Researchers uncover critical flaws impacting satellite communications

A security firm found that widely used satellite communications (SATCOM) terminals, deployed across the military, government and industrial sectors, contain a number of critical vulnerabilities.

Ruben Santamarta, principal security consultant for IOActive, authored a white paper, published Thursday, on the threat. The 25-page report, called “A Wake-up Call for SATCOM Security,” (PDF) compiled findings gleaned from three months of research, from October to December of last year.

Over those months, analysts reverse engineered publicly available firmware updates for popular SATCOM technologies from vendors Harris, Hughes, JRC, Iridium, Thuraya and Cobham. As a result, IOActive researchers found critical flaws in all of the device firmware – namely, issues that could be exploited to intercept, alter, or block sensitive satellite communications.

Some issues found were backdoors, defined in the paper as “mechanisms used to access undocumented features or interfaces not intended for users.” In addition, other vulnerabilities were uncovered, such as the use of hardcoded credentials, insecure protocols and weak encryption algorithms.

In the paper, researchers detailed attack scenarios in which these flaws could be exploited.

In one case, IOActive found that Cobham's SAILOR 6000 Series communications suite left ship security alert systems (SSAS) vulnerable to compromise.

“An attacker can install malicious firmware in order to control devices, spoof data or disrupt communications,” the white paper said, later explaining that SSAS aids in maritime security and thwarting acts of terrorism and piracy.

Ultimately, the SAILOR 6000 vulnerabilities, which included insecure protocols and hardcoded credentials, could be leveraged to spoof or delete incoming communications, like distress calls from other ships or weather warnings, the paper revealed.

In addition, spurious information could be sent to a ship's crew, altering their intended route. An attacker could even remotely disable safety systems to facilitate a physical attack against a ship, the paper said.

On Thursday, IOActive's Santamarta said in an interview that most of the attack scenarios in the report, if carried out, would likely originate from a well-resourced actor such as a nation state.

“If we are talking about targets, like ships, aircraft, and other transportation, we are mainly talking about nation state actors,” Santamarta said.

He later added that, depending on the technology, firmware updates could be installed automatically via servers. In other cases, remediating the issue could require a painstaking process, he continued.

“The [fix] could be a critical task, where you need to update one hundred or 1,000 airplanes, which is time consuming,” Santamarta said.

The report revealed that, with the exception of McLean, Va.-based Iridium, vendors “did not engage in addressing this situation.” IOActive alerted the companies to the vulnerabilities with the help of the CERT Coordination Center.
