Satellite systems hackable – study

Unencrypted uplinks invite hijinks

Critical commercial satellite systems relied upon by federal agencies, civilians and the Pentagon are potentially vulnerable to a variety of sophisticated hack attacks that could cause service disruptions, or even send a satellite spinning out of control, according to a new report by the General Accounting Office, the investigative arm of Congress.

The GAO report, dated August 30th but not released publicly until Thursday, criticizes the White House for not taking the vulnerabilities into account in its national cybersecurity planning, a criticism it also extends back to the Clinton administration.

The report focuses on satellite systems that are used extensively by the federal government but, like many critical infrastructures, are in the hands of the private sector.

Among the weaknesses investigators found: some satellite companies don't encrypt the tracking and control uplinks through which the satellites are controlled from the ground, making them vulnerable to spoofing, with potentially dire results. "If false commands could be inserted into a satellite's command receiver (spoofing the receiver), they could cause the spacecraft to tumble or otherwise destroy itself," reads the report.

"It is also feasible to insert false information or computer viruses into the terrestrial computer networks associated with a space system, either remotely or through an on-site connection," the GAO found. "Such an attack could lead to space system degradation or even complete loss of spacecraft utility."

Such an attack could impact military operations, the report claims, citing a Department of Defense (DOD) study that found that commercial satellites were used for 45 percent of all communications between the U.S. and forces in the Persian Gulf region during Desert Storm. "The importance of commercial satellites for DOD is evident during times of conflict," the GAO concluded.

The study does not attempt to rate the likelihood of such an attack, and found that there are some significant safeguards in place -- for example, some companies deliberately use extremely high-power transmitters to control their satellites, making it unlikely an attacker could overpower the authentic signal with a fake one.

Regulations Ignored

But the level of security varies significantly, the report found, and with little regulation governing satellite security, commercial providers have little incentive to invest in costly solutions.

One federal policy initiated in January 2001 theoretically requires satellite providers handling national security communications to meet minimal cybersecurity standards, but the report found that not a single company was entirely compliant with the directive, which is missing an enforcement mechanism.

"Some satellite service providers view compliance ... as not necessary for selling services to the government, since in the past agencies have used satellites that did not comply with prior security policy," the report found. "For example, DOD has contracted for services on satellites that were not compliant with the previous and existing policy for various reasons. However, at times, noncompliant satellites have been DOD's only option."

The GAO lists several past satellite glitches, intentional and accidental, beginning with the 1986 "Captain Midnight" hack, in which a worker at a commercial satellite transmission center in Florida briefly took over HBO, interrupting an airing of "The Falcon and the Snowman" with a text message protesting the pay TV channel's new scrambling system.

In 1998, the accidental failure of the Galaxy IV satellite disrupted over 35 million pagers across the United States for two to four days, and blocked credit card authorization at point-of-sale terminals.

The report notes that, except for GPS vulnerabilities, satellite systems were ignored in President Clinton's cybersecurity efforts, and are faring no better under the Bush administration's cybersecurity push.

"Given the importance of satellites to the national economy, the federal government's growing reliance on them, and the many threats that face them, failure to explicitly include satellites in the national approach to [critical infrastructure protection] leaves a critical aspect of the national infrastructure without focused attention," the GAO concludes.

A spokesperson for the President's Critical Infrastructure Protection Board didn't immediately return a phone call on the report Thursday.

The report was produced shortly before last month's unveiling of the White House's draft National Strategy to Secure Cyberspace, which doesn't address satellite system vulnerabilities, but generally eschews any new regulation of critical infrastructure providers.

© 2002 SecurityFocus.com, all rights reserved.
