I could spoof Globalstar satellite messages, boasts infosec bod
'We've never been hacked so everything's fine' says hacked firm
Black Hat 2015: Intercepting and spoofing satellite communications carried over the Globalstar network is possible with modest technical skills and an investment of just $1,000, according to new research due to be unveiled at Black Hat.
Globalstar is downplaying the threat, stating that its system isn’t getting hacked.
Globalstar's consumer-focused SPOT asset-tracking service is used for a variety of applications, including people-tracking systems for search-and-rescue. The technology is increasingly used by corporates, for applications including remote monitoring of satellite-connected SCADA (industrial control) systems and location tracking of trucks, containers and ships.
Colby Moore – security research engineer at security firm Synack – investigated the technology and discovered that communications were not encrypted. Using a PN number (not to be confused with a PIN; PN stands for "pseudo-random sequence"), Moore was able to spread (but not decode) the signals. The PN code was the same across all devices.
Moore was still left with the task of understanding the syntax and "grammar" of Globalstar's simplex satcom protocol. After gleaning an understanding of the content of communications (which Moore likened to SMS messages), he was able to see that a range of attacks were possible, ranging from signals intelligence collection to message spoofing. The system operates on only one frequency and does not attempt to conceal data – no dummy data is sent.
Design and implementation flaws make it possible to intercept, spoof, falsify and intelligently jam communications, according to Moore. He added that transmissions are not authenticated. As a result, millions of devices, critical infrastructure, emergency services and high-value assets are potentially at risk, he said.
The same terminals are used in consumer and commercial systems, and the flaws are virtually unpatchable in all but the most modern terminals, according to Moore, as firmware upgrades are not allowed in older kit. However, mitigation is possible by re-architecting the system and putting in another layer of encryption.
"It was more difficult to apply encryption at the outset than it is today," Moore told El Reg. "When this technology was first introduced around 2000, satellite data bandwidth came at a premium."
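The mitigation Moore describes, adding a protective layer on top of a one-way link that cannot itself be patched, can be sketched for the authentication gap he identified. This is an added example, not code from Moore, Synack or Globalstar: the frame layout, the 8-byte truncated tag, the per-device keys and the names `seal` and `Receiver` are all assumptions, and it covers authenticity and replay rejection only (confidentiality would need an authenticated cipher on top).

```python
import hashlib
import hmac
import struct

TAG_LEN = 8                  # assumption: truncated tag keeps frames short on a low-bandwidth link
HDR = struct.Struct(">IQ")   # hypothetical header: 32-bit device id, 64-bit message counter

def seal(key: bytes, device_id: int, counter: int, payload: bytes) -> bytes:
    """Device side: header || payload || truncated HMAC-SHA256 over both."""
    header = HDR.pack(device_id, counter)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()[:TAG_LEN]
    return header + payload + tag

class Receiver:
    """Back-end side: per-device keys plus the highest counter accepted so far."""
    def __init__(self, keys):
        self.keys = dict(keys)
        self.last_counter = {}

    def accept(self, frame: bytes):
        """Return the payload if the frame is authentic and fresh, else None."""
        if len(frame) < HDR.size + TAG_LEN:
            return None
        header, body, tag = frame[:HDR.size], frame[HDR.size:-TAG_LEN], frame[-TAG_LEN:]
        device_id, counter = HDR.unpack(header)
        key = self.keys.get(device_id)
        if key is None:
            return None      # unknown device
        expected = hmac.new(key, header + body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return None      # forged or altered frame
        # Simplex link: no handshake or ack, so freshness comes from a strictly
        # increasing counter. Lost frames leave gaps, which are tolerated.
        if counter <= self.last_counter.get(device_id, -1):
            return None      # replayed or stale frame
        self.last_counter[device_id] = counter
        return body

if __name__ == "__main__":
    key = bytes(range(32))                      # constructed sample key
    rx = Receiver({7: key})
    frame = seal(key, 7, 1, b"51.50,-0.12")     # constructed sample payload
    print(rx.accept(frame))                     # first delivery
    print(rx.accept(frame))                     # same frame captured and replayed
```

The counter is checked only after the tag verifies, so a forged frame cannot advance the receiver's state and lock out the genuine device.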
Moore's August 5 Black Hat talk is billed as offering a step-by-step guide from reverse engineering to exploitation of the Globalstar simplex satcom protocol. Attacks might include simulating critical conditions in satellite-connected SCADA systems. The talk will be repeated at DEF CON on Saturday, August 8.
The security researcher notified Globalstar about his research and told it about the vulnerabilities he'd uncovered. Globalstar responded to our request for comment with a statement essentially saying it had everything under control. It monitors its systems and hacking has "never been an issue", it said.
"Like all companies and industries in the 21st century, including those that Wired reported on this week to expose hacking vulnerabilities like Chrysler, GM, Brinks and others, Globalstar monitors the technical landscape and its systems to protect our customers.
"Our engineers would know quickly if any person or entity was hacking our system in a material way and this type of situation has never been an issue to date. We are in the business of saving lives daily and will continue to optimize our offerings for security concerns and immediately address any illegal actions taken against our company."
Previous research in satellite comms security by IOActive focused on software vulnerabilities on terminals whereas Moore investigated security weaknesses in the communication protocols themselves.
[Image: Part of the satellite comms hacking rig built by Moore]
Moore spent about $1,000 to put together a communication rig to intercept data from a tracking device. Hackers and fellow security researchers would be able to do something similar with a proper antenna, amplifier and software-defined radio peripheral, again for a cost of around $1,000.
Moore wants to encourage other hackers and security researchers to look at other satellite comms systems. ®
Globalstar sent The Register a link to a further emphatic denial, which can be viewed here.