Satellite Command Security? 426
teridon asks: "I work in the satellite control industry, and I've been asked to present mission safety with regards to command security. In other words, how do we ensure that 'unknowns' don't command the satellite. Military and commerical birds often employ encryption on both the uplink and the downlink. However, it seems that none of the science-oriented satellites my company operates do this. We rely on physical security (access to the control center), network security (we use closed networks), technology (most crackers don't have access to a huge radio antenna with which to transmit), and obscurity (each satellite has its own command structure, not publicly documented). Many satellites use CCSDS frames to uplink commands; only the command data is obscured by lack of public info." A common mantra heard from Slashdot is "obscurity is not security", and this is a lesson that teridon wants his company to learn, in addition to other steps they can take to improve the security of their system. What suggestions might you have when it comes to improving security on satellite systems, especially if you have experience from some of the mistakes that you may have seen in production?
"Three major issues concern me (I'm going to assume that our network security works (grin!):
- Can someone effectively execute a DOS attack by uplinking to the satellite with a powerful signal (the frequency would be easy to 'snoop' from our transmitting antenna), thus preventing us from commanding it? In general, how do receivers handle multiple command carriers (would there be too much noise to command)?
- How many of you think that you could decipher the structure of the command (given the motivation)?
- Standards being developed (like SCPS) intend to make satellites 'just another node on the Internet.' Take a look at the security protocol (which is based on IPSEC, et. al) and tell me if you think it is secure, or whether you'd want to crack it.
Given enough motivation (Score:5, Insightful)
Anything can be hacked given enough motivation. That's why different levels of security are applied to different perceived threats - you guess how much motivation the opposition are likely to muster and decide how much to invest in security accordingly.
In a related story: (Score:2, Insightful)
Limited time offer!
I loved the way that Cliff phrassed that (Score:3, Insightful)
"...this is a lesson that teridon wants his company to learn."
sound like a veiled threat to anyone else?
Maybe it's the pre-caffeine stage.
Re:I loved the way that Cliff phrassed that (Score:2, Insightful)
Forget reverse engineering -- who's quit lately? (Score:5, Insightful)
the very fact that you told us how you already... (Score:2, Insightful)
Re:here's an idea... (Score:2, Insightful)
Obscurity works very well if... (Score:1, Insightful)
But now that the cat's out of the bag...look out...
Huge arrays NOT required. (Score:2, Insightful)
Re:here's an idea... (Score:2, Insightful)
Obscurity and Security (Score:4, Insightful)
Obscurity really is security, if it is true Obscurity. For instance, if you've written a custom server with a set of commands, and you run it on a single computer somewhere on some random port, chances are it's not going to be hacked unless somebody smart and dedicated specifically targets you. Yes, you'd be more secure if you wrote the thing to encrypt its communications and made damn sure that it was robost-- but saying "probably nobody will notice me" has something to it if really nobody likely will notice you.
The problem with companies like Microsoft arguing that obscurity is security is that they don't have real obscurity. Their operating system is absolutely all over the place, both physically and in terms of network connectivity. As such, there is both ample opportunity and ample motive to find out hidden facts about it. While those facts may be hidden, the OS is not, so there's no real obscurity, just a thin veil of obfuscation.
If you're building one new high-tech stealth bomber, and you do it in a hidden valley in some very remote site, and completely underground, chances are it's not going to be seen. On the other hand, if you build several prototypes in downtown parking lots of major cities, and just drape a cloth over them with a sign "no plane here", that's just the illusion of obscurity (and hence the illusion of security). Major OSes that are widely distributed but which hide their source code are much more in the latter category.
As for Satellites-- their obscurity probably is worth something. It's only one link, and the need to have the broadcasting station is a huge barrier. On the other hand, they can be highly visible targets, and I'd suspect that they aren't as obscure as one would really like to be to think it grants you some security. They probably ought to start using, as a matter of course, real secure protocols.
-Rob
Re:Given enough motivation (Score:3, Insightful)
Re:I assume the run of the mill reply to this is.. (Score:3, Insightful)
The public doesn't have a need to know everything as long as the company(ies) involved don't rely on that obscurity alone to protect them.
Re:Given enough motivation (Score:5, Insightful)
The key is practicality.
I think this opinion is based on ego. The hackers think they can hack anything, they just "don't have the motivation" to hack the really hard stuff. The system designers feel that they need to believe and portray this because they fear thier systems will some day be hacked or perhaps keep an open mind about it.
I also think it is silly to beleive that an unhackable system cannot be designed.
Although, I agree with the parent poster regarding practicality. I had an MCSE teacher tell the class I was in, that encryption was'nt good because any crypto algorithm could be cracked if the design is known. I wanted to challenge him on the practicalities of it (but I hate always being the arsehole in classes who corrects the teacher). I mean sure, learn the algorithm and brute force the output, but what about the practicality? What if it is an algorithm that is strong enough to realise the full range of a 4096 bit key? How many hundreds of years is it going to take to brute force crack it with the combined effort of all the computers that will ever exist on Earth? Will we (human race) be history by then? Do people in the year 8002 really give a crap about what people in 2002 were trying to hide? Do any humans still live on Earth, having terraformed and populated Mars and some other planets in other galaxies?
Or how about a cipher text done with a One Time Pad, which could be decrypted with loads of different keys to come out as loads of *different* and *incorrect* yet completely inteligible plain texts!
The rest of the class justs nods (duh!). It was the same teacher that told me that to boot an NT server off a SCSI disk, on a system that has NO SCSI BIOS, you just had to load an NT SCSI driver. Yeah, OK teach, good one. MCSE's, poor bastards, are given the inflated belief that they are computer experts once they have passed MS's "computer science". It's almost as pathetic as Scientology.
Silly question. (Score:3, Insightful)
You're askign a group of crackers... if performing the ultimate crack, obtaining command control of a satellite... "would be worth the time?"
As you said, the only reason it probably doesn't happen very often is a simple lack of the required tools. To hack into a system on the internet, you wouldn't need much more than an ascii terminal with an internet connection. To hack a satellite, you need some powerful equipment, and the average person who is able to afford such equipment, probably would recognize that the effort isn't worth the potential sacrifice.
Conventional networks were rather insecure in the beginning. But back then, the privilaged few who had access respected the system and didn't have the need or desire to exploit them. Times have changed, so much to the point that IF you are insecure, you WILL get exploited, and its only a matter of time? Satellites may begin to reflect this history soon. Right now, those able to access them have no need or desire to exploit them.
But just give it time.
-Restil
Re:Given enough motivation (Score:2, Insightful)
I hope you enjoyed your job... (Score:3, Insightful)
a) You should already know the answers to questions 1 and 2, and have enough of an understanding of 3 that removes the need to ask it. You should also already know, based on 1 1/2+ years here on the site, that this is *hardly* the forum for a real answer to that question.
b) You just divulged some fairly major security-vulnerability information on the internet equivelent of Prime Time television.
c) I would hope that nobody at your company gets wind of this posting, because it would not take a rocket scientist (*smirk*) to figure out who you are.
I'm really not trying to flame here, but this *really* seems like a horrible, horrible idea. From a security standpoint, if your systems are based on security through obscurity, the *last* thing you want is more attention being drawn to them, especially if the amount of attention being given to the subject matter is by nature usually small (how many people have satellite transmitters?) and prone to mass speculation (how many openly documented satellites are there?). Just by asking this on Slashdot, you've brought more attention on satellite-hacking as a whole, thereby astronomically increasing the chance that someone takes a more "active" interest in figuring out how to send your company's prized birds into a flaming death spiral.
Of course, all this assumes you are what you claim to be. You could very well be (as another poster suggested) a cleverly disguised troll.
I mean, geez. Shame on you for submitting, and shame on Cliff for posting it. Doesn't the
(Moderators, feel free to mod this appropriately. I have more than enough Karma, thank you)
Re:I assume the run of the mill reply to this is.. (Score:3, Insightful)
No you don't need to post *your* code and say "hey look at this, if you find the hole in it, you can break my satellite". You can however use a proven technology to secure your link, and yes, for that to be proven it needs to be open.
You can still have your obscurity - you don't need to tell anyone which protocol you are using, even your command structure can stay just as secret as it was before - it's on another protocol layer.
If you were to use (random example) ipsec, and send your SATCOM (made up) protocol over that, and then someone finds a hole in ipsec. Well then you are just as secure, as you are now - the attacker still needs to break SATCOM, as well.
Satellite security (Score:4, Insightful)
Yes, absolutely! Ham radio operators have done moonbounce and many of them routinely communicate via satellite (transmitting to a satellite and receiving signals from someone else transmitting to a satellite - "hamsat"). There are also RF amplifier designs that would surely overwhelm (or at least degrade) your signals. Anyone with technical knowledge of RF and some skills at putting a system together could DOS you. Of course, these signals could be traced so that the DOS could not last very long without serious risk to the perpetrator.
IS THERE A RISK OF DECIPHERING COMMAND CODES?
Again, yes. In order to decipher these codes all a one has to do is locate in the vicinity of your physical command center, buy (or build) a receiver capable of detecting the frequencies you use, and put up an antenna (under the guise of amateur radio if necessary). Now they can sniff your uplink and downlink. Once you have access to both of these it's only a matter of time and intelligence before they determine your data structure.
IS PHYSICAL SECURITY ENOUGH?
No. Information within a company can be likened to a conspiracy and no conspiracy is ever safe. Someone, at some time, will see their own self-interest as higher priority than the group's interest. A perfect example of this is CIA's Project Jennifer (the Hughes Glomar Explorer). The newsworthiness of the project overwhelmed some of the participants with a sense of their own self-interest and they told news agencies.
Someone at your facility has probably already told someone else NOT at your facility enough details to allow them to do your system harm, if they wished.
SHOULD THIS INFORMATION BE ENCRYPTED?
Yes, absolutely! What's more, it should be encrypted under a method that will allow the key to be changed on a regular basis.
Given the expense of losing control of a satellite, the costs of security would be a pittance in comparison. Given what you've told us about the signals security at your facility, I imagine that the physical security and network security (does anyone have a modem in their desktop so they can work from home?) is likewise not very good. I would recommend a thorough analysis of all of these.
Re:It's about time... (Score:2, Insightful)
Uplink/Downlink details on SOHO are readily available, e.g.:
Re:Not that big of an antenna... (Score:2, Insightful)
D.
Re:Given enough motivation (Score:3, Insightful)
Anything can be hacked given enough motivation.
The problem isn't with the belief, but with the vagueness of the statement. What does "hacked" mean? Depending on the definition of the term, the answer changes.
If the definition of hacking constrains the attacker to using network-based attacks, and if the system under consideration is simple enough, then, yes, it is possible to build an unhackable system (this depends on the nature of the system to a large degree). If the definition is widened to allow physical attacks on technological infrastructure, then the problem becomes vastly harder. If the definition is widened to permit basic social engineering, then the problem gains another dimension that must be addressed. If the definition is widened to include illegal activities like breaking and entering, theft, bribery, extortion, torture and murder, then as long as some user has legitimate access, the system can be hacked.
I'm often frustrated by two equally incorrect viewpoints that I run into on this subject, and not just in the realm of security. The first is that everything is possible. The second is that anything is impossible.
It is not true that everything is possible. The Halting Problem, for example. Finding integers x, y, z and n > 2 such that x^n + y^n = z^n. Copying 10GB of data across a 10Mb ethernet in less than one minute. And so on. Many, many tightly-constrained problems are impossible.
It is also almost never true that any particular task is impossible, assuming all options are on the table. Many things are impractical, and many more things are too complex to get a handle on, but very few real-world personal and business goals are unachievable. If one appears to be, you probably just need a better understanding of the root goals.
When I was a young geek, fresh out of school, I was secure in my knowledge that some things could not be asked of me because they were impossible (and I could prove it!) until I came smack up against a young businessman, fresh out of school who was secure in his knowledge that anything was possible because all the great fortunes had been made by people doing the impossible. Tempers flared, sparks flew and we were both enlightened.
Re:Given enough motivation (Score:2, Insightful)
int main(void)
{
int i;
for(i=0; i10; putchar(getchar())!=EOF);
return 0;
}
Care to hack it? Har. Can't be done. Why?
A hack requires an exploitable flaw in a program. The above program does one thing: Reads ten characters from STDIN (stopping at EOF if it shows up early), and puts them on STDOUT. Nothing to exploit. Nada. Zilch.
Sorry to blast the myth, but sometimes slashdot (and its moderators) need a whacking with the clue stick.