Communications Hacks

0

In the movie “Geostorm”, a climate-controlling satellite was infected with a malware that triggered off a series of meteorological chaos from Hong Kong to Moscow.  The apocalyptic scenario may seem far-fetched; however, compromising space assets to cause operational obstructions and disruptions is not speculative fiction.

In 2012, Nasa revealed that it suffered “5,408 computer security incidents” between 2010 and 2011. One involved a stolen notebook which “resulted in the loss of the algorithms” used to control the space station. In fact, it was the target of 47 advanced persistent threats (APTs). NASA noted that “until NASA fully implements an agency-wide data encryption solution, sensitive data on its mobile computing and portable data storage devices will remain at high risk for loss or theft.”

Space assets targeted by attackers are not limited to ground networks or satellites. Communications links also face attacks – for example, by intruding on the (typically) unencrypted downstream traffic, details can be extracted to spoof a legitimate IP for masking the attacker’s location.

Phishing may be a headline Top Cyber Risk, but communication links, as attack vectors to cause Denial-of-Service or to gain illegitimate control, are not uncommon.  In particular, with 5G rollout expanding the attack surface, the security focus is growing.

We hear more about attacks on satellites and devices and equipment on other communication bands (radio-frequency and GSM), and what these cases portend for 5G in Singapore (BlackHat Asia 2019: March 26-29th 2019, 11th Global Science and Technology conference: February 14th – 15th 2019, ConnecTechAsia 2019, and InfoSec in the City Singapore: June 18th-20th).

“Professor Itzik Ben Israel (Chairman, Israel Space Agency, Cybersecurity Challenges for Satellites). Photo Credit: GSTC 2019”

Jamming Satellite TV

At the 11th Global Science and Technology conference, Professor Itzik Ben Israel (Chairman, Israel Space Agency, Cybersecurity Challenges for Satellites) pointed to the denial-of-service attack on the BBC Persian service in 2011, which BBC confirmed as due to “the heavy electronic jamming of satellites the BBC uses in the Middle East to broadcast the BBC Persian TV signal to Iran” following coverage of the political unrest in Egypt.

Space is an enabler of daily life, he pointed out.  In addition to GPS navigation and telecommunications, new uses are emerging as barriers to entry decline (such as satellite-launch costs). “The space club is growing with more players having access”, he said.  Improved bandwidth and higher resolution satellite data have also accelerated adoption of satellite imagery for environmental monitoring and urban planning.

“Industrial Remote Controller: Safety, Security, Vulnerabilities, Philippe Lin (Data analysis, machine learning, and software defined radio, TrendMicro) and Akira Urano (Senior Threat Researcher, TrendMicro)”

Even as new applications grow, security vulnerabilities in many legacy equipment remain. “Some of today’s satellites were designed long before awareness to cybersecurity,” said Professor Israel.

While satellites may seem to be the most obvious targets to attack, the most vulnerable and easiest targets are the ground station’s networks, or uplink communications – as illustrated in the BBC Persian TV incident. In fact, a GPS jamming device can be bought for less than $100.  “Protect the weakest link” and this defense approach is not any different than in other sectors, Professor Israel emphasised.

This means identifying the less secured assets in the chain and mitigating against potential threats.  For example, the US military now regularly undergo training to operate in the field as if their GPS signals go dark. For us civilians, perhaps we should not throw away our A-Z street directory just yet.

Manipulating Radio Remote Controllers for Industrial Applications

Cranes, drillers, and miners used in construction, manufacturing and many other industrial applications are commonly equipped with radio-frequency (RF) remotes.  These have become “the weakest link in these safety-critical applications, characterized by high replacement costs, long lifespans, and cumbersome patching processes”, said Mr Philippe Lin at BlackHat Asia 2019.

“Many of these RF controllers are still operating with vulnerabilities inherent in legacy and basic protocols (e.g. weak cryptography encrypting the data exchanged between transmitter and receiver – such as commands sent in clear text),” he elaborated.

The proprietary nature of these protocols also makes the identification of weaknesses and patching less systematic and frequent, compared to industrial standard ones.

These vulnerabilities can be exploited by re-programming weakly secured RF remotes, resulting in malicious mechanical motions. This can be done, as proven by the team, by using software defined radio.

Through an extensive in-lab and on-site analysis, he and his team demonstrated how the behavior of the machinery attached to the RF controller could be manipulated by spoofing commands, such as emergency-stop (e-stop) abuse and illegitimate re-pairing of remote-machinery.

As RF remote controllers are distributed globally with millions installed on heavy industrial machinery, the implications can range from financial, temporary disruption to serious injuries.  The long-term solution is abandoning proprietary RF protocols and focus on open, standard ones with increased security level – clearly this would remove the burden on the vendors’ part to design or integrate custom RF protocols.

“Aleksandr Kolchanov (Independent security researcher and consultant) at InfoSec in the City 2019.”

Hacking GSM devices – Intruder Systems, Access Control Systems (Garage doors)

“Lack of standards and authentication are some reasons why GSM devices are vulnerable: it is easy to create new authorization method, but it is hard to check if this method is secure”, said Aleksandr Kolchanov (Independent security researcher and consultant) at InfoSec in the City 2019.

With the proliferation of these devices over the years, there is no shortage of vulnerabilities for attackers to exploit. The systems can be hacked by using various authorization by-passing methods.

“Mr Tan Kiat How (Chief Executive of Infocomm Media Development Authority, SIngapore). Photo Credit: ConnecTechAsia 2019”

“You can try to use default or common 4-digit codes, or just spend one or two days to make a full brute-force for hacking several popular models.  In some cases, you can spoof the owner’s phone number to bypass authorisation” (straight-forward with the VoIP applications) where caller ID checks is the authorization protocol; classic social engineering attacks can be effective too.

However, he pointed out, even though attacks on authorization or security company can be effective, physical destruction or jamming may be easier, but still suitable.

Eavesdropping attacks based on the GSM networks by breaking the encryption had also been known, raising concerns of privacy of mobile phone calls on the GSM networks could be easily breached.

“Shekar Ayyar (EVP, Strategy and Corporate Development & GM, Telco NFV Group, VMware). Photo Credit: VM Ware”

5G and Cyber security

The race for 5G with the exciting applications ranging from autonomous vehicles, emergency healthcare to Smart cities planning trigger safety and security considerations.

At ConnecTechAsia 2019, Mr Tan Kiat How (Chief Executive of Infocomm Media Development Authority) said at his Opening Address, “Singapore sees 5G as an enabler to support the development of new innovative applications and services that will power our Digital Economy – a public utility that will benefit our entire economy.”

But, he stressed, “trusted, resilient and high quality digital infrastructure is a key building block for any country that aspires to be a leading Digital Economy.”

Indeed, Shekar Ayyar (EVP, Strategy and Corporate Development & GM, Telco NFV Group, VMware) noted, at his “Cybersecurity in the Age of 5G” keynote, “how do you move as fast as the business needs, while providing security? With an exponential increase in data transmitted across 5G networks, organizations relying on 5G will become increasingly vulnerable to  attacks from increasingly sophisticated cybercriminals.”

More importantly, for Communication Service Providers (CSP) in this race for 5G, he pointed out the need for end-to-end connectivity (and security) to support the agility (e.g. “VCN” – Virtual Cloud Network) required by the organisations.  For sure, in the age of 5G where the low-latency, high bandwidth, always-on connectivity are its USPs (unique selling points), an agile-based response is just as crucial in protecting this infrastructure against downtime and other attacks that impact network performance.

Share.

Comments are closed.