LAS VEGAS — How hard is it to hack into satellite communications? Not that hard, according to researcher Ruben Santamarta of Seattle-based security company IOActive. He’s found a number of flaws in several widely used satellite communication (SATCOM) terminals, the ground-based devices that communicate with orbiting satellites.
Speaking at the Black Hat security conference in Las Vegas yesterday (August 7), Santamarta showed how SATCOM devices work and what kinds of flaws, including hard-coded credentials, backdoors and insecure and undocumented protocols, are present in them.
The average person may never connect directly to a SATCOM network, but people in the maritime, industrial, military and aerospace sectors do on a regular basis. On a commercial aircraft, both pilots and passengers, at least those who use on-board Wi-Fi, connect to SATCOM-based networks while in the air. SATCOM is used in emergency services, and media personnel use SATCOM connections to access the Internet while reporting from the field.
With the SAILOR 6006 marine SATCOM terminal made by British vendor Cobham, attackers could remotely access the device via a communication protocol called thraneLINK. Attackers could then pretend to be upgrading the targeted SAILOR’s firmware, but actually replace that firmware with a malicious variant.
The Cobham AVIATOR 700 is a SATCOM device used on airplanes for important communications as well as the passengers’ in-flight Wi-Fi. A passenger might be able to use the in-flight Wi-Fi connection, combined with authentication bypass flaws Santamarta found in the device, to interfere with pilots’ ability to communicate or to send and receive distress signals.
Many other devices require operators to use passwords hard-coded into the devices’ firmware, making the passwords impossible to change. Anyone with physical access (or in some cases, remote access) could easily find the passwords within the device’s code.
Santamarta also found hard-coded passwords and security backdoors in some SATCOM devices, including several devices made by Germantown, Maryland-based vendor Hughes Communications. Designed for use by Hughes administrators, the backdoors could nevertheless be used by attackers to gain remote access to the devices simply by sending an SMS message.
“The NSA is really happy with this,” Santamarta said sarcastically.
Santamarta’s talk comes just months after Malaysia Airlines flight MH370 mysteriously disappeared over the Indian Ocean, and there has been speculation that the plane could have been hacked. IOActive said it’s extremely unlikely that someone used the same bugs that Santamarta documented to affect MH370.
SATCOM device flaws can’t be used to seize control of an airplane’s navigation, IOActive’s Craig Brophy told Tom’s Guide. IOActive has no evidence any of Santamarta’s flaws have been exploited in the wild.
Santamarta said he disclosed all the bugs he found to the SATCOM device vendors. Some were skeptical of his findings, pointing out that his tests were all conducted in a laboratory setting and that the attacks would probably be harder to accomplish in real life.
“Cobham devices can therefore only be subject to attacks if the attacker has either physical access to the device or the network has been installed incorrectly,” Santamarta said a Cobham representative told him.
Hughes acknowledged its devices had hard-coded passwords and backdoors, but said that was “common practice” and that the passwords were “not intended to be a terminal security mechanism.”
“If someone can remotely or physically reach your SATCOM devices, it’s over,” Santamarta concluded.