Data flowing through a satellite network operated by
Globalstar, which provides communications services and equipment to militaries,
oil companies, and many other organizations. “I can say with 100-percent
confidence I did inject data back into the network,” Colby Moore, who works for
a network security company called Synack, told reporters at
the Black Hat cybersecurity conference here.
Many organizations use Globalstar products to monitor assets
in remote locations — say, equipping a fleet of trucks deep in the wilderness
with satellite modems that periodically send their locations and operating
conditions back to headquarters. The modems use the STX3 transmitter
chip to send the data
up to Globalstar’s orbiting Simplex constellation, where it is sent around the
globe and back down to the proper ground station.
The STX3 doesn’t encrypt the data before it
sends it. For less than $1000, Moore bought a simple software-defined radio
system and a few other components to assemble a transceiver that allowed him to
sniff the data as it headed into space.
He discovered that not only could he read the GPS coordinates that told him exactly
where the Globalstar-equipped assets were, but he was able to add his own fake
information to the stream.
So far, he’s only been able to hack the uplink, not the
downlink, but the data is the same, so stealing from the downlink doesn’t
present a particularly tough challenge, he says.
Moore said he told company officials about the vulnerability
more than a month ago. They responded with concern, said Moore. Since
that time But patching the Simplex network is likely impossible.
How big a problem is this? If you rely on Globalstar’s
Simplex network, your communications may be far more naked — and changeable —
than you realize. A lot of military personnel use satellite phones and
satellite tracking to communicate back home from dangerous deployments. Oil and
gas companies use satellite-based geo-tracking to keep tabs on
multimillion-dollar oil shipments. A lot of aviators use satellite tracking to
reassure air traffic control that their plane isn’t deviating from course.
Journalists and relief workers operating in dangerous locations often use
satellite tracking so that they can be found in case they are kidnapped or
go missing.
So what if an outsider can change your data in transit?
Consider how the military might react if a small private plane appeared to be
deviating from its flight path, making a beeline toward the White House. Or how
the Navy might react if supertankers in the Strait of Hormuz suddenly vanished.
Or how the Army might react if an enemy somehow knew just where to find U.S.
Globalstar has responded to repeated
media inquiries with a statement offering assurance (but no real proof) that
the situation was largely under control: “Our engineers would know quickly if
any person or entity was hacking our system in a material way and this type of
situation has never been an issue to date. We are in the business of saving
lives daily and will continue to optimize our offerings for security concerns
and immediately address any illegal actions taken against our company.”
Then there are the vulnerabilities in infrastructure.
Globalstar’s satellite tracking is “used heavily in [supervisory control and
data acquisition] systems, water pipeline monitoring,” said Moore. And in June,
the company announced that it would
integrate its services with Lockheed Martin Flight Services to provide
satellite location data to non-commercial pilots. (Lockheed Martin says that
Flight Services doesn’t use data from Globalstar for air traffic control
purposes, only for search and rescue.)
It’s not immediately clear just how many militaries rely on
the company’s Simplex network. Pentagon officials could not immediately respond
to requests for comment. But Spain and other NATO allies have well-publicized business
contracts with the company.
And Globalstar’s testimonial page offers this note from a U.S. Army captain
who was operating in Iraq: “I can’t even begin to tell you what a lifeline your
phone has been for us. You should know that one of my fellow soldiers was able
to hear the cry of his newborn son thanks to your system. It is
much appreciated.”