Satellite communication systems rife with security flaws, vulnerable to remote hacks

Researchers found critical vulnerabilities in satellite communications devices used in the defense, maritime, aerospace and other sectors

Security researchers have found that many satellite communication systems have vulnerabilities and design flaws that can let remote attackers intercept, manipulate, block and in some cases take full control of critical communications.

Between October and December last year, researchers from IOActive analyzed the firmware of popular satellite communications (SATCOM) devices used in the military, aerospace, maritime, critical infrastructure and other sectors. The research covered products manufactured or marketed by Harris, Hughes Network Systems, Cobham, Thuraya Telecommunications, Japan Radio Company (JRC) and Iridium Communications. The analysis focused on SATCOM terminals used on the ground, in the air and at sea, not on the satellites themselves.

"IOActive found that all devices within the scope of this research could be abused by a malicious actor," the IOActive researchers said in a report published Thursday. "We uncovered what would appear to be multiple backdoors, hardcoded credentials, undocumented and/or insecure protocols, and weak encryption algorithms."

"These vulnerabilities allow remote, unauthenticated attackers to compromise the affected products," the researchers said. "In certain cases no user interaction is required to exploit the vulnerability; just sending a simple SMS or specially crafted message from one ship to another ship would be successful for some of the SATCOM systems."
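The report summarised above describes finding classes (hardcoded credentials, embedded keys, weak encryption, undocumented services) rather than a method. The following is an added example of the kind of first-pass static triage a practitioner would run over a firmware image to surface exactly those classes; it is not IOActive's tooling, and the firmware blob embedded below is constructed for illustration, not a real vendor image. The regexes are deliberately coarse: they produce leads for manual review, not confirmed vulnerabilities.

```python
"""Static triage of a firmware image for the finding classes in the IOActive report:
hardcoded credentials, embedded private keys, weak or legacy crypto and debug
services. Added example, not IOActive's tooling; the image below is constructed."""
import re
from typing import Dict, List, Pattern, Tuple

# Constructed stand-in for an unpacked terminal firmware image (no real vendor data).
SAMPLE_FIRMWARE = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 16
    + b"login: admin\x00password: satcom123\x00"
    + b"root:$1$abcdefgh$QwErTyUiOpAsDfGhJkLmN0\x00"
    + b"-----BEGIN RSA PRIVATE KEY-----\nMIIBOgIBAAJBAK...\n-----END RSA PRIVATE KEY-----\n"
    + b"DES_ecb_encrypt\x00MD5_Init\x00telnetd\x00debug_shell_enable\x00"
    + b"\xff" * 32
)

# (category, regex applied to each extracted string)
PATTERNS: List[Tuple[str, Pattern[str]]] = [
    # key=value style secrets in config blobs or code
    ("credential", re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[:=]\s*\S{4,64}")),
    # /etc/passwd or /etc/shadow style entries carrying a crypt(3) hash:
    # user:$N$salt$hash, or a 13-character traditional DES hash
    ("credential", re.compile(r"^[a-z_][a-z0-9_-]{0,31}:(?:\$\d\$[^:]{8,}|[A-Za-z0-9./]{13})(?::|$)")),
    ("private_key", re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----")),
    # OpenSSL-style symbol names for legacy primitives; a hit means the binary
    # links them, which is a lead to check, not proof they protect anything
    ("weak_crypto", re.compile(r"\b(?:DES|RC4|MD4|MD5)_\w+")),
    ("debug_service", re.compile(r"\b(?:telnetd|debug_shell\w*|backdoor\w*)\b")),
]


def extract_strings(blob: bytes, min_len: int = 4) -> List[str]:
    """Equivalent of the `strings` utility: printable ASCII runs of at least min_len bytes."""
    run = re.compile(rb"[\x20-\x7e\t]{%d,}" % min_len)
    return [m.group(0).decode("ascii") for m in run.finditer(blob)]


def triage(blob: bytes) -> Dict[str, List[str]]:
    """Group every matching string by finding category, preserving image order."""
    findings: Dict[str, List[str]] = {}
    for s in extract_strings(blob):
        for category, pattern in PATTERNS:
            if pattern.search(s):
                findings.setdefault(category, []).append(s)
                break  # one category per string is enough for a triage pass
    return findings


if __name__ == "__main__":
    for category, hits in triage(SAMPLE_FIRMWARE).items():
        print(f"[{category}]")
        for hit in hits:
            print("   ", hit)
```

On a real image the input would be the output of an unpacker such as binwalk rather than a raw blob, and a plaintext hit like `password: satcom123` or a crypt hash in a root entry is the point at which to try the credential against the terminal's management interfaces to confirm whether it is live.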

For example, vulnerabilities that IOActive claims to have found in mobile Harris BGAN (Inmarsat Broadband Global Area Network) terminals would allow attackers to install malicious firmware or execute arbitrary code. Such terminals may be used by the military to coordinate attacks between different units and are common within the forces of the North Atlantic Treaty Organization (NATO), the researchers said.

In an attack scenario described by the IOActive team, malware running on a laptop connected to a BGAN terminal could inject malicious code into the terminal itself, which would then use the terminal's GPS receiver to track its own position.

"This would allow the attacker to compare the system's position with a fixed area (target zone) where an attack from enemy forces is planned," the researchers said. The code could then disable communications from the device when it enters the target zone, hindering the ability to call for support or organize a counter-attack, the researchers said.

The Hughes BGAN M2M terminals, which are used in the utilities, oil and gas, retail banking and environmental monitoring sectors, also contain vulnerabilities that could allow attackers to commit fraud, launch denial-of-service attacks, cause physical damage and spoof data, according to IOActive. These terminals can be controlled remotely via SMS messages, the researchers said, which matters because the originating number of an SMS is not a trustworthy identifier: many gateways let a sender set it freely.
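The page does not describe the Hughes SMS command format, so the following added example uses a hypothetical one (not Hughes' protocol, and not IOActive's code) to show the design point behind the finding: a terminal that trusts the SMS originating number as its access control can be driven by anyone who can spoof that number, while a terminal that requires a per-terminal keyed MAC and a monotonic counter over each command ignores the sender entirely and rejects spoofed, tampered and replayed messages. The key, terminal ID and command names are constructed for the demonstration.

```python
"""Why an SMS control channel must authenticate commands, not sender numbers.
Added illustration with a hypothetical command format; not Hughes' protocol."""
import hashlib
import hmac


class NaiveTerminal:
    """Acts on any well-formed command from a whitelisted originating number.
    The originating address of an SMS is attacker-controllable (spoofable via
    many gateways), so this whitelist is not an authentication control."""

    def __init__(self, allowed_senders):
        self.allowed_senders = set(allowed_senders)
        self.executed = []

    def handle_sms(self, sender: str, body: str) -> str:
        if sender not in self.allowed_senders:
            return "rejected: unknown sender"
        command, _, argument = body.partition(" ")
        self.executed.append((command, argument))
        return f"executed: {command}"


class AuthenticatedTerminal:
    """Requires each SMS to carry a monotonic counter and an HMAC over
    (terminal id, counter, command) under a per-terminal key; the sender
    address is ignored. Hypothetical body format: "<counter>|<command>|<mac>",
    with the MAC truncated to 128 bits so a command fits in one 160-char SMS."""

    MAC_HEX_LEN = 32

    def __init__(self, terminal_id: str, key: bytes):
        self.terminal_id = terminal_id
        self.key = key
        self.last_counter = 0
        self.executed = []

    @classmethod
    def mac(cls, key: bytes, terminal_id: str, counter: int, command: str) -> str:
        msg = f"{terminal_id}|{counter}|{command}".encode()
        return hmac.new(key, msg, hashlib.sha256).hexdigest()[: cls.MAC_HEX_LEN]

    @classmethod
    def build_sms(cls, key: bytes, terminal_id: str, counter: int, command: str) -> str:
        """Operator side: produce the SMS body for one command."""
        return f"{counter}|{command}|{cls.mac(key, terminal_id, counter, command)}"

    def handle_sms(self, sender: str, body: str) -> str:
        parts = body.split("|")
        if len(parts) != 3 or not parts[0].isdigit() or len(parts[2]) != self.MAC_HEX_LEN:
            return "rejected: malformed"
        counter, command, mac_hex = int(parts[0]), parts[1], parts[2]
        # MAC first, so an unauthenticated sender learns nothing about counter state;
        # compare_digest keeps the comparison constant-time.
        expected = self.mac(self.key, self.terminal_id, counter, command)
        if not hmac.compare_digest(expected.encode(), mac_hex.encode()):
            return "rejected: bad mac"
        if counter <= self.last_counter:
            return "rejected: replay"  # a captured valid SMS cannot be resent
        self.last_counter = counter
        cmd, _, argument = command.partition(" ")
        self.executed.append((cmd, argument))
        return f"executed: {cmd}"


def demo() -> dict:
    key = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed per-terminal key
    naive = NaiveTerminal(allowed_senders={"+15550100"})
    hardened = AuthenticatedTerminal("TERM-42", key)
    results = {}
    # Attacker spoofs the operator's originating number; the naive terminal obeys.
    results["naive_spoof"] = naive.handle_sms("+15550100", "REBOOT now")
    # Legitimate operator command, accepted once.
    legit = AuthenticatedTerminal.build_sms(key, "TERM-42", 1, "SET_APN corp.example")
    results["auth_legit"] = hardened.handle_sms("+15550100", legit)
    # Same spoofed sender without the key: rejected regardless of originating number.
    results["auth_spoof"] = hardened.handle_sms("+15550100", "2|REBOOT now|" + "0" * 32)
    # Replay of the captured legitimate SMS: rejected by the counter.
    results["auth_replay"] = hardened.handle_sms("+15550100", legit)
    # Captured MAC reused over a different command: rejected.
    results["auth_tamper"] = hardened.handle_sms("+15550100", legit.replace("SET_APN corp.example", "REBOOT now"))
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:12s} {outcome}")
```

The counter must survive reboots (stored in non-volatile memory) or a power cycle reopens the replay window, and the per-terminal key has to be provisioned out of band rather than embedded in firmware, or it becomes exactly the kind of hardcoded credential the report describes.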

IOActive also claims to have identified vulnerabilities in maritime VSAT and FB (FleetBroadband) terminals from Cobham and JRC, including the Cobham SAILOR 900 VSAT, Cobham SAILOR FB and JRC JUE-250/500 FB, that could give attackers full control over communications passing through a ship's satellite link. This link carries a variety of services including telephone, broadband Internet, email and file transfer, video conferencing, weather forecasts, maritime/port regulations, vessel routing, cargo management and emergency communications.

Another Cobham satellite communications suite for vessels, the Cobham SAILOR 6000, uses an insecure protocol called thraneLINK that attackers could use to take full control of the suite, the IOActive researchers said. The Cobham SAILOR 6000 handles Global Maritime Distress and Safety System (GMDSS) communications, which include transmitting and receiving ship-to-shore, shore-to-ship and ship-to-ship distress alerts, as well as search-and-rescue coordination, on-scene communications, localization signals and maritime safety information, among other things.

Compromising the Cobham SAILOR 6000 communications suite poses a critical threat to the ship's safety, the researchers said.

According to IOActive, another vulnerable satellite communications system is the Cobham AVIATOR 700, which is used on aircraft, including military ones. The system is available in two versions certified at the two lowest software design assurance levels, which classify the worst-case effect a failure could have on the aircraft, crew and passengers: level E (no effect) and level D (minor). The security concern is that such a low-assurance component shares a link with systems certified at the highest level.

"IOActive was able to demonstrate that it is possible to compromise a system certified for level D that interacts with devices certified for level A [catastrophic risk], potentially putting the level A devices' integrity at risk," the researchers said.

"More specifically, a successful attack could compromise control of the satellite link channel used by the Future Air Navigation System (FANS), Controller Pilot Data Link Communications (CPDLC) or Aircraft Communications Addressing and Reporting System (ACARS)," the researchers said. "A malfunction of these subsystems could pose a safety threat for the entire aircraft."

The published paper does not contain any technical details about the identified flaws in order to avoid their exploitation by malicious parties. However, the researchers plan to release such details later this year.

IOActive claims that it worked with the CERT Coordination Center (CERT/CC) to alert affected vendors about the vulnerabilities in their products.

"Unfortunately, except for Iridium, the vendors did not engage in addressing this situation," the researchers said. "They did not respond to a series of requests sent by the CERT Coordination Center and/or its partners."

The team recommends that SATCOM terminal manufacturers and resellers remove publicly accessible copies of device firmware updates from their websites and strictly control access to such software in future, in order to prevent others from identifying the same or other vulnerabilities. Restricting firmware distribution slows independent discovery but does not itself remove the flaws; only vendor fixes do that.

"If one of these affected devices can be compromised, the entire SATCOM infrastructure could be at risk," the researchers said. "Ships, aircraft, military personnel, emergency services, media services, and industrial facilities (oil rigs, gas pipelines, water treatment plants, wind turbines, substations, etc.) could all be impacted by these vulnerabilities."

"Iridium has been in contact with CERT since they brought these concerns to our attention and we have taken the necessary steps in the Iridium network to alleviate the issue," Iridium Communications said in an emailed statement. "After extensive research internally, we have determined that the risk to Iridium subscribers is minimal, but we are taking precautionary measures to safeguard our users."

Harris, Hughes Network Systems, Cobham, Thuraya Telecommunications and JRC did not immediately respond to requests for comment on Friday.

By Lucian Constantin