Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
Security

Satellite Command Security? 426

Posted by Cliff
from the preventing-orbital-hacking dept.
teridon asks: "I work in the satellite control industry, and I've been asked to present mission safety with regards to command security. In other words, how do we ensure that 'unknowns' don't command the satellite. Military and commerical birds often employ encryption on both the uplink and the downlink. However, it seems that none of the science-oriented satellites my company operates do this. We rely on physical security (access to the control center), network security (we use closed networks), technology (most crackers don't have access to a huge radio antenna with which to transmit), and obscurity (each satellite has its own command structure, not publicly documented). Many satellites use CCSDS frames to uplink commands; only the command data is obscured by lack of public info." A common mantra heard from Slashdot is "obscurity is not security", and this is a lesson that teridon wants his company to learn, in addition to other steps they can take to improve the security of their system. What suggestions might you have when it comes to improving security on satellite systems, especially if you have experience from some of the mistakes that you may have seen in production?

"Three major issues concern me (I'm going to assume that our network security works (grin!):

  1. Can someone effectively execute a DOS attack by uplinking to the satellite with a powerful signal (the frequency would be easy to 'snoop' from our transmitting antenna), thus preventing us from commanding it? In general, how do receivers handle multiple command carriers (would there be too much noise to command)?
  2. How many of you think that you could decipher the structure of the command (given the motivation)?
  3. Standards being developed (like SCPS) intend to make satellites 'just another node on the Internet.' Take a look at the security protocol (which is based on IPSEC, et. al) and tell me if you think it is secure, or whether you'd want to crack it.
I'm not looking for the Slashdot population to do my research -- I mostly want opinions on whether cracking a science satellite would be worth the time."
This discussion has been archived. No new comments can be posted.

Satellite Command Security?

Comments Filter:
  • by Tim Ward (514198) on Wednesday January 02, 2002 @08:59AM (#2773470) Homepage
    How many of you think that you could decipher the structure of the command (given the motivation)?

    Anything can be hacked given enough motivation. That's why different levels of security are applied to different perceived threats - you guess how much motivation the opposition are likely to muster and decide how much to invest in security accordingly.
    • by Theodore Logan (139352) on Wednesday January 02, 2002 @09:44AM (#2773636)
      Anything can be hacked given enough motivation.

      Why is this such a widespread belief? Has it been proven somehow? Has everything in the world that could possibly be hacked been hacked?

      The deduction seems to me the following: everything that has been hacked is hackable => therefore everything is hackable. Where's the logic in that? We don't walk around saying that 10 miles high building cannot be built because we have never built one, do we?

      I don't want to come off like a troll, but I'm getting a bit weary of the conclusion that just because noone have proved the existence of an unhackable system no such system can exist.

      • it's along the same lines of 'anything that can be made can be unmade'. It's just one of those natural laws...there is no such thing as 'unhackable'. given enough time and resources, anything can be broken.
      • by Shanep (68243) on Wednesday January 02, 2002 @10:26AM (#2773800) Homepage
        Anything can be hacked given enough motivation.

        The key is practicality.

        I think this opinion is based on ego. The hackers think they can hack anything, they just "don't have the motivation" to hack the really hard stuff. The system designers feel that they need to believe and portray this because they fear thier systems will some day be hacked or perhaps keep an open mind about it.

        I also think it is silly to beleive that an unhackable system cannot be designed.

        Although, I agree with the parent poster regarding practicality. I had an MCSE teacher tell the class I was in, that encryption was'nt good because any crypto algorithm could be cracked if the design is known. I wanted to challenge him on the practicalities of it (but I hate always being the arsehole in classes who corrects the teacher). I mean sure, learn the algorithm and brute force the output, but what about the practicality? What if it is an algorithm that is strong enough to realise the full range of a 4096 bit key? How many hundreds of years is it going to take to brute force crack it with the combined effort of all the computers that will ever exist on Earth? Will we (human race) be history by then? Do people in the year 8002 really give a crap about what people in 2002 were trying to hide? Do any humans still live on Earth, having terraformed and populated Mars and some other planets in other galaxies?

        Or how about a cipher text done with a One Time Pad, which could be decrypted with loads of different keys to come out as loads of *different* and *incorrect* yet completely inteligible plain texts!

        The rest of the class justs nods (duh!). It was the same teacher that told me that to boot an NT server off a SCSI disk, on a system that has NO SCSI BIOS, you just had to load an NT SCSI driver. Yeah, OK teach, good one. MCSE's, poor bastards, are given the inflated belief that they are computer experts once they have passed MS's "computer science". It's almost as pathetic as Scientology.
      • Why is this such a widespread belief?

        It is generally believed that if, say, the US government really wanted to hack something and was prepared to expend unlimited resources on the effort it would in due course succeed (if only by doing something as crude as conscripting every publicly-owned computer in the US and doing a distributed brute force attack).

        In this particular instance they could, if they really wanted to, design and build and launch another satellite which sat next to the target one and snooped all the traffic in both directions - yer average script kiddie isn't about to do this, so the threat is different.

        Anyone who doesn't try that hard doesn't have "enough" motivation and you're safe from them.

        It's generally considered that silly children (the type of hacker usually discussed here) don't try that hard, industrial spies try rather harder and enemy governments in wartime try even harder.

        You meet the threat accordingly. There's no point in wasting money trying to protect an SME's payroll system against an enemy government, for example.
      • Anything can be hacked given enough motivation.

        Why is this such a widespread belief?

        The problem isn't with the belief, but with the vagueness of the statement. What does "hacked" mean? Depending on the definition of the term, the answer changes.

        If the definition of hacking constrains the attacker to using network-based attacks, and if the system under consideration is simple enough, then, yes, it is possible to build an unhackable system (this depends on the nature of the system to a large degree). If the definition is widened to allow physical attacks on technological infrastructure, then the problem becomes vastly harder. If the definition is widened to permit basic social engineering, then the problem gains another dimension that must be addressed. If the definition is widened to include illegal activities like breaking and entering, theft, bribery, extortion, torture and murder, then as long as some user has legitimate access, the system can be hacked.

        I'm often frustrated by two equally incorrect viewpoints that I run into on this subject, and not just in the realm of security. The first is that everything is possible. The second is that anything is impossible.

        It is not true that everything is possible. The Halting Problem, for example. Finding integers x, y, z and n > 2 such that x^n + y^n = z^n. Copying 10GB of data across a 10Mb ethernet in less than one minute. And so on. Many, many tightly-constrained problems are impossible.

        It is also almost never true that any particular task is impossible, assuming all options are on the table. Many things are impractical, and many more things are too complex to get a handle on, but very few real-world personal and business goals are unachievable. If one appears to be, you probably just need a better understanding of the root goals.

        When I was a young geek, fresh out of school, I was secure in my knowledge that some things could not be asked of me because they were impossible (and I could prove it!) until I came smack up against a young businessman, fresh out of school who was secure in his knowledge that anything was possible because all the great fortunes had been made by people doing the impossible. Tempers flared, sparks flew and we were both enlightened.

  • by GigsVT (208848)
    I forgot to lock the vault at the bank I manage, and no one is there right now!

    Limited time offer!
  • by Bandman (86149) <bandman@ g m a i l . com> on Wednesday January 02, 2002 @09:01AM (#2773477) Homepage
    Did the
    "...this is a lesson that teridon wants his company to learn."
    sound like a veiled threat to anyone else? :)

    Maybe it's the pre-caffeine stage.
  • "Make publicly available all the source code and documentation of the satellite's protocols. Then the entire Open Source community can have any and all bugs fixed in under 2 hours. Also, by making it Open Source, bugs in the code that would make it vulnerable to cracking can be found more quickly, and thus sealed up. The idea that all your protocols should be classified and confidential is ludicrous. Just look at Microsoft, they close their stuff up and look at all the holes in their software! You must release everything to the public."
    • I'd say a better idea is to use Microsoft's Windows XP Embedded. Run IIS on the satelite and use a web-based interface for administration tasks. No special software needed - just your IE 6.0 browser that came pre-installed on the home version of XP you purchased (after all, the browser IS the OS). Plus I've been assured that it's entirely secure.
    • Making the satellite's command and control protocols widely available is ridiculous. There's a big difference between relying on obscurity for your security and using it to enhance your security. There's also a big difference between a computer that sits on the Internet to be probed with all responses available for digital capture and a system that can only be accessed through RF transmission, probably using frequency hopping and digital spread spectrum.

      The public doesn't have a need to know everything as long as the company(ies) involved don't rely on that obscurity alone to protect them.
    • Well, having code up for public review will only do you good, if you have a decent security design as a starting point. If you already know, that all which protects you, is an obscure command set, then you won't get anything new out of this review.

      Anyway, there are plenty of secure protocols available, you could take one of them (or even an implementation of them) and use it on your link. You could even review the code, to make sure there are no implementation errors, and should you find a bug you might even *gasp* give back to the community, and submit a patch.

      Which would have the benefit that you'd stay in sync with the other people's code, and will probably at least give you a review of the patch.

      • You could even review the code, to make sure there are no implementation errors, and should you find a bug you might even *gasp* give back to the community, and submit a patch.

        Yes, the community of open-source satellite operators will be grateful indeed.

  • by turbine216 (458014) <turbine216.gmail@com> on Wednesday January 02, 2002 @09:03AM (#2773490)
    ...this might sound obvious to some, but maybe if you need to ask this type of question, you shouldn't be in charge of securing a satellite...

    Just a thought.
    • Re:here's an idea... (Score:5, Interesting)

      by Amarok.Org (514102) on Wednesday January 02, 2002 @09:13AM (#2773532)
      That's probably a bit harsh. You're probably right, but...

      He didn't say that he had no idea where to start, nor did he say that this was his only source of information on the issue.

      Having done security work in the past, I'd often solicit the advice of other security experts (ok, so maybe Slashdot isn't the place to ask) to see what directions they'd go.

      If I prefaced my questions with what *I* thought was important or the Right Way (tm), that could color the thought processes of my resource(s). By keeping my ideas to myself (at least early in the process), I could get their objective opinion, perhaps with ideas that I'd not previously considered.

      Just my $.05 (inflation, you know).

      - Dave
    • by ruvreve (216004)
      I don't think by asking this question he should be deemed unworthy of securing satellites, instead you should consider it going the extra mile by asking several million? nerds how they would approach the situation. Now if he relied on /. as his primary tool for the succesful completion of his job related duties then I think I want his job.
    • The biggest problem I have with this is that he asks whay multiple transmiters hitting the receiver of the satellite will do. No only is that obvious to those who know the RF design of that particular satellite, but it also follows that their engineers already know this information. The question is being asked in the the wrong place.
  • by maroberts (15852) on Wednesday January 02, 2002 @09:03AM (#2773491) Homepage Journal
    ..especially if the hacked science satellite had enough manoevering fuel to be used to crash into a GPS or military satellite.

    Satellites are getting larger: if the satellite was sufficiently large to enable large lumps to reenter and you could predict reentry then you could attempt to use it as a missile, but this is obviously a very hit and miss affair.

    In the light of September 11I don't think you should assume that civilian targets (or civilian satellites) will be left alone by a terrorist.
    • The feasibility of retasking a hijacked satelitte onto a collision course with a target is small, but in the right circumstances possible. Keep in mind that the satellites have a very limited maeneverability and retasking in itself is very rare. Fuel is also very limited (which is why retasking is such a loathed task in the satellite industry, it costs hundreds of thousands of dollars.) It might be possible to create a new orbit where the sat 'runs into' another. But considering GPS and mil sats, there are tons of redundancy in these systems.


      The availability of the large R/F transmitters would also be a large hurdle (it would not be possible to make an FM/AM radio station into the ranges). However, I'm just kinda startled that various security methods (encryption, basically) wasn't designed into the satellites. Satellites are HUGE investments. It boggles the mind how much they cost to produce and send into space. Kind quirky to leave it to closed protocols alone to protect such an investment.


      Conclusion: highly unlikely, but possible.

      • I think mostly this is because computational resources are _VERY_ limited on a satelite. Most sats use a space hardened 8086 or similar. Only the huge projects get any computational power (eg iirc hubble has a 486). And of course better CPUs or specialized encryption hardware would eat precious power. I have not personally worked on a satelite, but have sat in the back of a couple of design reviews for a satelite and seen people fight over tiny fractions of a watt.
  • Experts (Score:2, Funny)

    by Anonymous Coward
    Oohh boy, here's an article that's just begging for "expert" slashdot advice.

    "While I've never actually worked on a satellite system, I did hack encryption into my walkie-talkies when I was 8..."
  • by rmadmin (532701)
    I don't like the idea of some big freaking satellite bombing down on my apartment, so heres my input.

    I like the idea of encryption. It will turn away most of the little script kiddies, but then again so does obscurity for the most part.

    most crackers don't have access to a huge radio antenna with which to transmit

    Never Underestimate!!! I don't know much about RF communications with satellites, or how powerfull it has to be or whatnot, but I'm pretty sure if someone was determined enough, they could hack something togather. Or if they work at a radio station in a small town that goes off air at night. *shrugs* who knows.

    Obscurity is a great thing in some cases, but I don't think it comes anywhere close to actuall good security. Then add confidentiality to it, and awesome physical security, and your in the right direction.
    Just my small view on it.
    • In my (limited) experience with crackers, the ones that are actually breaking protocols (rather than running scripts) tend to be older and with good resources ... typically high school or undergrad.

      In either of these positions (but esp. undergrad in elec.eng or similar) such folk are likely to have access (or be able to access without too much trouble) school of university facilities. Certainly most of the universities here have some fairly powerful transmitters available.

      Anyone listening in on the command streams and watching intently enough will be able to piece together the protocol in time ... by experimenting they risk damaging things but can speed up the process.

  • A couple of ideas (Score:2, Interesting)

    by Neorej (398404)
    Obscurity doesn't work. Internet seems to know everything, or know someone who does, it's strange but true.

    Where I work we rely on a couple of things for security and they seem to work pretty well, I've been working here for nearly 5 years and I can't remember we ever got cracked.

    1. SSH
    2. Identity keys and passphrases along with 1.
    3. IP filtering, you have to be on an IP in our network before you can reach any critical servers.

    If you couple this with a private network I don't see any real threats to the network, unless some kid builds a nuclear powered high frequency mega super radio antenna thingy in his backyard to send the whole thing crashing down to Tora Bora.
    • Obscurity doesn't work.

      It doesn't? Maybe it does work, but you just don't know about it.

      The first step in shutting down a satellite via hacking is to submit a story on slashdot pointing out the security holes, thus planting the idea in a lot of peoples' heads. And no, the script kiddies aren't the only ones who do this sort of stuff. As much as people don't want to hear it, there are plenty of morally bankrupt but tech-savvy people who know what they're doing, and have the mentality of teenage vandals.
  • by f00zbll (526151) on Wednesday January 02, 2002 @09:08AM (#2773513)
    If you want to know if hackers will find it interesting, the answer is yes. I grew up around hackers and crackers and both would be interested for several reasons. The biggest one is because they can and they have time. I know plenty of teenagers who know 4+ languages including assembly and know more at 13 than I did at 22. I'm not embarrased to admit it, since these kids are smart. Some are misguided, but most stop at 18. I have first hand experience with friends who hacked and got caught by the FBI and crackers are determined to get in.

    Just to give you an idea, some crackers during the BB era in southern california were stealing credit cards to buy commercial software, then sold cracked versions to the largest BB in southern CA. They were eventually caught and the FBI took away all the computers. All of them were under-aged, so they didn't do any time. All of them were interested in science, so they would definitely be interested in what your satellite is sending. More interesting is getting control of your satellite.

    Also, remember that crackers tend to have parents who have technical careers, but no time to watch their kids. Hackers and crackers have a lot of time, brains and energy to burn. With all the articles recently about amatuer and college programs building their own satellites, it will become a bigger concern. As kids get more technically advanced at a younger age, more systems will get compromised. It's a fact of life.

  • by Hard_Code (49548)
    The simplest system for ensuring that two entities are talking to each other, without a complex system involving third parties, seems to me to be PKI. Just embed a private key in hardware on the satellite (or perhaps several) and then use PKI as normal. This key never leaves the satellite so the risk of being "hacked" is equivalent to cracking PKI. This of course could be strengthened (or weakened??) by coupling with precise data only known through obscure methods involving lots of precise scientific hardware, e.g. stuff the crackers won't have.
    • "If you think cryptography can solve your problem, then you don't understand your problem and you don't understand cryptography." -- Bruce Schneier
      And that goes much stronger for PKI. Do you even know what Public Key Infrastructure means? In this case, just get a good, solid shared secret key. There's no reason for asymetric keys.
    • Re:PKI (Score:5, Informative)

      by jmaslak (39422) on Wednesday January 02, 2002 @09:53AM (#2773663)
      I do PKI for a living. Actually, in this case, it might not be the right choice.

      Do you really mean PKI or simply Public Key Encryption? Do you actually picture a root certificate authority, subordinate certificate authorities, directories, certificate revocation lists, and authority revocation lists being used to secure a satellite's command & control?

      PKI is a great choice when you have lots of parties that need to randomly communicate with each other. It provides a great key distribution. However, PKI seems like overkill when one (or, at most, two) ground stations will be talking to a satelite. In this case, distributing a shared secret really isn't that difficult - probably much easier then building a PKI network and keeping it secure! Of course it does depend on if you trust your internal computer systems to keep the key private. If you don't, then PKI might solve some of your problems.

      I would suggest a very lightweight approach. Privacy of data is not required for this application, IMHO. Maybe I'm wrong, in which case, you should investigate other options. This sounds like a good case for a MAC (Message Authentication Code). You don't even need to use encryption - just hashing - to do this.

      Basically, each end has a shared secret, "S".

      You have a packet containing data, "D".

      Each packet has a timestamp (to prevent replay attacks) "T".

      All packets consist of: D+T+MD5(D+T+S)
      Of course, you can use some sort of hash besides MD5. You can also program the satelite with a few thousand secrets, which expire every so often - if you give it 100 years of secrets at launch, you should be fine.

      The satelite receives this packet, does the MD5 of D+T+S, and compares the numbers. It doesn't let you use a packet with an old T (T should be very close to the current time and T should be greater then the most recent T).

      This code has the benefit of taking very little memory space compared to a PKI solution. It's also much easier on the uplink/downlink channels.

      The most important thing to remember, though, is that this shared secret has to be kept secret. It should not be used by your normal programmers to write control software. Instead, it should be an external module that runs on a secure box (I.E. no remote administration capabilities, only allows connections via a secure interface, and adds on the MAC as the messages pass through it). If you can afford a satellite, you can afford one secure server! I would definately investigate commercial encryption devices which add on a MAC using a shared secret - at least on the ground-station end. They of course may function differently then the method I described above, but the basics remain the same.

      Of course all of this has been solved before. ATMs and banks have long needed to authenticate the other end. (ATMs, BTW, do not use public key cryptography, but simply a split key pair - that is, a random string of numbers is one part of the pair and that string XORed with the real key is the other pair - each part is given to a different person who keys it into the ATM seperately from the other person - you might also incorporate this type of system). Since this has been solved before, I recommend that you hire some sort of encryption expert to help you (you are NOT looking for a computer security person - chances are you are not running a default install of W2K on your satellite!).

      As for IP, I would think that you would want to ensure there was no way for someone outside the control room to use your equipment to send command and control messages to your satellites! At the very least, this means that the control room should probably have an air-gap between it and the rest of your network. Sure, a little inconvienient, but how much command and control data do you really have to share with people outside that room? Not much most likely - certainly not too much to retype.
  • Security Engineering (Score:3, Interesting)

    by FullClip (139644) on Wednesday January 02, 2002 @09:12AM (#2773525)
    I would recommend you to read the book Security Engineering [amazon.com] by Ross Anderson.
    It gives you a perspective of security from a lot of different fields.
    If you must secure stuff you have to think like an alien.
    If people who were supposed to control the Defense satellites
    in Britain had thought like an alien, none of their satellites
    would have been hijacked [landfield.com],
    but that story seems to be untrue :).
    Anyway, secure your babies.
  • by pointym5 (128908) on Wednesday January 02, 2002 @09:13AM (#2773530)
    Definitely assume that anybody you really don't want knowing your command structures will know them. Do you keep the documentation (or source code) in a locked vault with genuine security (not just "don't tell anybody where the vault is")? Do you have strong entry/exit security (can you take an 8mm tape home with nobody noticing)? Are your internal machines firewalled completely from the public Internet? Most importantly, how much do you trust the people who know how it works? Are you sure none of them wouldn't sell information for a few tens of thousands of dollars (or sex)?
  • Complete security (Score:4, Informative)

    by ThePurpleBuffalo (111594) on Wednesday January 02, 2002 @09:13AM (#2773531)
    Complete security is impossible. If someone wants access, they will eventually get it.

    The most secure authentication scheme I've seen in a while is talked about in great detail here:
    http://www.rsasecurity.com/products/securid/hard wa re_token.html

    The idea is that if you need a physical token, and some knowledge to authenticate, you have added another level of security. These tokens are (from my understanding) REALLY hard to reverse engineer. They generate a number (that looks random, but isn't) every minute. On the other side of the connection, the same pseudo-random number is generated. If they match at authentication time, you get access, if they don't, try again.

    The other thing you were wondering about was DOS attacks. Go read this article on GRC:
    http://grc.com/dos/intro.htm
    It boils down to this: if it's distributed there is little you can do.

    On the flip side, since these signals would require massive antenae, you can triangulate the source in a matter of seconds, and send some guys (cops, navy, army, etc) over to shut them down.

    Either way it goes, this is an interesting problem. Keep us posted with the results.

    Beware TPB

    • My understanding is that this "problem" is primarily for communications between trusted computers - i.e. base station to bird, and making sure that neither (particularly the base station) could be impersonated. In this case SecureID isn't really appropriate - it's great for dialin (most big companies use it for this) and for authenticating _people_, but I don't imagine you want each controller to have to authenticate him/herself directly with the bird. There are plenty of hardware based heavy encryptionk devices around, I think IBM make some. Basically a custom chip and some eeprom encased in polymer, along with some tamper-detection sensors. Encrypt the whole stream (or just the commands themselves) with a shared-secret key algorithm (don't bother with public key) and bung one of these hardware units at each end. Voila ;-) Easily better security than the ATM networks, and no-one has (publicly) cracked those yet.

      Oh and tale EVERYTHING you read at grc.com with a pinch of salt. Or better yet don't read anything at grc.com. Still, he is right when he says that anything internet based is liable to DOS, it's the way routing works. Until someone comes up with a clever way to fix it..
    • The SecurID tokens work pretty well; they represent a nice balance of security and ease of use for the inexperienced user. The server software is a hulking piece of difficult-to-manage bloatware (it was when I last used it two years ago, in any case), but it's generally being installed and used by experienced folks.

      The cards themselves have some tamperproofing that protects them from casual disassembly, but it doesn't look like something that's designed to withstand a determined attack. I think it'd be much harder, though, to access the internals of the card in a way that wouldn't leave obvious visible evidence of tampering--I'm guessing this was the design goal, not total tamperproofing.

      The algorithm used by the cards isn't something that RSA publishes, but it's been out in the open [securityfocus.com] for a while now.

      The cards are each preloaded with a secret key, which is also loaded onto the SecurID server that does the authentication. Without the secret key, the algorithm doesn't do you that much good so long as it isn't easily possible to derive the secret key from a sequence of the displayed number. The jury is still out [linuxsecurity.com] as to whether this is possible. But assuming there aren't obvious holes in the algorithm, one has to obtain the keying material from the server (where it's presumably closely guarded) or from the physical token itself. Doing the latter would require theft of the token or tampering in a way that would be obvious to the user.
  • Not sure what the requirements here are - but it seems you are more concerned with correctly authenticating a command to the satellite than concealing the content of the commands.

    If that is the case, then you really only need to change the format slightly to include timestamped (or sequentially numbered), signed messages rather than unauthenticated ones (timestamps to prevent simple retransmission of commands as a "cut and paste" control system). There are plenty of PK signature solutions out there - but I assume uploading a new program may be a problem - debugging would be a nightmare ;)

    • uploading a new program may be a problem - debugging would be a nightmare

      That's why you debug using duplicate equipment on the ground. That's how JPL does it. They've reprogrammed interplanetary exploration vehicles such as Galileo, for instance. It's not a nightmare, but the latency (8 hours round trip to Galileo) is a hassle.

  • I'm assuming you're worried about satellites already in orbit. If their software can be modified by upload, how about at least adding a routine to check a digital signature appended to each command packet. That could help prevent some script kiddie with a hacked DSS dish from rooting your spacecraft.

    As for new satellites under design, just encrypt the channel, stupid! Its not like its rocket science or anything.

  • ...secure your satellite systems is a huge security breach. You just told us you don't use encryption and that to attempt communication you need a radio antenna. Some people do have access to radio antennas. Heck they aren't that hard to build yourself anyhow, there are specific books and internet articles on them. Pick up most books on HAM radio antennas and they atleast mention it. So given some time and effort could someone exploit your satelittes and crash them into another one?
  • yes, they can prevent you from commanding the sat iff they can track and transmit to it from somewhere near your base. I'm not aware of any non-directed sat antennas, but then again I'm not an expert either.

    In general case any single channel signal can be drowned with another signal at the same freq. and with a comparable power.

  • Sat Security (Score:2, Interesting)

    by Mr. Buckaroo (75837)
    General comments:
    This type of question is probably best not asked here.

    I highly suspect you are whom you say:
    1) Why ask questions about such a sensative issue here in such a loose and public forum
    2) If your company does indeed control multiple satellites, why do you not have answers to such simple questions as # 1? I would expect you would contact one of your own engineers.
    3) This list could go on for quite a while.

    I appologize if I'm wrong about the above, but I tend to suspect this is a dupe post by someone either interested in hacking a network or interested in getting people together to hack sat's.

    Questions:
    1) This would depend to some degree on the com hardware on the bird. Signal jamming is a quite known property of emf communications.

    2) Yes. People have deciphered far harder things than a ordered (probably) control protocol.

    3) I didn't look at the protocol yet. Yes, folks will want to hack it though. Sat's are l337 d00d.
  • Remember HBO? (Score:5, Informative)

    by millwood (542462) on Wednesday January 02, 2002 @09:30AM (#2773581) Homepage
    Many years ago HBO's satellite was overtaken for a few hours by someone in the "northwest quadrant" of the continental US. My electronics teacher at the time told me that most satellites would lock into the strongest signal being transmitted to them, and that most control centers used the least amount of power to get a lock-in. So apparently this guy just used a stronger signal than they were using.

    As for hacking the command set? You better believe it. Get four engineers and a large blackboard and you might be amazed at how useless "security through obscurity" really is.
    • Captain Midnight [textfiles.com]!

      It's not just a nice "satellite takeover" story, it's also a great "fight the Man!" tale.

      I personally wonder if someone could do a Captain-Midnight job on an MTV transponder and send the message "PLAY SOME DAMN MUSIC SOMETIME, LIKE THAT MUCHMUSIC CHANNEL IN CANADA!" Or a CNN /FoxNewsChannel/MSNBC transponder - "HTTP://INDYMEDIA.ORG - REUTERS AND AP ARE NOT INDEPENDENT MEDIA!"

      A man can dream...
    • Re:Remember HBO? (Score:4, Interesting)

      by RobNich (85522) on Wednesday January 02, 2002 @11:13AM (#2774008) Homepage
      I believe you are referring to Captain Midnight. I found the story through google, but the site (textfiles.fisher.hu) is down.

      Captain Midnight was an employee of a satelite uplink station. He was angry about the impending scrambling of HBO's satelite signals (he was a satelite dish dealer as well). He aimed a transmitter at HBO's satelite and transmitted a total of 2 or 3 seconds. One or two weeks later he did the same thing, this time with text on the transmitted screen instead of only a test pattern. He identified himself as Captain Midnight and expressed his anger (I forget what he had typed).

      In the story (written by the man himself) that I read online a year or so ago, he mentions that the reason it took over was that it was a stronger signal than HBO's ground station.

      ----

      On topic, as far as determining the command set, don't forget that everybody can monitor the communication to/from the satelite. A few thoughts, though:
      - Is the frequency set in stone? Frequency hopping, split spectrum, etc. Is there a government body that may keep the frequency or range on file, such as the FCC?
      - If using encryption, I would recommend an open standard, so that all the bugs have been hammered out.
      - Rotate keys and use a large set of keys to make it more difficult to crack.
      - Always fill data packets with white 'noise' so that all data packets are the same or random sizes. This make it more difficult to crack, since they never know what is real data and what is junk.

      These are standard techniques of course, so I'm sure that teridon has thought of them. But I find this subject quite interesting and want to show how much I know.

      On top of all of the above, physical security is indispensable. You might even come up with creative ways to keep each technician from holding all keys, and require multiple techs to do a certain task, since each provides a set of critical data or algorithms. These are also (I assume) standard practice for at least military-grade operations.
  • by braddock (78796) on Wednesday January 02, 2002 @09:34AM (#2773594)
    Military and commerical birds often employ encryption on both the uplink and the downlink. However, it seems that none of the science-oriented satellites my company operates do this.

    Wow, really? (imaging how many /.er are ebay bidding on dishes right now....)

    As an undergraduate I worked on a small student-built scientific satellite, and even though the satellite barely had any need of an uplink, I seem to recall we still required strong command authentication, and that we also required the ability to be able to turn off the satellite transmitter and receiver in certain regions of the world, and that these requirements came straight from the DoD. My understanding is that we had to be prepared to respond to certain possible DoD advisories. In fact we probably would have done away with the uplink except for them.

    The trasmitter turn-off requirement was apparently so that rogue states could not use the bird for navigation purposes or possible sensing.

    Now the advising engineers on this project came from a lab (JHU APL) that does a TON of military birds, so it's very possible they were just imposing good practice on us. Maybe someone in the know could tell us more.

    --Braddock Gaskill
  • You have just unvielded a great new target for all the script kiddies out there...

    "Hey man, lets go hack a satalight and use it to spy on GIRLS!"

    "What, do you think I can access it with my 802.11 Airport?"

    "We could crash it into the Whithouse like in that movie!"
  • I saw Independence Day - I know just how easily "they" can upload a virus to an orbital device :-)
  • by MosesJones (55544) on Wednesday January 02, 2002 @09:38AM (#2773613) Homepage

    Military Sats use encryption for two reasons, one to make sure they can't be cracked, two to make sure they can't be listened two. The second is the more important. As long as the command sequence to the sat is tied to a physical device (which I'd hope at the very least) then your fine as long as you don't get invaded.

    The easiest way to secure these systems is to ensure that there is a closed VPN which is tied to two devices, one on the sat, one on the ground. Redundant nodes come into play but its again only the physical that matters.

    It takes a hell of a rich hacker to set up the transmission equipment to crack a satellite, and then the sat should just be saying "who are you ?" standard H/W ident stuff should block them off.

    Physical rules, if you aren't using H/W paired security then its very worrying as its very simple to do and very standard (I assume it is as anyone with half a brain is going to do that) from then on its just a matter of how important is the information and does it need to be encrypted as listening is miles easier than transmitting.
    • How can you have H/W ident stuff when you have no physical connection? H/W ident stuff could be emulated.

    • How much more physically secure can you get?!?! The thing's in outer-fucking-space!!!
    • The easiest way to secure these systems is to ensure that there is a closed VPN which is tied to two devices, one on the sat, one on the ground. Redundant nodes come into play but its again only the physical that matters.

      Sure Redundant nodes are essential. How stupid would you feel (and how quickly would you be fired) if a box on the ground died for whatever reason (hardware failure, fire, someone tossed the wrong box) and you couldn't control the bird any more.

      So - as a social engineering sort of hacker, probably the easier goal is to go for one of these backup devices - expecially since it's less likely they'll notice it's gone (hard to hide the fact that the primary box is off-line!)

      Of course a sensible shop will have secured the backups in a vault somewhere - and I don't even need to mention proper authentication procedures for _removing_ this thing from the vault - so I can't turn up with a stolen uniform pinched at the cleaners and lift int.
  • by Cwaig (152883)
    I used to work for BAe Space Systems, and once a year we used to teach part of a course at one of the UK's Universitys (cann't remember which). Part of the course was a practical project building a groundstation from scratch using off the shelf kit and making the dish from scrap parts. It's not cheap, but it's within reach of a lot ot western tech heads (but ok, not your average script kidde). I've still got the course notes + designs in my attic....
  • "2. How many of you think that you could decipher the structure of the command (given the motivation)?"

    Depending on how the protocol's set up, this may not even be necessary. If replaying a previous set of movement commands causes the satellite to move some more, you've already lost that battle. The net result is that an attacker can drive the satellite off course and deplete its fuel reserves, making it a floating piece of junk.

    Of course it may be that there's a sequence number in the commands that needs to be updated (most likely to prevent inadvertent duplicates due to transmission problems). In that case, it'd actually require some deciphering effort. Still, remember that you lose as soon as someone figures out enough of your protocol to move the satellite around. An attacker doesn't need to figure out every little detail.

    Finally, there's always the social engineering approach. If the attacker can get the protocol by creatively lying to people at your organization (or just by getting a job there), then not only do you lose, but the attacker would have enough information to theoretically do something really fun (like trying to get the satellite to reenter the atmosphere in such a way that the attacker can watch the light show). That further cranks up the attacker's motivation to carry out the plan.

  • Security analysis (Score:5, Interesting)

    by Proaxiom (544639) on Wednesday January 02, 2002 @09:52AM (#2773658)
    I'm not looking for the Slashdot population to do my research -- I mostly want opinions on whether cracking a science satellite would be worth the time.

    I'm not going to analyze the up-link protocol or try to brainstorm motivations for cracking your system, but as a security professional let me try to clarify the issue a bit.

    You are on the right track with your questions. You are trying to figure out: a) how badly does somebody want to crack it, and b) how difficult is it for him to do so.

    These two factors are precisely what define security risk. If the cost of breaking a system is greater than the reward for doing so, your security is adequate.

    The first question cannot be answered by the Slashdot crowd. There are too many variables. Who are your competitors, and how much to they have to gain by sabotaging you? Could the satellite possibly be used for anything other than its intended purpose if control was usurped? How valuable is the satellite to people other than you if it is only being used for its intended purpose?

    Perhaps people here could try to figure out the 'cracker bragging-rights' factor, but I suspect that would not be sufficient motivation to go to the lengths required to break your system (any glaring security holes notwithstanding).

    From what it sounds like, the second question can't be answered by anybody. The rule of the day is 'provable security', which is why security by obscurity is frowned upon. It's not that it doesn't work, because sufficient obscurity is indeed security, it's that you can never be sure how well it works. This was the problem with the German Enigma machine in WWII, which ultimately provided the greatest incentive to proving lower bounds on security.

    Encryption provides easily quantifiable security, demonstrated by mathematical proof (with the minor caveat being most of these proofs rely on P not equalling NP). The techniques you describe do not sound like they lend themselves to provable security. (Although physical security is usually considered pretty sound, provided it is comprehensive; this includes isolated networks and site protection, as you describe)

    How difficult is it to gain access to a powerful radio-antenna? That's a key question. If the satellite is owned by a company in an industry with cutthroat competitors who also have satellites, it might not be difficult at all.

  • If you look at the GPS sats you will find they transmit a an encrypted signal for military use. If you have the crypt code you can decode the stream and figure out where the 1st bit is which signals the start of a frame. Inside that frame you get enough info to tell how far away you are from it. Someone (at Trimble?) figured out that the last bit of the frame is truncated so the timing packet always starts a the right time. Now the survey grade GPS recivers just look for a bit that is jsut a bit wrong and use that. They pick up the other timing signals from the other frequency and store the data. You can compare that later and do some high precision work (some claim sub mm).

    Another thing is the GPS sats used to shift their packets a bit to throw off the Russians (who had a better system). Someone (claiming to be Russian) posted polynomial to usenet describing it. That was a major part of its security. (and I'll have to dig up that post now that google has stuff from the dark ages)

    The last secure by obscurity one way hash I cracked took me about 3 days. It wasn't nearly as good as they would have liked.

    Based on some of the things I've seen...
    give some of my friends a good reason and enough to play with your toys and you might see a cool reentry.

    If what your playing with can be a weapon, call your local spooks and explain the situation to them. Its in their best interest not to have your bird go down. The NSA does have a group that may provide some very useful to your company -- they were providing some good ideas on one project I was involved with for a while for a well known company.
  • Here is a memo that explains the National Policy on Application of Communication Security to U.S. Civil and Commercial Space Systems, NTISSP No. 1.

    http://www.tscm.com/communsec.html [tscm.com]

    Some excerpts:

    The need for and means to protect the command/control uplink associated with civil satellite systems, intended exclusively for unclassified missions, will be determined by the organization responsible for the satellite system in coordination with the National Security Agency....

    ...Approved techniques as they pertain to space COMSEC equate to National Security Agency (NSA) endorsed encryption and authentication systems....

    ..Government or Government contractor use of ... commercial satellites ... shall be limited to space systems using accepted techniques necessary to protect the command/control uplink.

    Basically, if your group is doing as little as what you say they're doing, they may be in violation of law.

    --Braddock Gaskill
  • by rknop (240417) on Wednesday January 02, 2002 @09:57AM (#2773684) Homepage

    Obscurity really is security, if it is true Obscurity. For instance, if you've written a custom server with a set of commands, and you run it on a single computer somewhere on some random port, chances are it's not going to be hacked unless somebody smart and dedicated specifically targets you. Yes, you'd be more secure if you wrote the thing to encrypt its communications and made damn sure that it was robost-- but saying "probably nobody will notice me" has something to it if really nobody likely will notice you.

    The problem with companies like Microsoft arguing that obscurity is security is that they don't have real obscurity. Their operating system is absolutely all over the place, both physically and in terms of network connectivity. As such, there is both ample opportunity and ample motive to find out hidden facts about it. While those facts may be hidden, the OS is not, so there's no real obscurity, just a thin veil of obfuscation.

    If you're building one new high-tech stealth bomber, and you do it in a hidden valley in some very remote site, and completely underground, chances are it's not going to be seen. On the other hand, if you build several prototypes in downtown parking lots of major cities, and just drape a cloth over them with a sign "no plane here", that's just the illusion of obscurity (and hence the illusion of security). Major OSes that are widely distributed but which hide their source code are much more in the latter category.

    As for Satellites-- their obscurity probably is worth something. It's only one link, and the need to have the broadcasting station is a huge barrier. On the other hand, they can be highly visible targets, and I'd suspect that they aren't as obscure as one would really like to be to think it grants you some security. They probably ought to start using, as a matter of course, real secure protocols.

    -Rob

  • Just a quick comment - I wholeheartedly agree with the "security through obscurity is a bad thing" thought process, but when combined with other security features, as outlined here, it can be valuable. The best way to incorporate hidden features of your security plan is to "open" those features to a peer review of trusted (and NDA-bound) experts for their input. The number of experts is up to you, so make sure you balance "need to keep secret" with "enough insight to be valuable".
    This way you can avoid the folly that one person's ideas are failsafe (they never are, after all), while still keeping the details from massive public consumption.
    A poor analogy (but the only one I can think of right now) would be the details of the presidential security detail. By not publishing when the motorcades and aircraft will be moving/flying, the Secret Service adds a layer of security to the already armed-to-the-teeth plan. Relying exclusively on one or the other would not be enough to consider bullet-proof (no pun intended), but combining the two offers a degree of synergy, strengthening the overall plan.
  • Can someone effectively execute a DOS attack by uplinking to the satellite with a powerful signal (the frequency would be easy to 'snoop' from our transmitting antenna), thus preventing us from commanding it?

    Absolutely. Amateur radio operators have worked earth-moon-earth on 144 and 440mhz for decades - there's no reason someone couldn't build the equipment to do it on your frequency. However, the antennas and such are rather obvious-looking [dokidoki.ne.jp]. Any nation's communications commission would be able to spot one of those very easily in case it needs to be hunted down, and it does raise the bar beyond what most crackers are motivated to do.

    In general, how do receivers handle multiple command carriers (would there be too much noise to command)?

    The mathematical formula for this is Shannon's Law [google.com]. Run your numbers through it (and keep in mind some modulations have significant inefficiences of their own). I can't imagine missing a couple communications windows with your satellite would be the end of the world, though.

    ...tell me if you think it is secure, or whether you'd want to crack it.

    For something with the replacement cost of a satellite, you want guarantees, not estimates of society's intentions. If you want your control center to be the only station capable of transmitting commands to the satellite, your satellite needs a way to make sure it's the control center that's doing the sending. If you want to make sure your telemetry data is from that satellite, you need to make sure it's the satellite that's doing the sending. Note that encryption isn't really needed here (a cracker knowing what you're doing with the satellite doesn't help much, as this is not a spy satellite) but some form of public key signing should be employed. It also guarantees that your control messages won't arrive corrupted (although I'd imagine you'd already have something to protect against that).

  • 1) Use some sort of encryption-related technology, like MACs (see my other post)

    2) Use some sort of phased array receiving antenna. These can select what direction to listen to a request from. That means that someone would have be in your geographic area or have an EXTREMELY strong antenna (much stronger then yours) to do any sort of DOS or even send legitimate commands.
  • Your three questions (Score:2, Informative)

    by Dunall (470871)
    With also being in Satellite control field (military) I can offer insite as to how we addressed these problems.



    1. Jamming the uplink.

    Jamming the uplink can be done, however once it's done, it is easy to find out who is doing this and easy to fix the problem. Since you're in the field, I'm sure you know all about squelching on particular rx beam channel (The main rxing antennate is usually as simple as a honeycomb of waveguide).. All military satellites can give a Lat and Long of the jammer if the threshold is set low enough.

    All military and major commercial satellites have a redundant, out of band uplink path that's available to the command.. This is usually in the VHF frequency range (as opposed to the GHZ range for comms uplink) and is used for C&C only. This channel usually requires special encryption and commanding sequences, however if both were jammed, you'd be blind until the jammer was brought down. All the satellites that I've worked on has had protection for jamming though.. A few have had systems that would shut off particular beam channels for a given time if they detect a jamming signal.

    There is also the issue of communications protocol.. Most of the systems that we worked with didn't only use encryption, but also particular protocols that wern't widely known.. Here's where obscurity can lend a hand.. though everyone's right.. it's not effective.

    2. Can it be hacked...

    This has already been answered... It probably can, but if the satellite designers had half a mind, it'd be hard... and any attempts to test uplinking would be detected pretty quickly.

    3. Satellite Internet Node.

    Secure or not, it's just not a good idea. Granted, it'd make it easier to get information across either the atlantic or pacific, but with fiber optic systems and the bandwidth that they'll be capable of transmitting these days, it's more cost effective to use a trans-oceanic fiber (When you consider the cost of funding launch, uplink and downlink equipment, maintence of flight path and satellite system etc...).

  • Use security in depth. I would recommend using all the layers of security you can.

    Physical, keep that network you communicate to the satalite separated from all other networks.

    Encryption, I'd recommend encrypting the uplink command stream as a minimum. Encrypting the downlink would also be good. This makes the pool of information about what was done small and thus makes crypto analisys harder. Temper this with the fact that all known encryption methods can be brute forced with enough time and CPUs. The encryption is there to make the job harder.

    On going to standard IP protocals for talking to the satalite, I'm not convinced it is needed and may be detrimental security wise as it provides a more common element that can be worked from. On the other hand if the protocals have a good security setup in them that is proven secure, then it would be better than developing your own. At this point any security relaying on digital information can be faked. There is no absolute security in the digital world.

    What I would do: Keep the network physically separated from all other networks. Keep the protocal secret as nobody else needs to know. Encrypt the uplink and downlink data streams. For the encryption methods, I would choose well known and throughly checked out methods for setting up and maintaing keys, etc. It would be best if the keys are rotated often. This helps keep down the possibility of a key being brute forced before you stop using it.

  • Satellite Security (Score:2, Interesting)

    by Logika (162624)
    1. Yes, someone can execute a DOS attack. It's called jamming and was done in the 80s to HBO by Captain Midnight. You need to check on the specific satellite design and see how the receiver would handle it but bear in mind that generally they will look for the best SNR and go with that. If the transmitter is higher power than you are, the receiver will see your signal as simply noise.

    2. How many of you think that you could decipher the structure of the command (given the motivation)?

    2. Deciphering the structure of the command is not going to be easy but it can be done. This is not something for script kiddies but the true hackers with sufficient motivation will eventually figure the problem out. Remember, with Real Hackers, simply the doing of something neat is sufficient motivation -- but a Real Hacker also subscribes to the Hacker Ethic of doing no harm.

    3. I think the simple cool factor of getting into a "NASA Satellite" would be sufficient motivation for some of the budding anti-social geeks. Satellites are extremely high-value assets and should better security than how we protect our webpages. However, securing them also goes counter to the way most scientists want to work. Luckily, the command and data streams should be using different signalling systems and freqs so you CAN have the best of both worlds.

    4. I would not assume your network security works. I seem to remember something about someone getting into ESA's system; it was postulated as a possible reason for one of the Ariane failures resulting from bad design. Personally, I think the French just wanted to toss the blame off on someone else but the more the US government relies on Microsoft systems, the less secure your system will be and your security is only as good as the weakest point of entry.
  • People here have even less of a clue about satellites than they do about copyright & patent law.

    If you are not a troll, then YUO=FUCKED.
  • Some of the details about the hijacking of HBO by breaking a communications satellite by John R. MacDougall (who had the night shift at a satellite transmission center with the required equipment) can be found at:

    http://catless.ncl.ac.uk/Risks/3.24.html#subj3 [ncl.ac.uk]

    This was done in 1986, and MacDougall transmitted a few messages and a test pattern over HBO interrupting normal programming. It seems likely to me he just transmitted video on HBO's frequency, so this probably wasn't a command and control hack.

    --Braddock Gaskill
  • It's about time... (Score:5, Informative)

    by Shoten (260439) on Wednesday January 02, 2002 @10:28AM (#2773805)
    This is a problem that has already come to cause others harm. Almost three years ago, hackers seized control of a British military satellite [anu.edu.au] and demanded ransom for it. All that is needed to communicate with these satellites is an antenna, and proper knowledge of the protocols involved. While these things are out of reach to script kiddie types, it's not that much of a stretch for the kind of people you really have to worry about (foreign governments and large/resourceful criminal organizations). So, you should think of these systems as being addressable by anyone. Consequently, I would take any and all lessons you can from the ways that people securely authenticate users on publicly-addressable computer systems.
    • by devnullkac (223246)
      I'm not sure I understand this comment. The very link [anu.edu.au] you reference states that there is no chance the purported takeover ever happened. I agree that governments are the groups you really have to worry about, but it's not clear that weaknesses of this type have already been exploited.
  • It sounds like you are extremely vulnerable to insider attacks or insider leaks. The information you posted in you question is probably more than you should have let out. Given a very motivated person, anything you do will be at risk. It is all about risk management. Good luck and ENCRYPT you signals for crying out loud!!!

    -Derek
  • The statement most crackers don't have access to a huge radio antenna with which to transmit relies on the applicable transmitters (all of them) to be secured properly.

    I would have assumed that's the case, but then I'd have assumed that control links to satellites would use a secure protocol, too...

    Also, if you want to defend yourself against rogue states, you can't count on them not being able to build a suitable transmitter. As we've all learned recently, some terrorists have very considerable resources to command, too.

  • I'll let others speak to the technical issues about the difficulty/cost of sending rogue command messages to a scientific satellite.

    I would note, however, that the simplest attack on a system like this (unencrypted or reliant on fixed keys) involves social engineering or the outright corruption of staff who know the details of the protocol and command structure. Do you think there's a chance someone who understands how to command the satellite might part with the information for $100,000? How about $50K? $25K? In any of these cases, the engineering effort required to reverse-engineer the information is likely to be lots more time-consuming and costly than simply bribing someone to give you the information you want.

    When you're just trying to guard against the '7337 hax0rs working from home, you can pretty much focus your attention on technical avenues of attack and maybe some basic social engineering, but when considering a determined and well-funded adversary, it's important to take (management buzzword alert!) an integrated, enterprise-wide view of the problem.
  • physical security (access to the control center)

    Just how secure is it? Are we talking bunker fortress or a couple of hire-a-guards? Are procedures in place to make sure that facilities can be made non-functional in the case of an invasion?

    network security (we use closed networks)

    So no one has access to the internet from anywhere in the facility?

    technology (most crackers don't have access to a huge radio antenna with which to transmit)

    Most? Remember Captain Midnight? You're depending on the security not of your facility, but every facility under or near your footprint (which is most everywhere for non-sync satellites). You actually don't need that much power to communicate with a satellite. You do if there is someone else competing. And if the facility is not monitoring it 24x7x365, someone could take control when you are not looking, and you would not be there to grab it back.

    obscurity (each satellite has its own command structure, not publicly documented

    Certain high security facilities do not allow employees to take any papers or media in or out that's not specifically approved by many levels of mnagament with procedures in place to handle it. Do you got to this extreme? Ever heard of "disgruntled employee"?

    execute a DOS attack

    It's a matter of degree. Are the commands checksummed against noise? How strongly? Personally for something as critical as a satellite, even a science satellite, I'd use something quite strong to checksum, like MD5 instead of CRC-32. Sure, it's argueably overkill to use MD5, but I would anyway.

    Once someone has your frequency, if they have access to any unsecured facility, they can DOS you. And many ham radio ops have enough facility in their backyards. Then if they got the specs from the disgruntled employee, and enough power to keep you from grabbing it back, they can even 0wn it. Even greater danger exists if the commands include uploading new program code.

    How many of you think that you could decipher the structure of the command (given the motivation)?

    For a company I once worked for, I cracked a competitors file format (so we could convert the data to our format) which included a proprietary compression algorithm for which I had no docs. Considering that I would not feel the multi-million dollar loss if command experiments dunked the satellite into the ocean (or worse), if motivated, and had access to doing occaisional commands on the thing, as well as sniffing the command upstream from nearby the uplink in one of the side lobes, I might be able to figure out enough to ... perhaps at least dunk it.

    Standards being developed (like SCPS) intend to make satellites 'just another node on the Internet.'

    My greatest worry with a lot of these generalized security protocols is not the crypto they provide (IPSEC is plenty solid enough in that area for me), but rather, in the social interface aspects ... the way things get routinely configured after the design is all done, by people who never designed anything secure, is the biggest risk I see. And, IMHO, IPSEC is rather exposed in that area due to the complexity of configuring its setup. Most security is.

    I'm not looking for the Slashdot population to do my research -- I mostly want opinions on whether cracking a science satellite would be worth the time."

    Steering a satellite over to hit something like an international space station would seem to be highly unlikely, given the small object sizes and the even larger spatial dimensionals up there. However, the cost of the risk is extremely high. Even so much as having a satellite out of control doing unknown things up there could cause operational impacts, and require aborting missions.

    Whatever you design now will be used for how many years? And what will the new security requirements be then? Personally, I would consider every security risk at least in terms of the high cost of impact, and quite likely pretend a high chance of intrusion by a motivated cracker/terrorist. IMHO, it is best to maximize the security everywhere that you can't prove has no risk. And if you have not done so already, take an NRA gun safety class. Then translate the multiple layers of safety you learn there into multiple layers of security, and think like that everywhere.

  • Silly question. (Score:3, Insightful)

    by Restil (31903) on Wednesday January 02, 2002 @10:54AM (#2773919) Homepage
    You're asking a group of hackers... if doing something for the sake of doing it... "would be worth the time?"

    You're askign a group of crackers... if performing the ultimate crack, obtaining command control of a satellite... "would be worth the time?"

    As you said, the only reason it probably doesn't happen very often is a simple lack of the required tools. To hack into a system on the internet, you wouldn't need much more than an ascii terminal with an internet connection. To hack a satellite, you need some powerful equipment, and the average person who is able to afford such equipment, probably would recognize that the effort isn't worth the potential sacrifice.

    Conventional networks were rather insecure in the beginning. But back then, the privilaged few who had access respected the system and didn't have the need or desire to exploit them. Times have changed, so much to the point that IF you are insecure, you WILL get exploited, and its only a matter of time? Satellites may begin to reflect this history soon. Right now, those able to access them have no need or desire to exploit them.

    But just give it time.

    -Restil
  • by Palin Majere (4000) on Wednesday January 02, 2002 @11:00AM (#2773953)
    I mean, seriously. If you do work in "the satellite control industry" (that's a seperate industry from the satellite industry?) and are doing the work you claim to be, then you have several problems:

    a) You should already know the answers to questions 1 and 2, and have enough of an understanding of 3 that removes the need to ask it. You should also already know, based on 1 1/2+ years here on the site, that this is *hardly* the forum for a real answer to that question.

    b) You just divulged some fairly major security-vulnerability information on the internet equivelent of Prime Time television.

    c) I would hope that nobody at your company gets wind of this posting, because it would not take a rocket scientist (*smirk*) to figure out who you are.

    I'm really not trying to flame here, but this *really* seems like a horrible, horrible idea. From a security standpoint, if your systems are based on security through obscurity, the *last* thing you want is more attention being drawn to them, especially if the amount of attention being given to the subject matter is by nature usually small (how many people have satellite transmitters?) and prone to mass speculation (how many openly documented satellites are there?). Just by asking this on Slashdot, you've brought more attention on satellite-hacking as a whole, thereby astronomically increasing the chance that someone takes a more "active" interest in figuring out how to send your company's prized birds into a flaming death spiral.

    Of course, all this assumes you are what you claim to be. You could very well be (as another poster suggested) a cleverly disguised troll.

    I mean, geez. Shame on you for submitting, and shame on Cliff for posting it. Doesn't the /. crew think 5 minutes on a submitted article before posting?

    (Moderators, feel free to mod this appropriately. I have more than enough Karma, thank you)
  • I often read here on Slashdot that security through obscurity is no security at all. This is just another convenient mantra that people like to parade around when they want other people to think that they know something. The truth is that obscurity is an essential part of any electronic security scheme.

    The most obvious example of this principle is in encryption. In both public- and private-key schemes, it is essential that you obscure your keys (or private keys) from view in order to maintain secure communications. It works the same way with other methods, such as keeping the command structure of a sattelite secret. If no one knows the command structure, they might as well be brute forcing an encrypted message, because a command could be just about any length to be valid.

    So really, people here should be very careful when speaking in absolutes. It doesn't work when comparing the performance of operating systems, and it certainly doesn't work here.

  • by owlmeat (197799) on Wednesday January 02, 2002 @11:03AM (#2773964)
    You can't possibly be working in the industry and posing this kind of question to slashdot.
  • I assume it would be really easy to sniff the downlink, but is it also possible to sniff the uplink? If so, then someone can figure out the command structure once they decrypt the signal.

    What about pre-programming the satellite to change encryption keys on a schedule or something? What does 802.11 do to generate new keys in a secretive way?
  • Sometimes all it would take to mess up a satelite requires very little knowledge of the command structure. All that is needed is someone to capture station keeping packets and retransmit them at a later time. This hack has been used by thieves to shut off car alarms and open garrage doors. That is why rolling codes are now used on most car alarms and door openers. Overcorrection may put the satelite out of orbit and deplete the station keeping fuel.

    Maybe as part of the obscurity is security protection, a jamming signal should be broadcast at the time commands are sent. The jammer would use a vertical dipole to provide bogus packets to sniffers while the high gain antenna reaches the satelite with the valid signal. The dish sidelobes could be easly hidden from sniffers. Has anyone thought of implimenting the jamming the sidelobes?? Any command should have a time code and rolling code included so any record and rebroadcast attack will not be accepted. For as much money that goes into the birds, innexpensive security could save a lot of insurance money.

  • 1. DOS attacks can be accomplished, based on the design of your bird. I do not know the particulars of your command reciever, but some designs can be DOSed.

    2. It is entirely possible to reverse engineer the telemetry and command databases. I know a guy who used to do this to Soviet satellites for a living. They could control Soviet birds however they willed.

    3. I'll let others with more knowlegde on IPSEC to give a specific reccomendation. I am leery of this concept, however, given the historical security of anything attached to the Net.

    It's really all just a matter of motivations. People listen to satellite telemetry all the time. Many of them reverse engineer it. Some can get images from the weather birds, but never try to command. Expect some eavesdropping, unless the bird goes really far away and requires >5 meter dishes to get a usable signal.

    And remember, the CIA managed to "borrow" a Soviet Luna probe on world tour. They disassembled it, documented the design, and rebuilt it to get it to the destination in a pretty serious all-nighter. The Soviets never gave any indication of knowing.

    Oh, and remember - keep the arrays pointed at the Sun.
  • One thing the submitter failed to say was which type of orbit the satellite in question has obtained. This can make a huge difference. If it's a geosynchronous orbit, you know exactly where your satellite is at all times and (hopefully) you can also point it's dish right back at you. You would want to prevent people from snooping your signal in the first place. People can't reverse engineer a signal that can't be perceived from a convenient location.

    My guess, though, is that this particular satellite isn't in such an easy orbit. That's fine, but extra measures should be considered. One neat trick if you're designing a satellite is have the longest wavelength as possible. That makes it very hard to intercept communications (even though they go everywhere, even deep in the ocean). The U.S. Naval command sends messages to submerged submarines using a wavelength on the order of 2 meters. If a really large dish is required just to talk to the satellite in orbit, someone is gonna notice when a guy builds a replica in his back yard.

    Okay, that's all for initial designs. Here's what I suggest as something you can change now, without much fuss. Forget about encryption nearly entirely. I'm guessing that the satellite does have a clock (and ideally it sets itself to the GPS signals). Now, the satellite should only obey signals that arrive between pre-set times (though it can behave as though it's really going to act, as a foil attempt). Second, the ground station should send commands followed by a signature--like PGP signatures. The satellite's software should easily be able to confirm that the message is authentic. No need to encrypt--since no one else can reproduce the signature. If the signature is valid, the orders are carried out. If the signature is bogus, the command is logged and relayed back to ground later for inspection.

    DOS attacks are more difficult to deal with. My personal feeling, though, is that if this particular satellite must have updates every day or so, you're in trouble anyways. Perhaps you can find a way to ensure about 3 days worth of commands can be in queue, in the event that the satellite is unreachable. That will keep it roughly in its orbit. Then, if a DOS attack does come, you'll have those three days to track the source. That should be plenty of time. Also, and I could be wrong, but most "hackers" or whatever prefer a much more immediate result. They would want to do the DOS attack, see the satellite go down in flames or whatever. Waiting 3 days for something to happen... all the while being searched out... is likely to make the hackers very, very scared. I would be shocked if they transmit more than a day, personally.

  • If you transmit enough jiggly pix in your data stream then the script kiddies will forget what they were trying to do.
  • Just for everyone's information, I talk to different satellites on a regular basis using nothing more than a mobile (car mounted) radio and antenna that is less than 6 feet in length. (~60 watts transmitting on 2 meter/70 cm frequencies) (AO 27 and Oscar 14) You do NOT need a huge antenna, but this depends entirely on the satellite. Think 2 way internet via satellite...
  • Satellite security (Score:4, Insightful)

    by SwedishChef (69313) <craig@networke[ ... t ['sse' in gap]> on Wednesday January 02, 2002 @11:39AM (#2774100) Homepage Journal
    IS THERE A RISK OF DOS?

    Yes, absolutely! Ham radio operators have done moonbounce and many of them routinely communicate via satellite (transmitting to a satellite and receiving signals from someone else transmitting to a satellite - "hamsat"). There are also RF amplifier designs that would surely overwhelm (or at least degrade) your signals. Anyone with technical knowledge of RF and some skills at putting a system together could DOS you. Of course, these signals could be traced so that the DOS could not last very long without serious risk to the perpetrator.

    IS THERE A RISK OF DECIPHERING COMMAND CODES?

    Again, yes. In order to decipher these codes all a one has to do is locate in the vicinity of your physical command center, buy (or build) a receiver capable of detecting the frequencies you use, and put up an antenna (under the guise of amateur radio if necessary). Now they can sniff your uplink and downlink. Once you have access to both of these it's only a matter of time and intelligence before they determine your data structure.

    IS PHYSICAL SECURITY ENOUGH?

    No. Information within a company can be likened to a conspiracy and no conspiracy is ever safe. Someone, at some time, will see their own self-interest as higher priority than the group's interest. A perfect example of this is CIA's Project Jennifer (the Hughes Glomar Explorer). The newsworthiness of the project overwhelmed some of the participants with a sense of their own self-interest and they told news agencies.

    Someone at your facility has probably already told someone else NOT at your facility enough details to allow them to do your system harm, if they wished.

    SHOULD THIS INFORMATION BE ENCRYPTED?

    Yes, absolutely! What's more, it should be encrypted under a method that will allow the key to be changed on a regular basis.

    Given the expense of losing control of a satellite, the costs of security would be a pittance in comparison. Given what you've told us about the signals security at your facility, I imagine that the physical security and network security (does anyone have a modem in their desktop so they can work from home?) is likewise not very good. I would recommend a thorough analysis of all of these.
  • Well, I certainly don't think the transmission gear is a barrier to entry. You can most certainly communicate with a satellite with a 100W amplifier and perhaps an 8 foot dish (+45db gain). Mebbe even smaller, it's been years since I've touched the stuff. In fact, I'm sure smaller, but perhaps you'd need a higher power amplifier.

    When in the service, we'd regularly use an 8 foot dish (about 45db gain) and transmit anwhere from 5 to 20 watts. You might be able to jam a scientific satellite with a strong signal, but the military jobbers (and prolly the commercial comm sats too) have multi-horned directional antennaes, so the operator can shut off signals from a certain part of the "ground", say, California, but still be able to talk to the rest of it's line of sight.

    Anyways, you can get commercial gear for less than $10,000 USD that would give you the capability to communicate with a great many satellites.

  • Think of it in terms of physical security. You wouldn't leave your office unlocked just because you thought no one knew where the entrance was, or knew how to operate your special door handle which required no key.

    Your uplink is publicly accessable, and therefore should require some sort of key. The strength of the lock should be determined by the ratio between needed security and money available for the lock. Sure, it'll cost a few k in development costs to put a better lock on, but think about the money lost if the satellite drifted under the control of a hacker, and you didn't have the fuel to put it back.

    Of course. telling a group like this that your satellites are largely unprotected is like telling a kid the candy store is unlocked and no one is watching.

    The other issue is that your customers likely have insurance on the sats. It may be that a good encryption system will lower the insurance cost, and thus make your sats more valuable when people start hacking into them.

    -Adam
  • Maybe I missed the point of this 'article' but he seems to anwer his own question when he states the military's solution.
    Physical security is very important in order to stop someone from screwing with your bird, and what he laid out seems good, as long as the people supporting it adhere to its design.
    If you are broad casting data from a satalite, anyone can pick it up. If it's encrypted, then it becomes difficut to trans lates that data into something meaningful, but people can still recieve it, it is just a radio signal.
  • by Alascom (95042) on Wednesday January 02, 2002 @01:37PM (#2774539)
    Lets look at Iridium as an example:
    Motorola controlled the Telemetry Tracking And Control (TTAC) function for Iridium's birds. The satellites were controlled through, of all things, SNMP! Yes, its true. SNMP issued commands controlled the basic functions of the satellite. Commands were issued from TTAC's to the birds as they passed overhead. One can only communicate when the satellite is over the horizon of the transmitting/receiving TTAC, you can't just broadcast a signal from anywhere and hope the satellite gets it. NExt, you can only communicate with a satellite thats listening. Power consumption is a critical issue in satellites (no 120v ac in space.) Therefore, the satellites only listen and transmit when they are overhead of a TTAC. The signal must be coming from or going to the general area of the TTAC (its directional). Because they communicate as they travel overhead, the distance involved, etc, this creates a distorted egg shaped signal "footprint" around the TTAC. When the bird is directly overhead, the footprint is shaped like a circle (for Iridium, approx 20 miles diameter), then back to an egg shape as the bird approaches the far horizen. Any HAM/hacker wanting to snoop or squash the TTAC signal must be in the general vacinity of the TTAC in order to be able to receive or transmit effectively.

    Motorola had several issues that are probably prevalent thoughout the commercial sat industry. First, the TTAC stations WERE connected to the rest of the Motorola network, which in turned connected to 3rd party networks, and on an on. Even though Firewalls, ACL's were used, they were based on very general rules, usually restricting to broad networks. Also, dial-in was supported on routers throughout the network for maintenance, so the best way around the Firewalls would simply be Soc. engineering a router password and dial-up the TTAC router/switch.

    This could be achieved by: Located the TTACS for the satellite in question, usually public info. Get any phone numbers at that location you can. WAR dial a range of numbers around the TTAC numbers and note any Cisco devices answering. Use the SE'd passwd on the discovered Cisco dialups until you find a winner. Once in, either swipe the control apps for your own transmitter/reviever, or perform a one time attack since you unlikely to get a second chance one they notice.

    SIDE NOTE: There is NO chance of anyone ever using a satellite to crash into another bird. It takes motorola several months just to move 1 bird from orbit A into adjacent orbit B. Fuel is extremely limited on these things. Besides, picture the entire earth as a parking lot with 50,100 or even 500 hundred cars continuously driving around on it. What is the likely hood any of them will ever collide, much less run into each other. Now imagine it with each car having 1 gallon of gas to use. The logistics now become very clear.
  • jamming (Score:5, Interesting)

    by markmoss (301064) on Wednesday January 02, 2002 @02:00PM (#2774701)
    Can someone effectively execute a DOS attack by uplinking to the satellite with a powerful signal

    It's certainly possible, and it's called "jamming". This costs a lot for plain random troublemaking; it takes a steerable dish and a fairly high powered transmitter, with a big electric bill. It seems rather unlikely someone with that budget would spend it just to mess up a science experiment. But unless considerable effort goes into protecting a satellite, jamming it would be small potatoes for a military operation.

    There are some substantial (but very secretive) defense contractors making radio and radar jammers for the US military. To jam a satellite using a fixed command frequency, you just point a dish at it and transmit at the same frequency with at least as much power as the actual command center. (I mean power delivered to the satellite antenna -- that's a product of the actual power and the transmitter dish's directionality.) The two signals basically add together, so if the jammer just sends a non-varying signal it's quite likely that the receiver will still be able to pick the commands off the top. But just about anything that varies without too much predictability will do for a jamming signal -- white noise, classical music, Slim Pickens yodeling, Howard Stern...

    The most common method of defeating jamming is to change the frequency. Every so often, computers on the ground and in the satellite compute a psuedo-random number, and change to that frequency. It's easy to do that once or more a second, and the jammer is not going to be able to find the new frequency fast enough. (Assuming the number sequence is secure, against both espionage and cryptographic reverse-engineering.) However, if they _really_ want to knock you off the air, it's possible to transmit a very high powered broad-band signal to jam all the channels at once. If there are 1,000 possible channels, the jammer has to be 1,000 times as powerful. Do that to a US military satellite, and I think you will knock it out for a while, but: (1) in a few minutes the satellite orbit will take it out of view from your dish; (2) unless you're a nuclear power, eventually they'll get permission to send a cruise missile into your ground station; (3) That much broadband power will mess up other communications as well, and get other countries mad at you. There are stories that the Soviets used to play a little with our satellites and vice-versa, but nothing serious because both sides had too much to lose...

    Another protection against jamming is to use a very directional receiving antenna, so any jammer would have to be on territory you control. This also substantially reduces the required transmitter strength. The problem is keeping that receiver dish pointed at home. In a satellite, you would have to also have an omnidirectional backup antenna, to use to re-gain control if the satellite tumbles. This makes it more complex and expensive than frequency-hopping.

Riches: A gift from Heaven signifying, "This is my beloved son, in whom I am well pleased." -- John D. Rockefeller, (slander by Ambrose Bierce)

Working...