The wave of cyber threats has evolved rapidly in the last years in the pace of technological evolution. Attackers are posing a growing challenge to satellite fleet operators and raising questions on the level of security to ensure also for commercial satellites, security experts are convinced that they need to be “hardened” exactly like the secure military satellites. Principal cyber powers such as the US and UK fear a possible offensive from foreign hostile governments, non-state actors and even single hackers, but it is it is undeniable that the main concerns are related to the aggressive behavior of China, especially in this area. Chinese hackers, probably state-sponsored entities, have already gained access to US satellite; these incidents demonstrated the urgent need to secure both military and commercial satellites from external attacks and intrusions. The article will show various techniques of attack against satellites and potential risks related to sabotage operations and to intrusion for cyber espionage. It tries to explain the meaning of satellite hacking and to provide information about the principal vulnerabilities of this category of systems.

State of the Satellite Industry

The global satellite industry is a subset of both the global telecommunications and space industries. The revenues are divided into 62% for space sector and 4% for telecommunications. The global satellite industry grew 7% in 2012; according to data presented by the Satellite Industry Association in its most recent report issued in June 2013, the global satellite industry revenues in 2012 are $189.5 billion). It has been estimated that there are over 1,000 operating satellites as of year-end 2012, more than half of which are communications satellites. Following are the data on operational satellites by function: These figures are impressive, especially if it is considered the global economic crisis that has decimated other industry sectors. More than 50 countries operate at least one satellite.

Figure 1 – Global Satellite Industry Revenue – SIA The overall satellite industry is characterized by constant growth. The data related to orders for the next months confirm the sector’s excellent status. The industry is attracting huge investments, mainly from government entities. The quantity of information daily managed by these architectures is impressive, and the capability to protect them from attacks must be improved. The figures proposed give us an idea of the business behind the satellite industry and security issues are among primary concerns for the sector. Satellites play a significant role in communication, early warning systems, global broadcasting, meteorology, navigation, reconnaissance, remote sensing, and surveillance. Satellite services cover practically every sector, from mobile cellular communication to telemedicine, so any interference with them could have a serious effect. Satellites are a strategic asset for any country and are considered as “critical infrastructure,” therefore they are considerable as privileged targets for a possible cyber attack.

About Principal Threats

In a recent presentation titled “Satellite hacking,” a popular IT security expert listed the following top 10 threats:

Tracking – tracking over web data and software

Listening – listening with the right equipment, frequencies, and locations

Interacting – protocols and authentication used, radio transmissions need official license!

Using – take over a bird or a TT&C [use payloads, make pictures, transmit something (DVB or radio)]

Scanning/attacking – anonymous proof of concept in 2010 by Leonardo Nve Egea, scanning, DoS, and spoofing possible

Breaking – old technologies used (X.25, GRE)

Jamming – jamming well-known frequencies for satellites

Mispositioning/Control – transponder spoofing, direct commanding, command reply, insertion after confirmation but prior to execution

Grilling – activating all solar panels when exposed to sun, overcharging energy system

Collisioning

Jamming

Jamming is probably the best-known satellite hacking technique; the attacker floods or overpowers a signal, a transmitter, or a receiver, interfering with legitimate transmission. Interference has become the primary cause of the impairment and degradation of satellite services. The hackers use a directed antenna to produce the interference, usually a specifically crafted signal having enough power to override the original transmitted signal. Satellite jamming is a hacking method often used to interfere with communication for distribution of media for censorship purpose. The two forms of satellite jamming are “orbital” and “terrestrial”:

In orbital jamming, the attacker sends a beam of contradictory signals directly toward a satellite via a rogue uplink station. The jamming signals are mixed with the legitimate signals, thus interfering with them. The jamming signals are able to override the legitimate transmission, blocking its transmission to the recipient.

Figure 2 – Orbital jamming

In terrestrial jamming, the attacker transmits rogue frequencies in the direction of terrestrial targets (ground satellite dishes). Rather than targeting the satellite itself, as is the case in orbital jamming, terrestrial jamming involves transmitting rogue frequencies in the direction of local consumer-level satellite dishes. The jamming frequencies are limited to a specific area and are able to interfere only with the frequency emanating from the satellite in a specific location. Small, portable terrestrial jammers are easy to purchase and use; they typically have a range of 3-5 kilometers in urban areas, while in rural areas their range can increase to up to 20 kilometers.

Figure 3 – Terrestrial jamming The jamming attack could be directed against satellite receiving an uplink or against a ground station or user terminal receiving a downlink; the flooding of an uplink is considered the most damaging attack because it is able to saturate/destroy all possible recipients. Otherwise, jamming attacks against a terrestrial device could cause minor damages by impacting a limited portion of the satellite architecture, since downlink jamming is a reversible attack and it affects only users within line of sight of the jammer. Uplink jamming has relatively less impact because it can interfere with the transmission of a satellite over a broad area but only for a temporary period and it does not permanently harm the target system. The uplink jamming of the control link can prevent a satellite from receiving commands from the ground; it can also target user-transmitted data, thus disturbing the recipients. An uplink jammer must have at least the same power of the signal it is attempting to block and, during the attack, it must be located within the footprint of the satellite antenna it is targeting.

Figure 4 – Satellite Jamming The most concerning aspect of jamming attacks is that they can be undertaken using off-the-shelf technology and the detection and attribution of intermittent jamming can be difficult. In 2006 testimony before the House Armed Services Committee Strategic Forces Subcommittee, Lieutenant General Robert Kehler highlighted that the U.S. military has already experienced jamming on commercial systems it leases. The analysis of commercial SATCOM links over a 16-month period during Operation Iraqi Freedom found 50 documented instances of interference with military communications over commercial SATCOM; five of those attacks were surely operated by hostile jamming sources. “All five suspected cases of jamming occurred in the uplink signal, originated in the Southwest Asia region, and involved a transmitter using a continuous wave carrier signal. The use of a continuous wave carrier signal is particularly suspicious because it is unlikely to be an accidental transmission by a friendly user. Moreover, the continuous wave carrier signals used in these instances varied their center frequency within a band—what is known as a ‘sweeper’ signal in jamming because it creates intermittent outages across a wider piece of the spectrum.” In 2013, Iraq acquired GPS jamming equipment during Operation Iraqi Freedom, allegedly from the Russian company Aviaconversiya Ltd. At least six different jamming stations were discovered and destroyed. French commercial satellite fleet operator Eutelsat Communications has recently announced the future deployment of an experimental cutting-edge TV channel interference mitigation function for the first time on its upcoming EUTELSAT 8 West B satellite. The satellite is scheduled for launch in 2015 and will be stationed over the Middle East and North Africa, the area where the major number deliberate jamming attacks have been observed. The anti-jamming function will further raise the bar of signal security by increasing control over uplink frequencies to the satellite. “This function involves embarking new-generation frequency converters behind the satellites Receive antennas … This will put Eutelsat in the unique position to be able to change the frequency of an uplink signal without any impact on the downlink frequency received by user terminals, marking a major breakthrough in the bid for continuity of service for broadcast signals jammed by rogue uplink signals.” reads Eutelsat’s press release.

Eavesdropping

Differently from jamming, eavesdropping on a transmission allows an attacker to access transmitted data. Despite the fact that almost every satellite communication is encrypted, it is quite easy to read posts on the internet that describe how to use off-the-shelf products to intercept satellite transmissions whether they carry satellite broadcast media, satellite telephone conversations, or Internet traffic. In early 2012 German security researchers demonstrated that satellite phones can be easily intercepted and deciphered using equipment readily available on the market, just a personal computer and an antenna were sufficient to hack the two encryption standard algorithms, known as GMR-1 and GMR-2, implemented to protect satellite phone signals of principal phone operators. These encryption standards were commonly used in the Thuraya satellite phones deployed in Africa, the Middle East, and North Asia. GMR-1 is a variant of the A5/2 algorithm implemented by the GSM standards. It is vulnerable to cipher-text-only attacks. The GMR-2 standard introduced a new encryption algorithm, also cryptanalyzed. The speed of deciphering a call is a function of the computing capabilities of the attackers. The two researchers are convinced that the main problem related to the secrecy of both algorithms is that the science community did not test them. Why not improve encryption for satellite transmissions? The encryption of data on satellite transmissions has a series of drawbacks. The first is the increase in the costs of operation; another factor to consider is the impact on the overall performance. These considerations discourage the use of encryption for commercial satellite operators, and of course represent an attraction for hackers. Security experts Geovedi, Iryandi, and Zboralski, in a presentation dated 2008, highlighted the fact that encrypting satellite signals can cause an 80% drop in performance. The researchers also remarked that the introduction of encryption has a correlated cost to consider, such as implementing or upgrading systems to allow encryption and training staff on the use of the equipment. One of the most popular cases of satellite eavesdropping has as a protagonist the off-shelf software SkyGrabber, produced by the Russian firm Sky Software and sold for $26. The software was used by hackers in Iraq and Afghanistan to capture unencrypted video feeds of the Predator unmanned aerial vehicles ( UAVs). The software was used to access data broadcast by satellites. The insurgents in those areas weren’t able to control or disrupt the UAVs but, using SkyGrabber, eavesdropped on the signals sent. The news created a lot of noise in the military, for it is normal to expect the highest level of security in military equipment, including communication encryption. The fix of the flaw added cost to the military program, but the greatest menace from the eavesdropping of the videos was represented by the disclosure of locations of military areas under military surveillance and of course the patterns followed by drone used for reconnaissance activities.

Figure 5 – SkyGrabber home page

Hijacking/Control

Hijacking is the unauthorized use of a satellite for transmission, or seizing control of a signal, such as a broadcast, and replacing it with another. The data transmitted could be acquired (eavesdropping) by attackers who could also modify it in transit (spoofing). The term “Control” refers to the capability of a hacker to gain the control of part or all of the satellite architecture (ground station, bus, payload); particularly interesting is the hacker’s capability to maneuver the satellite in orbit. Satellite hijacking is the illegal use of the satellite to transmit the attacker’s signal, which could override or modify legitimate transmitted data. Attacks against Internet data connections and media broadcasts are very common. Following are the most recent cases for satellite hijacking: 2007 – The Tamil Tigers (LTTE) in Sri Lanka broadcast propaganda transmission on Intelsat satellites. 2009 – Brazilian authorities arrested 39 university professors, electricians, truckers, and farmers who had been using homemade equipment to highjack UHF frequencies dedicated to satellites in the US Navy’s fleet satellite communication system for their personal use. 2013—Emergency alert systems of TV stations in Montana and Michigan were hacked and the attackers broadcast a report of a Zombie invasion. It is unclear if the illegal transmissions were possible due an attack against satellites or Internet-connected. The lack of detail provided in reports led many security experts to believe that the first hypothesis was most probable. Controlling a satellite involves breaching the TT&C (tracking, telemetry and control) links; the wrong commands are sent to the satellite system, causing device rotation or movement that could direct solar panels and antenna in the wrong directions. Satellite control is considered very difficult to implement because security measures to protect satellites are very effective against these intentional attacks.

Figure 6 – Satellite architecture including TT&C In military environments, TT&C ground stations are not freely accessible; they are, in fact, usually protected within a secure area that has controlled access and physical countermeasures to avoid intrusion from external entities. Despite the high level of security the menace must be properly approached. An attacker could exploit a flaw in the command and control of commercial satellites, such as VSAT hubs, to compromise also military satellite systems. The best known of alleged takeovers of satellite control occurred in 2007 and 2008. In particular, a serious attack was observed in 2008 when hackers obtained the control of the NASA Terra EOS earth observation system satellite for 2 minutes in June and for another 9 minutes in October. Fortunately the attackers didn’t damage the satellite during the time they gained control of it. The second hack affected the Landsat-7 satellite on two occasions, one in October of ’07, the other in July of ’08. Unlike the Terra OS incident, this hack did not see control taken away, but access was anyway gained. Resuming: 2008 – “On June 20, 2008, Terra EOS [earth observation system] AM–1, a National Aeronautics and Space Administration-managed program for earth observation, experienced two or more minutes of interference. The responsible party achieved all steps required to command the satellite but did not issue commands” (USCC 2011). 2008 – “On October 22, 2008, Terra EOS AM–1 experienced nine or more minutes of interference. The responsible party achieved all steps required to command the satellite but did not issue commands” (USCC 2011).

GPS

One of the most classic examples of satellite control attack is the exploitation of the vulnerability of GPS systems, a technology widely used today in commercial and military sectors. The wide range of applications based on the technology in today’s society requires a continuous reassessment of the risks related to the exposure of incidents. The first report in which threats to GPS systems were discussed is known as the “Volpe Report.” This document describes the principal menaces for the technologies, as well as the means and the motivation behind for attacks in both the civil and military sectors. The most insidious threat for GPS systems is known as “GPS spoofing,” whereby interference with the GPS receiver is fooled into tracking counterfeit GPS signals. Unlike the case of jamming of GPS signals, in spoofing the targeted receivers are deceived. GPS “spoofers” are devices that create false GPS signals to fool receivers into thinking that they are at a different location or different times, this type of attacks can be really useful in a multitude of scenarios, such as the hijacking of drone or a vessel. These attacks are difficult to detect and can be conducted in numerous sectors, from transportation to financial environments. “Information on the capabilities, limitations, and operational procedures [of spoofers] would help identify vulnerable areas and detection strategies,” states the report. During the risk assessment, numerous countermeasures that have been classified for their implementation have been evaluated. Principal countermeasures implemented in software on GPS receivers are:

Amplitude discrimination

Time-of-arrival discrimination

More sophisticated techniques are:

Consistency of navigation inertial measurement unit (IMU) cross-check

Polarization discrimination

Angle-of-arrival discrimination

Cryptographic authentication

Some of the above attacks are difficult to conduct because they require sophisticated and expensive hardware, such as multiple antennas or a high-grade inertial measurement unit (IMU). The most efficient countermeasure against these attacks is the adoption of signal encryption; the receiver and transmitter use mutual authentication processes to avoid interferences from external sources. Unfortunately, these techniques, while compatible with a classic GPS, require more powerful hardware and systems able to manage the overhead introduced by authentication procedures. For this reason, encryption is limited to the military sector. In our imagination, the use of GPS systems is related to the concepts of position and route. It is documented that these systems are used in aviation, marine, and ground transportation to indicate the way forward in the absence of other references. The GPS technology is also used in other areas, from environmental control to the financial sector. A possible attack on GPS systems would impact many sectors with serious consequences. Since December 2003 the Department of Homeland Security has alerted on the risks of possible attack; it also documented that countermeasures, including monitoring the absolute and relative GPS signal strength, monitoring the satellite identification codes and the number of signals received, and checking the time intervals between the received signals can be used to guard against spoofs. Extremely interesting is the impact that a GPS system can have on the financial world, where the accuracy of measuring time on a global scale and the synchronization between the various time zones, an operation made possible with the use of the GPS technology, are considered crucial. The main trading systems use GPS to synchronize each other and an attack could even cause a block to trading. A typical attack can be addressed with the intent to sabotage the times on one of the global stock exchanges; it could cause a block of the activities once the automated trading systems notice the anomaly. It happened in during the Flash Crash of 2.45, on May 6, 2010, when the United States stock market crashed. Imagine the effect of a misalignment of a few milliseconds between the various trading systems: Criminals could exploit this mismatch to have advance knowledge of the value of any trade, which would be a disaster for the stock exchange. Todd Humphreys, an assistant professor at the University of Texas, and his team have created the world’s most powerful GPS spoofer and have tested it on GPS-based timing devices used in mobile phone transmitters. Fortunately, so far no serious attack has been recorded but we are seeing evidence of basic spoofing, likely carried out by rogue individuals or small groups of criminals. Evidences of these attacks have been collected in several countries monitoring jamming and spoofing activities for a long period. It is necessary to take into serious consideration this kind of threat due their sensible impact on our ordinary activities.

Scanning / Attacking

When explaining scanning and attacking concepts, it is useful to remember the content of a presentation made in 2010 by Spanish cyber security researcher Leonardo Nve at the Black Hat security conference in Arlington. The expert exposed to the audience a variety of tricks to access to satellite Internet connections and exploit them. The expert impressed those present with following assertion: “What’s interesting about this is that it’s very, very easy … Anyone can do it: phishers or Chinese hackers; it’s like a very big Wi-Fi network that’s easy to access.” At a cost of only $75 in tools he was able to intercept digital video broadcast (DVB) signals to get free high-speed Internet. Nve used a Skystar 2 PCI satellite receiver card along with open source Linux DVB software applications and the popular network sniffing tool Wireshark. NVE’s techniques exploited the lack of encryption for DVB signals. The technique was already known to the hacking community but Nve also demonstrated how to use satellite signals to anonymize his Internet connection, intercept satellite Internet users’ requests for Web content, and replace them to gain access to private networks. Nve exploited the satellite signal’s ability to spoof any user identity on the Internet via satellite. The Spanish researcher was also able to impersonate a website operating on the user DNS requests. He was in fact able to manipulate IP addresses received in response to request of conversion from an ISP for a website name. He made a DNS entry point to another IP than the one it would be supposed to point to (DNS spoofing). The IP address was sent back by Nve faster than the ISP deceiving the user and hijacking it on a fake website. The repercussion of this attacker is easily imaginable: An attacker in this way could serve malware or steal a user’s credentials. Nve revealed that during his test he was also able to hijack signals using GRE (generic routing encapsulation) or TCP protocols that entities use to communicate between PCs and servers.

Figure 7 – Slide of Nve presentation Resuming, the researcher was able to perform:

DNS spoofing

TCP hijacking

Attacking GRE

Signal Encryption and Hardening

The principal countermeasures to protect satellite infrastructures are the encryption of signals and the hardening of single components, such as the ground stations. Encryption is crucial to protect signals from spoofing attacks and it is also used to mutually authenticate communication interlocutors. It is fundamental to understand that encryption doesn’t represent a definitive solution; it adds a supplementary layer of defense as occurred for the algorithms A5-GMR-1 and A5-GMR-2, which have been cracked by a team of German researchers. The algorithms used and the level of encryption adopted is functional in the field of application. Managing signal encryption requires supplementary hardware capabilities, with repercussions on the overall cost of the systems, on the maintenance activities, and on the performance and the global security of the platform. Another element to consider is the encryption of signals exchanged between the modules of the satellite structure. Multiple nodes can be encrypted, such as data and TT&C uplinks or access between terrestrial networks and the ground stations. Due to the above reason, most commercial satellite systems are designed without encryption of the signals; every transmission has “open access,” and is transmitted without any protection. The information security could be improved by introducing encryption, while physical security could be increased with the adoption of hardening methods in different parts of the satellite system. Physical protection of the terrestrial environment includes common defense devices and supplementary structures such as access control systems, cameras, fences, and security guards. In a high-security environment ground stations are located within military compounds having in place strict security measures. The intrusion could be physical or electronic (e.g., radio signal interception and jamming). To protect signals from attackers, the satellite antennas are often obscured with barriers to prevent attacks that are dependent on line of sight. Other techniques could be used for terrestrial equipment protection such as directional antennas that reduce interception, shielding and radio emission control measures to mitigate surveillance or jamming activities from third parties. The satellite itself may be hardened against radiation, meteoroids, and orbital debris. To minimize disruption in case of kinetic or natural disaster, the deployment of satellite networks with redundant components having multiple satellites and ground stations is suggested. Hardening of the satellites themselves involves the use of “designs and components that are built to be robust enough to withstand harsh space environments and deliberate attacks” (GAO 2002). The main impact of the implementation of this type of countermeasures is the increase in costs in building, deployment, and maintenance.

Conclusions

The security of satellite systems is a primary topic for the cyber strategy of every government and it is not limited only to military environments. The increase of number of cyber attacks against satellite communications must be addressed with proper countermeasures. Demonstration of high interest is tangible in the document issued by the Congress of the U.S titled, “U.S.-China Economic and Security Review Commission.“ The document reveals that malicious cyber activities can be carried out to destroy the US systems. The report highlight vulnerability to cyber attacks of ground stations outside of the US. “China is one of the top space powers in the world today. The prestige of space exploration and the national security benefits of space systems serve as primary motivators for Chinese decision-makers,” states the report. Governments need to better define international agreements on the definition of harmful interference to prevent aggressive conduct in outer space. It is fundamental to define the attribution of responsibility processes within an international law framework shared on a global scale. On the technological side, it is necessary to develop new helpful technologies to improve the security of satellite infrastructures, focusing on the increase of threat mitigation. The target is the rapid identification of the attackers and the adoption of proper and proportional counteroffensives. The International Code of Conduct initiative is an important opportunity to begin these discussions. I want to close this post with a meaningful abstract of the presentation made by Frank A. Rose, Deputy Assistant Secretary, Bureau of Arms Control, Verification and Compliance in Abu Dhabi in his “Remarks at Global Space and Satellite Forum.” “Let me conclude by saying that every day, billions of people go through their day without realizing just how reliant they are on space. Encouraging responsible behavior in space through pragmatic, near-term transparency, and confidence-building measures offer one way to protect the space environment for all nations and future generations. “I’d also like to note how encouraged I am to see such a wide range of actors and issues on the agenda today. It is only through cooperation and communication that we can achieve what is in the interest of all of us here today: Strengthening long-term sustainability, stability, safety, and security of the space environment.”

References

http://www.sia.org/wp-content/uploads/2013/06/2013_SSIR_Final.pdf http://securityaffairs.co/wordpress/236/cyber-crime/hacking-satellites.html http://www.gpsworld.com/defense/security-surveillance/assessing-spoofing-threat-3171?page_id=1 http://securityaffairs.co/wordpress/2317/hacking/hacking-satellite-communications-and-its-implication.html http://www.linkedin.com/profile/view?id=5413671&locale=en_US&trk=tyah http://www.blackhat.com/presentations/bh-dc-10/Nve_Leonardo/BlackHat-DC-2010-Nve-Playing-with-SAT-1.2-slides.pdf http://www.state.gov/t/avc/rls/2013/209192.htm http://www.forbes.com/2010/02/02/hackers-cybercrime-cryptography-technology-security-satellite.html http://conference.hitb.org/hitbsecconf2008kl/materials/D1T1%20-%20Jim%20Geovedi%20-%20Hacking%20a%20Bird%20in%20the%20Sky%202.0.pdf http://betabeat.com/2012/10/security-experts-warn-hackers-could-hijack-satellites/ http://www.hashdoc.com/document/2837/hacking-a-bird-in-the-sky-the-revenge-of-angry-birds http://www.slideshare.net/geovedi/satellite-hacking-intro-by-indianz-2012 http://www.csbaonline.org/wp-content/uploads/2013/07/Future-of-MILSATCOM-web.pdf http://epublications.bond.edu.au/cgi/viewcontent.cgi?article=1131&context=cm http://www.youtube.com/watch?v=xIsG8GpB67A http://www.youtube.com/watch?v=PNAqJCeFaPs http://www.slideshare.net/geovedi/hitb-labs-practical-attacks-against-3g4g-telecommunication-networks http://www.itu.int/en/ITU-R/space/workshops/2013-interference-geneva/presentations/Rob%20Rideout%20-%20SAT%20Corp.pdf http://www.lexology.com/library/detail.aspx?g=ec0d0039-b7e6-4637-8967-5cbb35b278d5 http://freebeacon.com/china-military-preparing-for-peoples-war-in-cyberspace-space/ http://www.belfasttelegraph.co.uk/lifestyle/technology-gadgets/what-if-hackers-hijacked-a-key-satellite-28869754.html http://smallmedia.org.uk/sites/default/files/Satellite%20Jamming.pdf http://hackread.com/snowden-unveils-nsa-satellite-sauron-program-targeting-citizens/ http://www.au.af.mil/au/ssq/2012/spring/kallberg.pdf http://www.intelsatgeneral.com/blog/new-and-emerging-cyber-security-threats-satellite-communications