Vulnerabilities / Threats // Advanced Threats
8/7/2014
10:00 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

No Fixes In Sight For Satellite Terminal Flaws

At Black Hat USA, a researcher who in April revealed weaknesses in popular satellite ground terminal equipment found on air, land and sea, demonstrates possible attack scenarios.

BLACK HAT USA -- Las Vegas -- Back in April, when security researcher Ruben Santamarta first went public with serious security flaws in the firmware of satellite land equipment that could allow attackers to hijack and disrupt communications links to ships, airplanes, and military operations, only one of the affected vendors had responded to his findings.

Santamarta in a presentation on his research here Thursday at Black Hat USA said the satellite terminal vendors with gaping holes in their products have no plans to patch or fix the shortcomings, which include hardcoded passwords, backdoors, insecure protocols and undocumented protocols. Some contend that the issues are not flaws but acceptable features in their products. Santamarta reported his findings to the CERT Coordination Center, which then alerted the satellite vendors in January of this year.

Hughes, for example, stated that the digital backdoors are a "normal" and common practice in commercial products for retrieving lost or forgotten passwords, says Santamarta, principal security consultant with IOActive.

"I expected to find some security issues [with these devices] but the backdoors and ability to upload software without authentication, these things are very" serious, Santamarta told Dark Reading.

Specifically, he found that an attacker could completely compromise the systems, run malware, install malicious firmware and even send an SMS text to spoof the communication to a ship, for example. "They can spoof messages and trick the ship to follow a certain path, or to rescue another ship. They can disrupt communications... if a vessel can't send a distress signal, that's the worst scenario, if a ship can't communicate," Santamarta explained in an April interview after his initial findings were first published.

In the case of an airplane, the in-flight airline WiFi network is vulnerable to malicious behavior, he says, because the Cobham AVIATOR 700 satellite terminals sit on the WiFi network. The danger, he says, is an attacker gaining control over the Satellite Data Unit or the SwiftBroadband Unit interface by taking advantage of the weak password reset feature, hardcoded credentials or the insecure protocols in the AVIATOR 700.

"More specifically, a successful attack could compromise control of the satellite link channel used by the Future Air Navigation System (FANS), Controller Pilot Data Link Communications (CPDLC) or Aircraft Communications Addressing and Reporting System (ACARS). A malfunction of these subsystems could pose a safety threat for the entire aircraft," writes Santamarta in his white paper on the findings.

But "we're not crashing planes here," Santamarta says. Even so, disrupting ACARS messaging could pose a safety risk, he says.

Cobham said an attacker would need physical access, or the network would have to have been improperly installed, for the attack scenarios Santamarta presented. The company also said over-the-air communications requires user authentication, and hardcoded passwords cannot be used.

With any of the vulnerabilities in the various satellite terminals, the attackers would have to have some knowledge of the inherent firmware and its weaknesses, as well as how to exploit them.

Santamarta's findings mirror that of many other so-called embedded commercial systems. Billy Rios, director of threat intelligence at Qualys, here yesterday revealed his latest findings on Transportation Safety Administration (TSA) checkpoint systems, namely that the TSA's Kronos 4500 time clock system used by TSA agents to clock in and out with their fingerprints, contains two different hardcoded passwords that can only be changed by the vendor.

"A lot of embedded systems have lame vulnerabilities. Name your embedded system, it's going to have" some basic security weakness, says Marc Maiffret, CTO at BeyondTrust.

[From Google hacking to ATM "jackpotting" to the NSA -- Black Hat has had some memorable moments over the years. Read 10 Dramatic Moments In Black Hat History.]

Santamarta studied and reverse-engineered the firmware of satellite terminal equipment from Cobham, Hughes, Inmarsat, JRC, Iridium, and Thuraya. 

"If you have physical access to any of these devices, it's over," Santamarta says. "You can compromise all the devices" on that network, he says.

Security experts say hardcoded credentials in hardware is a recipe for disaster. "Using hard-coded username and passwords from hardware manufacturers without another layer of protection is security suicide," says Ken Balich, CISO at Authentify. "All of these vulnerabilities and breaches stem from two things:  failures in network security thinking to understand and counter emerging threats, and following the old adage 'I don't need more security until something happens.'  Unfortunately that's too late and many can pay a steep price."

Santamarta's full report is available here (PDF).

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Kelly Jackson Higgins
50%
50%
Kelly Jackson Higgins,
User Rank: Strategist
8/12/2014 | 12:29:38 PM
Re: distressing and depressing
Indeed! I do think, though, that this is a case where the good guys are trying to get ahead of the bad guys. Let's hope that the industry in question here gets the message and offers fixes before the bad guys start to figure this out.
Sara Peters
50%
50%
Sara Peters,
User Rank: Author
8/12/2014 | 12:19:58 PM
distressing and depressing
It's one thing when an organization is slow fixing vulnerabilities; it's another when they flat out say that they're not going to fix vulnerabilities. Or won't recognize that they're vulnerabilities.  Here's hoping that Ruben's findings really are worst case scenario and that they won't be manipulated by the bad guys.
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-3409
Published: 2014-10-25
The Ethernet Connectivity Fault Management (CFM) handling feature in Cisco IOS 12.2(33)SRE9a and earlier and IOS XE 3.13S and earlier allows remote attackers to cause a denial of service (device reload) via malformed CFM packets, aka Bug ID CSCuq93406.

CVE-2014-4620
Published: 2014-10-25
The EMC NetWorker Module for MEDITECH (aka NMMEDI) 3.0 build 87 through 90, when EMC RecoverPoint and Plink are used, stores cleartext RecoverPoint Appliance credentials in nsrmedisv.raw log files, which allows local users to obtain sensitive information by reading these files.

CVE-2014-4623
Published: 2014-10-25
EMC Avamar 6.0.x, 6.1.x, and 7.0.x in Avamar Data Store (ADS) GEN4(S) and Avamar Virtual Edition (AVE), when Password Hardening before 2.0.0.4 is enabled, uses UNIX DES crypt for password hashing, which makes it easier for context-dependent attackers to obtain cleartext passwords via a brute-force a...

CVE-2014-4624
Published: 2014-10-25
EMC Avamar Data Store (ADS) and Avamar Virtual Edition (AVE) 6.x and 7.0.x through 7.0.2-43 do not require authentication for Java API calls, which allows remote attackers to discover grid MCUser and GSAN passwords via a crafted call.

CVE-2014-6151
Published: 2014-10-25
CRLF injection vulnerability in IBM Tivoli Integrated Portal (TIP) 2.2.x allows remote authenticated users to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.