[ISN] Report: Satellites at Risk of Hacks

From: InfoSec News (isnat_private)
Date: Fri Oct 04 2002 - 02:23:34 PDT

  • Next message: InfoSec News: "[ISN] Microsoft Issues Four Security Bulletins"

    By Kevin Poulsen
    Oct. 3, 2002 
    Critical commercial satellite systems relied upon by federal agencies,
    civilians and the Pentagon are potentially vulnerable to a variety of
    sophisticated hack attacks that could cause service disruptions, or
    even send a satellite spinning out of control, according to a new
    report by the General Accounting Office, the investigative arm of
    The GAO report, dated August 30th but not released publicly until
    Thursday, criticizes the White House for not taking the
    vulnerabilities into account in its national cybersecurity planning, a
    criticism it also extends back to the Clinton administration.
    The focus of the report is on satellite systems which are used
    extensively by the federal government, but like many critical
    infrastructures are in the hands of the private sector.
    Among the weaknesses investigators found: some satellite companies
    don't encrypt the tracking and control uplinks through which the
    satellites are controlled from the ground, making them vulnerable to
    spoofing, with potentially dire results. "If false commands could be
    inserted into a satellite's command receiver (spoofing the receiver),
    they could cause the spacecraft to tumble or otherwise destroy
    itself," reads the report.
    "It is also feasible to insert false information or computer viruses
    into the terrestrial computer networks associated with a space system,
    either remotely or through an on-site connection," the GAO found.  
    "Such an attack could lead to space system degradation or even
    complete loss of spacecraft utility."
    Such an attack could impact military operations, the report claims,
    citing a Department of Defense (DOD) study that found that commercial
    satellites were used for 45 percent of all communications between the
    U.S. and forces in the Persian Gulf region during Desert Storm. "The
    importance of commercial satellites for DOD is evident during times of
    conflict," the GAO concluded.
    The study does not attempt to rate the likelihood of such an attack,
    and found that there are some significant safeguards in place -- for
    example, some companies deliberately use extremely high-power
    transmitters to control their satellites, making it unlikely an
    attacker could overpower the authentic signal with a fake one.
    Regulations Ignored
    But the level of security varies significantly, the report found, and
    with little regulation governing satellite security, commercial
    providers have little incentive to invest in costly solutions.
    One federal policy initiated in January 2001 theoretically requires
    satellite providers handling national security communications to meet
    minimal cybersecurity standards, but the report found that not a
    single company was entirely compliant with the directive, which is
    missing an enforcement mechanism.
    "Some satellite service providers view compliance ... as not necessary
    for selling services to the government, since in the past agencies
    have used satellites that did not comply with prior security policy,"  
    the report found. "For example, DOD has contracted for services on
    satellites that were not compliant with the previous and existing
    policy for various reasons. However, at times, noncompliant satellites
    have been DOD's only option."
    The GAO lists several past satellite glitches, intentional and
    accidental, beginning with the 1986 "Captain Midnight" hack, in which
    a worker at a commercial satellite transmission center in Florida
    briefly took over HBO, interrupting an airing of the Falcon and the
    Snowman with a text message protesting the pay TV channel's new
    scrambling system.
    In 1998, the accidental failure of the Galaxy IV satellite disrupted
    over 35 million pagers across the United States for two to four days,
    and blocked credit card authorization of point of sale terminals.
    The report notes that, except for GPS vulnerabilities, satellite
    systems were ignored in President Clinton's cybersecurity efforts, and
    are faring no better under the Bush administration's cybersecurity
    "Given the importance of satellites to the national economy, the
    federal government's growing reliance on them, and the many threats
    that face them, failure to explicitly include satellites in the
    national approach to [critical infrastructure protection] leaves a
    critical aspect of the national infrastructure without focused
    attention," the GAO concludes.
    A spokesperson for the President's Critical Infrastructure Protection
    Board didn't immediately return a phone call on the report Thursday.
    The report was produced shortly before last month's unveiling of the
    White House's draft National Strategy to Secure Cyberspace, which
    doesn't address satellite system vulnerabilities, but generally
    eschews any new regulation of critical infrastructure providers.
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.

    This archive was generated by hypermail 2b30 : Fri Oct 04 2002 - 05:10:48 PDT