Hackable satellite signals may be impossible to patch
Security researcher Colby Moore plans to demonstrate this week at the Black Hat security conference how to intercept and even fake location-tracking satellite signals. The vulnerability could give thieves new ways to steal valuable cargo.
It's the middle of the night. Police dispatchers receive a frantic call from a shipping company: one of its drivers triggered a silent alarm to indicate thieves were stealing his cargo. But when officers arrive, they don't find anything or anyone there. That's because, in movie-like fashion, the thieves tampered with the satellite signal transmitting the truck's location and sent officers to the wrong place. Ten miles away, at the actual scene of the crime, the robbers are moving the cargo into their own truck.
That hypothetical situation is a real concern, says Colby Moore, research engineer at the cybersecurity firm Synack. On Wednesday, he'll present research at the Black Hat security conference detailing how to hack devices using the Globalstar satellite system: devices used to track assets including armored cars, airplanes, boats, cargo, and even people. Globalstar and similar systems use "spread spectrum" communications that quickly switch frequencies so that it's difficult for any would-be eavesdroppers to track signals. But Mr. Moore developed a way around that safeguard to intercept Globalstar signals and, potentially, broadcast his own: an attack method that may never be patched in many legacy systems.
Passcode spoke with Moore about Globalstar, the state of satellite hacking research, and what this means for the future of other devices that transmit and receive location data from broadcast signals. Edited transcripts follow.
Passcode: This isn’t the first talk someone has given about satellite hacking, but it’s one of the first ones to give practical instructions on how to do it on a specific system.
Moore: I have always been a little frustrated that the talks about satellites were kind of the same, the same software stuff year in, year out. The security aspects are always theoretical. So I wanted to take a stab at it myself and see what we could do.
Globalstar's consumer product offerings are things like personal asset trackers and personal locator beacons – the beacons for when you're out hiking in the woods or out sailing, so that emergency responders can come find you. Asset trackers track your vehicle in case it gets stolen or something like that. And the same chips from their consumer products are used across the board in a bunch of commercial and military products, as well.
It's used in a lot of data systems, reporting statuses for remote stations like dams, oil driller operations, and other stuff that's located where there's no cell phone coverage. It's used in emergency response services – so if you're a terrorist who wants to take the ship that uses the system, you could report a false emergency for the ship 100 miles away while you sink the ship, and send emergency responders to the wrong spot.
But I think the more interesting scenario is going to be transit of high value assets: armored cars, shipping containers, things like that. You can easily see that this device stops at the bank every day. It's clearly an armored car. You could enable your own transmitter to show the truck was on track when in reality you're taking it off somewhere else.
The chips are meant to be integrated by third parties, so there are going to be lots of types we don't know. But, for me, the doomsday scenario would be a war. These devices really are used to track shipping of critical aid to troops. I would hate to see a foreign adversary using this technology to target the fly lines and things like that.
Passcode: How would someone do that? How do you hack a Globalstar signal?
Moore: The Globalstar satellites are what's called a "bent-pipe" architecture. Any data transmitted up is simply repeated by the satellite back down. Ground locations on the earth receive the data and process it to the Internet, where the consumer retrieves it. So it's only a one-way channel from the device to Globalstar.
It means the signal going up is really the same little signal that comes back, so if you intercept it on the up-going, you can intercept it on the down way. You need a little more equipment and a little more engineering to do it on the down link, so I just focused on intercepting on the uplink for now and the next phase will be intercepting data on the downlink.
Globalstar uses spread spectrum broadcasts, but that's not really a form of encryption. I think a lot of manufacturers rely on this as kind of security. There's no encryption, there's no signing [to authenticate a transmission came from the right source], there's no security on these packets at all. Essentially, we reverse engineered the data format and the checksum, so we can recreate our own packets.
If you were to set up at one of the ground stations, you could really monitor transmissions for a 2,000-mile radius. That's good enough to cover a whole country.
I really believe this vulnerability to be unpatchable. I think they can do better going forward and they can reengineer a new protocol or a new layer on top of the system they already have, but it's going to be impossible to patch all the devices in the field, many of which don't even support firmware upgrades. They're going to have to continue to support these legacy systems indefinitely.
Passcode: Is Globalstar aware this might be unpatchable?
Moore: I contacted Globalstar about 180 days ago. I got an e-mail from someone in the engineering division saying this is really interesting research, we're obviously interested in hearing more, send us more details. I sent him more details but never heard back. So I don't really know where it stands. They knew I was going to disclose at the conference, I told them I was going to talk about all of this and they didn't put up a fuss about that to me. It will be interesting to see if they reach out, if they make any sort of public statement.
Passcode: If I am a Globalstar customer, what do I do?
Moore: At this point, there's really nothing the average consumer can do. I think that they should be alerted that this vulnerability exists. I think people tend to assume that all communications are secure. Your average Joe may not be concerned about this, but if you're Bill Gates you may not want someone knowing where you are at all times, so Globalstar needs to at least be transparent that this data isn't secured in transit.
If you're a corporation using these devices, you probably need to talk to whoever is integrating this stuff for you. Integrators really kind of have the power going forward. They're the ones that control how the data is formatted and sent over the air. Globalstar has a suggested protocol that works with their back-end system. But if you created your own back-end system, you'd be able to use an authentication algorithm and implement your own encryption on top of this Globalstar data packet layer.
I guess you just need to accept that the risk is there, that it's probably not going to be patched or at least anytime soon.
Passcode: Is it worth changing satellite providers?
Moore: Honestly, I can't comment on that. But I tend to be pretty skeptical. I bet half of them out there have the same issue.
Passcode: For these satellite companies – or anyone – is it negligent to not have a patchable system?
Moore: Yes and no. I think the answer has changed over time. When these systems were initially introduced around 2000, I don't think it was negligent because I think it would have been much more costly, both to solve and to use in an attack. Going forward, I do think it's negligent with how cheap just flash memory is and how easy it is to upgrade things.
These providers – any industrial communications device, tracking device, or even the Internet of Things – need to build for continuous updates. There's a lot of systems on planes, for example, where the only way to upgrade the software is to put the airplane in a maintenance bay and have a tech come out with a USB drive. That just doesn't scale. You have all these kind of critical infrastructure providers not thinking about the upgrade path going forward.
Passcode: So, what now for this research?
Moore: I'm starting to hit the limits of my time and of my knowledge. So I'm reaching out to kind of the security community to maybe partner up on this. I'm releasing all this code that I want to collaborate on. It's time-intensive research – I've been working on this for nine months of nights and weekends. I really just want to get more eyes on it. At that point the goals are to intercept data on the downlink as well as the uplink, and then that way we can start aggregating a ton more data and see where these devices are used, where the devices go, what type of systems they might be on.
I think this research is applicable across the board to all the satellite providers so I want to see everyone start looking at the different providers now that the consumer is kind of begging for security. It's definitely in the forefront of everyone's mind.
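Moore's suggestion that an integrator with its own back end can add authentication on top of the unsigned Globalstar packet layer, worked through as an added example that is not part of the interview and not Globalstar's or Synack's code. The packet layout, field sizes, device key and coordinates are all assumptions constructed for the demo; a real deployment would also wrap the position fields in an authenticated cipher, which is omitted here.

```python
import hmac
import hashlib
import struct

# Assumed payload layout for illustration only (not Globalstar's real format):
# device_id (uint32) | counter (uint32) | lat, lon (int32, micro-degrees) | 16-byte truncated HMAC-SHA256
BODY = struct.Struct(">IIii")
TAG_LEN = 16

def build_packet(key: bytes, device_id: int, counter: int, lat: float, lon: float) -> bytes:
    """Tracker side: pack the position fix and append a tag keyed with the device's secret."""
    body = BODY.pack(device_id, counter, round(lat * 1e6), round(lon * 1e6))
    tag = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag

class BackEnd:
    """Integrator's back end: accepts only authentic, non-replayed packets."""
    def __init__(self, device_keys: dict):
        self.keys = dict(device_keys)      # device_id -> per-device secret key
        self.last_counter = {}             # device_id -> highest counter accepted so far

    def verify(self, packet: bytes):
        if len(packet) != BODY.size + TAG_LEN:
            return None, "bad length"
        body, tag = packet[:BODY.size], packet[BODY.size:]
        device_id, counter, lat, lon = BODY.unpack(body)
        key = self.keys.get(device_id)
        if key is None:
            return None, "unknown device"
        expected = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):   # constant-time comparison
            return None, "bad tag"                    # forged or tampered packet
        if counter <= self.last_counter.get(device_id, -1):
            return None, "replay"                     # an old packet re-broadcast
        self.last_counter[device_id] = counter
        return (device_id, counter, lat / 1e6, lon / 1e6), "ok"

def demo():
    """Constructed scenario: one genuine fix, then a replay of it, then a spoofed position."""
    key = b"constructed-demo-key-not-for-real-use"
    backend = BackEnd({0x1001: key})
    genuine = build_packet(key, 0x1001, 1, 37.7749, -122.4194)
    results = [backend.verify(genuine)[1]]            # "ok"
    results.append(backend.verify(genuine)[1])        # "replay"
    # Without the key, rewriting the position leaves the tag stale, so the back end rejects it
    spoofed = BODY.pack(0x1001, 2, round(40.0 * 1e6), round(-74.0 * 1e6)) + genuine[BODY.size:]
    results.append(backend.verify(spoofed)[1])        # "bad tag"
    return results
```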