hack with na
TRANSCRIPT
-
8/13/2019 Hack with Na
1/25
WSRF 2012, Dubai
Hacking Risks for Satellites
Felix FX Lindner
Head of Recurity Labs
-
8/13/2019 Hack with Na
2/25
WSRF 2012, Dubai
Agenda Review of hacker interest
in satellites Motivations and Methods Current and emerging
trends in satellite hacking Lessons from computer
security challenges insimilar fields
Recommendations for
secure design andoperation
-
8/13/2019 Hack with Na
3/25
WSRF 2012, Dubai
History of Hacker Interest Generally, hackers are interested in
everything that is technologicallychallenging
I was introduced into hacking by
people who broke into Russianmilitary/spy satellites for imagery Astra signals were decoded by
hackers using Commodore C64home computers
Satellite Pay-TV used to be thedriver of interest
-
8/13/2019 Hack with Na
4/25
WSRF 2012, Dubai
Satellite Hacking Presentations atBlackHat and DEFCON
Year Title
1998 Low Earth Orbit Satellites
1999 Future & Existing Satellite Systems
2003 Satellite TV Technology2004 Weaknesses in Satellite Television Protection Schemes
2007 How to freak out your Satellite Navigation
2007 Satellite Imagery Analysis
2009 Satellite Hacking
2010 Playing in a Satellite Environment
-
8/13/2019 Hack with Na
5/25
-
8/13/2019 Hack with Na
6/25
WSRF 2012, Dubai
Motivation Drives Goals
0%
10%
20%
30%
40%
50%
60%
70%
80%
90%
100%
Confidentiality
Integrity
Availability
-
8/13/2019 Hack with Na
7/25
WSRF 2012, Dubai
Days of Attack
-
200
400
600
800
1,000
1,200
1,400
1,600
1,800
2,000
Anonymous LulzSec Recreational Cybercrime Military BlackHat Services
-
8/13/2019 Hack with Na
8/25
-
8/13/2019 Hack with Na
9/25
WSRF 2012, Dubai
Satellite Assisted Hacking Most satellite hackers come from DVB background
Accordingly, they keep their hardware as it is and explore 32% of all easily observable satellite traffic is now some
corporations network traffic (TCP/IP) The satellite downlinks provide the most convenient attack
path into corporate networks The ability to see one part of all the communication
enables many attacks that are otherwise a lot harder Reputation databases for IP address blocks have a
dedicated field for Satellite Provider
-
8/13/2019 Hack with Na
10/25
-
8/13/2019 Hack with Na
11/25
WSRF 2012, Dubai
Breaking Satellite Phone Encryption
Secret encryption algorithms developed by EuropeanTelecommunications Standards Institute (ETSI)
Researchers from Ruhr University Bochum (Germany)simply obtained the respective phones and reverse
engineered them GMR-1 turned out to be similar to GSM A5/2 Cipher text only attack possible due to design flaw Requires about 30 minutes on a standard PC
GMR-2 is only slightly better Design weaknesses allow known plaintext attacks
-
8/13/2019 Hack with Na
12/25
WSRF 2012, Dubai
Future Targets TT&C intrusions in order to obtain control when it
is needed More intelligence in satellite payloads (e.g. IP
routing) highly increases chance of successfuldirect attacks
Removes the need to attack TT&C Nations could consider attacks on launch control
systems in order to prevent new military satellitesfrom reaching orbit
-
8/13/2019 Hack with Na
13/25
WSRF 2012, Dubai
LESSONS FROM THE FIELD
He who doesnt understand history is doomed to repeat it. And whenit's repeated, the stakes are doubled. - Pittacus Lore
-
8/13/2019 Hack with Na
14/25
WSRF 2012, Dubai
The Domain Knowledge Myth One of the most common myths:
The domain specific knowledge required toattack our stuff is not readily available.
Disproved countless times in all domains
Keep in mind that we are no longer talking about bored teenagers A few quotes from hackers describing satellites:
Higher -level protocols may be standard TCP/IP, plaintext, encrypted,or some totally imaginary 17 bit codeword system.
The weak link are satellites themself. When you build a satellite, youdon't care about security, but you care about MTTF (mean time to fail)and MTTR (mean time to repair).
All I'm saying is, it's hardly rocket science.
-
8/13/2019 Hack with Na
15/25
WSRF 2012, Dubai
The Secret System Myth Assumption that the attacker needs specifications of
your system in order to attack it is wrong Reverse engineering is what drives many people. You
are providing an incentive, not a deterrent! Secret encryption is the worst form of the secrecy
myth In 1883 Auguste Kerckhoffs defined in the design
principles for military ciphers (now known asKerckhoffs Principle): It must not be required to be secret, and it must beable to fall into the hands of the enemy withoutinconvenience.
Common Weakness Enumeration CWE-656: Relianceon Security Through Obscurity
-
8/13/2019 Hack with Na
16/25
WSRF 2012, Dubai
False Focus People tend to look at potential security threats to
their system by how they would attack it Lack of formal threat modeling uses up all the time and
budget in the wrong place Firewalls, anti- virus, intrusion prevention
Even most penetration tests are done wrong! You cannot attack this TT&C, its in production! The hidden agenda is often to limit the scope of a
penetration test to the maximum level of ineffectiveness,in order to look good to higher management andcustomers
-
8/13/2019 Hack with Na
17/25
WSRF 2012, Dubai
DESIGN AND OPERATION FOR SECURITY
It can be done right.
-
8/13/2019 Hack with Na
18/25
WSRF 2012, Dubai
Threat Modeling Threat Modeling is a well established process to
holistically determine possible attacks, mitigations anddefenses of a complex system
Identifies processes, external actors, data stores and data
flows Establishes expected trust and process boundaries Results in data flow diagrams (DFD) of increasing detail
Systematically working though all threats automaticallydetermined from the DFDs models attacker process
Results in efficient investment of the scarce defenseresources
-
8/13/2019 Hack with Na
19/25
WSRF 2012, Dubai
Test and Audit
The only way to really know is to try it Use people with a track record in such things.
They may be harder to get, but they are worth it. Follow your threat model
Dont exclude components from 3 rd parties Verify the promised properties of everything
Once you know what you can rely on andwhat not, you have won half of the battle
-
8/13/2019 Hack with Na
20/25
WSRF 2012, Dubai
The Environment Dictates Everything
There is no one size fits all We have developed solutions in automotive, aerospace
and medical environments Specialized cryptography protocols Multiple secure fallback mechanisms Zero maintenance scenarios
Several of our customers are now 5+ years ahead oftheir industry, while their competition makes the news
in undesirable ways The longer the lifetime of your product, the better securitythe payoff from early security investments
-
8/13/2019 Hack with Na
21/25
WSRF 2012, Dubai
CONCLUSION
Predictions are hard especially if they concern the future Halvar Flake
-
8/13/2019 Hack with Na
22/25
WSRF 2012, Dubai
Satellites are Collateral Targets
1. High-end attackers focus on high profiletargets
2. High profile targets make ever increasing useof satellite communications
3. Everything in the satellite infrastructure is aperfect vantage point for the attackers
Satellites will be attacked to hit their customers
-
8/13/2019 Hack with Na
23/25
WSRF 2012, Dubai
Thank you.
Recurity Labs GmbH, Berlin, Germany
http://www.recurity-labs.com
Felix FX LindnerHead
-
8/13/2019 Hack with Na
24/25
WSRF 2012, Dubai
Felix FX Lindner Founder, technical and research lead of a high-end
security consulting and research team 23 years of computer programming 15 years of attack specialization 10 years of speaking at IT-security conferences First remote exploit against Cisco routers First attack programs running on HP printers First network router forensics system First provably secure solution for Adobe Flash
-
8/13/2019 Hack with Na
25/25
WSRF 2012, Dubai
Recurity Labs GmbH Program code audits for security and reliability
30+ programming languages, 15+ CPU architectures Security Architecture and Design
Reviews, verifications and proofs Invention, development and prototyping
Challenging customer base Large scale scenarios
Long living products Non standard requirements