Security researchers find major flaws in satellite communication gear used worldwide in aeronautics, the energy and maritime industries, emergency services and by government agencies and the military.

An analysis of satellite communication gear from more than a half-dozen major manufacturers has uncovered critical vulnerabilities that could be exploited to disrupt military operations and ship and aircraft communications.

The flaws were found in software and ground-based satellite systems used worldwide and manufactured by U.S.-based Harris Corp., Hughes and Iridium Communications; U.K.-based Cobham and Inmarsat; Thuraya, headquartered in Dubai, United Arab Emirates; and the Japan Radio Co., security firm IOActive reported in a technical white paper released this week.

Satellite communication (SATCOM) networks are critical in aeronautics, the energy and maritime industries, emergency services and the media. Government agencies and the military also depend on such networks.

From October to December 2013, IOActive researchers reverse-engineered the publicly available firmware updates of SATCOM products from the manufacturers. What the researchers found were major vulnerabilities that could let a cyberattacker intercept, manipulate or block communications, and in some cases, remotely take control of the physical device.

The findings were serious enough for the vendor to recommend that SATCOM manufacturers and resellers “immediately remove all publicly accessible copies of device firmware updates from their websites, if possible, and strictly control access to updates in the future.”

IOActive has notified the vendors of the flaws and is working with the government CERT Coordination Center. CERT, which stands for Computer Emergency Response Team, is a part of the Software Engineering Institute (SEI), which is a U.S.-funded research and development center at Carnegie Mellon University.
Specific details needed to replicate or test the vulnerabilities will not be released publicly until the second half of the year to give the vendors time to develop patches for their products.

So far, only Iridium was working on a fix, Cesar Cerrudo, chief technology officer for IOActive Labs, said Friday. “Government agencies are aware of the situation, but we don’t know how hard they are pressuring vendors to get the vulnerabilities fixed.”

The classes of vulnerabilities uncovered by IOActive included hardcoded credentials, undocumented protocols, insecure protocols and backdoors.

Many of the problems were discovered in Broadband Global Area Network satellite receivers. BGAN is an Internet and voice network often used in military operations. The system was used in efforts to locate the Malaysian passenger plane that crashed last month.

The equipment analyzed was also used in accessing Inmarsat-C and FleetBroadband, both maritime communication systems; SwiftBroadband, an IP-based data and voice aeronautical system that has been approved by the International Civil Aviation Organization (ICAO) for aircraft safety services; and Classic Aero Service, an aeronautical system used for voice, fax and data services.

To exploit the vulnerabilities, an attacker would have to first compromise or gain physical access to a PC connected to one of the above networks, Cerrudo, chief technology officer for IOActive Labs, said. Once under the attacker's control, the computer could then be used to compromise vulnerable devices without needing a user name or password.

“The impact will depend on the scenario, if the devices are compromised when they are really needed then the impact would be bigger and maybe cause accidents,” Cerrudo said.