Security Analysis of Satellite Command and Control Uplinks
By Brian Oblivion, L0pht Heavy Industries
With every passing day we are becoming aware of the fragile link
between technology and modern society. Many critical information paths
flow over satellites orbiting our earth. A box floating in space seems
to be a likely target for hacker groups or renegade nation-states.
As sensational as such a satellite takeover would be, it is highly
unlikely. These satellites cost millions of dollars, and an adequate
sum of money is devoted to make sure it remains under the control of
the intended parties.
This document attempts to perform an analysis of security methods used
by Government/Military Ground Stations. This information is a summation
and review of open-source non-classified information taken from the
Internet and other printed sources. Most information is from NASA
operations procedures; however, references from those procedures
influence, and are influenced by, military SATCOM standard operating
procedures.
There are two methods of compromising a satellite by an external threat
vector.* One is an attack directly on the Satellite by a rogue Ground
Station. The second is an attack on the Master Ground Station (MGS),
which houses the command and control (C&C) Uplink, and various access
control equipment. An outside attacker may not have all the resources
necessary to attack the C&C uplink, such as the equipment that encodes the
commands and the transmission to the spacecraft. This driving factor
makes the assault on the MGS all the more appealing.
A great deal of work has been put into securing the C&C Uplink. The
spacecraft command processor authenticates every command sent to it.
The C&C data is often encrypted and decrypted in the spacecraft. The
downlink is often unencrypted, however, in the military arena, this is
often encrypted as well. Various transmission modes can be used but in
the military/government arena spread spectrum (SS) or frequency hopping
(FH) is generally employed using secure spreading or hopping sequences.
SS and FH are used due to their anti-jamming and low probability of
intercept characteristics.
In the unlikely event a rogue Ground Station actually acquired the
sequence to get a command burst to the satellite, the MGS would begin
to receive telemetry indicating that a command channel is being accessed.
Responses from the satellite to the rogue Ground Station would be received
at both locations. The MGS would see a response to a request it did not
send and a flag would be raised at which point contingency plans would be
set in motion. It would also be very difficult for a rogue Ground Station
to supply the proper command sequence field, unless the MGS is being
monitored. This is highly unlikely in the case of the armchair hacker,
pointing and clicking his way to telecommunications Godhood.
By far the path of least resistance is obtaining control through
compromising the security of the MGS. While long term control may not
be achievable, there is the possibility of spoofing a command message
to the uplink operators and having them pass that information to the
satellite. Scientific Exploration and commercial satellites usually
conform to the CCSDS telecommand frames and the military/government uses
something similar. Information on these command frames and command
syntax is available through the Internet.
A set of checks and balances exist within the MGS. If a command request
exceeds pre-defined parameters, the command is flagged and escalated to
an authority to determine the nature of the exception. Interception,
modification, and re-submission of a command message is of the greatest
risk. However, the attacker would require an in-depth knowledge of the
target system and have knowledge of the normal operational parameters
so exceptions would not be flagged, revealing his presence. Once a
command is determined valid by the spacecraft command processor, the
command is sent back to verify the proper command was indeed received
and awaits acknowledgement. Further analysis of the command processor
and actual checks performed on the sequence and syntax of commands
received are beyond the scope of this document.
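The two MGS-side checks described above, the unsolicited-response flag (a response to a request the MGS did not send) and the pre-defined parameter limits that escalate an out-of-range command, can be modelled in a few lines. The following is an added example, not code from the article or from any ground station software; the command names, parameter limits and the echo/acknowledgement flow are constructed for the demonstration and stand in for a real command dictionary.

```python
"""
Toy model of two defensive checks at a Master Ground Station (MGS).

1. Parameter bounds: a command request whose parameters fall outside the
   pre-defined limits is not uplinked; it is flagged and escalated.
2. Unsolicited-response detection: every command the MGS uplinks is logged
   by sequence number. A command echo arriving in the downlink telemetry
   that matches no outstanding MGS request raises an alarm, as does an
   echo whose contents differ from what the MGS actually sent.

All command names, parameters and limits are constructed for this example
and are not any real spacecraft's command dictionary.
"""
from dataclasses import dataclass, field

# Constructed command dictionary: command name -> parameter -> (min, max)
COMMAND_LIMITS = {
    "THRUSTER_BURN": {"duration_s": (0, 30), "thrust_pct": (0, 40)},
    "ANTENNA_POINT": {"azimuth_deg": (0, 360), "elevation_deg": (-5, 90)},
}


@dataclass
class Command:
    seq: int
    name: str
    params: dict


@dataclass
class Disposition:
    ok: bool
    reason: str


@dataclass
class MasterGroundStation:
    next_seq: int = 1
    # seq -> Command that has been uplinked and still awaits the spacecraft echo
    outstanding: dict = field(default_factory=dict)
    alarms: list = field(default_factory=list)
    escalated: list = field(default_factory=list)

    def check_limits(self, name, params) -> Disposition:
        """Compare a request against the pre-defined parameter limits."""
        limits = COMMAND_LIMITS.get(name)
        if limits is None:
            return Disposition(False, f"unknown command {name}")
        for key, (lo, hi) in limits.items():
            if key not in params:
                return Disposition(False, f"missing parameter {key}")
            value = params[key]
            if not (lo <= value <= hi):
                return Disposition(False, f"{key}={value} outside [{lo}, {hi}]")
        extra = set(params) - set(limits)
        if extra:
            return Disposition(False, f"unexpected parameters {sorted(extra)}")
        return Disposition(True, "within limits")

    def submit(self, name, params):
        """Operator submits a request. Returns the sequence number if the
        command is uplinked, or None if it was flagged and escalated."""
        verdict = self.check_limits(name, params)
        if not verdict.ok:
            self.escalated.append((name, dict(params), verdict.reason))
            return None
        cmd = Command(self.next_seq, name, dict(params))
        self.next_seq += 1
        self.outstanding[cmd.seq] = cmd  # awaits the spacecraft's echo
        return cmd.seq

    def receive_echo(self, seq, name, params):
        """The spacecraft echoes an accepted command. Acknowledge it only if
        it matches an outstanding request the MGS itself sent."""
        cmd = self.outstanding.get(seq)
        if cmd is None:
            # A response to a request this MGS never made: someone else is
            # talking to the spacecraft, or telemetry is being replayed.
            self.alarms.append(f"unsolicited command echo seq={seq} ({name})")
            return False
        if cmd.name != name or cmd.params != params:
            self.alarms.append(f"echo seq={seq} does not match uplinked command")
            return False
        del self.outstanding[seq]  # verified; acknowledgement would be sent here
        return True


if __name__ == "__main__":
    mgs = MasterGroundStation()
    print(mgs.submit("THRUSTER_BURN", {"duration_s": 10, "thrust_pct": 20}))
    print(mgs.submit("THRUSTER_BURN", {"duration_s": 600, "thrust_pct": 20}))
    print(mgs.receive_echo(1, "THRUSTER_BURN", {"duration_s": 10, "thrust_pct": 20}))
    print(mgs.receive_echo(7, "ANTENNA_POINT", {"azimuth_deg": 90, "elevation_deg": 10}))
    print(mgs.escalated, mgs.alarms)
```

The point of tracking outstanding requests by sequence number is that the check works even if the echo itself is well-formed: the MGS does not need to decode who sent the command, only to notice that it has no record of sending it.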
Due to these checks, one command sending the satellite spiraling out of
orbit is just not possible without the addition of catastrophic equipment
failure. Remember that satellite position is also tracked by third
parties. In the event that a satellite makes a change in course, the MGS
of that satellite would be immediately notified. There are other checks
in place that monitor the heartbeat of a satellite. Should that satellite
move, its associated beam spot would become disturbed, resulting in loss
or degradation of communications.
There are overrides to the normal safeguards for emergency spacecraft
commanding. As long as an override provision exists, there is the
possibility of the exploitation of that provision. However, the override
can only be engaged by onsite MGS personnel. Manual overrides are a
requirement for every MGS. In the event that the computerized frontend
is compromised in some fashion, be it of malicious intent or equipment
failure, commands can be relayed to the spacecraft directly from manual
command consoles.
The nature of Satellite communications often dictates that Ground
Stations are not necessarily located in the most convenient locations.
Quite often they are located in remote regions and/or at sea. This
requires a distributed networking architecture as well as
interoperability definitions. NASA in particular has been moving from its
highly proprietary legacy systems to more commercial-off-the-shelf (COTS)
hardware. One must realize this obscurity once provided additional
security to the network. The current trend in commercial security
offerings is a reactionary role to security management. Holes remain
to be identified until the units are shipped to the end user and often
not found until the device is in operation.
Some MGSs are known to be connected to live internetworked nets.
These nets are often treated as sensitive, yet unclassified, to support
interoperability. Security policy governing the nature of the systems
which are hosted by the satellites defines the security of the MGS
network. Where interoperability is not an issue, the chances of
compromising the system without physical access to the MGS are remote.
Institutional security policy sets directives in employing firewalls and
restrictive routers. Intrusion detection systems may also be employed
between closed networks. SecurID, Kerberos, and biometric access controls
are found throughout the commercial/government/military access controls.
Access is usually restricted by IP address. Firewalls and routers have
been known to be accidentally misconfigured, and often remain that way
for lengthy periods of time due to inadequate penetration testing and
security fault analysis. An offline proof-of-concept security prototyping
lab is a requirement for integrating a new access control system into the
operational environment. A good institutional security policy will
require such facilities.
Many safeguards have been built into the existing C&C uplinks. Key
management systems are classified, as is information on implementation
of cryptographic systems used. There may be holes in the implementation,
but with the other safeguards, the chances of successfully undermining the
security mechanisms are slim. One can never underestimate the human
factor in these systems. To poke holes in security policy is human.
Hopefully this article has shed light on the criteria which may lead to MGS
compromise and direct satellite C&C uplink attack. The chances of
something along these lines actually happening without new techniques or
heretofore unknown methods being employed are remote, but not impossible.
----------------------------------------------------
* A third attack vector could be an attack from within. Poisoning the
flight software on the satellite, or the software used to interact with
the satellite, bypassing required security provisions.
Code review could diminish this threat.