Crucial military satellite systems are vulnerable to hacking, experts say
Researchers have warned that military operations and flight-safety
communications are being endangered by software weaknesses
A member of staff at satellite communications company
Inmarsat in front of a screen showing subscribers using their service
around the world, at their headquarters in London, 25 March 2014.
Photograph: Andrew Winning/Reuters
A range of crucial satellite systems manufactured by
some of the world’s biggest government contractors contain severe
vulnerabilities that could be exploited to disrupt military operations
and flight-safety communications, researchers have warned.
Security consultancy IOActive says it has uncovered various
vulnerabilities in software and
ground-based satellite systems manufactured by British suppliers Cobham
and Inmarsat. US firms Harris Corporation, Hughes and Iridium were also
said to have produced vulnerable kit, alongside Thuraya, a UAE provider,
and Japan Radio Company.
The Computer Emergency Response Team based at Carnegie
Mellon University, which is sponsored by the Department of Homeland
Security, warned about a handful of the vulnerabilities in January.
But on Wednesday information on more alleged weaknesses
was released, amid growing concern the contractors are ignoring the
threats. The latest report from IOActive suggested there were some
easily hackable systems, many of which were designed for keeping
aircraft, ships and army personnel safe.
'Soldiers could be located, systems disabled'
Many of the issues lie in the Broadband Global Area
Network (BGAN) satellite receivers that the manufacturers produce with
Inmarsat, the satellite operator that provided tools vital in helping
locate the Malaysian passenger plane MH370 that crashed last month. BGAN
is designed to provide internet and voice connectivity for remote teams.
The affected Harris BGAN satellite terminals are used
by the military, including Nato, for tactical radio communications.
Thanks to the vulnerabilities, a hacker could install malicious software
on the devices to obtain the location of the soldiers using the kit, or
even disable the systems, according to IOActive.
Cobham produces most Inmarsat terminals, a handful of
which were found to be vulnerable. Those used in shipping, such as the
Ship Security Alert System, could be exploited to prevent vessels
detecting distress messages or direct those containing sensitive cargo
on a collision course, suggested Ruben Santamarta, the IOActive
researcher who found the alleged weaknesses.
The Cobham Aviator machines could be compromised to
alter satellite communications, such as the Aircraft Communications
Addressing and Reporting System (Acars), used by a plane, he added.
A 'safety threat for the entire aircraft'
Acars, which is used to transmit vital information such
as fuel levels, was initially used to track the movements of the MH370
flight soon after it disappeared, before Inmarsat stepped in to help.
Attacks on the Cobham aircraft systems could “pose a safety threat for
the entire aircraft”, IOActive’s advisory read.
Only Iridium had confirmed it was working on fixes for
the vulnerabilities. None of the other manufacturers had responded to
contact from the Cert, which had been informed of the issues by
IOActive, Santamarta said.
Neither Cobham, Inmarsat nor Hughes offered a response
to repeated requests by the Guardian to comment on the claims of
vulnerabilities of their products.
Santamarta was disconcerted by the lack of response
from the vendors. “Usually you receive a reply or an email. We have been
reporting a lot of vulnerabilities in the past. This is the first time
we've seen such behaviour. Usually, you get an email or something to
acknowledge the issue,” Santamarta told the Guardian.
The manufacturers were warned about the alleged
vulnerabilities, some of which, it is claimed, could be exploited with
little technical ability, in late 2013. The flaws are likely to have
been present in the products for at least two years, added Santamarta.
A cabinet office spokesperson provided this statement
to the Guardian: "Cert-UK is aware of the report and expects all vendors
to work to patch security vulnerabilities they are informed of. It is
important that organisations know what technologies they use and check
that they are updated regularly in order to receive critical security
patches."
http://www.theguardian.com/technology/2014/apr/17/military-satellite-system-vulnerable-hacking