suspect you are whom you say:
    1) Why ask questions about such a sensitive issue here in such a loose and public forum
    2) If your company does indeed control multiple satellites, why do you not have answers to such simple questions as # 1? I would expect you would contact one of your own engineers.
    3) This list could go on for quite a while.

    I apologize if I'm wrong about the above, but I tend to suspect this is a dupe post by someone either interested in hacking a network or interested in getting people together to hack sat's.

    Questions:
    1) This would depend to some degree on the com hardware on the bird. Signal jamming is a quite known property of emf communications.

    2) Yes. People have deciphered far harder things than an ordered (probably) control protocol.

    3) I didn't look at the protocol yet. Yes, folks will want to hack it though. Sat's are l337 d00d.

  20. Remember HBO? by millwood · · Score: 5, Informative

    Many years ago HBO's satellite was overtaken for a few hours by someone in the "northwest quadrant" of the continental US. My electronics teacher at the time told me that most satellites would lock into the strongest signal being transmitted to them, and that most control centers used the least amount of power to get a lock-in. So apparently this guy just used a stronger signal than they were using.

    As for hacking the command set? You better believe it. Get four engineers and a large blackboard and you might be amazed at how useless "security through obscurity" really is.

    --

    "Hello, World", 17 errors, 31 warnings
    1. Re:Remember HBO? by RobNich · · Score: 4, Interesting

      I believe you are referring to Captain Midnight. I found the story through google, but the site (textfiles.fisher.hu) is down.

      Captain Midnight was an employee of a satellite uplink station. He was angry about the impending scrambling of HBO's satellite signals (he was a satellite dish dealer as well). He aimed a transmitter at HBO's satellite and transmitted a total of 2 or 3 seconds. One or two weeks later he did the same thing, this time with text on the transmitted screen instead of only a test pattern. He identified himself as Captain Midnight and expressed his anger (I forget what he had typed).

      In the story (written by the man himself) that I read online a year or so ago, he mentions that the reason it took over was that it was a stronger signal than HBO's ground station.

      ----

      On topic, as far as determining the command set, don't forget that everybody can monitor the communication to/from the satellite. A few thoughts, though:
      - Is the frequency set in stone? Frequency hopping, split spectrum, etc. Is there a government body that may keep the frequency or range on file, such as the FCC?
      - If using encryption, I would recommend an open standard, so that all the bugs have been hammered out.
      - Rotate keys and use a large set of keys to make it more difficult to crack.
      - Always fill data packets with white 'noise' so that all data packets are the same or random sizes. This makes it more difficult to crack, since they never know what is real data and what is junk.

      These are standard techniques of course, so I'm sure that teridon has thought of them. But I find this subject quite interesting and want to show how much I know.

      On top of all of the above, physical security is indispensable. You might even come up with creative ways to keep each technician from holding all keys, and require multiple techs to do a certain task, since each provides a set of critical data or algorithms. These are also (I assume) standard practice for at least military-grade operations.

      --
      Hello little man. I will destroy you!
  21. Requirements we had on small science satellite by braddock · · Score: 5, Interesting

    Military and commercial birds often employ encryption on both the uplink and the downlink. However, it seems that none of the science-oriented satellites my company operates do this.

    Wow, really? (imagine how many /.ers are ebay bidding on dishes right now....)

    As an undergraduate I worked on a small student-built scientific satellite, and even though the satellite barely had any need of an uplink, I seem to recall we still required strong command authentication, and that we also required the ability to be able to turn off the satellite transmitter and receiver in certain regions of the world, and that these requirements came straight from the DoD. My understanding is that we had to be prepared to respond to certain possible DoD advisories. In fact we probably would have done away with the uplink except for them.

    The transmitter turn-off requirement was apparently so that rogue states could not use the bird for navigation purposes or possible sensing.

    Now the advising engineers on this project came from a lab (JHU APL) that does a TON of military birds, so it's very possible they were just imposing good practice on us. Maybe someone in the know could tell us more.

    --Braddock Gaskill

  22. Oh Great.... by mlknowle · · Score: 2

    You have just unveiled a great new target for all the script kiddies out there...

    "Hey man, lets go hack a satalight and use it to spy on GIRLS!"

    "What, do you think I can access it with my 802.11 Airport?"

    "We could crash it into the Whithouse like in that movie!"

  23. Zap 'em a virus... by karot · · Score: 2

    I saw Independence Day - I know just how easily "they" can upload a virus to an orbital device :-)

    --
    Enjoy Y2K? Roll-on Year 2037!
  24. Physical security is the best anyway... by MosesJones · · Score: 3, Informative


    Military Sats use encryption for two reasons, one to make sure they can't be cracked, two to make sure they can't be listened to. The second is the more important. As long as the command sequence to the sat is tied to a physical device (which I'd hope at the very least) then you're fine as long as you don't get invaded.

    The easiest way to secure these systems is to ensure that there is a closed VPN which is tied to two devices, one on the sat, one on the ground. Redundant nodes come into play but it's again only the physical that matters.

    It takes a hell of a rich hacker to set up the transmission equipment to crack a satellite, and then the sat should just be saying "who are you ?" standard H/W ident stuff should block them off.

    Physical rules, if you aren't using H/W paired security then its very worrying as its very simple to do and very standard (I assume it is as anyone with half a brain is going to do that) from then on its just a matter of how important is the information and does it need to be encrypted as listening is miles easier than transmitting.

    --
    An Eye for an Eye will make the whole world blind - Gandhi
    1. Re:Physical security is the best anyway... by MeNeXT · · Score: 2
      How can you have H/W ident stuff when you have no physical connection? H/W ident stuff could be emulated.

      --
      DRM? No thanks, I'll just get it somewhere else...
    2. Re:Physical security is the best anyway... by haruharaharu · · Score: 2

      How can you have H/W ident stuff when you have no physical connection?

      Sure could, but how are you going to get the keys? The great thing about HW ident stuff is that the secret key is in the hardware and never leaves. Trying to get it out is likely to destroy the device.

      --
      Reboot macht Frei.
    3. Re:Physical security is the best anyway... by liquidsin · · Score: 2

      How much more physically secure can you get?!?! The thing's in outer-fucking-space!!!

      --
      do not read this line twice.
    4. Re:Physical security is the best anyway... by Bronster · · Score: 2

      The easiest way to secure these systems is to ensure that there is a closed VPN which is tied to two devices, one on the sat, one on the ground. Redundant nodes come into play but its again only the physical that matters.

      Sure, redundant nodes are essential. How stupid would you feel (and how quickly would you be fired) if a box on the ground died for whatever reason (hardware failure, fire, someone tossed the wrong box) and you couldn't control the bird any more?

      So - as a social engineering sort of hacker, probably the easier goal is to go for one of these backup devices - especially since it's less likely they'll notice it's gone (hard to hide the fact that the primary box is off-line!)

      Of course a sensible shop will have secured the backups in a vault somewhere - and I don't even need to mention proper authentication procedures for _removing_ this thing from the vault - so I can't turn up with a stolen uniform pinched at the cleaners and lift it.

    5. Re:Physical security is the best anyway... by MosesJones · · Score: 2


      Unique key stuff, two pieces of hardware driven off the same algorithm with the same base, odds of matching it are practically zero. Physical connection isn't required; it's about the integrity of the two devices.

      --
      An Eye for an Eye will make the whole world blind - Gandhi
    6. Re:Physical security is the best anyway... by MosesJones · · Score: 2


      Err, the normal configuration is to have all nodes in a redundant loop so there isn't a single point of failure. But you bet it will be noticed if the number of nodes in the ring goes down by one.

      Big flashing lights

      --
      An Eye for an Eye will make the whole world blind - Gandhi
    7. Re:Physical security is the best anyway... by shogun · · Score: 2

      Might make it a little harder to physically pull the plug on it when you realize it's been taken over by someone else though...

  25. Huge arrays NOT required. by Cwaig · · Score: 2, Insightful

    I used to work for BAe Space Systems, and once a year we used to teach part of a course at one of the UK's universities (can't remember which). Part of the course was a practical project building a groundstation from scratch using off the shelf kit and making the dish from scrap parts. It's not cheap, but it's within reach of a lot of Western tech heads (but ok, not your average script kiddie). I've still got the course notes + designs in my attic....

    --
    +++ BASELINE REALITY FAILURE+++ +++ PLEASE REBOOT UNIVERSE +++
  26. Is deciphering necessary? by Erasmus+Darwin · · Score: 2
    "2. How many of you think that you could decipher the structure of the command (given the motivation)?"

    Depending on how the protocol's set up, this may not even be necessary. If replaying a previous set of movement commands causes the satellite to move some more, you've already lost that battle. The net result is that an attacker can drive the satellite off course and deplete its fuel reserves, making it a floating piece of junk.

    Of course it may be that there's a sequence number in the commands that needs to be updated (most likely to prevent inadvertent duplicates due to transmission problems). In that case, it'd actually require some deciphering effort. Still, remember that you lose as soon as someone figures out enough of your protocol to move the satellite around. An attacker doesn't need to figure out every little detail.

    Finally, there's always the social engineering approach. If the attacker can get the protocol by creatively lying to people at your organization (or just by getting a job there), then not only do you lose, but the attacker would have enough information to theoretically do something really fun (like trying to get the satellite to reenter the atmosphere in such a way that the attacker can watch the light show). That further cranks up the attacker's motivation to carry out the plan.

  27. Security analysis by Proaxiom · · Score: 5, Interesting
    I'm not looking for the Slashdot population to do my research -- I mostly want opinions on whether cracking a science satellite would be worth the time.

    I'm not going to analyze the up-link protocol or try to brainstorm motivations for cracking your system, but as a security professional let me try to clarify the issue a bit.

    You are on the right track with your questions. You are trying to figure out: a) how badly does somebody want to crack it, and b) how difficult is it for him to do so.

    These two factors are precisely what define security risk. If the cost of breaking a system is greater than the reward for doing so, your security is adequate.

    The first question cannot be answered by the Slashdot crowd. There are too many variables. Who are your competitors, and how much do they have to gain by sabotaging you? Could the satellite possibly be used for anything other than its intended purpose if control was usurped? How valuable is the satellite to people other than you if it is only being used for its intended purpose?

    Perhaps people here could try to figure out the 'cracker bragging-rights' factor, but I suspect that would not be sufficient motivation to go to the lengths required to break your system (any glaring security holes notwithstanding).

    From what it sounds like, the second question can't be answered by anybody. The rule of the day is 'provable security', which is why security by obscurity is frowned upon. It's not that it doesn't work, because sufficient obscurity is indeed security, it's that you can never be sure how well it works. This was the problem with the German Enigma machine in WWII, which ultimately provided the greatest incentive to proving lower bounds on security.

    Encryption provides easily quantifiable security, demonstrated by mathematical proof (with the minor caveat being most of these proofs rely on P not equalling NP). The techniques you describe do not sound like they lend themselves to provable security. (Although physical security is usually considered pretty sound, provided it is comprehensive; this includes isolated networks and site protection, as you describe)

    How difficult is it to gain access to a powerful radio-antenna? That's a key question. If the satellite is owned by a company in an industry with cutthroat competitors who also have satellites, it might not be difficult at all.

  28. Has it already been done? by thogard · · Score: 2

    If you look at the GPS sats you will find they transmit an encrypted signal for military use. If you have the crypt code you can decode the stream and figure out where the 1st bit is which signals the start of a frame. Inside that frame you get enough info to tell how far away you are from it. Someone (at Trimble?) figured out that the last bit of the frame is truncated so the timing packet always starts at the right time. Now the survey grade GPS receivers just look for a bit that is just a bit wrong and use that. They pick up the other timing signals from the other frequency and store the data. You can compare that later and do some high precision work (some claim sub mm).

    Another thing is the GPS sats used to shift their packets a bit to throw off the Russians (who had a better system). Someone (claiming to be Russian) posted a polynomial to usenet describing it. That was a major part of its security. (and I'll have to dig up that post now that google has stuff from the dark ages)

    The last secure by obscurity one way hash I cracked took me about 3 days. It wasn't nearly as good as they would have liked.

    Based on some of the things I've seen...
    give some of my friends a good reason and enough to play with your toys and you might see a cool reentry.

    If what you're playing with can be a weapon, call your local spooks and explain the situation to them. It's in their best interest not to have your bird go down. The NSA does have a group that may provide some very useful to your company -- they were providing some good ideas on one project I was involved with for a while for a well known company.

    1. Re:Has it already been done? by Andy+Dodd · · Score: 2

      The Trimble and other dual-frequency civilian GPS units don't crack the encryption at all.

      There are two uses for the P code (encrypted version is the Y code) - For one, it's inherently more precise (higher bitrate, I assume). For another, it's broadcast on two frequencies, which allows for ionospheric delay to be precisely determined (one signal will arrive earlier than another.)

      But because the transmitted Y code is EXACTLY the same on both frequencies, you can just correlate them to figure out the time delay. Problem is, because the code isn't known in advance, you must have a high SNR and it takes a while to lock onto each signal. So it's only good for stationary surveying receivers.

      To achieve sub-millimeter accuracy, you need to perform calculations using the carrier phase in addition to code ranges. Again, a stationary receiver with long (1+ hours) sampling periods is needed. In all of these cases, the data is post-processed in an advanced form of DGPS.

      --
      retrorocket.o not found, launch anyway?
  29. NASA Memo explaining COMSEC requirements by braddock · · Score: 2, Interesting

    Here is a memo that explains the National Policy on Application of Communication Security to U.S. Civil and Commercial Space Systems, NTISSP No. 1.

    http://www.tscm.com/communsec.html

    Some excerpts:

    The need for and means to protect the command/control uplink associated with civil satellite systems, intended exclusively for unclassified missions, will be determined by the organization responsible for the satellite system in coordination with the National Security Agency....

    ...Approved techniques as they pertain to space COMSEC equate to National Security Agency (NSA) endorsed encryption and authentication systems....

    ..Government or Government contractor use of ... commercial satellites ... shall be limited to space systems using accepted techniques necessary to protect the command/control uplink.

    Basically, if your group is doing as little as what you say they're doing, they may be in violation of law.

    --Braddock Gaskill

    1. Re:NASA Memo explaining COMSEC requirements by gorilla · · Score: 2
      Basically, if your group is doing as little as what you say they're doing, they may be in violation of law.

      Only if it's a US company. Most commercial satellites are launched by ESA, which obviously doesn't follow NASA regulations.

  30. Re:Protect the satellites by TheGreenLantern · · Score: 2, Funny

    No, it was clearly the stunning power of the Mac Powerbook and Jeff Goldblum's incredible intelligence that made this possible.

    --

    It hurts when I pee.
  31. Obscurity and Security by rknop · · Score: 4, Insightful

    Obscurity really is security, if it is true Obscurity. For instance, if you've written a custom server with a set of commands, and you run it on a single computer somewhere on some random port, chances are it's not going to be hacked unless somebody smart and dedicated specifically targets you. Yes, you'd be more secure if you wrote the thing to encrypt its communications and made damn sure that it was robust-- but saying "probably nobody will notice me" has something to it if really nobody likely will notice you.

    The problem with companies like Microsoft arguing that obscurity is security is that they don't have real obscurity. Their operating system is absolutely all over the place, both physically and in terms of network connectivity. As such, there is both ample opportunity and ample motive to find out hidden facts about it. While those facts may be hidden, the OS is not, so there's no real obscurity, just a thin veil of obfuscation.

    If you're building one new high-tech stealth bomber, and you do it in a hidden valley in some very remote site, and completely underground, chances are it's not going to be seen. On the other hand, if you build several prototypes in downtown parking lots of major cities, and just drape a cloth over them with a sign "no plane here", that's just the illusion of obscurity (and hence the illusion of security). Major OSes that are widely distributed but which hide their source code are much more in the latter category.

    As for Satellites-- their obscurity probably is worth something. It's only one link, and the need to have the broadcasting station is a huge barrier. On the other hand, they can be highly visible targets, and I'd suspect that they aren't as obscure as one would really like to be to think it grants you some security. They probably ought to start using, as a matter of course, real secure protocols.

    -Rob

    1. Re:Obscurity and Security by roystgnr · · Score: 2

      For instance, if you've written a custom server with a set of commands, and you run it on a single computer somewhere on some random port, chances are it's not going to be hacked unless somebody smart and dedicated specifically targets you.

      Or unless somebody scripting and kiddieish specifically downloaded a port scanner. Are you absolutely sure that said kiddie isn't going to learn anything useful (or do any accidental damage) to your custom server just by sending and observing responses to random data? Maybe he'll find it hard to get a root shell without his own copy of the software to play with, but I'd be worried about denial of service attacks too. When I see "secret custom server" I read "software whose hundreds of system-crashing bugs in response to unexpected inputs still haven't been discovered".

    2. Re:Obscurity and Security by rknop · · Score: 2

      Or unless somebody scripting and kiddieish specifically downloaded a port scanner. Are you absolutely sure that said kiddie isn't going to learn anything useful (or do any accidental damage) to your custom server just by sending and observing responses to random data?

      No, not absolutely sure, which is why you're better off with real security. On the other hand, most script kiddies don't really know what they're doing, and are quickly scanning lots of computers for known vulnerabilities. Unless you had the very unlikely misfortune of writing something whose protocol exactly mimics the behavior of a well-known server vulnerability, you're just going to get some errors and dropped packets on your server, no security vulnerability.

      The "custom server" should have at least enough error checking to ignore something it completely doesn't understand... otherwise it's not very robust at all, and will crash all the time, even if nobody is trying to hack you. However, ignoring what you don't understand is very easy to do; anybody who's ever written a CGI script has done it.

      -Rob

  32. Comment in the obscurity vein by psychosis · · Score: 2

    Just a quick comment - I wholeheartedly agree with the "security through obscurity is a bad thing" thought process, but when combined with other security features, as outlined here, it can be valuable. The best way to incorporate hidden features of your security plan is to "open" those features to a peer review of trusted (and NDA-bound) experts for their input. The number of experts is up to you, so make sure you balance "need to keep secret" with "enough insight to be valuable".
    This way you can avoid the folly that one person's ideas are failsafe (they never are, after all), while still keeping the details from massive public consumption.
    A poor analogy (but the only one I can think of right now) would be the details of the presidential security detail. By not publishing when the motorcades and aircraft will be moving/flying, the Secret Service adds a layer of security to the already armed-to-the-teeth plan. Relying exclusively on one or the other would not be enough to consider bullet-proof (no pun intended), but combining the two offers a degree of synergy, strengthening the overall plan.

  33. Real answers... by rcw-work · · Score: 2
    Can someone effectively execute a DOS attack by uplinking to the satellite with a powerful signal (the frequency would be easy to 'snoop' from our transmitting antenna), thus preventing us from commanding it?

    Absolutely. Amateur radio operators have worked earth-moon-earth on 144 and 440 MHz for decades - there's no reason someone couldn't build the equipment to do it on your frequency. However, the antennas and such are rather obvious-looking. Any nation's communications commission would be able to spot one of those very easily in case it needs to be hunted down, and it does raise the bar beyond what most crackers are motivated to do.

    In general, how do receivers handle multiple command carriers (would there be too much noise to command)?

    The mathematical formula for this is Shannon's Law. Run your numbers through it (and keep in mind some modulations have significant inefficiencies of their own). I can't imagine missing a couple communications windows with your satellite would be the end of the world, though.

    ...tell me if you think it is secure, or whether you'd want to crack it.

    For something with the replacement cost of a satellite, you want guarantees, not estimates of society's intentions. If you want your control center to be the only station capable of transmitting commands to the satellite, your satellite needs a way to make sure it's the control center that's doing the sending. If you want to make sure your telemetry data is from that satellite, you need to make sure it's the satellite that's doing the sending. Note that encryption isn't really needed here (a cracker knowing what you're doing with the satellite doesn't help much, as this is not a spy satellite) but some form of public key signing should be employed. It also guarantees that your control messages won't arrive corrupted (although I'd imagine you'd already have something to protect against that).

  34. Two solutions by jmaslak · · Score: 2

    1) Use some sort of encryption-related technology, like MACs (see my other post)

    2) Use some sort of phased array receiving antenna. These can select what direction to listen to a request from. That means that someone would have to be in your geographic area or have an EXTREMELY strong antenna (much stronger than yours) to do any sort of DOS or even send legitimate commands.
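
The replay problem raised in comment 26 and the MAC suggestion in comment 34, shown together as an added example that is not part of any poster's comment: the ground station authenticates each command with an HMAC over a counter plus the command, and the spacecraft side rejects bad tags and any counter it has already passed. The frame layout (8-byte counter, command bytes, 16-byte truncated HMAC-SHA256 tag), the key and the command strings are assumptions made for illustration, not CCSDS or any real satellite's format.

```python
import hashlib
import hmac
import struct

COUNTER_LEN = 8   # assumed layout: 64-bit big-endian command counter
TAG_LEN = 16      # assumed layout: HMAC-SHA256 truncated to 128 bits


def build_frame(key: bytes, counter: int, command: bytes) -> bytes:
    """Ground side: counter || command || MAC(counter || command)."""
    body = struct.pack(">Q", counter) + command
    tag = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag


class CommandReceiver:
    """Spacecraft side: verify the MAC first, then enforce a strictly
    increasing counter so a recorded frame cannot be played back."""

    def __init__(self, key: bytes, last_counter: int = 0):
        self.key = key
        # On real hardware this value would have to survive a reboot.
        self.last_counter = last_counter

    def accept(self, frame: bytes):
        """Return (True, command) or (False, reason)."""
        if len(frame) < COUNTER_LEN + TAG_LEN + 1:
            return (False, "malformed frame")
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        # Constant-time comparison; the counter is not trusted until this passes,
        # so an unauthenticated frame can never advance last_counter.
        if not hmac.compare_digest(tag, expected):
            return (False, "bad MAC")
        (counter,) = struct.unpack(">Q", body[:COUNTER_LEN])
        if counter <= self.last_counter:
            return (False, "replayed or stale counter")
        self.last_counter = counter
        return (True, body[COUNTER_LEN:])


def demo():
    """Run a constructed uplink session and return each verdict in order."""
    key = bytes(range(32))  # constructed sample key, shared by both ends
    rx = CommandReceiver(key)
    results = []

    # 1. Legitimate command from the control center.
    f1 = build_frame(key, 1, b"FIRE_THRUSTER A 2s")
    results.append(rx.accept(f1))

    # 2. The same frame, recorded off the air and retransmitted unchanged.
    results.append(rx.accept(f1))

    # 3. The recorded frame with its counter field bumped, but no key to
    #    recompute the tag.
    bumped = struct.pack(">Q", 2) + f1[COUNTER_LEN:]
    results.append(rx.accept(bumped))

    # 4. Frames 2-4 were lost in transit; a gap in the counter is accepted.
    results.append(rx.accept(build_frame(key, 5, b"SAFE_MODE")))

    # 5. A genuine but delayed frame 3 arriving after frame 5 is refused.
    results.append(rx.accept(build_frame(key, 3, b"FIRE_THRUSTER B 1s")))
    return results


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

A MAC with a shared key is the symmetric counterpart of the public-key signing suggested in comment 33; neither hides the command contents, and neither helps against jamming.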

  35. Re:I assume the run of the mill reply to this is.. by liquidsin · · Score: 2

    I'd say a better idea is to use Microsoft's Windows XP Embedded. Run IIS on the satellite and use a web-based interface for administration tasks. No special software needed - just your IE 6.0 browser that came pre-installed on the home version of XP you purchased (after all, the browser IS the OS). Plus I've been assured that it's entirely secure.

    --
    do not read this line twice.
  36. Your three questions by Dunall · · Score: 2, Informative
    With also being in Satellite control field (military) I can offer insight as to how we addressed these problems.



    1. Jamming the uplink.

    Jamming the uplink can be done, however once it's done, it is easy to find out who is doing this and easy to fix the problem. Since you're in the field, I'm sure you know all about squelching on particular rx beam channel (The main rxing antenna is usually as simple as a honeycomb of waveguide).. All military satellites can give a Lat and Long of the jammer if the threshold is set low enough.

    All military and major commercial satellites have a redundant, out of band uplink path that's available to the command.. This is usually in the VHF frequency range (as opposed to the GHz range for comms uplink) and is used for C&C only. This channel usually requires special encryption and commanding sequences, however if both were jammed, you'd be blind until the jammer was brought down. All the satellites that I've worked on have had protection for jamming though.. A few have had systems that would shut off particular beam channels for a given time if they detect a jamming signal.

    There is also the issue of communications protocol.. Most of the systems that we worked with didn't only use encryption, but also particular protocols that weren't widely known.. Here's where obscurity can lend a hand.. though everyone's right.. it's not effective.

    2. Can it be hacked...

    This has already been answered... It probably can, but if the satellite designers had half a mind, it'd be hard... and any attempts to test uplinking would be detected pretty quickly.

    3. Satellite Internet Node.

    Secure or not, it's just not a good idea. Granted, it'd make it easier to get information across either the Atlantic or Pacific, but with fiber optic systems and the bandwidth that they'll be capable of transmitting these days, it's more cost effective to use a trans-oceanic fiber (When you consider the cost of funding launch, uplink and downlink equipment, maintenance of flight path and satellite system etc...).

  37. Security in depth by Bryan+Andersen · · Score: 2
    Use security in depth. I would recommend using all the layers of security you can.

    Physical, keep that network you communicate to the satellite separated from all other networks.

    Encryption, I'd recommend encrypting the uplink command stream as a minimum. Encrypting the downlink would also be good. This makes the pool of information about what was done small and thus makes cryptanalysis harder. Temper this with the fact that all known encryption methods can be brute forced with enough time and CPUs. The encryption is there to make the job harder.

    On going to standard IP protocols for talking to the satellite, I'm not convinced it is needed and may be detrimental security wise as it provides a more common element that can be worked from. On the other hand if the protocols have a good security setup in them that is proven secure, then it would be better than developing your own. At this point any security relying on digital information can be faked. There is no absolute security in the digital world.

    What I would do: Keep the network physically separated from all other networks. Keep the protocol secret as nobody else needs to know. Encrypt the uplink and downlink data streams. For the encryption methods, I would choose well known and thoroughly checked out methods for setting up and maintaining keys, etc. It would be best if the keys are rotated often. This helps keep down the possibility of a key being brute forced before you stop using it.

  38. Satellite Security by Logika · · Score: 2, Interesting

    1. Yes, someone can execute a DOS attack. It's called jamming and was done in the 80s to HBO by Captain Midnight. You need to check on the specific satellite design and see how the receiver would handle it but bear in mind that generally they will look for the best SNR and go with that. If the transmitter is higher power than you are, the receiver will see your signal as simply noise.

    2. How many of you think that you could decipher the structure of the command (given the motivation)?

    2. Deciphering the structure of the command is not going to be easy but it can be done. This is not something for script kiddies but the true hackers with sufficient motivation will eventually figure the problem out. Remember, with Real Hackers, simply the doing of something neat is sufficient motivation -- but a Real Hacker also subscribes to the Hacker Ethic of doing no harm.

    3. I think the simple cool factor of getting into a "NASA Satellite" would be sufficient motivation for some of the budding anti-social geeks. Satellites are extremely high-value assets and should have better security than how we protect our webpages. However, securing them also goes counter to the way most scientists want to work. Luckily, the command and data streams should be using different signalling systems and freqs so you CAN have the best of both worlds.

    4. I would not assume your network security works. I seem to remember something about someone getting into ESA's system; it was postulated as a possible reason for one of the Ariane failures resulting from bad design. Personally, I think the French just wanted to toss the blame off on someone else but the more the US government relies on Microsoft systems, the less secure your system will be and your security is only as good as the weakest point of entry.

  39. You're asking this on Slashdot?? by duffbeer703 · · Score: 2, Flamebait

    People here have even less of a clue about satellites than they do about copyright & patent law.

    If you are not a troll, then YUO=FUCKED.

    --
    Conformity is the jailer of freedom and enemy of growth. -JFK
  40. Uploading by wiredog · · Score: 2
    uploading a new program may be a problem - debugging would be a nightmare

    That's why you debug using duplicate equipment on the ground. That's how JPL does it. They've reprogrammed interplanetary exploration vehicles such as Galileo, for instance. It's not a nightmare, but the latency (8 hours round trip to Galileo) is a hassle.

  41. Re:I assume the run of the mill reply to this is.. by Logika · · Score: 3, Insightful

    Making the satellite's command and control protocols widely available is ridiculous. There's a big difference between relying on obscurity for your security and using it to enhance your security. There's also a big difference between a computer that sits on the Internet to be probed with all responses available for digital capture and a system that can only be accessed through RF transmission, probably using frequency hopping and digital spread spectrum.

    The public doesn't have a need to know everything as long as the company(ies) involved don't rely on that obscurity alone to protect them.

  42. Details of HBO Satellite hack by Captain Midnight by braddock · · Score: 2

    Some of the details about the hijacking of HBO by breaking a communications satellite by John R. MacDougall (who had the night shift at a satellite transmission center with the required equipment) can be found at:

    http://catless.ncl.ac.uk/Risks/3.24.html#subj3

    This was done in 1986, and MacDougall transmitted a few messages and a test pattern over HBO interrupting normal programming. It seems likely to me he just transmitted video on HBO's frequency, so this probably wasn't a command and control hack.

    --Braddock Gaskill

  43. It's about time... by Shoten · · Score: 5, Informative

    This is a problem that has already come to cause others harm. Almost three years ago, hackers seized control of a British military satellite and demanded ransom for it. All that is needed to communicate with these satellites is an antenna, and proper knowledge of the protocols involved. While these things are out of reach to script kiddie types, it's not that much of a stretch for the kind of people you really have to worry about (foreign governments and large/resourceful criminal organizations). So, you should think of these systems as being addressable by anyone. Consequently, I would take any and all lessons you can from the ways that people securely authenticate users on publicly-addressable computer systems.

    --

    For your security, this post has been encrypted with ROT-13, twice.
    1. Re:It's about time... by devnullkac · · Score: 3, Informative

      I'm not sure I understand this comment. The very link you reference states that there is no chance the purported takeover ever happened. I agree that governments are the groups you really have to worry about, but it's not clear that weaknesses of this type have already been exploited.

      --
      What do you mean they cut the power? How can they cut the power, man? They're animals!
    2. Re:It's about time... by Merry_B.Buck · · Score: 2, Insightful
      teridon's danger seems even worse than the Brit problem, because he's dealing with science satellites, which release more info to the public than do military ones. His user info suggests he's discussing the SOHO (Solar & Heliospheric Observatory) satellite, which has already demonstrated a hacker-desirable feature: a buffer overflow in code that caused control problems in the satellite.

      Uplink/Downlink details on SOHO are readily available, e.g.:
      • Uplink Frequency(s) 2067.271 MHz
      • Downlink Frequency(s) 2245.000 MHz
      • Commands: 16 kHz subchannel @ 2kbps
      • Uplink transmitters used: Gladstone, Canberra, Madrid
      ..IMHO it would be feasible to decipher the command structure, especially because descriptions of the commands being used are published on NASA "project home pages". Encryption would help, but would have to be extended to cover the networks that author the commands, i.e. Goddard, JPL, etc.

  44. Insider attacks by Derek · · Score: 2

    It sounds like you are extremely vulnerable to insider attacks or insider leaks. The information you posted in your question is probably more than you should have let out. Given a very motivated person, anything you do will be at risk. It is all about risk management. Good luck and ENCRYPT your signals for crying out loud!!!

    -Derek

  45. Access to transmitters by Asic+Eng · · Score: 2
    The statement most crackers don't have access to a huge radio antenna with which to transmit relies on the applicable transmitters (all of them) to be secured properly.

    I would have assumed that's the case, but then I'd have assumed that control links to satellites would use a secure protocol, too...

    Also, if you want to defend yourself against rogue states, you can't count on them not being able to build a suitable transmitter. As we've all learned recently, some terrorists have very considerable resources to command, too.

  46. The most likely attack may not be technical by Phil+Wherry · · Score: 2

    I'll let others speak to the technical issues about the difficulty/cost of sending rogue command messages to a scientific satellite.

    I would note, however, that the simplest attack on a system like this (unencrypted or reliant on fixed keys) involves social engineering or the outright corruption of staff who know the details of the protocol and command structure. Do you think there's a chance someone who understands how to command the satellite might part with the information for $100,000? How about $50K? $25K? In any of these cases, the engineering effort required to reverse-engineer the information is likely to be lots more time-consuming and costly than simply bribing someone to give you the information you want.

    When you're just trying to guard against the '7337 hax0rs working from home, you can pretty much focus your attention on technical avenues of attack and maybe some basic social engineering, but when considering a determined and well-funded adversary, it's important to take (management buzzword alert!) an integrated, enterprise-wide view of the problem.

  47. Re:I assume the run of the mill reply to this is.. by Asic+Eng · · Score: 2
    Well, having code up for public review will only do you good, if you have a decent security design as a starting point. If you already know, that all which protects you, is an obscure command set, then you won't get anything new out of this review.

    Anyway, there are plenty of secure protocols available, you could take one of them (or even an implementation of them) and use it on your link. You could even review the code, to make sure there are no implementation errors, and should you find a bug you might even *gasp* give back to the community, and submit a patch.

    Which would have the benefit that you'd stay in sync with the other people's code, and will probably at least give you a review of the patch.

  48. I would consider this a high risk regardless by Skapare · · Score: 2
    physical security (access to the control center)

    Just how secure is it? Are we talking bunker fortress or a couple of hire-a-guards? Are procedures in place to make sure that facilities can be made non-functional in the case of an invasion?

    network security (we use closed networks)

    So no one has access to the internet from anywhere in the facility?

    technology (most crackers don't have access to a huge radio antenna with which to transmit)

    Most? Remember Captain Midnight? You're depending on the security not of your facility, but every facility under or near your footprint (which is most everywhere for non-sync satellites). You actually don't need that much power to communicate with a satellite. You do if there is someone else competing. And if the facility is not monitoring it 24x7x365, someone could take control when you are not looking, and you would not be there to grab it back.

    obscurity (each satellite has its own command structure, not publicly documented)

    Certain high security facilities do not allow employees to take any papers or media in or out that's not specifically approved by many levels of management with procedures in place to handle it. Do you go to this extreme? Ever heard of "disgruntled employee"?

    execute a DOS attack

    It's a matter of degree. Are the commands checksummed against noise? How strongly? Personally for something as critical as a satellite, even a science satellite, I'd use something quite strong to checksum, like MD5 instead of CRC-32. Sure, it's arguably overkill to use MD5, but I would anyway.

    Once someone has your frequency, if they have access to any unsecured facility, they can DOS you. And many ham radio ops have enough facility in their backyards. Then if they got the specs from the disgruntled employee, and enough power to keep you from grabbing it back, they can even 0wn it. Even greater danger exists if the commands include uploading new program code.

    How many of you think that you could decipher the structure of the command (given the motivation)?

    For a company I once worked for, I cracked a competitor's file format (so we could convert the data to our format) which included a proprietary compression algorithm for which I had no docs. Considering that I would not feel the multi-million dollar loss if command experiments dunked the satellite into the ocean (or worse), if motivated, and had access to doing occasional commands on the thing, as well as sniffing the command upstream from nearby the uplink in one of the side lobes, I might be able to figure out enough to ... perhaps at least dunk it.

    Standards being developed (like SCPS) intend to make satellites 'just another node on the Internet.'

    My greatest worry with a lot of these generalized security protocols is not the crypto they provide (IPSEC is plenty solid enough in that area for me), but rather, in the social interface aspects ... the way things get routinely configured after the design is all done, by people who never designed anything secure, is the biggest risk I see. And, IMHO, IPSEC is rather exposed in that area due to the complexity of configuring its setup. Most security is.

    I'm not looking for the Slashdot population to do my research -- I mostly want opinions on whether cracking a science satellite would be worth the time."

    Steering a satellite over to hit something like an international space station would seem to be highly unlikely, given the small object sizes and the even larger spatial dimensions up there. However, the cost of the risk is extremely high. Even so much as having a satellite out of control doing unknown things up there could cause operational impacts, and require aborting missions.

    Whatever you design now will be used for how many years? And what will the new security requirements be then? Personally, I would consider every security risk at least in terms of the high cost of impact, and quite likely pretend a high chance of intrusion by a motivated cracker/terrorist. IMHO, it is best to maximize the security everywhere that you can't prove has no risk. And if you have not done so already, take an NRA gun safety class. Then translate the multiple layers of safety you learn there into multiple layers of security, and think like that everywhere.

    --
    now we need to go OSS in diesel cars
  49. Silly question. by Restil · · Score: 3, Insightful

    You're asking a group of hackers... if doing something for the sake of doing it... "would be worth the time?"

    You're asking a group of crackers... if performing the ultimate crack, obtaining command control of a satellite... "would be worth the time?"

    As you said, the only reason it probably doesn't happen very often is a simple lack of the required tools. To hack into a system on the internet, you wouldn't need much more than an ascii terminal with an internet connection. To hack a satellite, you need some powerful equipment, and the average person who is able to afford such equipment, probably would recognize that the effort isn't worth the potential sacrifice.

    Conventional networks were rather insecure in the beginning. But back then, the privileged few who had access respected the system and didn't have the need or desire to exploit them. Times have changed, so much to the point that IF you are insecure, you WILL get exploited, and it's only a matter of time? Satellites may begin to reflect this history soon. Right now, those able to access them have no need or desire to exploit them.

    But just give it time.

    -Restil

    --
    Play with my webcams and lights here
  50. Cheap karma-whoring link by Platinum+Dragon · · Score: 3, Informative

    Captain Midnight!

    It's not just a nice "satellite takeover" story, it's also a great "fight the Man!" tale.

    I personally wonder if someone could do a Captain-Midnight job on an MTV transponder and send the message "PLAY SOME DAMN MUSIC SOMETIME, LIKE THAT MUCHMUSIC CHANNEL IN CANADA!" Or a CNN /FoxNewsChannel/MSNBC transponder - "HTTP://INDYMEDIA.ORG - REUTERS AND AP ARE NOT INDEPENDENT MEDIA!"

    A man can dream...

    --

    Someday, you're going to die. Get over it.
  51. I hope you enjoyed your job... by Palin+Majere · · Score: 3, Insightful

    I mean, seriously. If you do work in "the satellite control industry" (that's a separate industry from the satellite industry?) and are doing the work you claim to be, then you have several problems:

    a) You should already know the answers to questions 1 and 2, and have enough of an understanding of 3 that removes the need to ask it. You should also already know, based on 1 1/2+ years here on the site, that this is *hardly* the forum for a real answer to that question.

    b) You just divulged some fairly major security-vulnerability information on the internet equivalent of Prime Time television.

    c) I would hope that nobody at your company gets wind of this posting, because it would not take a rocket scientist (*smirk*) to figure out who you are.

    I'm really not trying to flame here, but this *really* seems like a horrible, horrible idea. From a security standpoint, if your systems are based on security through obscurity, the *last* thing you want is more attention being drawn to them, especially if the amount of attention being given to the subject matter is by nature usually small (how many people have satellite transmitters?) and prone to mass speculation (how many openly documented satellites are there?). Just by asking this on Slashdot, you've brought more attention on satellite-hacking as a whole, thereby astronomically increasing the chance that someone takes a more "active" interest in figuring out how to send your company's prized birds into a flaming death spiral.

    Of course, all this assumes you are what you claim to be. You could very well be (as another poster suggested) a cleverly disguised troll.

    I mean, geez. Shame on you for submitting, and shame on Cliff for posting it. Doesn't the /. crew think 5 minutes on a submitted article before posting?

    (Moderators, feel free to mod this appropriately. I have more than enough Karma, thank you)

    1. Re:I hope you enjoyed your job... by Palin+Majere · · Score: 2

      See? I learn something new every day. :)

      Satellites aren't my forte, but I think the flaws in this article were pretty blatant even to the uninitiated. I know *I* would be out of my job if I posted something like this about the servers where I work (which, btw, *are* secured and use encryption, thank you), and I don't work with multi-million dollar orbiting devices...

  52. Security through obscurity is essential by Theo+DeRaadt · · Score: 2, Interesting
    I often read here on Slashdot that security through obscurity is no security at all. This is just another convenient mantra that people like to parade around when they want other people to think that they know something. The truth is that obscurity is an essential part of any electronic security scheme.

    The most obvious example of this principle is in encryption. In both public- and private-key schemes, it is essential that you obscure your keys (or private keys) from view in order to maintain secure communications. It works the same way with other methods, such as keeping the command structure of a satellite secret. If no one knows the command structure, they might as well be brute forcing an encrypted message, because a command could be just about any length to be valid.

    So really, people here should be very careful when speaking in absolutes. It doesn't work when comparing the performance of operating systems, and it certainly doesn't work here.

    --
    Theo DeRaadt
    Founder, OpenBSD project.
  53. Your professor said to do your own homework by owlmeat · · Score: 3, Funny

    You can't possibly be working in the industry and posing this kind of question to slashdot.

    --
    They stab it with their steely knives,

    But they just can't kill the beast.

  54. Re:I assume the run of the mill reply to this is.. by liquidsin · · Score: 2

    yes. yes I do.

    --
    do not read this line twice.
  55. Sniff the connection? by MobyDisk · · Score: 2

    I assume it would be really easy to sniff the downlink, but is it also possible to sniff the uplink? If so, then someone can figure out the command structure once they decrypt the signal.

    What about pre-programming the satellite to change encryption keys on a schedule or something? What does 802.11 do to generate new keys in a secretive way?

  56. Re:I assume the run of the mill reply to this is.. by Asic+Eng · · Score: 3, Insightful
    Assuming you haven't managed to implement *any* security, you'd probably be better off using someone else's system, no?

    No you don't need to post *your* code and say "hey look at this, if you find the hole in it, you can break my satellite". You can however use a proven technology to secure your link, and yes, for that to be proven it needs to be open.

    You can still have your obscurity - you don't need to tell anyone which protocol you are using, even your command structure can stay just as secret as it was before - it's on another protocol layer.

    If you were to use (random example) ipsec, and send your SATCOM (made up) protocol over that, and then someone finds a hole in ipsec. Well then you are just as secure, as you are now - the attacker still needs to break SATCOM, as well.

  57. Smokescreen by Technician · · Score: 2
    Sometimes all it would take to mess up a satellite requires very little knowledge of the command structure. All that is needed is someone to capture station keeping packets and retransmit them at a later time. This hack has been used by thieves to shut off car alarms and open garage doors. That is why rolling codes are now used on most car alarms and door openers. Overcorrection may put the satellite out of orbit and deplete the station keeping fuel.

    Maybe as part of the obscurity is security protection, a jamming signal should be broadcast at the time commands are sent. The jammer would use a vertical dipole to provide bogus packets to sniffers while the high gain antenna reaches the satellite with the valid signal. The dish sidelobes could be easily hidden from sniffers. Has anyone thought of implementing jamming of the sidelobes?? Any command should have a time code and rolling code included so any record and rebroadcast attack will not be accepted. For as much money that goes into the birds, inexpensive security could save a lot of insurance money.

    --
    The truth shall set you free!
  58. Some Answers from a Sat Engr by SatelliteBoy · · Score: 2

    1. DOS attacks can be accomplished, based on the design of your bird. I do not know the particulars of your command receiver, but some designs can be DOSed.

    2. It is entirely possible to reverse engineer the telemetry and command databases. I know a guy who used to do this to Soviet satellites for a living. They could control Soviet birds however they willed.

    3. I'll let others with more knowledge on IPSEC give a specific recommendation. I am leery of this concept, however, given the historical security of anything attached to the Net.

    It's really all just a matter of motivations. People listen to satellite telemetry all the time. Many of them reverse engineer it. Some can get images from the weather birds, but never try to command. Expect some eavesdropping, unless the bird goes really far away and requires >5 meter dishes to get a usable signal.

    And remember, the CIA managed to "borrow" a Soviet Luna probe on world tour. They disassembled it, documented the design, and rebuilt it to get it to the destination in a pretty serious all-nighter. The Soviets never gave any indication of knowing.

    Oh, and remember - keep the arrays pointed at the Sun.

  59. It's not just the data by clark625 · · Score: 2

    One thing the submitter failed to say was which type of orbit the satellite in question has obtained. This can make a huge difference. If it's a geosynchronous orbit, you know exactly where your satellite is at all times and (hopefully) you can also point its dish right back at you. You would want to prevent people from snooping your signal in the first place. People can't reverse engineer a signal that can't be perceived from a convenient location.

    My guess, though, is that this particular satellite isn't in such an easy orbit. That's fine, but extra measures should be considered. One neat trick if you're designing a satellite is have the longest wavelength as possible. That makes it very hard to intercept communications (even though they go everywhere, even deep in the ocean). The U.S. Naval command sends messages to submerged submarines using a wavelength on the order of 2 meters. If a really large dish is required just to talk to the satellite in orbit, someone is gonna notice when a guy builds a replica in his back yard.

    Okay, that's all for initial designs. Here's what I suggest as something you can change now, without much fuss. Forget about encryption nearly entirely. I'm guessing that the satellite does have a clock (and ideally it sets itself to the GPS signals). Now, the satellite should only obey signals that arrive between pre-set times (though it can behave as though it's really going to act, as a foil attempt). Second, the ground station should send commands followed by a signature--like PGP signatures. The satellite's software should easily be able to confirm that the message is authentic. No need to encrypt--since no one else can reproduce the signature. If the signature is valid, the orders are carried out. If the signature is bogus, the command is logged and relayed back to ground later for inspection.

    DOS attacks are more difficult to deal with. My personal feeling, though, is that if this particular satellite must have updates every day or so, you're in trouble anyways. Perhaps you can find a way to ensure about 3 days worth of commands can be in queue, in the event that the satellite is unreachable. That will keep it roughly in its orbit. Then, if a DOS attack does come, you'll have those three days to track the source. That should be plenty of time. Also, and I could be wrong, but most "hackers" or whatever prefer a much more immediate result. They would want to do the DOS attack, see the satellite go down in flames or whatever. Waiting 3 days for something to happen... all the while being searched out... is likely to make the hackers very, very scared. I would be shocked if they transmit more than a day, personally.

    --
    Long, cute, or funny Sigs are just another form of over compensation, used by geeks, nerdz, etc.
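The checks proposed in comments 48, 57 and 59 above (a checksum against noise, a rolling code plus time code against replay, and signed commands obeyed only inside pre-set windows) can be combined in one uplink receiver. The following is an added example, not code from the thread or from any satellite project: it uses a shared-key HMAC-SHA256 in place of the PGP-style public-key signature suggested in comment 59 (the Python standard library has no asymmetric signing), and the key, frame layout, command strings and times are all constructed assumptions.

```python
import hashlib
import hmac
import struct
import zlib

# Constructed values for this example only.
KEY = b"constructed-demo-key"      # shared uplink key (assumption)
HEADER = struct.Struct(">IQ")      # rolling counter (u32) + send time, epoch seconds (u64)
TAG_LEN = hashlib.sha256().digest_size


def crc_frame(command: bytes) -> bytes:
    """Unkeyed framing: the command followed by its CRC-32."""
    return command + struct.pack(">I", zlib.crc32(command))


def crc_valid(frame: bytes) -> bool:
    """Catches transmission noise only; any sender can compute a matching CRC."""
    if len(frame) < 4:
        return False
    (crc,) = struct.unpack(">I", frame[-4:])
    return zlib.crc32(frame[:-4]) == crc


def mac_frame(key: bytes, counter: int, sent_at: int, command: bytes) -> bytes:
    """Keyed framing: header + command, followed by an HMAC over both."""
    body = HEADER.pack(counter, sent_at) + command
    return body + hmac.new(key, body, hashlib.sha256).digest()


class CommandReceiver:
    """Hypothetical on-board command filter."""

    def __init__(self, key, windows, max_skew=30):
        self.key = key
        self.windows = windows      # [(start, end)] epoch seconds when commanding is allowed
        self.max_skew = max_skew    # tolerated difference between send time and on-board clock
        self.last_counter = 0       # highest counter executed so far
        self.executed = []
        self.rejected = []          # (time, reason) log, to be downlinked for inspection

    def receive(self, frame: bytes, now: int) -> str:
        verdict, command = self._check(frame, now)
        if verdict == "ok":
            self.executed.append(command)
        else:
            self.rejected.append((now, verdict))
        return verdict

    def _check(self, frame, now):
        if len(frame) < HEADER.size + TAG_LEN:
            return "malformed", None
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        # Verify the tag before trusting any header field; constant-time compare.
        if not hmac.compare_digest(tag, expected):
            return "bad-tag", None
        counter, sent_at = HEADER.unpack_from(body)
        if counter <= self.last_counter:
            return "replay", None           # counter already used
        if abs(now - sent_at) > self.max_skew:
            return "stale", None            # recorded earlier, rebroadcast later
        if not any(start <= now <= end for start, end in self.windows):
            return "outside-window", None
        self.last_counter = counter
        return "ok", body[HEADER.size:]


def demo():
    """Run constructed frames through the receiver and return the verdicts."""
    t0 = 1_000_000                                   # constructed epoch time
    rx = CommandReceiver(KEY, windows=[(t0, t0 + 600)])
    good = mac_frame(KEY, 1, t0 + 10, b"HEATER_ON 3")
    noisy = bytearray(mac_frame(KEY, 2, t0 + 20, b"HEATER_OFF 3"))
    noisy[HEADER.size] ^= 0x01                       # single-bit uplink error
    wrong_key = mac_frame(b"guessed-key", 2, t0 + 30, b"HEATER_OFF 3")
    after_pass = mac_frame(KEY, 3, t0 + 700, b"HEATER_OFF 3")
    delayed = mac_frame(KEY, 2, t0 + 40, b"HEATER_OFF 3")
    return [
        rx.receive(good, t0 + 12),          # authentic, fresh, inside the window
        rx.receive(good, t0 + 15),          # same frame again
        rx.receive(bytes(noisy), t0 + 22),  # corrupted in transit
        rx.receive(wrong_key, t0 + 32),     # sender without the key
        rx.receive(after_pass, t0 + 702),   # authentic but after the window closed
        rx.receive(delayed, t0 + 300),      # unseen counter, delivered 260 s late
    ]


if __name__ == "__main__":
    print(demo())
    print("CRC accepts any sender:", crc_valid(crc_frame(b"HEATER_OFF 3")))
```

The counter alone would not stop the last case, because the receiver never saw counter 2; the time code is what rejects a frame that was captured and held back.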
  60. Re:I assume the run of the mill reply to this is.. by Ars-Fartsica · · Score: 2
    You could even review the code, to make sure there are no implementation errors, and should you find a bug you might even *gasp* give back to the community, and submit a patch.

    Yes, the community of open-source satellite operators will be grateful indeed.

  61. Is your satellite steered by an SSME or Energia? by leonbrooks · · Score: 2
    but imagine the consequences

    With thrusters that can put out about as much as you could fart, only for maybe a few hours tops before they died, you needn't lose any sleep over the prospect of being bopped on the nose by the great-grandson of TIROS I.

    Even if you had perfect control over a sat, steering it to do as much as dinging another sat would be like playing billiards on Kennedy Field, starting in opposite corners; or perhaps like blindfolding yourself and trying to pick up the same grain of sand from a beach, by itself, twice running.

    To get yourself hijacked, you'd need to hit some turkey on the fine line between smart enough to break it, and dumb enough to think you can drive it like Zidgel from the 3-2-1-Penguins videos does his ship (hint: it's a manual with three-on-the-tree shift).

    ``What happened? Did the landing gear fall off or something?'' (-:

    --
    Got time? Spend some of it coding or testing
  62. Security through Obscenity by trongey · · Score: 2, Funny

    If you transmit enough jiggly pix in your data stream then the script kiddies will forget what they were trying to do.

    --
    You never really know how close to the edge you can go until you fall off.
  63. Not that big of an antenna... by AmigaAvenger · · Score: 2, Informative

    Just for everyone's information, I talk to different satellites on a regular basis using nothing more than a mobile (car mounted) radio and antenna that is less than 6 feet in length. (~60 watts transmitting on 2 meter/70 cm frequencies) (AO 27 and Oscar 14) You do NOT need a huge antenna, but this depends entirely on the satellite. Think 2 way internet via satellite...

    1. Re:Not that big of an antenna... by dbateman · · Score: 2, Insightful

      There are typically many antennas on a satellite. You are probably talking to a relatively high gain antenna if you are only using a 6ft antenna. The command antenna has to work even when the satellite is in a spin out of control so that there is some hope of recovering it. Thus the command antenna on a satellite is typically omni-directional and thus you'll need higher gain on the ground (bigger antenna) to talk to it.

      D.

  64. Satellite security by SwedishChef · · Score: 4, Insightful

    IS THERE A RISK OF DOS?

    Yes, absolutely! Ham radio operators have done moonbounce and many of them routinely communicate via satellite (transmitting to a satellite and receiving signals from someone else transmitting to a satellite - "hamsat"). There are also RF amplifier designs that would surely overwhelm (or at least degrade) your signals. Anyone with technical knowledge of RF and some skills at putting a system together could DOS you. Of course, these signals could be traced so that the DOS could not last very long without serious risk to the perpetrator.

    IS THERE A RISK OF DECIPHERING COMMAND CODES?

    Again, yes. In order to decipher these codes all one has to do is locate in the vicinity of your physical command center, buy (or build) a receiver capable of detecting the frequencies you use, and put up an antenna (under the guise of amateur radio if necessary). Now they can sniff your uplink and downlink. Once you have access to both of these it's only a matter of time and intelligence before they determine your data structure.

    IS PHYSICAL SECURITY ENOUGH?

    No. Information within a company can be likened to a conspiracy and no conspiracy is ever safe. Someone, at some time, will see their own self-interest as higher priority than the group's interest. A perfect example of this is CIA's Project Jennifer (the Hughes Glomar Explorer). The newsworthiness of the project overwhelmed some of the participants with a sense of their own self-interest and they told news agencies.

    Someone at your facility has probably already told someone else NOT at your facility enough details to allow them to do your system harm, if they wished.

    SHOULD THIS INFORMATION BE ENCRYPTED?

    Yes, absolutely! What's more, it should be encrypted under a method that will allow the key to be changed on a regular basis.

    Given the expense of losing control of a satellite, the costs of security would be a pittance in comparison. Given what you've told us about the signals security at your facility, I imagine that the physical security and network security (does anyone have a modem in their desktop so they can work from home?) is likewise not very good. I would recommend a thorough analysis of all of these.

    --
    No one ever had to evacuate a city because the solar panels broke!
  65. Transmitter not a barrier to entry... by joshamania · · Score: 2

    Well, I certainly don't think the transmission gear is a barrier to entry. You can most certainly communicate with a satellite with a 100W amplifier and perhaps an 8 foot dish (+45db gain). Mebbe even smaller, it's been years since I've touched the stuff. In fact, I'm sure smaller, but perhaps you'd need a higher power amplifier.

    When in the service, we'd regularly use an 8 foot dish (about 45db gain) and transmit anywhere from 5 to 20 watts. You might be able to jam a scientific satellite with a strong signal, but the military jobbers (and prolly the commercial comm sats too) have multi-horned directional antennae, so the operator can shut off signals from a certain part of the "ground", say, California, but still be able to talk to the rest of its line of sight.

    Anyways, you can get commercial gear for less than $10,000 USD that would give you the capability to communicate with a great many satellites.

  66. Think of it in terms of physical security by stienman · · Score: 2

    Think of it in terms of physical security. You wouldn't leave your office unlocked just because you thought no one knew where the entrance was, or knew how to operate your special door handle which required no key.

    Your uplink is publicly accessible, and therefore should require some sort of key. The strength of the lock should be determined by the ratio between needed security and money available for the lock. Sure, it'll cost a few k in development costs to put a better lock on, but think about the money lost if the satellite drifted under the control of a hacker, and you didn't have the fuel to put it back.

    Of course, telling a group like this that your satellites are largely unprotected is like telling a kid the candy store is unlocked and no one is watching.

    The other issue is that your customers likely have insurance on the sats. It may be that a good encryption system will lower the insurance cost, and thus make your sats more valuable when people start hacking into them.

    -Adam

  67. thats too far. by geekoid · · Score: 2

    Maybe I missed the point of this 'article' but he seems to answer his own question when he states the military's solution.
    Physical security is very important in order to stop someone from screwing with your bird, and what he laid out seems good, as long as the people supporting it adhere to its design.
    If you are broadcasting data from a satellite, anyone can pick it up. If it's encrypted, then it becomes difficult to translate that data into something meaningful, but people can still receive it, it is just a radio signal.

    --
    The Kruger Dunning explains most post on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
  68. Glory by geekoid · · Score: 2

    Can you imagine the fame that a hacker group would get if they changed the orbit of any bird?
    It would be huge. That alone would be enough for some people, who would do it regardless of laws.
    As far as your data is concerned, if this company makes money from the data, then encrypt it otherwise someone else will take it and sell it to whomever you're selling it to, but if it is JUST for research, I say don't encrypt and tell everyone where they can point their personal dish to receive it. The more people that receive scientific data, the more likely someone will find something useful.

    --
    The Kruger Dunning explains most post on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
  69. It's not so easy by McCarr · · Score: 2, Interesting

    I was a payload systems engineer for a major manufacturer of commercial communications satellites (now retired). All our birds had encrypted command links: DES for export or an NSA chip for domestic users. The command link was very narrow band and had a low data rate - everything happens in slow motion in orbit. The uplinks typically used a KW klystron and a 30' dish so jamming or DoS is difficult and would just about have to be an inside job at an earth station or a hostile government. We would never use an internet connection. If commands were sent from off site we would use dedicated phone lines. For launch ops we would set up two leased lines and a dialup.
    There was one incident in the early 90s when "Capt. Midnight" broke into a TV channel with a rude message. That was an inside job, but I don't remember if he was caught. It did scare one customer into specifying an elaborate "intruder detection and elimination system" where the bird's antenna pattern could be changed to put a null on the intruder.
    All I can recommend is to use encryption - it's not that hard, and stay off the internet.

  70. Satellite Command and Control Security by ErikVonLiedtke · · Score: 2, Interesting

    1. Yes. As someone else has mentioned, satellite receivers link to the most powerful signal. Depending upon the orbit and radio frequency of your satellites, the transmitter may require anything from a simple dish to a huge tracking dish. For most purposes, an old C-band dish would suffice, but would require a transmitter. Tracking systems can be cobbled together from COTS parts, although there are gotchas.

    2. How many of you think that you could decipher the structure of the command (given the motivation)?

    Consider that a high school science teacher and class in England managed to capture and decode the downlink of the GLONASS (Soviet GPS) satellites. Your downlink is broadcast to anyone listening within the footprint of your satellites' transmitters. If that same someone listens to your uplink (more difficult but there are sidelobes), they can eventually learn your command set from the changes in telemetry. BTW, recognizing telemetry is relatively easy. Satellites report on a standard set of characteristics (attitude, power, data) and can be easily understood.

    3...Take a look at the security protocol (which is based on IPSEC, et. al) and tell me if you think it is secure, or whether you'd want to crack it.

    I get paid for that. Without more time than I'm willing to

  71. 2 meter signals to submerged submarines? by SwedishChef · · Score: 2

    I cannot imagine 2-meter wavelength being referred to as "very long". They may be using signals in the 140mHz range (VHF) to communicate with submarines but the signals are certainly not penetrating the deep ocean.

    Last I heard (and it's been a while, I admit) the USN was communicating (one-way) to submerged submarines using a wavelength of about 6000 meters (50kHz) from a million-watt transmitter near Arlington, Washington (Jim Creek). This station was located in a valley in the foothills of the Cascade Mountains that faced WSW and the antennas were strung from one ridge across to the other.

    When you drove up to the station you had to park with your bumper against a grounded barricade so that the car wouldn't act as a capacitor and build up a charge which would be discharged (through you!) when you tried to open your car door.

    --
    No one ever had to evacuate a city because the solar panels broke!
  72. Re:I assume the run of the mill reply to this is.. by cscx · · Score: 2
    It was actually a joke, in reply to the original joke about making it run linux and open-sourcing all of the protocols. Some things are meant to be funny...read up on it sometime.

    Whew! I logged in and saw the original message and wondered for a sec... I'm glad that someone found the humor in it and didn't dismiss it as a 'troll' or 'flamebait.' I'm glad I don't have to tell you about the IIS server I ran (I'm not the admin anymore) that has had over a 2 month uptime. Remember, regardless of the OS it's running, if it's set up by a knowledgeable admin that configures things properly and securely <?insert_here(sheepish_grin);?> you'll get good server reliability. And no, before you ask, I don't have a bridge in New York to sell you! :o)

  73. RF Rules!!!!! by hughk · · Score: 2
    Your transmitter probably isn't that powerful, and the dish not that big after all, the main factors are cost and reliability.

    All I need is another 3db or so either by a larger dish or a more powerful transmitter and I can flood most receivers. PLLs will tend to capture my signal rather than yours.

    There are radio amateurs with 10m dishes who can put out a few kilowatts. The dish is hard to hide though in an inhabited area. Note that an uplink for a TV remote vehicle is relatively small at about a couple of metres.

    There are transmission design techniques, such as that used by GPS that make the signal far more difficult to swamp. The receiver is 'looking' for a pattern in the signals and will reject signals that do not fit that pattern. Such a receiver is far more difficult to swamp.

    --
    See my journal, I write things there
  74. TTAC Locations and timing required to hack a bird by Alascom · · Score: 5, Informative

    Let's look at Iridium as an example:
    Motorola controlled the Telemetry Tracking And Control (TTAC) function for Iridium's birds. The satellites were controlled through, of all things, SNMP! Yes, it's true. SNMP-issued commands controlled the basic functions of the satellite. Commands were issued from TTACs to the birds as they passed overhead. One can only communicate when the satellite is over the horizon of the transmitting/receiving TTAC; you can't just broadcast a signal from anywhere and hope the satellite gets it. Next, you can only communicate with a satellite that's listening. Power consumption is a critical issue in satellites (no 120v AC in space). Therefore, the satellites only listen and transmit when they are overhead of a TTAC. The signal must be coming from or going to the general area of the TTAC (it's directional). Because they communicate as they travel overhead, the distance involved, etc., this creates a distorted egg-shaped signal "footprint" around the TTAC. When the bird is directly overhead, the footprint is shaped like a circle (for Iridium, approx. 20 miles diameter), then back to an egg shape as the bird approaches the far horizon. Any HAM/hacker wanting to snoop or squash the TTAC signal must be in the general vicinity of the TTAC in order to be able to receive or transmit effectively.

    Motorola had several issues that are probably prevalent throughout the commercial sat industry. First, the TTAC stations WERE connected to the rest of the Motorola network, which in turn connected to 3rd party networks, and on and on. Even though firewalls and ACLs were used, they were based on very general rules, usually restricting to broad networks. Also, dial-in was supported on routers throughout the network for maintenance, so the best way around the firewalls would simply be Soc. engineering a router password and dialing up the TTAC router/switch.

    This could be achieved by: Locate the TTACs for the satellite in question, usually public info. Get any phone numbers at that location you can. WAR dial a range of numbers around the TTAC numbers and note any Cisco devices answering. Use the SE'd passwd on the discovered Cisco dialups until you find a winner. Once in, either swipe the control apps for your own transmitter/receiver, or perform a one-time attack, since you are unlikely to get a second chance once they notice.

    SIDE NOTE: There is NO chance of anyone ever using a satellite to crash into another bird. It takes Motorola several months just to move 1 bird from orbit A into adjacent orbit B. Fuel is extremely limited on these things. Besides, picture the entire earth as a parking lot with 50, 100 or even 500 hundred cars continuously driving around on it. What is the likelihood any of them will ever collide, much less run into each other? Now imagine it with each car having 1 gallon of gas to use. The logistics now become very clear.

  75. Re:I assume the run of the mill reply to this is.. by Kallahar · · Score: 2

    Bad idea, for the following reasons:

    1) It takes more time than that to verify the fixes, test the changes, and upload it to the satellite. Add in insurance costs since one bad opcode could shut down a $50 million satellite and they want to make sure it WORKS first.

    2) The entire OSS community will not help out all at once. The people likely to help will be the ones interested.

    3) Unless they have an excellent response system already in place, more hacks will be done in the time between fixes (at least in the beginning) than would happen now (through obscurity)

    I completely support open standards, but it is sure a lot easier to START with them open, rather than investing a lot of money and effort and then opening them up...

  76. jamming by markmoss · · Score: 5, Interesting

    Can someone effectively execute a DOS attack by uplinking to the satellite with a powerful signal

    It's certainly possible, and it's called "jamming". This costs a lot for plain random troublemaking; it takes a steerable dish and a fairly high powered transmitter, with a big electric bill. It seems rather unlikely someone with that budget would spend it just to mess up a science experiment. But unless considerable effort goes into protecting a satellite, jamming it would be small potatoes for a military operation.

    There are some substantial (but very secretive) defense contractors making radio and radar jammers for the US military. To jam a satellite using a fixed command frequency, you just point a dish at it and transmit at the same frequency with at least as much power as the actual command center. (I mean power delivered to the satellite antenna -- that's a product of the actual power and the transmitter dish's directionality.) The two signals basically add together, so if the jammer just sends a non-varying signal it's quite likely that the receiver will still be able to pick the commands off the top. But just about anything that varies without too much predictability will do for a jamming signal -- white noise, classical music, Slim Pickens yodeling, Howard Stern...

    The most common method of defeating jamming is to change the frequency. Every so often, computers on the ground and in the satellite compute a pseudo-random number, and change to that frequency. It's easy to do that once or more a second, and the jammer is not going to be able to find the new frequency fast enough. (Assuming the number sequence is secure, against both espionage and cryptographic reverse-engineering.) However, if they _really_ want to knock you off the air, it's possible to transmit a very high powered broad-band signal to jam all the channels at once. If there are 1,000 possible channels, the jammer has to be 1,000 times as powerful. Do that to a US military satellite, and I think you will knock it out for a while, but: (1) in a few minutes the satellite orbit will take it out of view from your dish; (2) unless you're a nuclear power, eventually they'll get permission to send a cruise missile into your ground station; (3) That much broadband power will mess up other communications as well, and get other countries mad at you. There are stories that the Soviets used to play a little with our satellites and vice-versa, but nothing serious because both sides had too much to lose...

    Another protection against jamming is to use a very directional receiving antenna, so any jammer would have to be on territory you control. This also substantially reduces the required transmitter strength. The problem is keeping that receiver dish pointed at home. In a satellite, you would have to also have an omnidirectional backup antenna, to use to re-gain control if the satellite tumbles. This makes it more complex and expensive than frequency-hopping.
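The hop schedule described in the comment above, as an added example that is not part of the original post and not any real satellite's scheme: ground and spacecraft derive each slot's channel from a shared key and a slot counter, and the functions measure how often an interferer without the key lands on the active channel. The key, the use of HMAC-SHA256 as the sequence generator and all function names are assumptions made for illustration; only the 1,000-channel figure comes from the comment.

```python
import hashlib
import hmac

NUM_CHANNELS = 1000  # channel count used in the comment's estimate

# Constructed demo key; a real key would be generated randomly and kept secret.
GROUND_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f"
                           "101112131415161718191a1b1c1d1e1f")


def channel_for_slot(key: bytes, slot: int) -> int:
    """Channel for one hop interval, derived from the shared key and slot number."""
    digest = hmac.new(key, slot.to_bytes(8, "big"), hashlib.sha256).digest()
    # 64 bits reduced modulo 1000: the modulo bias is negligible at this size.
    return int.from_bytes(digest[:8], "big") % NUM_CHANNELS


def schedule(key: bytes, first_slot: int, count: int) -> list:
    """Channels for `count` consecutive slots starting at `first_slot`."""
    return [channel_for_slot(key, s) for s in range(first_slot, first_slot + count)]


def fixed_channel_overlap(key: bytes, jam_channel: int, slots: int) -> float:
    """Fraction of slots in which a signal parked on one channel coincides."""
    hits = sum(1 for s in range(slots) if channel_for_slot(key, s) == jam_channel)
    return hits / slots


def follower_overlap(key: bytes, slots: int) -> float:
    """Fraction of slots hit by an interferer that always retunes to the
    channel it observed one slot earlier (it is never fast enough to catch
    the current one)."""
    hits = sum(1 for s in range(1, slots)
               if channel_for_slot(key, s) == channel_for_slot(key, s - 1))
    return hits / (slots - 1)


if __name__ == "__main__":
    print("first hops:", schedule(GROUND_KEY, 0, 8))
    print("fixed-channel overlap:", fixed_channel_overlap(GROUND_KEY, 437, 20000))
    print("follower overlap:", follower_overlap(GROUND_KEY, 20000))
```

Both overlap figures come out near 1/1000, which is where the comment's "1,000 times as powerful" estimate for a broadband signal comes from; the protection rests entirely on the key staying secret.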

  77. worth the time? by markmoss · · Score: 2

    I mostly want opinions on whether cracking a science satellite would be worth the time.

    Let's say some nation (**cough**Iraq) gets tired of American spy satellites watching it. I hope these satellites have pretty secure command authentication. So instead, they take over the steering of other unprotected satellites and try to run them into the spysats. Even if they miss, your experiment schedule is ruined.

    If you are depending solely on security through obscurity, cracking it is going to be much easier than getting a shoe full of plastic explosive onto an airliner... Just a few random ideas: (1) Record a few thousand transmissions, and what the satellite does after receiving them. Hire an out of work Russian mathematician to correlate them and reverse engineer the protocol. Heck, I once had to reverse engineer a communications protocol because the developer hadn't completed the documentation; it's not that hard. (2) Get a spy on the payroll. American science researchers love to hire foreign kids with no idea of American pay scales. (3) Go dumpster diving. Chances are you or your customers are printing out command sequences to be checked, and then tossing the printouts in the dumpster.

    So you really should be using a cryptographically secure authentication scheme. As it transmits a command, your computer adds a timestamp, computes a hash of the command, timestamp, and a secret key, and appends that; the satellite checks the timestamp is reasonable (within a second or two), then also computes the hash and checks it. If you can keep that one number secret, you are secure as far as taking over the satellite goes.

  78. Hubble upgrade by KjetilK · · Score: 3, Informative

    If the Hubble has a 486, it was almost certainly an upgrade!

    Yes, you are entirely correct about that, it was inserted on a spacewalk. However, the article mentions that Pentiums weren't ready for space.

    --
    Employee of Inrupt, Project Release Manager and Community Manager for Solid
  79. A few suggestions... by grungie · · Score: 2, Informative

    I've worked in the satellite industry as well and there are a few things I can tell you from experience:

    - anyone can download the CCSDS PDF documents describing TM/TC links, error correction codes,... And although not many attackers would be courageous enough to implement the whole protocol (I implemented it partially and it was quite lengthy), tiresome bits like Reed-Solomon and Viterbi are freely available from some internet sites. I would say that the protocol aspect is not a security guarantee, since I for instance could develop the protocol stack.

    - As for the hardware, you are kind of right saying not many people would have the right antenna. But it must somehow be possible to use compact antennas/modems since you can buy satellite telephone handsets and most telephony satellites are geostationary (> 30,000 km). Off-the-shelf satellite reception systems exist and are pretty affordable but I don't think the same is true of transmitters. Depending on the kind of modulation used (It's usually QAM, I think) and the availability of commodity hardware, you would have to be a reasonably skilled electronics and telecom engineer to mount such an attack.

    - Now, assuming the threat actually exists, I would probably foresee a narrow emergency TC link off the main TC band, so that I can upload emergency commands to the sat. Also, if your TM bandwidth allows it, you may have all TC's echoed to the ground. This way, if someone is attacking your satellite, you would notice it immediately and could possibly also locate him/her. And I don't think you could DoS a satellite for long before getting caught, unless you start using mobile attack equipment: 3 satellites would suffice to locate you and the sidelobes of your antenna could betray you on the ground as well.

    What you're telling about unencrypted streams is amazing. Most commercial or scientific satellites I've seen so far use 3DES or a similar symmetric algorithm, for uplink at least.

    Note: I'm not an experienced space engineer. It's just that I've worked some time in the field. So don't take my suggestions for granted.

    grungie.

  80. Re:the very fact that you told us how you already. by nehril · · Score: 2

    ... and that to attempt communication you need a radio antenna.

    I can't believe he let that slip either! I mean, really, now everyone knows that his satellite com link isn't a really long ethernet cable.

  81. Houston, you have a problem. by Zeinfeld · · Score: 2
    I am pretty well known as a security consultant. My advice is that you immediately get someone who is a top rank security protocol designer to provide you with a cryptographic solution fast. To do the job well you should expect to pay a minimum of $100K for the design plus about the same for implementation.

    To answer the questions you pose:

    Do I have a problem

    If you did not before, you do now. Hint, if you rely on security through obscurity to secure a $50 million piece of hardware then best not tell the favourite news site for much of the hacker community.

    The threat comes from two sources, one is bored teenagers who can't get a girlfriend, the other is an attack by a well resourced adversary such as a hostile government, a major terrorist group or organised crime. The teen hacker problem is non-negligible but the well resourced adversary is more likely.

    Post 9/11 concern about infrastructure attacks is much greater. As a result the insurance syndicates I advise will shortly be requiring you to secure your communications links if you want to insure the bird. There will also be increased pressure from governments, particularly in the US, to secure possibly sensitive infrastructure.

    Are the existing security measures sufficient

    Absolutely not. In the first place by relying on security through obscurity you are putting your employees at risk. A motivated attacker would have no qualms about kidnapping an employee (or a member of their family) and forcing them to reveal the necessary information.

    A more sophisticated attacker could obtain the necessary information simply by discovering the location of your site and visiting it with a suitably sophisticated scanner. Even the best dish does not direct 100% of the signal at the satellite. There is plenty scattered around the dish. Intercepting the signal is not a major difficulty.

    Even if you have a large security perimeter around your upload point (e.g. at a military site) the attacker could use an aircraft. Even a model plane might be sufficient to detect the carrier frequency.

    If the attacker can intercept the signal they will have no difficulty decoding your command sequences. It is quite likely that there is information available to the public in any case. Much of the software used in that type of application is cannibalised from one project to the next. You might think you have a one-off that is unique but it might well turn out to share 80% of its code with another bird used by some obscure company (or university!).

    What should I do

    This is not a hard problem for an expert to solve, but I really would not go at it armed with only a copy of Applied Crypto and enthusiasm. Security protocol design is a subtle business. The 802.11b folk who tried the DIY solution failed. If you are going to get your bird insured you will probably end up having to have a recognised expert check the design.

    What you really need is a means of authenticating the commands sent to the bird. The easiest and most lightweight means of doing that is to use a message authentication code such as HMAC-SHA1 or one of the AES MAC modes. You need to establish some form of shared secret between the bird and the control station, this is simply a very large random number.

    You may or may not want to bother with public key infrastructure. If you want to launch your bird on a Chinese platform you might not want the shared secret to be present on the bird when you launch. So you embed the public component of some private key in the bird and do some form of key exchange (don't do this at home, contact one of the people involved in the IETF design of the IPSEC key agreement protocol).

    Incidentally the attack you are protecting yourself from there is not the Chinese stealing the key (unlikely). A more likely form of attack is some jumped up pipsqueak senator looking to make a name for himself with a grandstanding attack on your perfidy (ask the directors of Loral).

    Securing the link is the easy part, securing the shared secret to secure the link is harder. Some form of PK based key splitting scheme may be needed.

    In summary, go see a specialist. Someone like Paul Kocher at Cryptography.com, Eric Rescorla at RTFM.com, Derek Atkins (warlord@mit.edu) is also highly competent. Expect to pay a lot more than you expect. The best people charge from $2,500 a day to $5,000. There are some who charge more, you will have great difficulty hiring them.

    --
    Looking for an Information Security student project suggestion?
    Try http://dotcrimeManifesto.com/
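The command authentication described in comments 77 and 81 above (timestamp, shared secret, HMAC-SHA1 tag, freshness window of a second or two), as an added example that is not part of either post and not any real spacecraft's protocol. The frame layout, the millisecond timestamps, the strictly increasing timestamp rule that blocks replay inside the freshness window, and all names are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

HEADER = struct.Struct(">QH")  # assumed layout: timestamp in ms, command length
TAG_LEN = 20                   # HMAC-SHA1 output size, the MAC named in comment 81
MAX_SKEW_MS = 2000             # "within a second or two" from comment 77

# Constructed demo secret; a real one is a large random number kept off the network.
DEMO_KEY = bytes.fromhex("a3" * 32)


def sign_command(key: bytes, command: bytes, timestamp_ms: int) -> bytes:
    """Ground side: frame = header || command || HMAC(key, header || command)."""
    body = HEADER.pack(timestamp_ms, len(command)) + command
    return body + hmac.new(key, body, hashlib.sha1).digest()


class CommandReceiver:
    """Spacecraft side: returns the command bytes, or None if the frame is rejected."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_accepted_ms = -1  # assumption: timestamps must strictly increase

    def accept(self, frame: bytes, now_ms: int):
        if len(frame) < HEADER.size + TAG_LEN:
            return None
        timestamp_ms, length = HEADER.unpack_from(frame)
        if len(frame) != HEADER.size + length + TAG_LEN:
            return None  # truncated or padded frame
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha1).digest()
        # Verify the tag first, in constant time, before trusting any field.
        if not hmac.compare_digest(tag, expected):
            return None
        if abs(now_ms - timestamp_ms) > MAX_SKEW_MS:
            return None  # stale recording or clock far out of step
        if timestamp_ms <= self.last_accepted_ms:
            return None  # replay of a frame captured inside the window
        self.last_accepted_ms = timestamp_ms
        return body[HEADER.size:]


if __name__ == "__main__":
    rx = CommandReceiver(DEMO_KEY)
    frame = sign_command(DEMO_KEY, b"HEATER_ON", 1_000_000)
    print("genuine :", rx.accept(frame, 1_000_400))
    print("replayed:", rx.accept(frame, 1_000_500))
```

The tag authenticates the command but does not hide it, and the scheme depends on the spacecraft clock staying within the skew window of the ground clock.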
  82. An example of GPS DOS by xixax · · Score: 3, Interesting
    See http://www.vertic.org/tnv/may00/science.html for a run-down of a story New Scientist ran some time back. For $7,500 USD they managed to DOS GPS over a wide area. I also wonder about the feasibility of attaching one of those explosive EMP generators to a wave guide or something.

    Xix.

    --
    "Everything is adjustable, provided you have the right tools"
  83. Re:I assume the run of the mill reply to this is.. by DerekLyons · · Score: 2

    Well, having code up for public review will only do you good, if you have a decent security design as a starting point.

    *And* if a competent programmer reviews it, *and* if the programmer is familiar with the type of system he's reviewing.

    Open Source is a tool, not a solution.

  84. CNN by kruczkowski · · Score: 2

    I knew this guy who was in the Army and worked at AFN (Armed Forces Network). He told me that they easily take the CNN satellites if something was wrong with their own. I don't know if CNN knows or cares but he put it in a funny way, "CNN is everywhere so why make a backup network if all you have to do is borrow someone else's"

    I guess a terrorist would not want to attack CNN.

    --
    hmm... for fun I enjoy launching DDoS attacks against 127.87.42.5
  85. Re:Forget reverse engineering -- who's quit lately by mpe · · Score: 2

    Are your internal machines firewalled completely from the public Internet? Most importantly, how much do you trust the people who know how it works?

    Never mind things as sophisticated as computers. How secure is the dish used for sending the commands and the cable connecting it to the control centre?

  86. obscurity is not security by Shanep · · Score: 2

    A common mantra heard from Slashdot is "obscurity is not security", and this is a lesson that teridon wants his company to learn

    If anyone thinks it is, then consider what happens when an employee has access to what the company wants to be obscure, then later he becomes a disgruntled ex-employee.

    Now, your inside friend, is your outside foe, and he knows all of your weaknesses. Here's hoping the security being used was not just obscurity.

    --
    War crimes, torture, lies, illegal spying... Would someone give Bush a blowjob, already, so he can be impeached?