SATCOM Attacks: Hijacking Antennas and Frying Electronics

LAS VEGAS—In 2022, Ruben Santamarta presented a talk at Blackness Lid that outlined potential vulnerabilities in satellite communications systems (SATCOM). Four years afterwards, Santamarta returned with some sobering news: his proof-of-concepts from 2022 were far more conservative than the truth.

In the class of his research, he found the GPS coordinates of armed forces SATCOM systems, botnets on boats, and aircrafts inflight that were remotely attainable from the cyberspace. Along the way, he discovered that it's possible to weaponize hijacked SATCOM systems.

Santamarta, principal security consultant the security company IOActive, previewed his talk before at Black Hat. He revealed his broad conclusions, and outlined some of the consequences his attacks could take. He didn't reveal the full telescopic of the vulnerabilities until subsequently in the briefing.

The issues Santamarta found were serious enough that he and his colleagues have withheld some information until vendors and relevant authorities agencies are able to implement mitigations or fixes. Santamarta also stressed that while his research involves commercial aircraft, after working with industry and regulatory agencies he determined that information technology wasn't possible to affect the safety of shipping, fifty-fifty in-flight.

Only don't worry, it's still scary and exciting.

Hacking a Moving Target, That's Also Flight

Santamarta has a groundwork in attacking SATCOM systems, but the story of this research goes back a year ago to when he took a flight from Madrid to Copenhagen.

The airline offered free Wi-Fi, then Santamarta did what whatever good researcher would do: he fired upwards Wireshark and started looking at the traffic on the public network. "I noticed I was receiving some random scans from the net on my estimator," which seemed awfully odd considering he was at least 10,000 feet higher up the ground.

It seemed like these airplanes were direct attainable from the cyberspace. Back on the ground, Santamarta confirmed his suspicions. A quick search on Shodan, a search engine for devices connected to the internet, pulled up several airplanes currently in the air. "I was able to verify that the fleets from Southwest, Norwegian, and Icelandair were exposed to the internet," he said. It's crucial to note that these systems are only in functioning when the plane is in the air; they're disabled on the ground.

Santamarta noticed that several of the devices he was seeing were from connected device and managed network provider Hughes. "In 2022, I discovered several backdoors in Hughes products," he explained. "When I saw this product was from Hughes, it was suspicious." Indeed, he found several backdoors that allowed him to gain deep command of the SATCOM system, letting him read and write to memory and install arbitrary firmware.

What Santamarta discovered was a major security risk, only not a chance to the safety of the aircraft. From the ground, he was able to access many onboard systems inclujding the in-flight Wi-Fi. That meant he could potentially attack and compromise coiffure and customer devices connected to the Wi-Fi. He wasn't, however, able to gain access to whatsoever safety systems like airplane pilot communication or navigation.

All the same, there were other threats. Santamarta found an Internet of Things (IoT) botnet attempting to install itself on the plane. Clearly, he said, this botnet didn't await to notice itself on an airplane, and wasn't successful. It wasn't the terminal botnet Santamarta would come across.

Going Armed services

After his success with commercial aviation systems, Santamarta turned his attending to military SATCOM systems. The results were not encouraging.

"I institute military machine SATCOM systems exposed to the internet, and these had a GPS unit fastened," he said. Worse, some of these systems were located in conflict zones. Being able to achieve military systems from the internet is very bad, merely beingness able to determine the precise location of that system is even worse.

"Unfortunately, this trouble is not completely fixed," said Santamarta. "[I'thousand] not providing further details until we are sure it is completely mitigated."

Maritime Commotion

By far, the worst vulnerabilities Santamarta discovered were in the maritime sector. Here, he focused on Intellian SATCOM systems.

Things did not bode well when he went to the company'southward website looking to download a copy of the firmware and discovered that their Amazon S3 buckets were completely exposed. That turned out to exist reflected in the company's SATCOM systems, which were chock full of backdoors, insecure protocols, and buffer overflows.

"You lot can get root in hundreds of means, so that's no problem," quipped Santamarta. Many of these SATCOM systems were accessible from the internet. "There are dozens — hundreds of [Antenna Control Units] exposed," he said.

Every bit with the commercial shipping, these devices were already under attack. "It was worse," he said. "In this example, it was already exposed to the Mirai botnet," said Santamarta. "They were using an insecure password that was implemented [in the botnet]."

On phase with Santamarta was one such maritime SATCOM system. To demonstrate the kind of control he was able to exert over these devices, Santamarta had the communications dish mimic the movements he fabricated onscreen while playing a game nigh shooting Nazis.

Demonstrating that he had control over a SATCOM unit, Santamarta used it to kill (virtual) Nazis at #BlackHat2018
Also notable, he could potentially utilise the SATCOM antenna every bit a weapon, maybe burning skin or causing electronics to malfunction. pic.twitter.com/ZlrmibEXAf

— Bitter, Tired, and Sweaty (@wmaxeddy) Baronial ix, 2022

Unlike the other vendors and agencies Santamarta and his team worked with, the maritime sector was less responsive. "Nosotros were unable to contact Intellian," he said. We can assume that these systems are still vulnerable to attack.

Frying Skin and Electronics With SATCOM

Any arrangement connected to the internet when it doesn't demand to be is bad, but SATCOM systems offer unique opportunities.

"An antenna is only a way to expose or transmit radio frequencies, which is electromagnetic free energy," explained Santamarta. If he could increment the output, information technology would be possible to plough the transmitter into an offensive weapon. "We have the ability to transmit whatever we want, to command the antenna positioning," he said.

Exposure to loftier-levels of electromagnetic (EM) radiation has consequences for both humans and electrical systems. "We can potentially fire people, or we tin potentially create [a] malfunction in electrical systems," Santamarta explained. Looking at pictures of antenna placement on cargo and cruise ships, he theorized that compromised antennas could be used to burn passengers or crew, and potentially cripple critical shipboard electronics.

I'm and so pumped for this. #BlackHat2018 moving-picture show.twitter.com/NHGgf5ngms

— Biting, Tired, and Sweaty (@wmaxeddy) Baronial ix, 2022

Proving it is another matter. Broadcasting outside of certain frequencies can get you in problem with regulatory agencies, which is a big trouble. However, Santamarta found the equations used to calculate the operational ranges of these devices on the FCC website. Using these, he was able to mathematically model antenna functioning and conclude that, indeed, these antennas could be pushed across their intended output. At that place are supposed to exist software blocks to prevent this, simply Santamarta evaded them hands.

That's not the case for commercial aircraft, still. Because of government regulations, at that place's a required distance between aircraft at airports. "At this distance in that location is no risk for the safety of people or instruments," explained Santamarta.

Part of this is because high-powered radio antennas take been used in airports for decades. "They have been exposed to high intensity radio frequencies for years," Santamarta said. "They have developed the compensating controls and the mitigation for whatsoever kind of problems with RF attacks."

Aircrafts are designed with this in mind. "The regulatory level that the aircrafts comply with is higher than the electric field we can accomplish," said Santamarta. "Co-ordinate to our figures, co-ordinate to the input we have received from the manufacture, we concluded there is no safe risk for the shipping."

"Even if nosotros consider we have compromised hundreds of antennas and we are pointed at the aircraft [...] we should exist prophylactic," he said.

Santamarta did mention that a scenario with multiple compromised SATCOM systems could have another target: the satellites themselves. "Every bit we command hundreds of these SATCOM terminals, it is possible to perform a disruption attack against a satellite transponder," he said.

Source: https://sea.pcmag.com/news/28821/satcom-attacks-hijacking-antennas-and-frying-electronics

Posted by: gossstrable.blogspot.com

Share this post