DUBAI–When new technologies or platforms emerge, they tend to follow a familiar trajectory in terms of security. The evolution typically goes through something like the following stages: Hey, look what we built; huh, no, we didn’t think about that problem; we’re very serious about security; ok, now we’re actually serious about security.
This is the path that virtually all platforms have followed, including the Internet itself, the commercial Web and, more recently, mobile systems. The amount of time that the full evolution takes has sped up greatly over the years, moving from the decades that it took with the Internet to a decade and a half or so with the Web to a few years with smartphones. This time compression has much to do with the acceleration of technology itself, but it also is dependent upon the amount and quality of attention that each platform has received from the security research community. As more and better researchers take an interest in a given platform, say iOS or Android, more issues are revealed, leading (hopefully) to improvements and hardening.
While this evolution continues for all of the above platforms, a new–or rather, quite old–one is beginning to draw the attention of researchers: satellite communications. Satellites predate any of the other common communications platforms we use today, save landlines, but for much of their existence, they have been the province of governments and their contractors. The inner workings of these systems were known to a relatively small number of people, and that’s the way the manufacturers and operators liked it. Security through obscurity worked in their favor for decades. But the recent democratization of the technology has led to an increase in the number of small, private operators, and, perhaps more importantly, the availability of technical specifications, firmware and other tools that have enabled researchers to take a serious look at the security of these systems.
At first blush, what they’ve found is neither surprising nor especially encouraging. Ruben Santamarta of IOActive last month published a paper that detailed his findings after reverse engineering the firmware of a number of commercial satellite terminals from a variety of vendors. And that was without having access to the physical terminals themselves; he only looked at the firmware.
“IOActive found that malicious actors could abuse all of the devices within the scope of this study. The vulnerabilities included what would appear to be backdoors, hardcoded credentials, undocumented and/or insecure protocols, and weak encryption algorithms. In addition to design flaws, IOActive also uncovered a number of features in the devices that clearly pose security risks,” he wrote in the paper.
“The current status of the products IOActive analyzed makes it almost impossible to guarantee the integrity of thousands of SATCOM devices. Appropriate action to mitigate these vulnerabilities should be taken.”
Santamarta and IOActive reported the flaws through CERT/CC, but said that only one vendor, Iridium, responded. For anyone who has written or read a security advisory in the last 20 years, that response will come as no surprise. This is the same cycle that traditional software vendors, mobile platform makers, and most recently, SCADA vendors, have been going through. Some respond well, some don’t.
There is some good news, however. Despite the lack of public acknowledgment and attention for Santamarta’s paper, satellite manufacturers and operators are quickly realizing the serious risk that such security problems pose to their businesses. At the World Space Risk Forum here this week, executives from large insurers, manufacturers and operators gathered to discuss the major issues they’re facing, and cyber risk in general, and Santamarta’s paper specifically, were major topics of conversation. Many of the insurance executives I spoke with during the week are in the process of rapidly getting up to speed on cybersecurity threats and risks and are trying to get a handle on exactly how big the problem is.
Right now, the risk to these systems from cyber attacks is probably relatively low. Many of the attacks that Santamarta identified require physical access to a terminal, which is a hurdle in many cases. And attacking the ground stations that operate the satellites presents another set of challenges, but neither one is impossible. Nor is attacking the other link in the chain: the people. A poll of the audience during the session on cybersecurity risk identified people as the biggest vulnerability right now.
That may be the case for now, but it won’t be for long if other researchers begin to build on the work of Santamarta and others who have come before him in this field. This has been the pattern for decades now as each new platform takes its turn in the spotlight. While satellites are anything but new, security research on the platforms is in its early stages. But with Santamarta’s paper as a road map, expect others to follow suit quickly.
The sentiment I got from the assembled executives here was that they realize cybersecurity represents a major potential problem for them, and they’re trying to acquire as much talent and knowledge as they can right now to address it. Let’s hope they’ve learned from the mistakes of others in the past and meet the challenge head-on.