Forwarded from: The Unknown Security Person http://online.wsj.com/article/SB115825338124263225.html Satellite Interference Indonesian Hackers Show How Easy It Is To Get Data From the Sky September 15, 2006 JAKARTA, Indonesia -- How safe is your satellite? Satellites are nothing new: They've been in orbit for nearly half a century, since the Soviets launched Sputnik 1 in 1957. The first commercial geosynchronous satellite -- hovering in the same place above the earth's surface and allowing transmission of telephone, television and radio -- was launched in 1965. They keep us in touch with each other. But they aren't invulnerable. A couple of Indonesian hackers -- computer geeks who like to test other people's defenses -- have found a way into a commercial satellite and have published some details of how they did it. While some are skeptical about the hackers' claims, they raise some questions because our data, whether phone conversations, Internet traffic, flight reservations or even banking transactions, are carried by satellites, often without encryption. The hackers' point: While satellite communication systems have made enormous advances in capability and performance, security hasn't kept pace, leaving current satellite systems vulnerable. The problem is this: A satellite is just another way to get information from point A to B, like your telephone line, a message in a cleft stick, or a fiber-optic cable. It's still about data moving from one point to another, with the possibility that a bad guy may try to intercept it. The only difference is that it's in the sky. That introduces some problems, to companies using satellites and to hackers trying to get into them. Until recently, the advantage lay with the former, but that may no longer be the case. Let me introduce the hackers: Jim Geovedi, a 28-year-old from Jakarta-based security consultancy PT Bellua Asia Pacific; and Raditya Iryandi, a 26-year-old hacker. On Aug. 17, they set up a satellite dish in the garden of a house in the Java hill city of Bandung and, amid $2,000-worth of cabling, computer screens and what looked like kitchen scales, captured data being transmitted by a commercial satellite. A video of what they did shows this data scrolling across a computer screen; there's nothing sensitive in there, but there could be. They're keen to stress they didn't do anything with the data, but they've proved they can access it. "If someone knows the basics of setting up a network and...a little bit about satellites and, the most important thing, (has) the right equipment, he or she could do the same thing as I did," Mr. Geovedi says. Mr. Geovedi informed Indonesian law enforcement agencies before conducting the experiment, Fetri Miftach, director for professional services at Bellua, said. Indeed, the hackers have also held discussions with law enforcement officials since about improving satellite security against possible terrorist attacks. Mr. Fetri said that as far as the company knows there is no Indonesian law that would cover hacking a satellite. So how hard is what they did? Mr. Geovedi won't go into detail, but says not very. They used a 3.7-meter dish, but could have used an ordinary satellite-TV dish. (They had to use the bigger one because of a problem with a neighbor's house blocking the signal, he explains.) A Web site lists all the nonmilitary satellites in orbit, along with identification numbers and frequencies. If you know which companies use which satellites, you're already some of the way to tapping into their data streams. This, Mr. Geovedi says, is easy in Indonesia since its geography -- a string of islands -- makes satellites the cheapest and most practical way for companies' branches to communicate with each other. The last piece of the puzzle, Mr. Geovedi says, is to take advantage of human error, where a backdoor is left open by a misconfiguration, or a factory setting is left unchanged. If it's this easy, why hasn't it been done before? It has, says John Pironti, principal security consultant at Pennsylvania-based technology-services company Unisys Corp., which has worked on security issues for clients that use satellite communications -- but it's not "as well publicized as (ordinary) Internet attacks because it is not as well understood." Mr. Pironti declines to give more detail, except to say targets have been commercial satellites rather than military. Hackers, he says, tend to go for the easiest and cheapest way into data, and satellites aren't at the top of that list. Mr. Geovedi would seem to confirm that. He says he and others have known how to do this for several years, and only decided to do it now because he felt the public needed to know about it. It's worth stressing that no sensitive data was found or captured. Neither was anything loaded into the satellite's computer -- false data, or an attempt to hijack the satellite itself and throw it off course. But all these things are possible. Even data such as transactions from automatic teller machines are based on the same protocols as ordinary Internet traffic and so aren't that hard to interpret, says Mr. Geovedi. And Mr. Pironti says that in places where landline connectivity such as copper wire or fiber-optic cable isn't available or cost-effective, companies and governments use satellites to communicate all sorts of data. The other thing to stress is that there are a lot of old satellites up there -- satellites have an average lifespan of between 10 and 15 years -- and it was one of those that Mr. Geovedi was targeting. More modern satellites are better protected, although probably not invulnerable. The problem, Mr. Pironti says, is twofold. First, it's expensive to send technicians into orbit to upgrade the hardware, meaning that we'll be relying on some elderly tin cans for a few years to come. Secondly, sending data via satellite is more expensive than sending it via land, so those doing the sending are keen to keep costs low. This means sending the smallest amount of data they can, leaving off any encryption that swells the size of what they transmit. David Kennedy, a senior consultant at Ohio-based technology security consultants SecureState, says that while in theory all data being transmitted by satellite are vulnerable, he would be shocked if sensitive data such as ATM traffic weren't fully encrypted and hard for hackers to get into. Says Wicak Soegijoko, Singapore-based commercial head for data services at Asian mobile phone satellite operator ACeS International: "It's possible, just, that most satellites are protected against" the kind of attack the Indonesian hackers showed. That said, we should be concerned. This kind of attack may not be new, or particularly sophisticated, but it does undermine the conventional wisdom that hacking into a satellite is something only the big boys, with lots of money, equipment and power, can do. As satellite use grows, as hackers get more adventurous, and as prices for the tools involved fall, these kinds of attacks are bound to increase. "Hackers are always looking for the easiest ways to capture information," says Mr. Pironti of Unisys, "and as terrestrial systems become more complicated and as encryption becomes more widely used, a motivated and capable adversary will look to see where else can they go for that is a weak link in the chain. The satellite is that weak link." _________________________________ HITBSecConf2006 - Malaysia The largest network security event in Asia 32 internationally renowned speakers 7 tracks of hands-on technical training sessions. Register now: http://conference.hitb.org/hitbsecconf2006kl/
This archive was generated by hypermail 2.1.3 : Sun Sep 17 2006 - 22:34:30 PDT