Cyber-security: Small satellite dish systems called ripe for hacking

The small dish systems, VSATs, transmit often-sensitive data from far-flung locations for critical industries. A cyber-security report found thousands with 'their digital front doors wide open.'

Thousands of small satellite dish-based computer systems that transmit often-sensitive data from far flung locations worldwide – oil rigs, ships at sea, banks, and even power grid substations – are at high risk of being hacked, including many in the United States, a new cyber-security report has found.

Very-small-aperture terminals, or VSATs, are workhorses for the oil and gas industry, utilities, and even news media. Journalists send reports via VSAT from firebases in Afghanistan, energy companies gather production data from oil drilling operations, and retail outlets send sales data back to corporate headquarters every day. Banks use VSATs for transactions between branches and headquarters.

But at least 10,500 of those terminals globally are wide open to being hacked, including some used in critical US infrastructure systems, according to the new report by IntelCrawler, a Los Angeles-based cyber-security firm.

“We found thousands and thousands of these systems with what are essentially their digital front doors left wide open,” says Dan Clements, IntelCrawler’s president, in an interview. “Someone needs to be aware that there are vulnerabilities here that could affect critical infrastructure, including utilities and financial systems.”

Worldwide there are more than 2.9 million VSATs, about two-thirds based in the US, according to Comsys, another company that catalogs satellite links. These VSATs typically sit on a pedestal or pole pointing at a satellite on the horizon – sending production data or critical control information from some remote electric grid substation or oil rig. The smallest are the size of a laptop computer.

In many cases, the VSAT systems were found to use the default passwords that came from the factory and which are often published for all to see in system handbooks widely available on the Internet, IntelCrawler reported. In other cases, the VSAT may not even use a password.

Network engineers and system administrators must plug those security holes or risk having proprietary data scooped up by bad buys operating anywhere in the world, the report said.

“The fact that one can scan these devices globally and find holes is similar to credit card thieves in the early 2000's just googling the terms ‘order.txt’ and finding merchant orders with live credit cards,” the report said. “The onus is on the enterprises, governments, and corporations to police themselves.”

IntelCrawler found “lots of interesting objects,” including vulnerable VSATs that likely transmit government and classified communications.

A couple examples: the Ministry of Civil Affairs of China infrastructure and the Ministry of Foreign Affairs of Turkey were both found listed as using VSAT systems in which there was “a clear and present danger for hacks,” the report found.

But there’s another security problem. Geolocation data that physically locates vulnerable VSATs is readily available, too. Using it, a terrorist or criminal – cyber or otherwise – could use standard Internet tools like Google maps and Google Earth to visually evaluate the physical security and layout of such systems. Obviously, that’s a bad thing if it belongs to a power-grid substation or other critical infrastructure, Clements says.

Vulnerable VSATs that IntelCrawler also found include some providing communications links for climate-monitoring systems in Alaska and industrial control devices in Australia, not to mention utility systems and financial infrastructure, Clements says.

There was no single VSAT user type that was given a clean bill of health since “we found these vulnerabilities occurred across the spectrum,” he says.

Such findings appear to be in sync with those of Jason Fritz, an Australian cyber-expert at Bond University in Queensland. In a recent academic study, he also found that vulnerable VSAT-supplied Internet access to remote locations, virtual private networks, industrial control systems, and financial data each “encompasses a large amount of sensitive data that might be of interest to hackers.”

With the increasing number of VSATs comes “an increase in unsecure data being transmitted via satellites [that] may pique the interest of hackers,” Dr. Fritz warns.

But beyond just theft of data, VSATs commandeered by hackers can be used as an entry point to gain control of satellites themselves – and any networks to which they are connected, Fritz warns. His study cites a handful of reports in which satellites were hacked apparently thanks to such vulnerabilities.

“Vulnerabilities exist at all nodes and links in satellite structure,” he writes. “These can be exploited through Internet-connected computer networks, as hackers are more commonly envisioned to do, or through electronic warfare methodologies that more directly manipulate the radio waves of uplinks and downlinks.”

Beyond cyber-crime gangs, nation states are fully capable of exploiting such vulnerabilities, Clements says. Indeed, IntelCrawler released its findings amid a wave of Internet-connected insecurity spawned by revelations of how the National Security Agency sifted Internet data sluicing through satellites and fiber-optic data pipes.

Thousands of vulnerable Internet-linked critical infrastructure networks have been discovered recently. A specialized search engine called SHODAN, for instance, now makes it possible for anyone – including hackers as well as legitimate researchers – to hunt for vulnerable industrial control systems. From those web-based interfaces, such control systems can be hacked, cyber-experts say.

In this latest case, IntelCrawler found vulnerable VSATs by inventorying devices on the Internet and by focusing on satellite operators like INMARSAT, Asia Broadcast Satellite, VSAT internet iDirect and Satellite HUB Pool, Clements says.

“We haven’t looked for direct evidence in the underground that someone has compiled these vulnerabilities on VSATS,” he says. “But common sense says that if we’ve scanned it then others have, too – nation states, cyber-gangs. It’s information that’s out there.”

You've read  of  free articles. Subscribe to continue.
Real news can be honest, hopeful, credible, constructive.
What is the Monitor difference? Tackling the tough headlines – with humanity. Listening to sources – with respect. Seeing the story that others are missing by reporting what so often gets overlooked: the values that connect us. That’s Monitor reporting – news that changes how you see the world.

Dear Reader,

About a year ago, I happened upon this statement about the Monitor in the Harvard Business Review – under the charming heading of “do things that don’t interest you”:

“Many things that end up” being meaningful, writes social scientist Joseph Grenny, “have come from conference workshops, articles, or online videos that began as a chore and ended with an insight. My work in Kenya, for example, was heavily influenced by a Christian Science Monitor article I had forced myself to read 10 years earlier. Sometimes, we call things ‘boring’ simply because they lie outside the box we are currently in.”

If you were to come up with a punchline to a joke about the Monitor, that would probably be it. We’re seen as being global, fair, insightful, and perhaps a bit too earnest. We’re the bran muffin of journalism.

But you know what? We change lives. And I’m going to argue that we change lives precisely because we force open that too-small box that most human beings think they live in.

The Monitor is a peculiar little publication that’s hard for the world to figure out. We’re run by a church, but we’re not only for church members and we’re not about converting people. We’re known as being fair even as the world becomes as polarized as at any time since the newspaper’s founding in 1908.

We have a mission beyond circulation, we want to bridge divides. We’re about kicking down the door of thought everywhere and saying, “You are bigger and more capable than you realize. And we can prove it.”

If you’re looking for bran muffin journalism, you can subscribe to the Monitor for $15. You’ll get the Monitor Weekly magazine, the Monitor Daily email, and unlimited access to CSMonitor.com.

QR Code to Cyber-security: Small satellite dish systems called ripe for hacking
Read this article in
https://www.csmonitor.com/World/Security-Watch/2014/0111/Cyber-security-Small-satellite-dish-systems-called-ripe-for-hacking
QR Code to Subscription page
Start your subscription today
https://www.csmonitor.com/subscribe