
A Tale Of Two IoT Security Outcomes

Commandeered Jeep gets fixed but a 'hijacked' satellite network does not? Why Internet of Things security remains a work in progress.

Fiat Chrysler's move to recall 1.4 million vehicles this month in response to a dramatic vulnerability discovery by renowned car hackers represents a tipping point in how some major consumer/IoT product vendors have begun to take seriously the risk of hacking. But another piece of key security research -- which like the car hack of a 2014 Jeep Cherokee was revealed at Black Hat USA in Las Vegas last month -- remains at a standstill.

Globalstar, a satellite data service used for personal locator devices, tracking shipping containers, and monitoring SCADA systems such as oil and gas drilling, vehemently dismissed research disclosed at Black Hat about vulnerabilities in its service. The researcher and his firm, Synack, meanwhile, stand by their findings.

Globalstar issued a press statement on August 5 disputing research by Colby Moore, information security officer with Synack, who revealed how he was able to hack the Globalstar Simplex data service with equipment that cost him less than $1,000. Moore says an attacker could intercept, spoof, or interfere with communications between tracking devices, satellites, or ground stations because the Globalstar network for its satellites doesn't use encryption between devices, nor does it digitally sign or authenticate the data packets.

Moore says it's possible to decode the data and view it, as well as spoof it. He recently released proof-of-concept code on GitHub, which he says he's still working on with the help of other researchers.

"I wrote code that would be able to inject" phony data, he said at Black Hat, but he didn't actually do so in a live test of the service for legal reasons. "The real vulnerability is that it's [the data] in plain text and not encrypted."

That would allow an attacker to spoof information about a shipping container's contents, or a rival energy firm to spy on another firm's oil drilling operation, he says. A criminal could intercept the whereabouts of an armored truck and hijack it, for example, he says, or jam or spoof emergencies over the network.

"These aging satellite networks are a real problem. Their lifecycle in satellite systems is 30 years" or so, and they weren't built with security in mind, he said. "Firmware isn't supported or it's too far out to update," he said.

It's more about sniffing and manipulating information -- not physical sabotage, however. "This is not going to make a satellite fly sideways--this [network] isn't for control," he said in his presentation.

Moore was able to capture the data with his homegrown radio device, record it to a file, and interpret it.

Globalstar shot down Moore's research in a press statement the day after his Black Hat presentation. Efforts to reach the company for any updates on their position were unsuccessful. The company says it studied Moore's research and the "claims were either incorrect or implausible in practice."

Globalstar maintained that "many … Globalstar devices have encryption implemented by our integrators, especially where the requirements dictate such because a customer is tracking a high-value asset. Synack was also incorrect when it stated, “the protocol for the communication would have to be re-architected” when in fact, no such re-architecture is required," Globalstar claimed.

The company says its network is not "aging": "[The] … network is the newest second-generation constellation, having recently been completed in August 2013. Many claims by Synack are simply incorrect, self-serving or misinterpret key information."

Synack CEO Jay Kaplan says Globalstar didn't communicate with his firm after Black Hat. "We haven't heard from them," he says.

But vendors that use the Globalstar network and have similar technology are interested in the research and looking at locking down security, according to Kaplan, who declined to name the firms.

"There's a larger systemic problem and it's not just in the satellite industry," he says. "Anyone with a legacy system that was built generations ago and is still widely deployed [will] have a difficult time re-architecting it from the ground up.

"A lot of vendors are pushing out features and not necessarily thinking about the security implications. A lot of this research shines light on how the security standpoint needs to be looked at," he says. "IoT is a very rapidly evolving space."

Globalstar, meanwhile, maintains that security is a priority. The company said in its statement earlier this month:

"We at Globalstar take these security threats seriously and are constantly monitoring the technical landscape and upgrading our systems to protect our customers. Globalstar works with a number of organizations in a variety of industries, including governments and militaries, primarily through our reseller network. These integrators customize the solution to the customer’s needs, including encryption. For certain applications referenced in the article like nuclear materials and high-value shipping containers, encryption is generally a requirement. For individual customers tracking a jet ski or a family camping trip, encryption is generally not a requirement."

Backpackers v Foreign Correspondents

Globalstar's public response was a far cry from the reception Moore says he initially got from them nearly five months ago when he disclosed his findings to the firm. "They were pretty friendly, and seemed pretty concerned," he said.

Given that it's more of a passive attack, he said, it has a very low chance of being detected.

So what can Globalstar customers do in the meantime if they're concerned about security? Moore says it's a matter of risk assessment. "I personally still think that the service Globalstar offers works very well and is still extremely valuable. What is important for consumers is to know how their data is being transmitted," he told Dark Reading.

Vendors such as Globalstar and their integrators should be up-front about whether data is encrypted or not, and how. "Home-brewed or weak encryption is unacceptable," he says. "Users should then think about what data is being transmitted, and is it sensitive."

Integrators of the service can contact Globalstar about updates, or pressure the firm if their customer base has concerns. Or "integrators might want to start taking it upon themselves to add that additional layer of security to devices they are building," he says.
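As an added illustration (not code from the article, from Moore's proof-of-concept, or from Globalstar), here is one form the integrator-added layer could take for the missing packet authentication: each device tags its messages with a per-device key and a counter, and the back end drops anything forged, altered or replayed. The frame layout, field sizes, names and key provisioning are assumptions made for the example; it authenticates the payload but does not hide it, which would additionally call for a vetted authenticated cipher from an established library.

```python
import hashlib
import hmac
import struct

HEADER = struct.Struct(">IQ")  # assumed layout: 4-byte device id, 8-byte counter
TAG_LEN = 8                    # assumed: HMAC-SHA256 truncated to fit a small frame


def seal(key: bytes, device_id: int, counter: int, payload: bytes) -> bytes:
    """Device side: header + payload + tag computed over both."""
    header = HEADER.pack(device_id, counter)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()[:TAG_LEN]
    return header + payload + tag


class Receiver:
    """Back-end side: accepts a frame only if it is authentic and fresh."""

    def __init__(self, keys: dict):
        self.keys = keys        # device id -> per-device secret key
        self.last_seen = {}     # device id -> highest counter accepted so far

    def accept(self, frame: bytes):
        """Return the payload, or None if the frame is forged, altered or replayed."""
        if len(frame) < HEADER.size + TAG_LEN:
            return None
        header, payload, tag = (frame[:HEADER.size],
                                frame[HEADER.size:-TAG_LEN], frame[-TAG_LEN:])
        device_id, counter = HEADER.unpack(header)
        key = self.keys.get(device_id)
        if key is None:
            return None         # unknown device, no key to check against
        expected = hmac.new(key, header + payload, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return None         # spoofed or modified in transit
        if counter <= self.last_seen.get(device_id, -1):
            return None         # recorded frame played back
        self.last_seen[device_id] = counter
        return payload


if __name__ == "__main__":
    key = bytes(range(32))      # constructed demo key, not a real secret
    rx = Receiver({7: key})
    frame = seal(key, 7, 1, b"lat=36.1,lon=-115.2")   # constructed sample fix
    print(rx.accept(frame))     # genuine frame is accepted
    print(rx.accept(frame))     # the same frame sent again is rejected
```

Because the key is provisioned in advance and freshness comes from the counter, the check needs no reply channel to the device.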

Security and risk depend on the user, he says. A backpacker may not be as worried about the tracking capability being accessed, but a journalist working overseas in a dangerous region might, he says.


Meanwhile, white-hat car hackers Chris Valasek and Charlie Miller definitely got the attention that they had hoped from Chrysler. The pair demonstrated how they were able to remotely hack the Jeep, via an unnecessarily open port that ultimately allowed them to control the Jeep's steering, braking, high beams, turn signals, windshield wipers and fluid, and door locks, as well as reset the speedometer and tachometer, kill the engine, and disengage the transmission so the accelerator pedal failed. The hole was in a built-in cellular connection in the vehicle's Harman uConnect infotainment system, which gave them access to the Jeep via their smartphones on the cellular network.

Chrysler initially shipped a security update via a USB stick to Jeep owners, but then quickly issued a voluntary recall spanning 2013 to 2015 Dodge Vipers and Ram pickups; 2014 to 2015 Jeep Grand Cherokee, Cherokees and Dodge Durango SUVs; and 2015 Chrysler 200, Chrysler 300 and Dodge Chargers and Challengers.

"Chrysler handled it well. They took it on the chin and never threatened us," says Valasek, who is director of vehicle security research at IOActive. "Everyone gets to learn a valuable lesson, how a software vulnerability can affect [cars]. And a recall can happen."

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Some Guy,
User Rank: Moderator
9/8/2015 | 12:08:17 PM
Jeep Fix Available, but hardly Deployed
1.4M vehicles is a lot of service work, and a general hassle for the owners because, unlike Tesla, there is no over-the-air-update capability. (Maybe they should contract with Chris Valasek and Charlie Miller to do it for them. ;)

While we can claim Jeep got a fix, how many Chrysler vehicles affected by the hack have *actually* been updated? I think the best we can say is that a fix for this hack is available. I expect in the automotive industry's 8D, 8-step problem resolution model, this is really only step D3: interim containment. It's not even fully deployed, let alone verified as a permanent corrective action.
Joe Stanganelli,
User Rank: Ninja
8/27/2015 | 7:33:04 PM
IoT makers
This is the inherent problem with IoT.  IoT-enabled device manufacturers are not tech companies proper, lack the security mindset/culture of tech companies (not to mention the capability), and simply don't give two darns.  Perhaps that will change in the next five to ten years...or perhaps they'll keep trying to tell us that those kittens roasting in the oven are really biscuits.