Slashdot Mirror


The Dismal State of SATCOM Security

An anonymous reader writes "Satellite Communications (SATCOM) play a vital role in the global telecommunications system, but the security of the devices used leaves much to be desired. The list of security weaknesses IOActive found while analyzing and reverse-engineering firmware used on the most widely deployed Inmarsat and Iridium SATCOM terminals does not include only design flaws but also features in the devices themselves that could be of use to attackers. The uncovered vulnerabilities include multiple backdoors, hardcoded credentials, undocumented and/or insecure protocols, and weak encryption algorithms. These vulnerabilities allow remote, unauthenticated attackers to compromise the affected products. In certain cases no user interaction is required to exploit the vulnerability; just sending a simple SMS or specially crafted message from one ship to another ship would be successful for some of the SATCOM systems."

9 of 54 comments

  1. ignorance was bliss by Anonymous Coward · · Score: 2, Insightful

    Isn't it great how security went from a concern, to an afterthought, to completely irrelevant over the span of twenty years? Only to be magically resurrected as a hot-button issue of worldwide concern for every other news story for arguably the next 5 years. And all because big corps, with all their endless offshoring, cost cutting, profit seeking, litigation circumvention, and merciless assault on tax avoidance will continue to skip to the loo with endless payrolls, blaming all of this all the while on "outside forces". It makes me feel like IT Security is as fun a joke in the boardroom as GAAP. We don't even have a real ruling body anymore according to IETF sources. Is there anything that isn't a mucked-up, mocked-up, half-assed attempt at stopping this all?

  2. As a SATCOM professional... by DeTech · · Score: 3, Informative

    LDR services like Inmarsat were never meant to be secure. Now if this was about AEHF that would be news.

    1. Re:As a SATCOM professional... by DeTech · · Score: 2

      Well, unless you can point someone at this list of vulnerabilities and say "it's not meant to be secure", and still make your sale, of course.

      That of course is the kicker. The customer base for Inmarsat and Iridium is not the SHIELD/HYDRA community the OP has in his head. This is more the Western Union / pay-as-you-go phone crowd.

  3. Re:Encryption by Anonymous Coward · · Score: 2, Informative

    That won't protect you from denial of service attacks.

    And in quite a lot of the use cases, the reaction won't be "Bummer, can't get to Slashdot" but will be:
    - "Bummer, can't warn the train driver there are boulders on the rail"
    - "Bummer, can't contact search and rescue and the ship is sinking"
    - "Bummer, can't contact HQ and request air support to help with these guys shooting RPGs at my convoy"
    Note: Substitute "Bummer" with appropriate four-letter word.

    Also, Type 1 encryption devices won't be available to most users (certainly not to civilians outside the US).

  4. Why would you think otherwise? by mveloso · · Score: 2

    Anyone talking on a sat phone is by definition interesting to the government - any government. Why would you think that these would be secure?

  5. OSS security debate by janoc · · Score: 3, Interesting

    Wasn't it just yesterday that someone posted a flamebait summary about the Heartbleed bug changing the "Open source is safer" discussion?

    This is great evidence of what happens when you rely on security by obscurity in proprietary software. Nobody is forced to fix things, sloppy coding is the norm and there are backdoors galore ...

    Unfortunately, the bad guys laugh, the vendors play ostrich with their heads in the sand and everyone else is suffering the consequences ...

  6. Re:They will take it seriously by janoc · · Score: 2

    Which is happening routinely. Many older birds don't require any authentication or anything - they simply retransmit whatever they hear on one frequency on another one: http://spectregroup.wordpress....

    And those are US NAVY (!!!) satellites!

    Doing that with Iridium or Inmarsat hardware is a bit more complex, because the protocols are mostly digital, but not impossible either.

  7. Re:Aren't those guys rocket scientists? by cusco · · Score: 3, Insightful

    The problem is that reliability has always been considered paramount in these devices, for very good reasons, and inserting a security layer in the stack increases the likelihood of problems and increases their complexity. There are satellite phones out there which have been in almost continuous use for 15 years; good luck flashing that firmware to handle encryption or to obfuscate that hard-coded password. For most satellite communications users I don't foresee the situation changing any time soon. The guy running a gold dredge in the upper Amazon isn't going to want to cough up for a new phone when his current one has been working fine for the last decade, nor is the tribal chief in New Guinea or the crab boat captain in the Bering Strait. What they have works, and they don't give a shit whether the phone can be hacked as long as it works when they really need it. The commodities speculator in his Lear jet might be concerned; let him pay for the system upgrades, but leave the rest of the system backwards compatible for those people who need reliability overall.

    --
    "Think about how stupid the average person is. Now, realise that half of them are dumber than that." - George Carlin

  8. Re:Encryption by K. S. Kyosuke · · Score: 2

    Be a contrarian - go for Type i encryption devices!

    --
    Ezekiel 23:20