Satellite Command Security? 426
teridon asks: "I work in the satellite control industry, and I've been asked to present mission safety with regards to command security. In other words, how do we ensure that 'unknowns' don't command the satellite. Military and commerical birds often employ encryption on both the uplink and the downlink. However, it seems that none of the science-oriented satellites my company operates do this. We rely on physical security (access to the control center), network security (we use closed networks), technology (most crackers don't have access to a huge radio antenna with which to transmit), and obscurity (each satellite has its own command structure, not publicly documented). Many satellites use CCSDS frames to uplink commands; only the command data is obscured by lack of public info." A common mantra heard from Slashdot is "obscurity is not security", and this is a lesson that teridon wants his company to learn, in addition to other steps they can take to improve the security of their system. What suggestions might you have when it comes to improving security on satellite systems, especially if you have experience from some of the mistakes that you may have seen in production?
"Three major issues concern me (I'm going to assume that our network security works (grin!):
- Can someone effectively execute a DOS attack by uplinking to the satellite with a powerful signal (the frequency would be easy to 'snoop' from our transmitting antenna), thus preventing us from commanding it? In general, how do receivers handle multiple command carriers (would there be too much noise to command)?
- How many of you think that you could decipher the structure of the command (given the motivation)?
- Standards being developed (like SCPS) intend to make satellites 'just another node on the Internet.' Take a look at the security protocol (which is based on IPSEC, et. al) and tell me if you think it is secure, or whether you'd want to crack it.
Given enough motivation (Score:5, Insightful)
Anything can be hacked given enough motivation. That's why different levels of security are applied to different perceived threats - you guess how much motivation the opposition are likely to muster and decide how much to invest in security accordingly.
Re:Given enough motivation (Score:5, Informative)
Why is this such a widespread belief? Has it been proven somehow? Has everything in the world that could possibly be hacked been hacked?
The deduction seems to me the following: everything that has been hacked is hackable => therefore everything is hackable. Where's the logic in that? We don't walk around saying that 10 miles high building cannot be built because we have never built one, do we?
I don't want to come off like a troll, but I'm getting a bit weary of the conclusion that just because noone have proved the existence of an unhackable system no such system can exist.
Re:Given enough motivation (Score:3, Insightful)
Re:Given enough motivation (Score:5, Insightful)
The key is practicality.
I think this opinion is based on ego. The hackers think they can hack anything, they just "don't have the motivation" to hack the really hard stuff. The system designers feel that they need to believe and portray this because they fear thier systems will some day be hacked or perhaps keep an open mind about it.
I also think it is silly to beleive that an unhackable system cannot be designed.
Although, I agree with the parent poster regarding practicality. I had an MCSE teacher tell the class I was in, that encryption was'nt good because any crypto algorithm could be cracked if the design is known. I wanted to challenge him on the practicalities of it (but I hate always being the arsehole in classes who corrects the teacher). I mean sure, learn the algorithm and brute force the output, but what about the practicality? What if it is an algorithm that is strong enough to realise the full range of a 4096 bit key? How many hundreds of years is it going to take to brute force crack it with the combined effort of all the computers that will ever exist on Earth? Will we (human race) be history by then? Do people in the year 8002 really give a crap about what people in 2002 were trying to hide? Do any humans still live on Earth, having terraformed and populated Mars and some other planets in other galaxies?
Or how about a cipher text done with a One Time Pad, which could be decrypted with loads of different keys to come out as loads of *different* and *incorrect* yet completely inteligible plain texts!
The rest of the class justs nods (duh!). It was the same teacher that told me that to boot an NT server off a SCSI disk, on a system that has NO SCSI BIOS, you just had to load an NT SCSI driver. Yeah, OK teach, good one. MCSE's, poor bastards, are given the inflated belief that they are computer experts once they have passed MS's "computer science". It's almost as pathetic as Scientology.
Re:Given enough motivation (Score:2, Informative)
It is generally believed that if, say, the US government really wanted to hack something and was prepared to expend unlimited resources on the effort it would in due course succeed (if only by doing something as crude as conscripting every publicly-owned computer in the US and doing a distributed brute force attack).
In this particular instance they could, if they really wanted to, design and build and launch another satellite which sat next to the target one and snooped all the traffic in both directions - yer average script kiddie isn't about to do this, so the threat is different.
Anyone who doesn't try that hard doesn't have "enough" motivation and you're safe from them.
It's generally considered that silly children (the type of hacker usually discussed here) don't try that hard, industrial spies try rather harder and enemy governments in wartime try even harder.
You meet the threat accordingly. There's no point in wasting money trying to protect an SME's payroll system against an enemy government, for example.
Re:Given enough motivation (Score:3, Insightful)
Anything can be hacked given enough motivation.
The problem isn't with the belief, but with the vagueness of the statement. What does "hacked" mean? Depending on the definition of the term, the answer changes.
If the definition of hacking constrains the attacker to using network-based attacks, and if the system under consideration is simple enough, then, yes, it is possible to build an unhackable system (this depends on the nature of the system to a large degree). If the definition is widened to allow physical attacks on technological infrastructure, then the problem becomes vastly harder. If the definition is widened to permit basic social engineering, then the problem gains another dimension that must be addressed. If the definition is widened to include illegal activities like breaking and entering, theft, bribery, extortion, torture and murder, then as long as some user has legitimate access, the system can be hacked.
I'm often frustrated by two equally incorrect viewpoints that I run into on this subject, and not just in the realm of security. The first is that everything is possible. The second is that anything is impossible.
It is not true that everything is possible. The Halting Problem, for example. Finding integers x, y, z and n > 2 such that x^n + y^n = z^n. Copying 10GB of data across a 10Mb ethernet in less than one minute. And so on. Many, many tightly-constrained problems are impossible.
It is also almost never true that any particular task is impossible, assuming all options are on the table. Many things are impractical, and many more things are too complex to get a handle on, but very few real-world personal and business goals are unachievable. If one appears to be, you probably just need a better understanding of the root goals.
When I was a young geek, fresh out of school, I was secure in my knowledge that some things could not be asked of me because they were impossible (and I could prove it!) until I came smack up against a young businessman, fresh out of school who was secure in his knowledge that anything was possible because all the great fortunes had been made by people doing the impossible. Tempers flared, sparks flew and we were both enlightened.
Re:Given enough motivation (Score:2, Insightful)
Re:Given enough motivation (Score:2, Interesting)
Another point to remember is that while
In a related story: (Score:2, Insightful)
Limited time offer!
I loved the way that Cliff phrassed that (Score:3, Insightful)
"...this is a lesson that teridon wants his company to learn."
sound like a veiled threat to anyone else?
Maybe it's the pre-caffeine stage.
Re:I loved the way that Cliff phrassed that (Score:2, Insightful)
I assume the run of the mill reply to this is... (Score:2, Troll)
Re:I assume the run of the mill reply to this is.. (Score:2)
Re:I assume the run of the mill reply to this is.. (Score:2)
Re:I assume the run of the mill reply to this is.. (Score:3, Insightful)
The public doesn't have a need to know everything as long as the company(ies) involved don't rely on that obscurity alone to protect them.
Re:I assume the run of the mill reply to this is.. (Score:2)
Anyway, there are plenty of secure protocols available, you could take one of them (or even an implementation of them) and use it on your link. You could even review the code, to make sure there are no implementation errors, and should you find a bug you might even *gasp* give back to the community, and submit a patch.
Which would have the benefit that you'd stay in sync with the other people's code, and will probably at least give you a review of the patch.
Re:I assume the run of the mill reply to this is.. (Score:2)
Yes, the community of open-source satellite operators will be grateful indeed.
Re:I assume the run of the mill reply to this is.. (Score:3, Insightful)
No you don't need to post *your* code and say "hey look at this, if you find the hole in it, you can break my satellite". You can however use a proven technology to secure your link, and yes, for that to be proven it needs to be open.
You can still have your obscurity - you don't need to tell anyone which protocol you are using, even your command structure can stay just as secret as it was before - it's on another protocol layer.
If you were to use (random example) ipsec, and send your SATCOM (made up) protocol over that, and then someone finds a hole in ipsec. Well then you are just as secure, as you are now - the attacker still needs to break SATCOM, as well.
here's an idea... (Score:5, Funny)
Just a thought.
Re:here's an idea... (Score:5, Interesting)
He didn't say that he had no idea where to start, nor did he say that this was his only source of information on the issue.
Having done security work in the past, I'd often solicit the advice of other security experts (ok, so maybe Slashdot isn't the place to ask) to see what directions they'd go.
If I prefaced my questions with what *I* thought was important or the Right Way (tm), that could color the thought processes of my resource(s). By keeping my ideas to myself (at least early in the process), I could get their objective opinion, perhaps with ideas that I'd not previously considered.
Just my $.05 (inflation, you know).
- Dave
Re:here's an idea... (Score:2, Insightful)
Re:here's an idea... (Score:2, Insightful)
May have military use... (Score:5, Interesting)
Satellites are getting larger: if the satellite was sufficiently large to enable large lumps to reenter and you could predict reentry then you could attempt to use it as a missile, but this is obviously a very hit and miss affair.
In the light of September 11I don't think you should assume that civilian targets (or civilian satellites) will be left alone by a terrorist.
Re:May have military use... (Score:2, Informative)
The availability of the large R/F transmitters would also be a large hurdle (it would not be possible to make an FM/AM radio station into the ranges). However, I'm just kinda startled that various security methods (encryption, basically) wasn't designed into the satellites. Satellites are HUGE investments. It boggles the mind how much they cost to produce and send into space. Kind quirky to leave it to closed protocols alone to protect such an investment.
Conclusion: highly unlikely, but possible.
Re:May have military use... (Score:3, Interesting)
Hubble upgrade (Score:3, Informative)
Yes, you are entirely correct [space.com] about that, it was inserted on a spacewalk. However, the article mentions that Pentiums wasn't ready for space.
Re:May have military use... (Score:2)
Experts (Score:2, Funny)
"While I've never actually worked on a satellite system, I did hack encryption into my walkie-talkies when I was 8..."
EEP! The sky is falling! (Score:2, Informative)
I like the idea of encryption. It will turn away most of the little script kiddies, but then again so does obscurity for the most part.
most crackers don't have access to a huge radio antenna with which to transmit
Never Underestimate!!! I don't know much about RF communications with satellites, or how powerfull it has to be or whatnot, but I'm pretty sure if someone was determined enough, they could hack something togather. Or if they work at a radio station in a small town that goes off air at night. *shrugs* who knows.
Obscurity is a great thing in some cases, but I don't think it comes anywhere close to actuall good security. Then add confidentiality to it, and awesome physical security, and your in the right direction.
Just my small view on it.
Re:EEP! The sky is falling! (Score:2)
In my (limited) experience with crackers, the ones that are actually breaking protocols (rather than running scripts) tend to be older and with good resources ... typically high school or undergrad.
In either of these positions (but esp. undergrad in elec.eng or similar) such folk are likely to have access (or be able to access without too much trouble) school of university facilities. Certainly most of the universities here have some fairly powerful transmitters available.
Anyone listening in on the command streams and watching intently enough will be able to piece together the protocol in time ... by experimenting they risk damaging things but can speed up the process.
A couple of ideas (Score:2, Interesting)
Where I work we rely on a couple of things for security and they seem to work pretty well, I've been working here for nearly 5 years and I can't remember we ever got cracked.
1. SSH
2. Identity keys and passphrases along with 1.
3. IP filtering, you have to be on an IP in our network before you can reach any critical servers.
If you couple this with a private network I don't see any real threats to the network, unless some kid builds a nuclear powered high frequency mega super radio antenna thingy in his backyard to send the whole thing crashing down to Tora Bora.
Re:A couple of ideas (Score:2)
It doesn't? Maybe it does work, but you just don't know about it.
The first step in shutting down a satellite via hacking is to submit a story on slashdot pointing out the security holes, thus planting the idea in a lot of peoples' heads. And no, the script kiddies aren't the only ones who do this sort of stuff. As much as people don't want to hear it, there are plenty of morally bankrupt but tech-savvy people who know what they're doing, and have the mentality of teenage vandals.
Go with the new standard, worth hacking (Score:5, Interesting)
Just to give you an idea, some crackers during the BB era in southern california were stealing credit cards to buy commercial software, then sold cracked versions to the largest BB in southern CA. They were eventually caught and the FBI took away all the computers. All of them were under-aged, so they didn't do any time. All of them were interested in science, so they would definitely be interested in what your satellite is sending. More interesting is getting control of your satellite.
Also, remember that crackers tend to have parents who have technical careers, but no time to watch their kids. Hackers and crackers have a lot of time, brains and energy to burn. With all the articles recently about amatuer and college programs building their own satellites, it will become a bigger concern. As kids get more technically advanced at a younger age, more systems will get compromised. It's a fact of life.
PKI (Score:2)
Re:PKI (Score:2)
Re:PKI (Score:5, Informative)
Do you really mean PKI or simply Public Key Encryption? Do you actually picture a root certificate authority, subordinate certificate authorities, directories, certificate revocation lists, and authority revocation lists being used to secure a satellite's command & control?
PKI is a great choice when you have lots of parties that need to randomly communicate with each other. It provides a great key distribution. However, PKI seems like overkill when one (or, at most, two) ground stations will be talking to a satelite. In this case, distributing a shared secret really isn't that difficult - probably much easier then building a PKI network and keeping it secure! Of course it does depend on if you trust your internal computer systems to keep the key private. If you don't, then PKI might solve some of your problems.
I would suggest a very lightweight approach. Privacy of data is not required for this application, IMHO. Maybe I'm wrong, in which case, you should investigate other options. This sounds like a good case for a MAC (Message Authentication Code). You don't even need to use encryption - just hashing - to do this.
Basically, each end has a shared secret, "S".
You have a packet containing data, "D".
Each packet has a timestamp (to prevent replay attacks) "T".
All packets consist of: D+T+MD5(D+T+S)
Of course, you can use some sort of hash besides MD5. You can also program the satelite with a few thousand secrets, which expire every so often - if you give it 100 years of secrets at launch, you should be fine.
The satelite receives this packet, does the MD5 of D+T+S, and compares the numbers. It doesn't let you use a packet with an old T (T should be very close to the current time and T should be greater then the most recent T).
This code has the benefit of taking very little memory space compared to a PKI solution. It's also much easier on the uplink/downlink channels.
The most important thing to remember, though, is that this shared secret has to be kept secret. It should not be used by your normal programmers to write control software. Instead, it should be an external module that runs on a secure box (I.E. no remote administration capabilities, only allows connections via a secure interface, and adds on the MAC as the messages pass through it). If you can afford a satellite, you can afford one secure server! I would definately investigate commercial encryption devices which add on a MAC using a shared secret - at least on the ground-station end. They of course may function differently then the method I described above, but the basics remain the same.
Of course all of this has been solved before. ATMs and banks have long needed to authenticate the other end. (ATMs, BTW, do not use public key cryptography, but simply a split key pair - that is, a random string of numbers is one part of the pair and that string XORed with the real key is the other pair - each part is given to a different person who keys it into the ATM seperately from the other person - you might also incorporate this type of system). Since this has been solved before, I recommend that you hire some sort of encryption expert to help you (you are NOT looking for a computer security person - chances are you are not running a default install of W2K on your satellite!).
As for IP, I would think that you would want to ensure there was no way for someone outside the control room to use your equipment to send command and control messages to your satellites! At the very least, this means that the control room should probably have an air-gap between it and the rest of your network. Sure, a little inconvienient, but how much command and control data do you really have to share with people outside that room? Not much most likely - certainly not too much to retype.
Security Engineering (Score:3, Interesting)
It gives you a perspective of security from a lot of different fields.
If you must secure stuff you have to think like an alien.
If people who were supposed to control the Defense satellites
in Britain had thought like an alien, none of their satellites
would have been hijacked [landfield.com],
but that story seems to be untrue
Anyway, secure your babies.
Forget reverse engineering -- who's quit lately? (Score:5, Insightful)
Complete security (Score:4, Informative)
The most secure authentication scheme I've seen in a while is talked about in great detail here:
http://www.rsasecurity.com/products/securid/har
The idea is that if you need a physical token, and some knowledge to authenticate, you have added another level of security. These tokens are (from my understanding) REALLY hard to reverse engineer. They generate a number (that looks random, but isn't) every minute. On the other side of the connection, the same pseudo-random number is generated. If they match at authentication time, you get access, if they don't, try again.
The other thing you were wondering about was DOS attacks. Go read this article on GRC:
http://grc.com/dos/intro.htm
It boils down to this: if it's distributed there is little you can do.
On the flip side, since these signals would require massive antenae, you can triangulate the source in a matter of seconds, and send some guys (cops, navy, army, etc) over to shut them down.
Either way it goes, this is an interesting problem. Keep us posted with the results.
Beware TPB
Re:Complete security (Score:2)
My understanding is that this "problem" is primarily for communications between trusted computers - i.e. base station to bird, and making sure that neither (particularly the base station) could be impersonated. In this case SecureID isn't really appropriate - it's great for dialin (most big companies use it for this) and for authenticating _people_, but I don't imagine you want each controller to have to authenticate him/herself directly with the bird. There are plenty of hardware based heavy encryptionk devices around, I think IBM make some. Basically a custom chip and some eeprom encased in polymer, along with some tamper-detection sensors. Encrypt the whole stream (or just the commands themselves) with a shared-secret key algorithm (don't bother with public key) and bung one of these hardware units at each end. Voila
Oh and tale EVERYTHING you read at grc.com with a pinch of salt. Or better yet don't read anything at grc.com. Still, he is right when he says that anything internet based is liable to DOS, it's the way routing works. Until someone comes up with a clever way to fix it..
Re:Complete security (Score:2)
The cards themselves have some tamperproofing that protects them from casual disassembly, but it doesn't look like something that's designed to withstand a determined attack. I think it'd be much harder, though, to access the internals of the card in a way that wouldn't leave obvious visible evidence of tampering--I'm guessing this was the design goal, not total tamperproofing.
The algorithm used by the cards isn't something that RSA publishes, but it's been out in the open [securityfocus.com] for a while now.
The cards are each preloaded with a secret key, which is also loaded onto the SecurID server that does the authentication. Without the secret key, the algorithm doesn't do you that much good so long as it isn't easily possible to derive the secret key from a sequence of the displayed number. The jury is still out [linuxsecurity.com] as to whether this is possible. But assuming there aren't obvious holes in the algorithm, one has to obtain the keying material from the server (where it's presumably closely guarded) or from the physical token itself. Doing the latter would require theft of the token or tampering in a way that would be obvious to the user.
Security or authentication? (Score:2)
If that is the case, then you really only need to change the format slightly to include timestamped (or sequentially numbered), signed messages rather than unauthenticated ones (timestamps to prevent simple retransmission of commands as a "cut and paste" control system). There are plenty of PK signature solutions out there - but I assume uploading a new program may be a problem - debugging would be a nightmare ;)
Uploading (Score:2)
That's why you debug using duplicate equipment on the ground. That's how JPL does it. They've reprogrammed interplanetary exploration vehicles such as Galileo, for instance. It's not a nightmare, but the latency (8 hours round trip to Galileo) is a hassle.
Signatures? (Score:2)
As for new satellites under design, just encrypt the channel, stupid! Its not like its rocket science or anything.
the very fact that you told us how you already... (Score:2, Insightful)
issue 1 (Score:2)
In general case any single channel signal can be drowned with another signal at the same freq. and with a comparable power.
Sat Security (Score:2, Interesting)
This type of question is probably best not asked here.
I highly suspect you are whom you say:
1) Why ask questions about such a sensative issue here in such a loose and public forum
2) If your company does indeed control multiple satellites, why do you not have answers to such simple questions as # 1? I would expect you would contact one of your own engineers.
3) This list could go on for quite a while.
I appologize if I'm wrong about the above, but I tend to suspect this is a dupe post by someone either interested in hacking a network or interested in getting people together to hack sat's.
Questions:
1) This would depend to some degree on the com hardware on the bird. Signal jamming is a quite known property of emf communications.
2) Yes. People have deciphered far harder things than a ordered (probably) control protocol.
3) I didn't look at the protocol yet. Yes, folks will want to hack it though. Sat's are l337 d00d.
Remember HBO? (Score:5, Informative)
As for hacking the command set? You better believe it. Get four engineers and a large blackboard and you might be amazed at how useless "security through obscurity" really is.
Cheap karma-whoring link (Score:3, Informative)
It's not just a nice "satellite takeover" story, it's also a great "fight the Man!" tale.
I personally wonder if someone could do a Captain-Midnight job on an MTV transponder and send the message "PLAY SOME DAMN MUSIC SOMETIME, LIKE THAT MUCHMUSIC CHANNEL IN CANADA!" Or a CNN
A man can dream...
Re:Remember HBO? (Score:4, Interesting)
Captain Midnight was an employee of a satelite uplink station. He was angry about the impending scrambling of HBO's satelite signals (he was a satelite dish dealer as well). He aimed a transmitter at HBO's satelite and transmitted a total of 2 or 3 seconds. One or two weeks later he did the same thing, this time with text on the transmitted screen instead of only a test pattern. He identified himself as Captain Midnight and expressed his anger (I forget what he had typed).
In the story (written by the man himself) that I read online a year or so ago, he mentions that the reason it took over was that it was a stronger signal than HBO's ground station.
----
On topic, as far as determining the command set, don't forget that everybody can monitor the communication to/from the satelite. A few thoughts, though:
- Is the frequency set in stone? Frequency hopping, split spectrum, etc. Is there a government body that may keep the frequency or range on file, such as the FCC?
- If using encryption, I would recommend an open standard, so that all the bugs have been hammered out.
- Rotate keys and use a large set of keys to make it more difficult to crack.
- Always fill data packets with white 'noise' so that all data packets are the same or random sizes. This make it more difficult to crack, since they never know what is real data and what is junk.
These are standard techniques of course, so I'm sure that teridon has thought of them. But I find this subject quite interesting and want to show how much I know.
On top of all of the above, physical security is indispensable. You might even come up with creative ways to keep each technician from holding all keys, and require multiple techs to do a certain task, since each provides a set of critical data or algorithms. These are also (I assume) standard practice for at least military-grade operations.
Requirements we had on small science satellite (Score:5, Interesting)
Wow, really? (imaging how many
As an undergraduate I worked on a small student-built scientific satellite, and even though the satellite barely had any need of an uplink, I seem to recall we still required strong command authentication, and that we also required the ability to be able to turn off the satellite transmitter and receiver in certain regions of the world, and that these requirements came straight from the DoD. My understanding is that we had to be prepared to respond to certain possible DoD advisories. In fact we probably would have done away with the uplink except for them.
The trasmitter turn-off requirement was apparently so that rogue states could not use the bird for navigation purposes or possible sensing.
Now the advising engineers on this project came from a lab (JHU APL) that does a TON of military birds, so it's very possible they were just imposing good practice on us. Maybe someone in the know could tell us more.
--Braddock Gaskill
Oh Great.... (Score:2)
"Hey man, lets go hack a satalight and use it to spy on GIRLS!"
"What, do you think I can access it with my 802.11 Airport?"
"We could crash it into the Whithouse like in that movie!"
Zap 'em a virus... (Score:2)
Physical security is the best anyway... (Score:3, Informative)
Military Sats use encryption for two reasons, one to make sure they can't be cracked, two to make sure they can't be listened two. The second is the more important. As long as the command sequence to the sat is tied to a physical device (which I'd hope at the very least) then your fine as long as you don't get invaded.
The easiest way to secure these systems is to ensure that there is a closed VPN which is tied to two devices, one on the sat, one on the ground. Redundant nodes come into play but its again only the physical that matters.
It takes a hell of a rich hacker to set up the transmission equipment to crack a satellite, and then the sat should just be saying "who are you ?" standard H/W ident stuff should block them off.
Physical rules, if you aren't using H/W paired security then its very worrying as its very simple to do and very standard (I assume it is as anyone with half a brain is going to do that) from then on its just a matter of how important is the information and does it need to be encrypted as listening is miles easier than transmitting.
Re:Physical security is the best anyway... (Score:2)
Re:Physical security is the best anyway... (Score:2)
How can you have H/W ident stuff when you have no physical connection?
Sure could, but how are you going to get the keys? The great thing about HW ident stuff is that the secret key is in the hardware and never leaves. Trying to get it out is likely to destroy the device.
Re:Physical security is the best anyway... (Score:2)
Unique key stuff, two pieces of hardware driven off the same algorithm with the same base, odds of matching it are practically zero. Physical connection isn't required its about the integrity of the two devices.
Re:Physical security is the best anyway... (Score:2)
Re:Physical security is the best anyway... (Score:2)
Sure Redundant nodes are essential. How stupid would you feel (and how quickly would you be fired) if a box on the ground died for whatever reason (hardware failure, fire, someone tossed the wrong box) and you couldn't control the bird any more.
So - as a social engineering sort of hacker, probably the easier goal is to go for one of these backup devices - expecially since it's less likely they'll notice it's gone (hard to hide the fact that the primary box is off-line!)
Of course a sensible shop will have secured the backups in a vault somewhere - and I don't even need to mention proper authentication procedures for _removing_ this thing from the vault - so I can't turn up with a stolen uniform pinched at the cleaners and lift int.
Re:Physical security is the best anyway... (Score:2)
Err the normal configuration is to have all nodes in a redundant loop so their isn't a single point of failure. But you bet it will be noticed if the number of nodes in the ring goes down by one.
Big flashing lights
Huge arrays NOT required. (Score:2, Insightful)
Is deciphering necessary? (Score:2)
Depending on how the protocol's set up, this may not even be necessary. If replaying a previous set of movement commands causes the satellite to move some more, you've already lost that battle. The net result is that an attacker can drive the satellite off course and deplete its fuel reserves, making it a floating piece of junk.
Of course it may be that there's a sequence number in the commands that needs to be updated (most likely to prevent inadvertent duplicates due to transmission problems). In that case, it'd actually require some deciphering effort. Still, remember that you lose as soon as someone figures out enough of your protocol to move the satellite around. An attacker doesn't need to figure out every little detail.
Finally, there's always the social engineering approach. If the attacker can get the protocol by creatively lying to people at your organization (or just by getting a job there), then not only do you lose, but the attacker would have enough information to theoretically do something really fun (like trying to get the satellite to reenter the atmosphere in such a way that the attacker can watch the light show). That further cranks up the attacker's motivation to carry out the plan.
Security analysis (Score:5, Interesting)
I'm not going to analyze the up-link protocol or try to brainstorm motivations for cracking your system, but as a security professional let me try to clarify the issue a bit.
You are on the right track with your questions. You are trying to figure out: a) how badly does somebody want to crack it, and b) how difficult is it for him to do so.
These two factors are precisely what define security risk. If the cost of breaking a system is greater than the reward for doing so, your security is adequate.
The first question cannot be answered by the Slashdot crowd. There are too many variables. Who are your competitors, and how much to they have to gain by sabotaging you? Could the satellite possibly be used for anything other than its intended purpose if control was usurped? How valuable is the satellite to people other than you if it is only being used for its intended purpose?
Perhaps people here could try to figure out the 'cracker bragging-rights' factor, but I suspect that would not be sufficient motivation to go to the lengths required to break your system (any glaring security holes notwithstanding).
From what it sounds like, the second question can't be answered by anybody. The rule of the day is 'provable security', which is why security by obscurity is frowned upon. It's not that it doesn't work, because sufficient obscurity is indeed security, it's that you can never be sure how well it works. This was the problem with the German Enigma machine in WWII, which ultimately provided the greatest incentive to proving lower bounds on security.
Encryption provides easily quantifiable security, demonstrated by mathematical proof (with the minor caveat being most of these proofs rely on P not equalling NP). The techniques you describe do not sound like they lend themselves to provable security. (Although physical security is usually considered pretty sound, provided it is comprehensive; this includes isolated networks and site protection, as you describe)
How difficult is it to gain access to a powerful radio-antenna? That's a key question. If the satellite is owned by a company in an industry with cutthroat competitors who also have satellites, it might not be difficult at all.
Has it already be done? (Score:2)
Another thing is the GPS sats used to shift their packets a bit to throw off the Russians (who had a better system). Someone (claiming to be Russian) posted polynomial to usenet describing it. That was a major part of its security. (and I'll have to dig up that post now that google has stuff from the dark ages)
The last secure by obscurity one way hash I cracked took me about 3 days. It wasn't nearly as good as they would have liked.
Based on some of the things I've seen...
give some of my friends a good reason and enough to play with your toys and you might see a cool reentry.
If what your playing with can be a weapon, call your local spooks and explain the situation to them. Its in their best interest not to have your bird go down. The NSA does have a group that may provide some very useful to your company -- they were providing some good ideas on one project I was involved with for a while for a well known company.
NASA Memo explaining COMSEC requirements (Score:2, Interesting)
http://www.tscm.com/communsec.html [tscm.com]
Some excerpts:
The need for and means to protect the command/control uplink associated with civil satellite systems, intended exclusively for unclassified missions, will be determined by the organization responsible for the satellite system in coordination with the National Security Agency....
Basically, if your group is doing as little as what you say they're doing, they may be in violation of law.
--Braddock Gaskill
Re:NASA Memo explaining COMSEC requirements (Score:2)
Only if it's a US company. Most commerical satellites are launched by ESA, which obviously doesn't follow NASA regulations.
Obscurity and Security (Score:4, Insightful)
Obscurity really is security, if it is true Obscurity. For instance, if you've written a custom server with a set of commands, and you run it on a single computer somewhere on some random port, chances are it's not going to be hacked unless somebody smart and dedicated specifically targets you. Yes, you'd be more secure if you wrote the thing to encrypt its communications and made damn sure that it was robost-- but saying "probably nobody will notice me" has something to it if really nobody likely will notice you.
The problem with companies like Microsoft arguing that obscurity is security is that they don't have real obscurity. Their operating system is absolutely all over the place, both physically and in terms of network connectivity. As such, there is both ample opportunity and ample motive to find out hidden facts about it. While those facts may be hidden, the OS is not, so there's no real obscurity, just a thin veil of obfuscation.
If you're building one new high-tech stealth bomber, and you do it in a hidden valley in some very remote site, and completely underground, chances are it's not going to be seen. On the other hand, if you build several prototypes in downtown parking lots of major cities, and just drape a cloth over them with a sign "no plane here", that's just the illusion of obscurity (and hence the illusion of security). Major OSes that are widely distributed but which hide their source code are much more in the latter category.
As for Satellites-- their obscurity probably is worth something. It's only one link, and the need to have the broadcasting station is a huge barrier. On the other hand, they can be highly visible targets, and I'd suspect that they aren't as obscure as one would really like to be to think it grants you some security. They probably ought to start using, as a matter of course, real secure protocols.
-Rob
Comment in the obscurity vein (Score:2)
This way you can avoid the folly that one person's ideas are failsafe (they never are, after all), while still keeping the details from massive public consumption.
A poor analogy (but the only one I can think of right now) would be the details of the presidential security detail. By not publishing when the motorcades and aircraft will be moving/flying, the Secret Service adds a layer of security to the already armed-to-the-teeth plan. Relying exclusively on one or the other would not be enough to consider bullet-proof (no pun intended), but combining the two offers a degree of synergy, strengthening the overall plan.
Real answers... (Score:2)
Absolutely. Amateur radio operators have worked earth-moon-earth on 144 and 440mhz for decades - there's no reason someone couldn't build the equipment to do it on your frequency. However, the antennas and such are rather obvious-looking [dokidoki.ne.jp]. Any nation's communications commission would be able to spot one of those very easily in case it needs to be hunted down, and it does raise the bar beyond what most crackers are motivated to do.
In general, how do receivers handle multiple command carriers (would there be too much noise to command)?
The mathematical formula for this is Shannon's Law [google.com]. Run your numbers through it (and keep in mind some modulations have significant inefficiences of their own). I can't imagine missing a couple communications windows with your satellite would be the end of the world, though.
For something with the replacement cost of a satellite, you want guarantees, not estimates of society's intentions. If you want your control center to be the only station capable of transmitting commands to the satellite, your satellite needs a way to make sure it's the control center that's doing the sending. If you want to make sure your telemetry data is from that satellite, you need to make sure it's the satellite that's doing the sending. Note that encryption isn't really needed here (a cracker knowing what you're doing with the satellite doesn't help much, as this is not a spy satellite) but some form of public key signing should be employed. It also guarantees that your control messages won't arrive corrupted (although I'd imagine you'd already have something to protect against that).
Two solutions (Score:2)
2) Use some sort of phased array receiving antenna. These can select what direction to listen to a request from. That means that someone would have be in your geographic area or have an EXTREMELY strong antenna (much stronger then yours) to do any sort of DOS or even send legitimate commands.
Your three questions (Score:2, Informative)
1. Jamming the uplink.
Jamming the uplink can be done, however once it's done, it is easy to find out who is doing this and easy to fix the problem. Since you're in the field, I'm sure you know all about squelching on particular rx beam channel (The main rxing antennate is usually as simple as a honeycomb of waveguide).. All military satellites can give a Lat and Long of the jammer if the threshold is set low enough.
All military and major commercial satellites have a redundant, out of band uplink path that's available to the command.. This is usually in the VHF frequency range (as opposed to the GHZ range for comms uplink) and is used for C&C only. This channel usually requires special encryption and commanding sequences, however if both were jammed, you'd be blind until the jammer was brought down. All the satellites that I've worked on has had protection for jamming though.. A few have had systems that would shut off particular beam channels for a given time if they detect a jamming signal.
There is also the issue of communications protocol.. Most of the systems that we worked with didn't only use encryption, but also particular protocols that wern't widely known.. Here's where obscurity can lend a hand.. though everyone's right.. it's not effective.
2. Can it be hacked...
This has already been answered... It probably can, but if the satellite designers had half a mind, it'd be hard... and any attempts to test uplinking would be detected pretty quickly.
3. Satellite Internet Node.
Secure or not, it's just not a good idea. Granted, it'd make it easier to get information across either the atlantic or pacific, but with fiber optic systems and the bandwidth that they'll be capable of transmitting these days, it's more cost effective to use a trans-oceanic fiber (When you consider the cost of funding launch, uplink and downlink equipment, maintence of flight path and satellite system etc...).
Security in depth (Score:2)
Physical, keep that network you communicate to the satalite separated from all other networks.
Encryption, I'd recommend encrypting the uplink command stream as a minimum. Encrypting the downlink would also be good. This makes the pool of information about what was done small and thus makes crypto analisys harder. Temper this with the fact that all known encryption methods can be brute forced with enough time and CPUs. The encryption is there to make the job harder.
On going to standard IP protocals for talking to the satalite, I'm not convinced it is needed and may be detrimental security wise as it provides a more common element that can be worked from. On the other hand if the protocals have a good security setup in them that is proven secure, then it would be better than developing your own. At this point any security relaying on digital information can be faked. There is no absolute security in the digital world.
What I would do: Keep the network physically separated from all other networks. Keep the protocal secret as nobody else needs to know. Encrypt the uplink and downlink data streams. For the encryption methods, I would choose well known and throughly checked out methods for setting up and maintaing keys, etc. It would be best if the keys are rotated often. This helps keep down the possibility of a key being brute forced before you stop using it.
Satellite Security (Score:2, Interesting)
2. How many of you think that you could decipher the structure of the command (given the motivation)?
2. Deciphering the structure of the command is not going to be easy but it can be done. This is not something for script kiddies but the true hackers with sufficient motivation will eventually figure the problem out. Remember, with Real Hackers, simply the doing of something neat is sufficient motivation -- but a Real Hacker also subscribes to the Hacker Ethic of doing no harm.
3. I think the simple cool factor of getting into a "NASA Satellite" would be sufficient motivation for some of the budding anti-social geeks. Satellites are extremely high-value assets and should better security than how we protect our webpages. However, securing them also goes counter to the way most scientists want to work. Luckily, the command and data streams should be using different signalling systems and freqs so you CAN have the best of both worlds.
4. I would not assume your network security works. I seem to remember something about someone getting into ESA's system; it was postulated as a possible reason for one of the Ariane failures resulting from bad design. Personally, I think the French just wanted to toss the blame off on someone else but the more the US government relies on Microsoft systems, the less secure your system will be and your security is only as good as the weakest point of entry.
You're asking this on Slashdot?? (Score:2, Flamebait)
If you are not a troll, then YUO=FUCKED.
Details of HBO Satellite hack by Captain Midnight (Score:2)
http://catless.ncl.ac.uk/Risks/3.24.html#subj3 [ncl.ac.uk]
This was done in 1986, and MacDougall transmitted a few messages and a test pattern over HBO interrupting normal programming. It seems likely to me he just transmitted video on HBO's frequency, so this probably wasn't a command and control hack.
--Braddock Gaskill
It's about time... (Score:5, Informative)
Re:It's about time... (Score:3, Informative)
Insider attacks (Score:2)
-Derek
Access to transmitters (Score:2)
I would have assumed that's the case, but then I'd have assumed that control links to satellites would use a secure protocol, too...
Also, if you want to defend yourself against rogue states, you can't count on them not being able to build a suitable transmitter. As we've all learned recently, some terrorists have very considerable resources to command, too.
The most likely attack may not be technical (Score:2)
I would note, however, that the simplest attack on a system like this (unencrypted or reliant on fixed keys) involves social engineering or the outright corruption of staff who know the details of the protocol and command structure. Do you think there's a chance someone who understands how to command the satellite might part with the information for $100,000? How about $50K? $25K? In any of these cases, the engineering effort required to reverse-engineer the information is likely to be lots more time-consuming and costly than simply bribing someone to give you the information you want.
When you're just trying to guard against the '7337 hax0rs working from home, you can pretty much focus your attention on technical avenues of attack and maybe some basic social engineering, but when considering a determined and well-funded adversary, it's important to take (management buzzword alert!) an integrated, enterprise-wide view of the problem.
I would consider this a high risk regardless (Score:2)
Just how secure is it? Are we talking bunker fortress or a couple of hire-a-guards? Are procedures in place to make sure that facilities can be made non-functional in the case of an invasion?
So no one has access to the internet from anywhere in the facility?
Most? Remember Captain Midnight? You're depending on the security not of your facility, but every facility under or near your footprint (which is most everywhere for non-sync satellites). You actually don't need that much power to communicate with a satellite. You do if there is someone else competing. And if the facility is not monitoring it 24x7x365, someone could take control when you are not looking, and you would not be there to grab it back.
Certain high security facilities do not allow employees to take any papers or media in or out that's not specifically approved by many levels of mnagament with procedures in place to handle it. Do you got to this extreme? Ever heard of "disgruntled employee"?
It's a matter of degree. Are the commands checksummed against noise? How strongly? Personally for something as critical as a satellite, even a science satellite, I'd use something quite strong to checksum, like MD5 instead of CRC-32. Sure, it's argueably overkill to use MD5, but I would anyway.
Once someone has your frequency, if they have access to any unsecured facility, they can DOS you. And many ham radio ops have enough facility in their backyards. Then if they got the specs from the disgruntled employee, and enough power to keep you from grabbing it back, they can even 0wn it. Even greater danger exists if the commands include uploading new program code.
For a company I once worked for, I cracked a competitors file format (so we could convert the data to our format) which included a proprietary compression algorithm for which I had no docs. Considering that I would not feel the multi-million dollar loss if command experiments dunked the satellite into the ocean (or worse), if motivated, and had access to doing occaisional commands on the thing, as well as sniffing the command upstream from nearby the uplink in one of the side lobes, I might be able to figure out enough to ... perhaps at least dunk it.
My greatest worry with a lot of these generalized security protocols is not the crypto they provide (IPSEC is plenty solid enough in that area for me), but rather, in the social interface aspects ... the way things get routinely configured after the design is all done, by people who never designed anything secure, is the biggest risk I see. And, IMHO, IPSEC is rather exposed in that area due to the complexity of configuring its setup. Most security is.
Steering a satellite over to hit something like an international space station would seem to be highly unlikely, given the small object sizes and the even larger spatial dimensionals up there. However, the cost of the risk is extremely high. Even so much as having a satellite out of control doing unknown things up there could cause operational impacts, and require aborting missions.
Whatever you design now will be used for how many years? And what will the new security requirements be then? Personally, I would consider every security risk at least in terms of the high cost of impact, and quite likely pretend a high chance of intrusion by a motivated cracker/terrorist. IMHO, it is best to maximize the security everywhere that you can't prove has no risk. And if you have not done so already, take an NRA gun safety class. Then translate the multiple layers of safety you learn there into multiple layers of security, and think like that everywhere.
Silly question. (Score:3, Insightful)
You're askign a group of crackers... if performing the ultimate crack, obtaining command control of a satellite... "would be worth the time?"
As you said, the only reason it probably doesn't happen very often is a simple lack of the required tools. To hack into a system on the internet, you wouldn't need much more than an ascii terminal with an internet connection. To hack a satellite, you need some powerful equipment, and the average person who is able to afford such equipment, probably would recognize that the effort isn't worth the potential sacrifice.
Conventional networks were rather insecure in the beginning. But back then, the privilaged few who had access respected the system and didn't have the need or desire to exploit them. Times have changed, so much to the point that IF you are insecure, you WILL get exploited, and its only a matter of time? Satellites may begin to reflect this history soon. Right now, those able to access them have no need or desire to exploit them.
But just give it time.
-Restil
I hope you enjoyed your job... (Score:3, Insightful)
a) You should already know the answers to questions 1 and 2, and have enough of an understanding of 3 that removes the need to ask it. You should also already know, based on 1 1/2+ years here on the site, that this is *hardly* the forum for a real answer to that question.
b) You just divulged some fairly major security-vulnerability information on the internet equivelent of Prime Time television.
c) I would hope that nobody at your company gets wind of this posting, because it would not take a rocket scientist (*smirk*) to figure out who you are.
I'm really not trying to flame here, but this *really* seems like a horrible, horrible idea. From a security standpoint, if your systems are based on security through obscurity, the *last* thing you want is more attention being drawn to them, especially if the amount of attention being given to the subject matter is by nature usually small (how many people have satellite transmitters?) and prone to mass speculation (how many openly documented satellites are there?). Just by asking this on Slashdot, you've brought more attention on satellite-hacking as a whole, thereby astronomically increasing the chance that someone takes a more "active" interest in figuring out how to send your company's prized birds into a flaming death spiral.
Of course, all this assumes you are what you claim to be. You could very well be (as another poster suggested) a cleverly disguised troll.
I mean, geez. Shame on you for submitting, and shame on Cliff for posting it. Doesn't the
(Moderators, feel free to mod this appropriately. I have more than enough Karma, thank you)
Security through obscurity is essential (Score:2, Interesting)
The most obvious example of this principle is in encryption. In both public- and private-key schemes, it is essential that you obscure your keys (or private keys) from view in order to maintain secure communications. It works the same way with other methods, such as keeping the command structure of a sattelite secret. If no one knows the command structure, they might as well be brute forcing an encrypted message, because a command could be just about any length to be valid.
So really, people here should be very careful when speaking in absolutes. It doesn't work when comparing the performance of operating systems, and it certainly doesn't work here.
Your professor said to do your own homework (Score:3, Funny)
Sniff the connection? (Score:2)
What about pre-programming the satellite to change encryption keys on a schedule or something? What does 802.11 do to generate new keys in a secretive way?
Smokescreen (Score:2)
Maybe as part of the obscurity is security protection, a jamming signal should be broadcast at the time commands are sent. The jammer would use a vertical dipole to provide bogus packets to sniffers while the high gain antenna reaches the satelite with the valid signal. The dish sidelobes could be easly hidden from sniffers. Has anyone thought of implimenting the jamming the sidelobes?? Any command should have a time code and rolling code included so any record and rebroadcast attack will not be accepted. For as much money that goes into the birds, innexpensive security could save a lot of insurance money.
Some Answers from a Sat Engr (Score:2)
2. It is entirely possible to reverse engineer the telemetry and command databases. I know a guy who used to do this to Soviet satellites for a living. They could control Soviet birds however they willed.
3. I'll let others with more knowlegde on IPSEC to give a specific reccomendation. I am leery of this concept, however, given the historical security of anything attached to the Net.
It's really all just a matter of motivations. People listen to satellite telemetry all the time. Many of them reverse engineer it. Some can get images from the weather birds, but never try to command. Expect some eavesdropping, unless the bird goes really far away and requires >5 meter dishes to get a usable signal.
And remember, the CIA managed to "borrow" a Soviet Luna probe on world tour. They disassembled it, documented the design, and rebuilt it to get it to the destination in a pretty serious all-nighter. The Soviets never gave any indication of knowing.
Oh, and remember - keep the arrays pointed at the Sun.
It's not just the data (Score:2)
One thing the submitter failed to say was which type of orbit the satellite in question has obtained. This can make a huge difference. If it's a geosynchronous orbit, you know exactly where your satellite is at all times and (hopefully) you can also point it's dish right back at you. You would want to prevent people from snooping your signal in the first place. People can't reverse engineer a signal that can't be perceived from a convenient location.
My guess, though, is that this particular satellite isn't in such an easy orbit. That's fine, but extra measures should be considered. One neat trick if you're designing a satellite is have the longest wavelength as possible. That makes it very hard to intercept communications (even though they go everywhere, even deep in the ocean). The U.S. Naval command sends messages to submerged submarines using a wavelength on the order of 2 meters. If a really large dish is required just to talk to the satellite in orbit, someone is gonna notice when a guy builds a replica in his back yard.
Okay, that's all for initial designs. Here's what I suggest as something you can change now, without much fuss. Forget about encryption nearly entirely. I'm guessing that the satellite does have a clock (and ideally it sets itself to the GPS signals). Now, the satellite should only obey signals that arrive between pre-set times (though it can behave as though it's really going to act, as a foil attempt). Second, the ground station should send commands followed by a signature--like PGP signatures. The satellite's software should easily be able to confirm that the message is authentic. No need to encrypt--since no one else can reproduce the signature. If the signature is valid, the orders are carried out. If the signature is bogus, the command is logged and relayed back to ground later for inspection.
DOS attacks are more difficult to deal with. My personal feeling, though, is that if this particular satellite must have updates every day or so, you're in trouble anyways. Perhaps you can find a way to ensure about 3 days worth of commands can be in queue, in the event that the satellite is unreachable. That will keep it roughly in its orbit. Then, if a DOS attack does come, you'll have those three days to track the source. That should be plenty of time. Also, and I could be wrong, but most "hackers" or whatever prefer a much more immediate result. They would want to do the DOS attack, see the satellite go down in flames or whatever. Waiting 3 days for something to happen... all the while being searched out... is likely to make the hackers very, very scared. I would be shocked if they transmit more than a day, personally.
Security through Obscenity (Score:2, Funny)
Not that big of an antenna... (Score:2, Informative)
Satellite security (Score:4, Insightful)
Yes, absolutely! Ham radio operators have done moonbounce and many of them routinely communicate via satellite (transmitting to a satellite and receiving signals from someone else transmitting to a satellite - "hamsat"). There are also RF amplifier designs that would surely overwhelm (or at least degrade) your signals. Anyone with technical knowledge of RF and some skills at putting a system together could DOS you. Of course, these signals could be traced so that the DOS could not last very long without serious risk to the perpetrator.
IS THERE A RISK OF DECIPHERING COMMAND CODES?
Again, yes. In order to decipher these codes all a one has to do is locate in the vicinity of your physical command center, buy (or build) a receiver capable of detecting the frequencies you use, and put up an antenna (under the guise of amateur radio if necessary). Now they can sniff your uplink and downlink. Once you have access to both of these it's only a matter of time and intelligence before they determine your data structure.
IS PHYSICAL SECURITY ENOUGH?
No. Information within a company can be likened to a conspiracy and no conspiracy is ever safe. Someone, at some time, will see their own self-interest as higher priority than the group's interest. A perfect example of this is CIA's Project Jennifer (the Hughes Glomar Explorer). The newsworthiness of the project overwhelmed some of the participants with a sense of their own self-interest and they told news agencies.
Someone at your facility has probably already told someone else NOT at your facility enough details to allow them to do your system harm, if they wished.
SHOULD THIS INFORMATION BE ENCRYPTED?
Yes, absolutely! What's more, it should be encrypted under a method that will allow the key to be changed on a regular basis.
Given the expense of losing control of a satellite, the costs of security would be a pittance in comparison. Given what you've told us about the signals security at your facility, I imagine that the physical security and network security (does anyone have a modem in their desktop so they can work from home?) is likewise not very good. I would recommend a thorough analysis of all of these.
Transmitter not a barrier to entry... (Score:2)
When in the service, we'd regularly use an 8 foot dish (about 45db gain) and transmit anwhere from 5 to 20 watts. You might be able to jam a scientific satellite with a strong signal, but the military jobbers (and prolly the commercial comm sats too) have multi-horned directional antennaes, so the operator can shut off signals from a certain part of the "ground", say, California, but still be able to talk to the rest of it's line of sight.
Anyways, you can get commercial gear for less than $10,000 USD that would give you the capability to communicate with a great many satellites.
Think of it in terms of physical security (Score:2)
Your uplink is publicly accessable, and therefore should require some sort of key. The strength of the lock should be determined by the ratio between needed security and money available for the lock. Sure, it'll cost a few k in development costs to put a better lock on, but think about the money lost if the satellite drifted under the control of a hacker, and you didn't have the fuel to put it back.
Of course. telling a group like this that your satellites are largely unprotected is like telling a kid the candy store is unlocked and no one is watching.
The other issue is that your customers likely have insurance on the sats. It may be that a good encryption system will lower the insurance cost, and thus make your sats more valuable when people start hacking into them.
-Adam
thats too far. (Score:2)
Physical security is very important in order to stop someone from screwing with your bird, and what he laid out seems good, as long as the people supporting it adhere to its design.
If you are broad casting data from a satalite, anyone can pick it up. If it's encrypted, then it becomes difficut to trans lates that data into something meaningful, but people can still recieve it, it is just a radio signal.
TTAC Locations and timing required to hack a bird (Score:5, Informative)
Motorola controlled the Telemetry Tracking And Control (TTAC) function for Iridium's birds. The satellites were controlled through, of all things, SNMP! Yes, its true. SNMP issued commands controlled the basic functions of the satellite. Commands were issued from TTAC's to the birds as they passed overhead. One can only communicate when the satellite is over the horizon of the transmitting/receiving TTAC, you can't just broadcast a signal from anywhere and hope the satellite gets it. NExt, you can only communicate with a satellite thats listening. Power consumption is a critical issue in satellites (no 120v ac in space.) Therefore, the satellites only listen and transmit when they are overhead of a TTAC. The signal must be coming from or going to the general area of the TTAC (its directional). Because they communicate as they travel overhead, the distance involved, etc, this creates a distorted egg shaped signal "footprint" around the TTAC. When the bird is directly overhead, the footprint is shaped like a circle (for Iridium, approx 20 miles diameter), then back to an egg shape as the bird approaches the far horizen. Any HAM/hacker wanting to snoop or squash the TTAC signal must be in the general vacinity of the TTAC in order to be able to receive or transmit effectively.
Motorola had several issues that are probably prevalent thoughout the commercial sat industry. First, the TTAC stations WERE connected to the rest of the Motorola network, which in turned connected to 3rd party networks, and on an on. Even though Firewalls, ACL's were used, they were based on very general rules, usually restricting to broad networks. Also, dial-in was supported on routers throughout the network for maintenance, so the best way around the Firewalls would simply be Soc. engineering a router password and dial-up the TTAC router/switch.
This could be achieved by: Located the TTACS for the satellite in question, usually public info. Get any phone numbers at that location you can. WAR dial a range of numbers around the TTAC numbers and note any Cisco devices answering. Use the SE'd passwd on the discovered Cisco dialups until you find a winner. Once in, either swipe the control apps for your own transmitter/reviever, or perform a one time attack since you unlikely to get a second chance one they notice.
SIDE NOTE: There is NO chance of anyone ever using a satellite to crash into another bird. It takes motorola several months just to move 1 bird from orbit A into adjacent orbit B. Fuel is extremely limited on these things. Besides, picture the entire earth as a parking lot with 50,100 or even 500 hundred cars continuously driving around on it. What is the likely hood any of them will ever collide, much less run into each other. Now imagine it with each car having 1 gallon of gas to use. The logistics now become very clear.
jamming (Score:5, Interesting)
It's certainly possible, and it's called "jamming". This costs a lot for plain random troublemaking; it takes a steerable dish and a fairly high powered transmitter, with a big electric bill. It seems rather unlikely someone with that budget would spend it just to mess up a science experiment. But unless considerable effort goes into protecting a satellite, jamming it would be small potatoes for a military operation.
There are some substantial (but very secretive) defense contractors making radio and radar jammers for the US military. To jam a satellite using a fixed command frequency, you just point a dish at it and transmit at the same frequency with at least as much power as the actual command center. (I mean power delivered to the satellite antenna -- that's a product of the actual power and the transmitter dish's directionality.) The two signals basically add together, so if the jammer just sends a non-varying signal it's quite likely that the receiver will still be able to pick the commands off the top. But just about anything that varies without too much predictability will do for a jamming signal -- white noise, classical music, Slim Pickens yodeling, Howard Stern...
The most common method of defeating jamming is to change the frequency. Every so often, computers on the ground and in the satellite compute a psuedo-random number, and change to that frequency. It's easy to do that once or more a second, and the jammer is not going to be able to find the new frequency fast enough. (Assuming the number sequence is secure, against both espionage and cryptographic reverse-engineering.) However, if they _really_ want to knock you off the air, it's possible to transmit a very high powered broad-band signal to jam all the channels at once. If there are 1,000 possible channels, the jammer has to be 1,000 times as powerful. Do that to a US military satellite, and I think you will knock it out for a while, but: (1) in a few minutes the satellite orbit will take it out of view from your dish; (2) unless you're a nuclear power, eventually they'll get permission to send a cruise missile into your ground station; (3) That much broadband power will mess up other communications as well, and get other countries mad at you. There are stories that the Soviets used to play a little with our satellites and vice-versa, but nothing serious because both sides had too much to lose...
Another protection against jamming is to use a very directional receiving antenna, so any jammer would have to be on territory you control. This also substantially reduces the required transmitter strength. The problem is keeping that receiver dish pointed at home. In a satellite, you would have to also have an omnidirectional backup antenna, to use to re-gain control if the satellite tumbles. This makes it more complex and expensive than frequency-hopping.
An example of GPS DOS (Score:3, Interesting)
Xix.
Re:Protect the satellites (Score:2, Funny)
Is your satellite steered by an SSME or Energia? (Score:2)
With thrusters that can put out about as much as you could fart, only for maybe a few hours tops before they died, you needn't lose any sleep over the prospect of being bopped on the nose by the great-grandson of TIROS I.
Even if you had perfect control over a sat, steering it to do as much as dinging another sat would be like playing billiards on Kennedy Field, starting in opposite corners; or perhaps like blindfolding yourself and trying to pick up the same grain of sand from a beach, by itself, twice running.
To get yourself hijacked, you'd need to hit some turkey on the fine line between smart enough to break it, and dumb enough to think you can drive it like Zidgel from the 3-2-1-Penguins videos does his ship (hint: it's a manual withthree-on-the-tree shift).
``What happened? Did the landing gear fall off or something?'' (-: