Fiat Chrysler's move to recall 1.4 million vehicles this month in response to a dramatic vulnerability discovery by renowned car hackers represents a tipping point in how some major consumer/IoT product vendors have begun to take seriously the risk of hacking. But another piece of key security research -- which like the car hack of a 2014 Jeep Cherokee was revealed at Black Hat USA in Las Vegas last month -- remains at a standstill.
Globalstar, a satellite data service used for personal locator devices, tracking shipping containers, and monitoring SCADA systems such as oil and gas drilling, vehemently dismissed research disclosed at Black Hat about vulnerabilities in its service. The researcher and his firm, Synack, meanwhile, stand by their findings.
Globalstar issued a press statement on August 5 disputing research by Colby Moore, information security officer with Synack, who revealed how he was able to hack the Globalstar Simplex data service with equipment that cost him less than $1,000. Moore says an attacker could intercept, spoof, or interfere with communications between tracking devices, satellites, or ground stations because the Globalstar network for its satellites doesn't use encryption between devices, nor does it digitally sign or authenticate the data packets.
Moore says it's possible to decode the data and view it, as well as spoof it. He recently released on Github proof-of-concept code, which he says he's still working on with the help of other researchers.
"I wrote code that would be able to inject" phony data, he said at Black Hat, but he didn't actually do so in a live test of the service for legal reasons. "The real vulnerability is that it's [the data] in plain text and not encrypted."
That would allow an attacker to spoof information about a shipping container's contents, or a rival energy firm to spy on another firm's oil drilling operation, he says. A criminal could intercept the whereabouts of an armored truck and hijack it, for example, he says, or jam or spoof emergencies over the network.
"These aging satellite networks are a real problem. Their lifecycle in satellite systems is 30 years" or so, and they weren't built with security in mind, he said. "Firmware isn't supported or it's too far out to update, " he said.
It's more about sniffing and manipulating information -- not physical sabotage, however. "This is not going to make a satellite fly sideways--this [network] isn't for control," he said in his presentation.
Moore was able to record the data from his homegrown radio device and record to a file, and interpret it.
Globalstar shot down Moore's research in a press statement the day after his Black Hat presentation. Efforts to reach the company for any updates on their position were unsuccessful. The company says it studied Moore's research and the "claims were either incorrect or implausible in practice."
Globalstar maintained that "many … Globalstar devices have encryption implemented by our integrators, especially where the requirements dictate such because a customer is tracking a high-value asset. Synack was also incorrect when it stated, “the protocol for the communication would have to be re-architected” when in fact, no such re-architecture is required," Globalstar claimed.
The company says its network is not "aging": "[The] … network is the newest second-generation constellation, having recently been completed in August 2013. Many claims by Synack are simply incorrect, self-serving or misinterpret key information."
Synack CEO Jay Kaplan says Globalstar didn't communicate with his firm after Black Hat. "We haven't heard from them," he says.
But vendors that use the Globalstar network and have similar technology are interested in the research and looking at locking down security, according to Kaplan, who declined to name the firms.
"There's a larger systemic problem and it's not just in the satellite industry," he says. "Anyone with a legacy system that was built generations ago and is still widely deployed [will] have a difficult time re-architecting it from the ground up.
"A lot of vendors are pushing out features and not necessarily thinking about the security implications. A lot of this research shines light on how the security standpoint needs to be looked at," he says. "IoT is a very rapidly evolving space."
Globalstar, meanwhile, maintains that security is a priority. The company said in its statement earlier this month:
"We at Globalstar take these security threats seriously and are constantly monitoring the technical landscape and upgrading our systems to protect our customers. Globalstar works with a number of organizations in a variety of industries, including governments and militaries, primarily through our reseller network. These integrators customize the solution to the customer’s needs, including encryption. For certain applications referenced in the article like nuclear materials and high-value shipping containers, encryption is generally a requirement. For individual customers tracking a jet ski or a family camping trip, encryption is generally not a requirement."
Backpackers v Foreign Correspondents
Globalstar's public response was a far cry from the reception Moore says he initially got from them nearly five months ago when he disclosed to the firm his findings. "They were pretty friendly, and seemed pretty concerned," he said.
Given that it's more of a passive attack, he said, it has a very low chance of being detected.
So what can Globalstar customers do in the meantime if they're concerned about security? Moore says it's a matter of risk assessment. "I personally still think that the service Globalstar offers works very well and is still extremely valuable. What is important for consumers is to know how their data is being transmitted," he told Dark Reading.
Vendors such as Globalstar and their integrators should be up-front about whether data is encrypted or not, and how. "Home-brewed or weak encryption is unacceptable," he says. "Users should then think about what data is being transmitted, and is it sensitive."
Integrators of the service can contact Globalstar about updates, or pressure the firm if their customer base has concerns. Or "integrators might want to start taking it upon themselves to add that additional layer of security to devices they are building," he says.
Security and risk depend on the user, he says. A backpacker may not be as worried about the tracking capability being accessed, but a journalist working overseas in a dangerous region might, he says.
[Researchers now have proven -- and shown in grand style -- that you can hack a car remotely. Read Car Hacking Shifts Into High Gear .]
Meanwhile, white-hat car hackers Chris Valasek and Charlie Miller definitely got the attention that they had hoped from Chrysler. The pair demonstrated how they were able to remotely hack the Jeep, via an unnecessarily open port that ultimately allowed them to control the Jeep's steering, braking, high beams, turn signals, windshield wipers and fluid, and door locks, as well as reset the speedometer and tachometer, kill the engine, and disengage the transmission so the accelerator pedal failed. The hole was in a built-in cellular connection in the vehicle's Harman uConnect infotainment system, which gave them access to the Jeep via their smartphones on the cellular network.
Chrysler initially shipped a security update via a USB stick to Jeep owners, but then quickly issued a voluntary recall spanning 2013 to 2015 Dodge Vipers and Ram pickups; 2014 to 2015 Jeep Grand Cherokee, Cherokees and Dodge Durango SUVs; and 2015 Chrysler 200, Chrysler 300 and Dodge Chargers and Challengers.
"Chrysler handled it well. They took it on the chin and never threatened us," says Valasek, who is director of vehicle security research at IOActive. "Everyone gets to learn a valuable lesson, how a software vulnerability can affect [cars]. And a recall can happen."