Caroline Haskins, writing for The Outline: Hundreds of multi-ton liabilities -- soaring faster than the speed of sound, miles above the surface of the earth -- are operating on Windows-95. They're satellites, responsible for everything from GPS positioning, to taking weather measurements, to carrying cell signals, to providing television and internet. For the countries that own these satellites, they're invaluable resources. Even though they're old, it's more expensive to take satellites down than it is to just leave them up. So they stay up. Unfortunately, these outdated systems makes old satellites prime targets for cyber attacks. [...]
A malicious actor could fake their IP address, which gives information about a user's computer and its location. This person could then get access to the satellite's computer system, and manipulate where the satellite goes or what it does. Alternatively, an actor could jam the satellite's radio transmissions with earth, essentially disabling it. The cost of such an attack could be huge. If a satellite doesn't work, life-saving GPS or online information could be withheld to people on earth when they need it most. What's worse, if part of a satellite -- or an entire satellite -- is knocked out of its orbit from an attack, the debris could create a domino effect and cause extreme damage to other satellites.
Say what? (Score:2)
Re: (Score:2)
Was thinking the same thing. I am sure there is no satellite (other than perhaps a modern amateur microsat) running anything bearing any resemblance to a desktop operating system. The control system may be running Windows 95, but that's a different problem.
Windows 95? (Score:4, Interesting)
Windows 95 is a consumer desktop OS? Does the author means that the control software for the satellites runs on Win 95?
I'd imagine that the satellites themselves would use a real-time or server OS i.e. QNX, NT, or a Unixoid OS. Running a desktop OS on hardware with no direct display would be stupid, and satellite engineers aren't likely to be stupid.
Re: (Score:2)
Have real doubts about this. (Score:3)
NT I Could See
Back in the day, NT was actually a pretty good OS, and used in a number of mission critical applications. (Including some I worked on.)
But... 95? Really?
That was certainly not MILSPEC approved for that sort of thing. And NASA had even tighter requirements and a higher specification bar.
I really suspect that the author has their facts a bit scrambled.
Not all can be hijacked (Score:2)
As some are having their BSOD
Re: (Score:2)
Windows 95 didn't really have a BSOD. That was (is) an NT thing.
Security / Jamming (Score:2)
I'd be surprised if modern satellites don't have some sort of protection built into them after the legendary HBO Satellite hack that resulted in the words "HBO Sucks" displayed across North America. Jamming is always a possibility with a high powered transmitter although doing so would be the equivalent of putting a giant bulls-eye on your back since it's hard to hide a massive signal. There's also a huge question of why as well. Some of these hacks require some not so trivial equipment so it's sort of h
Re: (Score:3)
Naw, the vast majority of commercial communications satellites are still dumb bent-pipe repeaters. There's no security on them, save for nulling antennas and similar techniques.
I used to work for a company that built flyaway VSAT systems, so I know this stuff pretty intimately. A number of years ago, SES Americom (one of the big operators in North America) called me up for help in locating a wildcat transmitter that was causing interference with one of their birds. They called us because they knew we built
BULLSH@# (Score:1)
There has never been a microsoft flight certified any thing.
And no intel stuff that i know of.
those birds were designed in the 60s for GPS and more than likely use some version of the IBM AGC for the apollo missions.
I could find no evidence for the claim about Win95 (Score:4, Informative)
I read the article and while it makes the claim about Win95, it doesn't go into detail about it or support it with facts. I find that claim somewhat incredulous as most satellites would never use a GUI based desktop OS. Maybe some control systems on the ground use Win95 and have ever been updated.
I would agree with the basic premise that many satellites especially older ones are not hardened against cyber attacks.
Re: (Score:2)
The actual command/control of the spacecraft themselves is protected by reasonably heavy Cryptography. When a Long March rocket failed in China while launching Intelsat 708, Intelsat failed to recover the cryptographic equipment from the wreckage, despite significant risks taken by their crew.
The SKY IS FALLING.... (Score:3)
Literally... Chicken little has confirmed it!
Um... Yea, a lot of stuff is POSSIBLE, but the question really is about how practical it is. What's the actual level of risk? Pretty low.
These things are expensive. Older satellites might be vulnerable to exploits launched from the Web, but I've got to believe that such "over the web" control systems are quite well protected and monitored. Disrupting over the AIR (I.E. RF links) are going to require specialized equipment and some specialized knowledge about what you are doing (not all satellites use the same control uplink frequencies), and actually taking CONTROL is like to require insider knowledge of expected modulation techniques, telemetry formats, encryption keys and a lot of other things.
There are a lot of places that have the uplink equipment, though it's not that long of a list and most of that equipment is already being used for commercial applications. An uplink setup is prohibitively expensive for an individual to build and commercial companies that own them like to keep track of when they are used. You could possibly arrange to use one by stealing a mobile unit or breaking into one and using it, but you will get discovered pretty quick.
All this to say, Disruption is easy, so doing a denial of service attack is pretty high risk, you just need to access the right equipment. DOS attacks (and uplink mistakes) happen all the time now. Taking control? Not very likely, very low risk. State actors might have the resources, but apart from that, it's not going to be worth the effort and costs.