Security

Satellite Command Security? 426

teridon asks: "I work in the satellite control industry, and I've been asked to present mission safety with regards to command security. In other words, how do we ensure that 'unknowns' don't command the satellite. Military and commercial birds often employ encryption on both the uplink and the downlink. However, it seems that none of the science-oriented satellites my company operates do this. We rely on physical security (access to the control center), network security (we use closed networks), technology (most crackers don't have access to a huge radio antenna with which to transmit), and obscurity (each satellite has its own command structure, not publicly documented). Many satellites use CCSDS frames to uplink commands; only the command data is obscured by lack of public info." A common mantra heard from Slashdot is "obscurity is not security", and this is a lesson that teridon wants his company to learn, in addition to other steps they can take to improve the security of their system. What suggestions might you have when it comes to improving security on satellite systems, especially if you have experience from some of the mistakes that you may have seen in production?

"Three major issues concern me (I'm going to assume that our network security works (grin!)):

  1. Can someone effectively execute a DOS attack by uplinking to the satellite with a powerful signal (the frequency would be easy to 'snoop' from our transmitting antenna), thus preventing us from commanding it? In general, how do receivers handle multiple command carriers (would there be too much noise to command)?
  2. How many of you think that you could decipher the structure of the command (given the motivation)?
  3. Standards being developed (like SCPS) intend to make satellites 'just another node on the Internet.' Take a look at the security protocol (which is based on IPSEC, et al.) and tell me if you think it is secure, or whether you'd want to crack it.
I'm not looking for the Slashdot population to do my research -- I mostly want opinions on whether cracking a science satellite would be worth the time."
  • by rmadmin ( 532701 ) <rmalekNO@SPAMhomecode.org> on Wednesday January 02, 2002 @10:05AM (#2773502) Homepage
    I don't like the idea of some big freaking satellite bombing down on my apartment, so here's my input.

    I like the idea of encryption. It will turn away most of the little script kiddies, but then again so does obscurity for the most part.

    most crackers don't have access to a huge radio antenna with which to transmit

    Never Underestimate!!! I don't know much about RF communications with satellites, or how powerful it has to be or whatnot, but I'm pretty sure if someone was determined enough, they could hack something together. Or if they work at a radio station in a small town that goes off air at night. *shrugs* who knows.

    Obscurity is a great thing in some cases, but I don't think it comes anywhere close to actual good security. Then add confidentiality to it, and awesome physical security, and you're in the right direction.
    Just my small view on it.
  • Complete security (Score:4, Informative)

    by ThePurpleBuffalo ( 111594 ) on Wednesday January 02, 2002 @10:13AM (#2773531)
    Complete security is impossible. If someone wants access, they will eventually get it.

    The most secure authentication scheme I've seen in a while is talked about in great detail here:
    http://www.rsasecurity.com/products/securid/hardware_token.html

    The idea is that if you need a physical token, and some knowledge to authenticate, you have added another level of security. These tokens are (from my understanding) REALLY hard to reverse engineer. They generate a number (that looks random, but isn't) every minute. On the other side of the connection, the same pseudo-random number is generated. If they match at authentication time, you get access, if they don't, try again.

    The other thing you were wondering about was DOS attacks. Go read this article on GRC:
    http://grc.com/dos/intro.htm
    It boils down to this: if it's distributed there is little you can do.

    On the flip side, since these signals would require massive antennae, you can triangulate the source in a matter of seconds, and send some guys (cops, navy, army, etc) over to shut them down.

    Either way it goes, this is an interesting problem. Keep us posted with the results.

    Beware TPB
  • by brocheck ( 59415 ) <brocheckNO@SPAMsatlug.org> on Wednesday January 02, 2002 @10:28AM (#2773572) Homepage
    The feasibility of retasking a hijacked satellite onto a collision course with a target is small, but in the right circumstances possible. Keep in mind that the satellites have a very limited maneuverability and retasking in itself is very rare. Fuel is also very limited (which is why retasking is such a loathed task in the satellite industry, it costs hundreds of thousands of dollars.) It might be possible to create a new orbit where the sat 'runs into' another. But considering GPS and mil sats, there are tons of redundancy in these systems.

    The availability of the large R/F transmitters would also be a large hurdle (it would not be possible to make an FM/AM radio station into the ranges). However, I'm just kinda startled that various security methods (encryption, basically) weren't designed into the satellites. Satellites are HUGE investments. It boggles the mind how much they cost to produce and send into space. Kind of quirky to leave it to closed protocols alone to protect such an investment.


    Conclusion: highly unlikely, but possible.

  • by Anonymous Coward on Wednesday January 02, 2002 @10:28AM (#2773574)
    1.Can someone effectively execute a DOS attack by
    uplinking to the satellite with a powerful signal
    (the frequency would be easy to 'snoop' from our
    transmitting antenna), thus preventing us from
    commanding it? In general, how do receivers handle
    multiple command carriers (would there be too much
    noise to command)?

    No need to execute DOS attacks, an overpowering RF
    signal would do the trick.

    If the story is still around, and (iirc) look for
    the story of UOSAT-18, how it was given up for
    'dead', and how a ;-) strange blast of ? power
    restored it

    2.How many of you think that you could decipher
    the structure of the command (given the
    motivation)?

    See # 1. Taking it out and gaining control are
    two different things and (imo) gaining control is
    useless.

    3.Standards being developed (like SCPS) intend to
    make satellites 'just another node on the
    Internet.' Take a look at the security protocol
    (which is based on IPSEC, et. al) and tell me if
    you think it is secure, or whether you'd want to
    crack it.

    See # 1 and read up on "Project ALOHA"

    Addendum:

    Going above the RF problem, you might consider L.
    Brett Glass's paper on bipolar quadrature
    amplitude modulation (using a constellation
    pattern) and using a form of FEC that gets the
    header/etc. decoded locally.
  • Remember HBO? (Score:5, Informative)

    by millwood ( 542462 ) on Wednesday January 02, 2002 @10:30AM (#2773581) Homepage
    Many years ago HBO's satellite was overtaken for a few hours by someone in the "northwest quadrant" of the continental US. My electronics teacher at the time told me that most satellites would lock into the strongest signal being transmitted to them, and that most control centers used the least amount of power to get a lock-in. So apparently this guy just used a stronger signal than they were using.

    As for hacking the command set? You better believe it. Get four engineers and a large blackboard and you might be amazed at how useless "security through obscurity" really is.
  • by MosesJones ( 55544 ) on Wednesday January 02, 2002 @10:38AM (#2773613) Homepage

    Military Sats use encryption for two reasons, one to make sure they can't be cracked, two to make sure they can't be listened to. The second is the more important. As long as the command sequence to the sat is tied to a physical device (which I'd hope at the very least) then you're fine as long as you don't get invaded.

    The easiest way to secure these systems is to ensure that there is a closed VPN which is tied to two devices, one on the sat, one on the ground. Redundant nodes come into play but it's again only the physical that matters.

    It takes a hell of a rich hacker to set up the transmission equipment to crack a satellite, and then the sat should just be saying "who are you?" Standard H/W ident stuff should block them off.

    Physical rules, if you aren't using H/W paired security then it's very worrying as it's very simple to do and very standard (I assume it is as anyone with half a brain is going to do that) from then on it's just a matter of how important is the information and does it need to be encrypted as listening is miles easier than transmitting.
  • by Theodore Logan ( 139352 ) on Wednesday January 02, 2002 @10:44AM (#2773636)
    Anything can be hacked given enough motivation.

    Why is this such a widespread belief? Has it been proven somehow? Has everything in the world that could possibly be hacked been hacked?

    The deduction seems to me the following: everything that has been hacked is hackable => therefore everything is hackable. Where's the logic in that? We don't walk around saying that 10 miles high building cannot be built because we have never built one, do we?

    I don't want to come off like a troll, but I'm getting a bit weary of the conclusion that just because no one has proved the existence of an unhackable system no such system can exist.

  • Re:PKI (Score:5, Informative)

    by jmaslak ( 39422 ) on Wednesday January 02, 2002 @10:53AM (#2773663)
    I do PKI for a living. Actually, in this case, it might not be the right choice.

    Do you really mean PKI or simply Public Key Encryption? Do you actually picture a root certificate authority, subordinate certificate authorities, directories, certificate revocation lists, and authority revocation lists being used to secure a satellite's command & control?

    PKI is a great choice when you have lots of parties that need to randomly communicate with each other. It provides a great key distribution. However, PKI seems like overkill when one (or, at most, two) ground stations will be talking to a satellite. In this case, distributing a shared secret really isn't that difficult - probably much easier than building a PKI network and keeping it secure! Of course it does depend on if you trust your internal computer systems to keep the key private. If you don't, then PKI might solve some of your problems.

    I would suggest a very lightweight approach. Privacy of data is not required for this application, IMHO. Maybe I'm wrong, in which case, you should investigate other options. This sounds like a good case for a MAC (Message Authentication Code). You don't even need to use encryption - just hashing - to do this.

    Basically, each end has a shared secret, "S".

    You have a packet containing data, "D".

    Each packet has a timestamp (to prevent replay attacks) "T".

    All packets consist of: D+T+MD5(D+T+S)
    Of course, you can use some sort of hash besides MD5. You can also program the satellite with a few thousand secrets, which expire every so often - if you give it 100 years of secrets at launch, you should be fine.

    The satellite receives this packet, does the MD5 of D+T+S, and compares the numbers. It doesn't let you use a packet with an old T (T should be very close to the current time and T should be greater than the most recent T).

    This code has the benefit of taking very little memory space compared to a PKI solution. It's also much easier on the uplink/downlink channels.

    The most important thing to remember, though, is that this shared secret has to be kept secret. It should not be used by your normal programmers to write control software. Instead, it should be an external module that runs on a secure box (i.e. no remote administration capabilities, only allows connections via a secure interface, and adds on the MAC as the messages pass through it). If you can afford a satellite, you can afford one secure server! I would definitely investigate commercial encryption devices which add on a MAC using a shared secret - at least on the ground-station end. They of course may function differently than the method I described above, but the basics remain the same.

    Of course all of this has been solved before. ATMs and banks have long needed to authenticate the other end. (ATMs, BTW, do not use public key cryptography, but simply a split key pair - that is, a random string of numbers is one part of the pair and that string XORed with the real key is the other pair - each part is given to a different person who keys it into the ATM separately from the other person - you might also incorporate this type of system). Since this has been solved before, I recommend that you hire some sort of encryption expert to help you (you are NOT looking for a computer security person - chances are you are not running a default install of W2K on your satellite!).

    As for IP, I would think that you would want to ensure there was no way for someone outside the control room to use your equipment to send command and control messages to your satellites! At the very least, this means that the control room should probably have an air-gap between it and the rest of your network. Sure, a little inconvenient, but how much command and control data do you really have to share with people outside that room? Not much most likely - certainly not too much to retype.
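
The D+T+MAC packet from the comment above, as an added example that is not part of the original post. It swaps the bare MD5(D+T+S) for HMAC-SHA256 (the comment allows a different hash); the 8-byte timestamp field, the 30-second acceptance window and all names are assumptions made for the illustration.

```python
import hashlib
import hmac
import struct

TAG_LEN = 32   # HMAC-SHA256 output size in bytes
TS_LEN = 8     # T carried as an unsigned 64-bit count of seconds (assumed layout)
MAX_SKEW = 30  # assumed acceptance window around the receiver's clock, in seconds


def build_packet(secret: bytes, data: bytes, timestamp: int) -> bytes:
    """Ground side: emit D || T || MAC(S, D || T).

    HMAC replaces hash(D+T+S): with the secret simply appended, a collision
    found in the hash of D+T carries over to the tag, and MD5 collisions are
    practical. T has a fixed length, so D || T parses unambiguously.
    """
    body = data + struct.pack(">Q", timestamp)
    return body + hmac.new(secret, body, hashlib.sha256).digest()


class CommandReceiver:
    """Spacecraft side: check the tag first, then the two rules for T."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self._last_t = 0  # most recent accepted T

    def accept(self, packet: bytes, now: int):
        """Return the command data if authentic and fresh, otherwise None."""
        if len(packet) < TS_LEN + TAG_LEN:
            return None
        body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
        expected = hmac.new(self._secret, body, hashlib.sha256).digest()
        # Constant-time comparison so the check leaks nothing about the tag.
        if not hmac.compare_digest(tag, expected):
            return None
        data = body[:-TS_LEN]
        (t,) = struct.unpack(">Q", body[-TS_LEN:])
        # Rule 1: T must be very close to the current time.
        if abs(now - t) > MAX_SKEW:
            return None
        # Rule 2: T must be greater than the most recent accepted T,
        # which rejects a recorded packet replayed inside the window.
        if t <= self._last_t:
            return None
        self._last_t = t
        return data


if __name__ == "__main__":
    key = b"constructed-demo-secret"      # constructed sample value
    rx = CommandReceiver(key)
    pkt = build_packet(key, b"HEATER_ON", 1000)
    print(rx.accept(pkt, now=1005))       # accepted
    print(rx.accept(pkt, now=1006))       # replay of the same packet: rejected
```
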
  • Your three questions (Score:2, Informative)

    by Dunall ( 470871 ) on Wednesday January 02, 2002 @11:06AM (#2773718)
    With also being in Satellite control field (military) I can offer insight as to how we addressed these problems.



    1. Jamming the uplink.

    Jamming the uplink can be done, however once it's done, it is easy to find out who is doing this and easy to fix the problem. Since you're in the field, I'm sure you know all about squelching on particular rx beam channel (The main rxing antenna is usually as simple as a honeycomb of waveguide).. All military satellites can give a Lat and Long of the jammer if the threshold is set low enough.

    All military and major commercial satellites have a redundant, out of band uplink path that's available to the command.. This is usually in the VHF frequency range (as opposed to the GHz range for comms uplink) and is used for C&C only. This channel usually requires special encryption and commanding sequences, however if both were jammed, you'd be blind until the jammer was brought down. All the satellites that I've worked on have had protection for jamming though.. A few have had systems that would shut off particular beam channels for a given time if they detect a jamming signal.

    There is also the issue of communications protocol.. Most of the systems that we worked with didn't only use encryption, but also particular protocols that weren't widely known.. Here's where obscurity can lend a hand.. though everyone's right.. it's not effective.

    2. Can it be hacked...

    This has already been answered... It probably can, but if the satellite designers had half a mind, it'd be hard... and any attempts to test uplinking would be detected pretty quickly.

    3. Satellite Internet Node.

    Secure or not, it's just not a good idea. Granted, it'd make it easier to get information across either the Atlantic or Pacific, but with fiber optic systems and the bandwidth that they'll be capable of transmitting these days, it's more cost effective to use a trans-oceanic fiber (When you consider the cost of funding launch, uplink and downlink equipment, maintenance of flight path and satellite system etc...).

  • It's about time... (Score:5, Informative)

    by Shoten ( 260439 ) on Wednesday January 02, 2002 @11:28AM (#2773805)
    This is a problem that has already come to cause others harm. Almost three years ago, hackers seized control of a British military satellite [anu.edu.au] and demanded ransom for it. All that is needed to communicate with these satellites is an antenna, and proper knowledge of the protocols involved. While these things are out of reach to script kiddie types, it's not that much of a stretch for the kind of people you really have to worry about (foreign governments and large/resourceful criminal organizations). So, you should think of these systems as being addressable by anyone. Consequently, I would take any and all lessons you can from the ways that people securely authenticate users on publicly-addressable computer systems.
  • by Platinum Dragon ( 34829 ) on Wednesday January 02, 2002 @11:57AM (#2773932) Journal
    Captain Midnight [textfiles.com]!

    It's not just a nice "satellite takeover" story, it's also a great "fight the Man!" tale.

    I personally wonder if someone could do a Captain-Midnight job on an MTV transponder and send the message "PLAY SOME DAMN MUSIC SOMETIME, LIKE THAT MUCHMUSIC CHANNEL IN CANADA!" Or a CNN /FoxNewsChannel/MSNBC transponder - "HTTP://INDYMEDIA.ORG - REUTERS AND AP ARE NOT INDEPENDENT MEDIA!"

    A man can dream...
  • by devnullkac ( 223246 ) on Wednesday January 02, 2002 @11:58AM (#2773941) Homepage
    I'm not sure I understand this comment. The very link [anu.edu.au] you reference states that there is no chance the purported takeover ever happened. I agree that governments are the groups you really have to worry about, but it's not clear that weaknesses of this type have already been exploited.
  • by Tim Ward ( 514198 ) on Wednesday January 02, 2002 @12:22PM (#2774043) Homepage
    Why is this such a widespread belief?

    It is generally believed that if, say, the US government really wanted to hack something and was prepared to expend unlimited resources on the effort it would in due course succeed (if only by doing something as crude as conscripting every publicly-owned computer in the US and doing a distributed brute force attack).

    In this particular instance they could, if they really wanted to, design and build and launch another satellite which sat next to the target one and snooped all the traffic in both directions - yer average script kiddie isn't about to do this, so the threat is different.

    Anyone who doesn't try that hard doesn't have "enough" motivation and you're safe from them.

    It's generally considered that silly children (the type of hacker usually discussed here) don't try that hard, industrial spies try rather harder and enemy governments in wartime try even harder.

    You meet the threat accordingly. There's no point in wasting money trying to protect an SME's payroll system against an enemy government, for example.
  • by AmigaAvenger ( 210519 ) on Wednesday January 02, 2002 @12:30PM (#2774068) Journal
    Just for everyone's information, I talk to different satellites on a regular basis using nothing more than a mobile (car mounted) radio and antenna that is less than 6 feet in length. (~60 watts transmitting on 2 meter/70 cm frequencies) (AO 27 and Oscar 14) You do NOT need a huge antenna, but this depends entirely on the satellite. Think 2 way internet via satellite...
  • by Anonymous Coward on Wednesday January 02, 2002 @02:18PM (#2774453)
    Look up the user and previous postings (#931886) is a good one. Oops, there goes the obscurity.

    To find out where satellites are is easy, all you need is to download the two line element files (TLEs), load them into a satellite tracker program, most of which can control dishes for tracking purposes, and you are away.

    Is it easy to do? Yes, couple of days reading on ham sites on the net will tell you all you need to know. Will it be expensive to do? Depends on the size of the dish needed and your electronics knowledge, but $2000 ought to do with some spare.

    Do people want to? Sure, more interesting than doing windows for the n'th time...

    If you want to read some more about using satellites ask google about 'Dr Dish'...
  • by Alascom ( 95042 ) on Wednesday January 02, 2002 @02:37PM (#2774539)
    Lets look at Iridium as an example:
    Motorola controlled the Telemetry Tracking And Control (TTAC) function for Iridium's birds. The satellites were controlled through, of all things, SNMP! Yes, it's true. SNMP issued commands controlled the basic functions of the satellite. Commands were issued from TTACs to the birds as they passed overhead. One can only communicate when the satellite is over the horizon of the transmitting/receiving TTAC, you can't just broadcast a signal from anywhere and hope the satellite gets it. Next, you can only communicate with a satellite that's listening. Power consumption is a critical issue in satellites (no 120v ac in space.) Therefore, the satellites only listen and transmit when they are overhead of a TTAC. The signal must be coming from or going to the general area of the TTAC (it's directional). Because they communicate as they travel overhead, the distance involved, etc, this creates a distorted egg shaped signal "footprint" around the TTAC. When the bird is directly overhead, the footprint is shaped like a circle (for Iridium, approx 20 miles diameter), then back to an egg shape as the bird approaches the far horizon. Any HAM/hacker wanting to snoop or squash the TTAC signal must be in the general vicinity of the TTAC in order to be able to receive or transmit effectively.

    Motorola had several issues that are probably prevalent throughout the commercial sat industry. First, the TTAC stations WERE connected to the rest of the Motorola network, which in turn connected to 3rd party networks, and on and on. Even though Firewalls, ACLs were used, they were based on very general rules, usually restricting to broad networks. Also, dial-in was supported on routers throughout the network for maintenance, so the best way around the Firewalls would simply be Soc. engineering a router password and dial-up the TTAC router/switch.

    This could be achieved by: Locate the TTACs for the satellite in question, usually public info. Get any phone numbers at that location you can. WAR dial a range of numbers around the TTAC numbers and note any Cisco devices answering. Use the SE'd passwd on the discovered Cisco dialups until you find a winner. Once in, either swipe the control apps for your own transmitter/receiver, or perform a one time attack since you're unlikely to get a second chance once they notice.

    SIDE NOTE: There is NO chance of anyone ever using a satellite to crash into another bird. It takes Motorola several months just to move 1 bird from orbit A into adjacent orbit B. Fuel is extremely limited on these things. Besides, picture the entire earth as a parking lot with 50,100 or even 500 hundred cars continuously driving around on it. What is the likelihood any of them will ever collide, much less run into each other. Now imagine it with each car having 1 gallon of gas to use. The logistics now become very clear.
  • Hubble upgrade (Score:3, Informative)

    by KjetilK ( 186133 ) <kjetil AT kjernsmo DOT net> on Wednesday January 02, 2002 @03:41PM (#2774944) Homepage Journal

    If the Hubble has a 486, it was almost certainly an upgrade!

    Yes, you are entirely correct [space.com] about that, it was inserted on a spacewalk. However, the article mentions that Pentiums weren't ready for space.

  • A few suggestions... (Score:2, Informative)

    by grungie ( 240475 ) on Wednesday January 02, 2002 @03:48PM (#2774973)
    I've worked in the satellite industry as well and there are a few things I can tell you from experience:

    - anyone can download the CCSDS PDF documents describing TM/TC links, error correction codes,... And although not many attackers would be courageous enough to implement the whole protocol (I implemented it partially and it was quite lengthy), tiresome bits like Reed-Solomon and Viterbi are freely available from some internet sites. I would say that the protocol aspect is not a security guarantee, since I for instance could develop the protocol stack.

    - As for the hardware, you are kind of right saying not many people would have the right antenna. But it must somehow be possible to use compact antennas/modems since you can buy satellite telephone handsets and most telephony satellites are geostationary (> 30,000 km). Off-the-shelf satellite reception systems exist and are pretty affordable but I don't think the same is true of transmitters. Depending on the kind of modulation used (It's usually QAM, I think) and the availability of commodity hardware, you would have to be a reasonably skilled electronics and telecom engineer to mount such an attack.

    - Now, assuming the threat actually exists, I would probably foresee a narrow emergency TC link off the main TC band, so that I can upload emergency commands to the sat. Also, if your TM bandwidth allows it, you may have all TCs echoed to the ground. This way, if someone is attacking your satellite, you would notice it immediately and could possibly also locate him/her. And I don't think you could DoS a satellite for long before getting caught, unless you start using mobile attack equipment: 3 satellites would suffice to locate you and the sidelobes of your antenna could betray you on the ground as well.

    What you're telling about unencrypted streams is amazing. Most commercial or scientific satellites I've seen so far use 3DES or a similar symmetric algorithm, for uplink at least.

    Note: I'm not an experienced space engineer. It's just that I've worked some time in the field. So don't take my suggestions for granted.

    grungie.
