Last week, we tasked Kyle from our Research and Development team with covering some common themes discussed at Black Hat and DEF CON. We want to bring these issues to both the security community that was in Vegas at the cons and those who kept an eye on the action from the outside.
The speed of light is too damn low! Anyone who’s ever had satellite Internet knows it. Satellite technology is one of the older wireless communication media that is still frequently used. From TV to GPS to satphones, satellite equipment and components have reached consumer size, power and cost requirements.
As has often been the case with old technology that stays in use in the modern era, several concrete hacks have been demonstrated against satellite communication technology. While rumors and allegations of hacks have been abound for years (US Landsat and Terra AM-1 allegedly hacked by China, UK SkyNet, etc.), few attacks have been discussed publicly. However, this year’s Black Hat conference contributes to the public discussion of satellite tech.
Hacked Satellite Devices
Colby Moore (@colbymoore) from Synack took a look at some of the most portable and versatile satellite devices: GlobalStar devices marketed under the SPOT brand. These are used for a diverse set of applications, such as asset tracking, distress beacons and oil pipeline monitoring. SPOT devices have been previously hacked to, among other things, encode altitude data into the reported GPS coordinates.
He demonstrated proof of concept of his attack to Wired a few weeks ago. With the tools he will be releasing, anyone with $1000 in hardware can passively listen to these devices as they transmit to a satellite (though it requires a high vantage point), allowing the attacker to spoof the device. With a substantially pricier setup to account for, e.g., Doppler effects, an attacker could presumably listen in to all communications in a 2000-mile radius (the range of any other GlobalStar base station).
Attacks Against Gas Pump Monitoring Systems
In a similar vein of attack against embedded devices that have minimal security, aside from that afforded by obscurity of device profile and documentation, Stephen Hilt (@sjhilt) and Kyle Wilhoit (@lowcalspam) from Trend Micro set up gas tank honeypots, spurred by the automated tank gauge report from HD Moore.
Moore found about 5800 automated tank gauges exposed to the Internet with no password set. These are often used to monitor the status of gas station tanks, pipeline terminal stations and backup generators. Trend Micro’s honeypots were running a simple Python script (which they have released on GitHub) that implements several commands that they thought would be most interesting to potential attackers, such as “change tank name” (perhaps for industrial sabotage) and “modify tank status” (perhaps to manipulate gas markets by artificially creating a shortage by having all tanks report full always, thus draining them). They observed a small amount of activity on the honeypots, but felt that some of it merited further attention.
While attribution is difficult with only simple honeypot interactions, their analysis suggested that perhaps Anonymous, the Syrian Electronic Army, and Iran Dark Coders had a presence, based on the text used, such as changing a tank name to “WE_ARE_LEGION”, a common Anonymous slogan. On the other hand, perhaps the pointers to these groups just came from “someone dicking around with shodan”, which they admitted they can’t disprove -- though the IPs used were, in many cases, previously associated with these hacker groups.
Regardless of the attribution and motive, the fact remains that these, and many more SCADA systems, are just sitting on the Internet with zero security to protect them. This is surely a byproduct of systems that were never intended to be publicly accessible, but instead were put on the Internet for the ease of automation.
SCADA hacks were primarily the domain of nation-state actors just a few years ago, as we saw with Stuxnet, but, with devices just sitting vulnerable and open on the Internet, there’s little reason why smaller groups couldn’t also exploit them. This theme is sure to repeat in the (very) near future, as hacking groups of various motivations and levels of sophistication start looking at SCADA.
The security community owes it to our user communities to take a closer look at the protocols and implementation of older technologies, particularly as the barrier to entry of embedded protocol hacking is reduced in both cost and obscurity of documentation and tools.
This applies doubly so for technology that’s used for life-critical applications, like the satellite beacons. This critical look can, and should, come both from manufacturers attacking their own products, as well as security researchers doing what they do best, even if no trendy buzzwords are involved.