The Dismal State of SATCOM Security

An anonymous reader writes "Satellite Communications (SATCOM) play a vital role in the global telecommunications system, but the security of the devices used leaves much to be desired. The list of security weaknesses IOActive found while analyzing and reverse-engineering firmware used on the most widely deployed Inmarsat and Iridium SATCOM terminals does not include only design flaws but also features in the devices themselves that could be of use to attackers. The uncovered vulnerabilities include multiple backdoors, hardcoded credentials, undocumented and/or insecure protocols, and weak encryption algorithms. These vulnerabilities allow remote, unauthenticated attackers to compromise the affected products. In certain cases no user interaction is required to exploit the vulnerability; just sending a simple SMS or specially crafted message from one ship to another ship would be successful for some of the SATCOM systems."

ignorance was bliss

[Anonymous Coward]

Isn't it great how security went from a concern, to an afterthought, to completely irrelevant over the span of twenty years? Only to be magically resurrected as a hot button issue of worldwide concern for every other news story for arguably the next 5 years. And all because big corps, with all their endless offshoring, cost cutting, profit seeking, litigation circumvention, and merciless assault on tax avoidance will continue to skip to the loo with endless payrolls, blaming all of this all the while on "outside forces". It makes me feel like IT Security is as fun a joke in the boardroom as GAAP. We don't even have a real ruling body anymore according to IETF sources. Is there anything that isn't a mucked up mocked up half assed attempt at stopping this all?

Re:Aren't those guys rocket scientists?

[cusco]

The problem is that reliability has always been considered as paramount in these devices, for very good reasons, and inserting a security layer in the stack increase the likelihood of problems and increases their complexity. There are satellite phones out there which have been in almost continuous use for 15 years, good luck flashing that firmware to handle encryption or to obfuscate that hard-coded password. For most satellite communications users I don't foresee the situation changing any time soon. They guy running a gold dredge in the upper Amazon isn't going to want to cough up for a new phone when his current one has been working fine for the last decade, nor is the tribal chief in New Guinea or the crab boat captain in the the Bering Straight. What they have works, and they don't give a shit whether the phone can be hacked as long as it works when they really need it. The commodities speculator in his Lear jet might be concerned, let him pay for the system upgrades, but leave the rest of the system backwards compatible for those people who need reliability overall.