[HN Gopher] SATCOM terminals under attack in Europe: a plausible...
___________________________________________________________________
SATCOM terminals under attack in Europe: a plausible analysis
Author : mritzmann
Score : 209 points
Date : 2022-03-07 15:52 UTC (7 hours ago)
(HTM) web link (www.reversemode.com)
(TXT) w3m dump (www.reversemode.com)
| walrus01 wrote:
| I have personally seen that a lot of "cheap" point to multipoint
| contended access VSAT modems have very little security on them.
|
| Would not be surprised in the slightest if something like a new
| firmware load or configuration push coming from the hub of the
| network was not properly validated by the modems using a secure
| crypto key/signature method.
|
| Keep in mind that what we're talking about here is the European
| equivalent of the viasat/hughesnet/wildblue low cost, highly
| contended access geostationary vsat modem service. It's about the
| cheapest possible thing you can buy that is two way IP data via
| geostationary at 64:1 oversubscription ratio or more. There are
| very demanding economics factors in play that require the company
| to make the end user terminal hardware as absolutely cheap as
| possible, for all of the sub components (physical dish/mounting,
| LNB, Tx/BUC/SSPA, cabling, and modem).
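Added example (not code from the thread, from Viasat or from any modem vendor): what "properly validated by the modems using a secure crypto key/signature method" looks like on the terminal side, in Go. The image layout (magic, version, length, payload, Ed25519 signature), the pinned public key and the two-slot update model are assumptions made for illustration; the point is that the signature covers the version and length fields too, the terminal refuses downgrades, and a rejected push never touches the slot it booted from.

```go
package main

import (
	"crypto/ed25519"
	"encoding/binary"
	"errors"
	"fmt"
)

// Image layout used by this example (an assumption for illustration, not any
// vendor's real format):
//
//	magic[4] "FWIM" | version uint32 BE | payloadLen uint32 BE | payload | sig[64]
//
// The Ed25519 signature covers everything before it, so the version number and
// the length are authenticated too, not only the payload.
const (
	magic     = "FWIM"
	headerLen = 4 + 4 + 4
	sigLen    = ed25519.SignatureSize
)

var ErrBadImage = errors.New("firmware image rejected")

// BuildImage is the hub side: sign a payload with the vendor's private key.
func BuildImage(priv ed25519.PrivateKey, version uint32, payload []byte) []byte {
	img := make([]byte, headerLen, headerLen+len(payload)+sigLen)
	copy(img[0:4], magic)
	binary.BigEndian.PutUint32(img[4:8], version)
	binary.BigEndian.PutUint32(img[8:12], uint32(len(payload)))
	img = append(img, payload...)
	return append(img, ed25519.Sign(priv, img)...)
}

// VerifyImage is the terminal side: parse defensively, verify the signature
// with the pinned public key, and refuse anything not newer than what runs.
func VerifyImage(pub ed25519.PublicKey, installedVersion uint32, img []byte) (uint32, []byte, error) {
	if len(img) < headerLen+sigLen || string(img[:4]) != magic {
		return 0, nil, fmt.Errorf("%w: bad header", ErrBadImage)
	}
	version := binary.BigEndian.Uint32(img[4:8])
	n := binary.BigEndian.Uint32(img[8:12])
	// The length must match exactly: too large would index past the buffer,
	// too small would leave unsigned trailing bytes.
	if uint64(n) != uint64(len(img)-headerLen-sigLen) {
		return 0, nil, fmt.Errorf("%w: length mismatch", ErrBadImage)
	}
	signed, sig := img[:headerLen+int(n)], img[headerLen+int(n):]
	if !ed25519.Verify(pub, signed, sig) {
		return 0, nil, fmt.Errorf("%w: bad signature", ErrBadImage)
	}
	if version <= installedVersion {
		return 0, nil, fmt.Errorf("%w: version %d not newer than %d", ErrBadImage, version, installedVersion)
	}
	return version, signed[headerLen:], nil
}

// Terminal keeps two slots so a rejected or interrupted update never replaces
// the image it booted from.
type Terminal struct {
	Pub     ed25519.PublicKey
	Version uint32
	Active  []byte
	Standby []byte
}

// Update stages the payload in the standby slot and swaps only after it verified.
func (t *Terminal) Update(img []byte) error {
	v, payload, err := VerifyImage(t.Pub, t.Version, img)
	if err != nil {
		return err // Active untouched: the terminal still boots
	}
	t.Standby = append([]byte(nil), payload...)
	t.Active, t.Standby = t.Standby, t.Active
	t.Version = v
	return nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(nil)
	if err != nil {
		panic(err)
	}
	term := &Terminal{Pub: pub, Version: 1, Active: []byte("fw-v1")}
	good := BuildImage(priv, 2, []byte("fw-v2"))
	fmt.Println("signed v2:", term.Update(good), "running:", string(term.Active))

	tampered := append([]byte(nil), good...)
	tampered[headerLen] ^= 0xff // flip one payload byte; the signature no longer matches
	fmt.Println("tampered :", term.Update(tampered), "running:", string(term.Active))

	_, attackerPriv, _ := ed25519.GenerateKey(nil)
	forged := BuildImage(attackerPriv, 3, []byte("fw-evil"))
	fmt.Println("wrong key:", term.Update(forged), "running:", string(term.Active))
}
```

The anti-rollback check matters as much as the signature: without it, a validly signed but older image with a known bug can be pushed from a compromised hub. The public key has to live in a part of the terminal the update path cannot overwrite (ROM or a locked flash region), otherwise a malicious update simply replaces the key along with the firmware.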
| Nextgrid wrote:
| I've investigated network equipment before, my findings were that
| you shouldn't trust any of it and use a standard Linux box
| whenever possible. The worst was consumer-grade modems/routers
| with low-hanging fruits such as backdoors, "forgotten" telnet
| servers left enabled, shell command injection in the web UI, etc
| but even enterprise stuff had its problems (thankfully, at least
| on enterprise stuff you can disable the web UI and any services
| you don't use, considerably shrinking the attack surface to
| pretty much just the kernel). And don't get me started on mobile
| network equipment where untrusted data is parsed at the kernel
| level and the motto is still security by obscurity (and the
| impossibility to obtain said equipment for the average Joe).
|
| What I think happened is that they breached the control
| infrastructure which gives them access to an "internal" VLAN that
| the satellite terminals use to communicate with the mothership
| for firmware updates, configuration changes, etc, and from there
| were able to attack these as if they were locally connected (or
| worse - since that network segment is presumed "internal" and may
| expose services not normally available - think whatever is the
| TR-069 equivalent for BGAN terminals), either just pushing an
| incorrect configuration that prevents the terminal from
| connecting (essentially bricking it until you can get out-of-band
| access and reconfigure it properly) or obtaining root (via
| exploit or pushing a specially-crafted firmware update) and
| overwriting /dev/mtd* to completely kill the terminal.
|
| "Cyberattack on satellite network" sounds so serious but I very
| much doubt it's got anything to do with the satellite part of it.
| They've done the equivalent of breaching into the management
| network at a terrestrial, wired ISP and sent garbage
| configuration over TR-069 to brick the modems. Attacking the
| satellite layer would require much more effort for essentially
| the same gain (and if your objective was to get into the
| satellite layer, why waste that access on breaking everything in
| a highly-visible way when you're better off silently sitting
| there and using the access to eavesdrop on everything, especially
| when it's used for SCADA traffic of critical systems that's
| itself unencrypted and vulnerable to tampering?).
| mistrial9 wrote:
| > "Cyberattack on satellite network" sounds so serious
|
| yes agree -- third hand witness to actual ground station
| management of Small SATs here.. even internal engineers are
| locked out; multiple keys required to perform actions; closely
| monitored change-of-behavior networks, etc etc
|
| beware of REALLY LARGE CLAIMS at this time -- peace out
| bewaretheirs wrote:
| > why waste that access on breaking everything in a highly-
| visible way when you're better off silently sitting there and
| using the access to eavesdrop on everything
|
| The subtle approach takes more time.
|
| Take the PoV of the hypothetical Russian decision maker.. you
| can either take all them down now with something quick & dirty
| while the tanks are rolling, or inject a stealthy targeted
| piece of malware you haven't finished yet next week after Kiev
| is already in the hands of a puppet government....
| Nextgrid wrote:
| Yes, this was my point. I don't believe they've attacked
| anything satellite-specific and instead just pushed an
| intentionally-bad configuration or firmware update to
| terminals in the field.
| Melatonic wrote:
| This is sort of what virtual networking devices are trying to
| solve, no?
|
| Going to a full on box also increases your attack surface by
| adding a lot of unnecessary stuff.
|
| Plus even with something completely in software you still need
| the physical hardware in there at some point - and those
| individual pieces will be running their own firmware and
| microcontroller software.
| CoastalCoder wrote:
| Can someone versed in military doctrine / strategy talk about
| dealing with the uncertainty of a false-flag attack?
|
| Does the best-known approach just boil down to weighing the
| cost/benefit of (acting | not acting) x P(most likely aggressor |
| some other cause)? Or has someone figured out a better approach?
| nonomaybeyes wrote:
| The purpose of a false flag is to drive a certain narrative, so
| it's always accompanied by incessant media coverage. That is
| not the case here, the attack is likely for genuine tactical
| purposes.
| Melatonic wrote:
| Everything you are describing would still have an intended
| audience - the audience may be smaller, or niche, but they
| still exist.
| CoastalCoder wrote:
| > That is not the case here
|
| Are you sure that false-flag attacks always involve a media
| blitz?
|
| Just thinking that if I were planning a false flag, and I
| know that people would _recognize_ it as such because of the
| media blitz, then I'd look for a workaround. That seems
| consistent with what we have here.
| numbsafari wrote:
| What's the point of a false flag if nobody knows about it?
|
| See GP... the point of a false flag is to drive a
| narrative. Otherwise you are just damaging yourself for no
| reason.
| hammock wrote:
| Do you have an example of a false flag without a media
| circus around it?
| CoastalCoder wrote:
| > What's the point of a false flag if nobody knows about
| it?
|
| I agree. A false-flag attack is all about optics.
|
| But IIUC the GP, they're saying the SATCOM failure isn't
| widely known, so it wouldn't make sense as a false-flag
| attack.
|
| That's where GP loses me. Because we _are_ discussing it
| here, as members of the general public. And the discussion
| isn't limited to a small nerdy site like HN; it's also
| being covered by Reuters [0].
|
| [0] https://www.reuters.com/business/energy/satellite-
| outage-kno...
| NotAWorkNick wrote:
| I usually use a 'what are either side saying about it' and then
| apply a 'there are always three sides to things: side A's, side
| B's, and the true event' heuristic transform filter.
|
| Unfortunately, with all the censorship, service withdrawals,
| disconnections etc. (from both sides), this approach becomes ....
| difficult ....
|
| My opinion is, let all the information flow. People are not
| sheep that need herding by the powers that be (again, I refer
| to both 'sides' here).
| Animats wrote:
| Any other sources on this yet? This, if real, is big enough there
| should be multiple news articles.
| lxgr wrote:
| The outage itself has already been widely reported (at least in
| EU media), especially the (potential) impact on wind
| electricity generation capacities:
|
| https://www.reuters.com/business/energy/satellite-outage-kno...
| ridaj wrote:
| Would Russia (assuming it's the source of this attack) have
| suffered collateral damage / friendly fire on its own satellite
| terminals?
| CrazyStat wrote:
| Elon Musk mentioned this attack in one of his tweets a few days
| ago:
|
| https://twitter.com/elonmusk/status/1499585449450344451
| Scoundreller wrote:
| Well, if my paytv CPE experience means anything here...
|
| One brand of electronic countermeasure would cause a firmware
| write that wouldn't allow the receiver to boot because you're a
| lazy hacker that didn't lock the flash chip at the hardware WE
| pin level.
|
| There were a couple of strategies to resolve:
|
| 1) remove chip and re-program (not fun on TSOPs)
|
| 2) JTAG reprogram (easy and cheap when computers had parallel
| ports: just some wires and a DB25 connector and the port can bit
| bang everything)
|
| 3) the device does a Power on self test. If it detects a
| corrupted flash file, it will grab a fresh and clean one from the
| satellite stream and overwrite your nasty one. You can trigger
| this by shorting/grounding the right address lines on the flash
| chip at the right time in the self-test. It won't pass checksum
| validation and will think a corrupted update occurred and rewrite
| it.
|
| That was all for the parallel flash chip (a 28 or 29f series I
| think).
|
| If it was a serial flash chip like a 24 series, that would be
| even easier to deal with.
| AdamJacobMuller wrote:
| Seems entirely plausible to me that someone pushed a firmware
| update which corrupted the firmware (even maybe at the
| fpga/bootcode level) and effectively bricked the devices. Not
| horribly complicated to do and once you've done it it would
| require physical access to recover each device individually.
|
| Is there a plausible explanation for who would do this, besides
| Russia?
|
| Is Viasat/Eutelsat a particularly good target for this for some
| reason (seems more like Iridium is used in these scenarios).
| NotAWorkNick wrote:
| Dumb Question here but my thoughts were - why not push the
| corrupted update to the sats? AKA hack the sat firmware? I'm
| fairly certain that they aren't wide open doors but still - I
| would guess that it would be a lot easier doing it that way.
| Perhaps it was both, or something else entirely. It will make
| for an interesting read one day.
| myself248 wrote:
| It's easy to buy an end-user terminal and tear it apart on
| your workbench to develop an understanding of how it works. I
| don't know about you, but I haven't seen any satellites on
| eBay recently.
|
| Also, most satellites are intentionally as dumb as possible,
| just a "bent pipe" transponder, putting all the complexity on
| the ground stations which are easier to service if something
| goes wrong. There might not be much to do on the satellite
| itself.
| lxgr wrote:
| With the right commands, you could flip the satellite by
| 180 degrees, move it from Europe to the pacific ocean, or
| crash it into one of its neighbors.
|
| All geostationary satellites need to be capable of at least
| some station-keeping to correct for drift, move them to
| other service areas, or move them to a graveyard orbit at
| their end of life. (Unlike LEO, GEO satellites don't carry
| enough fuel for de-orbiting, and friction is essentially
| nonexistent at that altitude.)
|
| That layer of commands is hopefully very well protected.
| okl wrote:
| > That layer of commands is hopefully very well
| protected.
|
| Typically some form of HMAC authentication. You can read
| about it in the CCSDS Blue Book.
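Added example (not from the thread and not the CCSDS frame encoding): the two ingredients a telecommand authentication layer needs, a keyed MAC over the command plus an anti-replay sequence counter, sketched in Go. The frame layout (security parameter index, counter, command, HMAC-SHA256 trailer), the key table and the acceptance window are assumptions made for illustration; the constructed key and commands in `main` are demo values.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Frame layout used by this example (an assumption; the real CCSDS SDLS
// header and trailer are laid out differently):
//
//	spi uint16 BE | seq uint32 BE | command bytes | mac[32]
//
// mac = HMAC-SHA256(key[spi], spi || seq || command)
const (
	hdrLen = 2 + 4
	macLen = sha256.Size
)

var (
	ErrShort = errors.New("frame too short")
	ErrSPI   = errors.New("unknown security parameter index")
	ErrMAC   = errors.New("MAC verification failed")
	ErrSeq   = errors.New("sequence number replayed or outside window")
)

// Ground holds the uplink key and the monotonically increasing counter.
type Ground struct {
	Key []byte
	SPI uint16
	Seq uint32
}

// Frame wraps a command so that the command, the key index and the counter
// are all covered by the MAC.
func (g *Ground) Frame(cmd []byte) []byte {
	g.Seq++
	f := make([]byte, hdrLen, hdrLen+len(cmd)+macLen)
	binary.BigEndian.PutUint16(f[0:2], g.SPI)
	binary.BigEndian.PutUint32(f[2:6], g.Seq)
	f = append(f, cmd...)
	m := hmac.New(sha256.New, g.Key)
	m.Write(f)
	return m.Sum(f) // Sum appends the MAC to f
}

// Spacecraft verifies frames. Window bounds how far the counter may jump
// forward so lost frames do not wedge the link, while replayed or
// out-of-order-backwards frames are rejected.
type Spacecraft struct {
	Keys    map[uint16][]byte
	LastSeq map[uint16]uint32
	Window  uint32
}

func NewSpacecraft(keys map[uint16][]byte, window uint32) *Spacecraft {
	return &Spacecraft{Keys: keys, LastSeq: make(map[uint16]uint32), Window: window}
}

// Accept returns the command bytes if the frame is authentic and fresh.
func (s *Spacecraft) Accept(frame []byte) ([]byte, error) {
	if len(frame) < hdrLen+macLen {
		return nil, ErrShort
	}
	spi := binary.BigEndian.Uint16(frame[0:2])
	seq := binary.BigEndian.Uint32(frame[2:6])
	key, ok := s.Keys[spi]
	if !ok {
		return nil, ErrSPI
	}
	body, mac := frame[:len(frame)-macLen], frame[len(frame)-macLen:]
	m := hmac.New(sha256.New, key)
	m.Write(body)
	// Constant-time compare, and check the MAC before touching any state so an
	// unauthenticated sender cannot learn or move the counter.
	if !hmac.Equal(m.Sum(nil), mac) {
		return nil, ErrMAC
	}
	last := s.LastSeq[spi]
	if seq <= last || seq-last > s.Window {
		return nil, ErrSeq
	}
	s.LastSeq[spi] = seq
	return append([]byte(nil), body[hdrLen:]...), nil
}

func main() {
	key := []byte("constructed-demo-uplink-key") // constructed for the example
	g := &Ground{Key: key, SPI: 1}
	sc := NewSpacecraft(map[uint16][]byte{1: key}, 64)

	f := g.Frame([]byte("THRUSTER_FIRE 2.5s"))
	cmd, err := sc.Accept(f)
	fmt.Printf("first   : %q %v\n", cmd, err)
	_, err = sc.Accept(f) // an eavesdropper replaying the captured frame
	fmt.Println("replayed:", err)

	f2 := g.Frame([]byte("THRUSTER_FIRE 2.5s"))
	f2[hdrLen+14] ^= 0x01 // change "2.5s" in flight; the MAC no longer matches
	_, err = sc.Accept(f2)
	fmt.Println("tampered:", err)
}
```

The counter is what turns "authentic" into "fresh": a MAC alone would let anyone who recorded a valid station-keeping burn replay it later. The window has to be persisted across reboots on the spacecraft, otherwise every reset reopens the replay door for every frame ever captured.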
| Nextgrid wrote:
| The satellite layer is probably very custom and requires
| specific skills and initial recon work which could be visible
| and risky. In contrast, getting access to the management
| network and sending intentionally-malformed configurations or
| firmware updates to the terminals is much easier and doesn't
| require any satellite-specific knowledge. The satellite
| terminals (at least the router part of it) are just standard
| Linux embedded devices, so no special skills required.
|
| If your objective is to disable the devices like they've
| done, attacking the "easy" layer is enough so why waste time
| on unnecessary complexity? Of course they might well have
| also done recon on the satellite side and collected valuable
| data they can use in the next round.
| agnokapathetic wrote:
| Viasat KA-SAT was used by Ukraine for some Military and
| Government communications.
|
| The US, perhaps acting on intelligence preceding the Viasat
| attack, provided Zelensky with an Iridium 9575A.
|
| https://www.cnn.com/europe/live-news/ukraine-russia-putin-ne...
| lxgr wrote:
| KA-SAT seems to be used for SCADA control of 11 gigawatts worth
| of wind turbines in Germany, among other things [1].
|
| Not sure at all if this was the intended/primary target, but
| Europe is certainly scrambling for every Watt at the moment...
|
| Also note that KA-SAT/Viasat and Eutelsat seem to be different
| platforms. I've seen reports of services based on the former
| being affected (e.g. SkyDSL [2]), but not the latter (Konnect),
| so far.
|
| I was also surprised to learn that Ka-band based stationary
| consumer satellite internet services seem to be using (mostly)
| plain DOCSIS as the protocol. That possibly introduces its own
| share of vulnerabilities due to OTA updates/provisioning.
|
| [1] https://thestack.technology/viasat-ka-sat-outage-cyber/
|
| [2] https://www.connexionfrance.com/French-news/Thousands-in-
| Fra...
| adrr wrote:
| Taking a country's infrastructure through a cyberattack is
| considered an act of war. Same as if you bombed the power
| generation infrastructure.
| toxik wrote:
| Sure, but can you prove it to the public in enough
| certainty to declare war? No. Suppose it was Russian flag,
| they could very easily just claim they were framed - and
| they very likely could've been.
| krisoft wrote:
| > Sure, but can you prove it to the public in enough
| certainty to declare war?
|
| This is not a court of law, proof is not what is missing
| to declare a war against Russia. They have a credible
| nuclear deterrent, that is why war is not declared against
| them by other countries.
|
| It is in fact a very sweet idea to think that a war
| declaration depends on meeting or not meeting some
| evidentiary standard.
| toxik wrote:
| You misunderstood, or simply ignored the word "public".
| In free press societies, you need the will of the people
| to go to war. You need a 9/11 moment. A casus belli.
| krisoft wrote:
| > In free press societies, you need the will of the
| people to go to war.
|
| Sure. And this consent can be produced when there is a
| need for it. "Proof" is not the missing component.
|
| That American basketball player who the Russians
| detained? Casus belli. The cyber attacks? Casus belli.
| Shelled civilians? Casus belli. The NATO country cargo
| ships which got hit and sunk? Casus belli.
|
| These are just the ones I can think of. A proper state
| apparatus can come up with many more and probably even
| better ones. Government officials will leak the
| background, solemn-faced politicians will demand justice
| while friendly journalists write up the whole thing
| in the most heart-wrenching way. If they want to, they
| can.
|
| So why don't they want to? Is it because the Russian
| army is so powerful that we think we can't overpower
| them? No. Is it because the Russian air defences are so
| advanced that they cannot be picked apart? No. So what is
| it which makes the west avoid a direct confrontation with
| Russia? Why are they doing this strange dance of
| supplying weapons to Ukraine and hurting Russia with
| sanctions, but not directly engaging with them troop-to-
| troop? It's the Russian nukes.
|
| > You misunderstood, or simply ignored the word "public".
|
| I don't think so. You won't "prove" anything to the
| public through detailed technological explanations. A fig
| leaf of deniability might be an interesting roadblock in
| a criminal prosecution where things have to be proven
| "beyond a reasonable doubt". In a situation where there
| is a governmental will to engage in a peacekeeping
| mission (read: send troops to fck the Russians up) the
| evidentiary level is "can we find an authoritative-sounding
| voice in the whole government who can tell the right sob
| story to enough gullible journalists to sell the people on
| it". That is such a low level of "proof" that one might
| as well assume it can be met nearly always.
|
| Journalists won't pore over the attack binaries using
| Ghidra to make an assessment about the relative
| probabilities that it has the signatures of being created
| by this or that advanced persistent threat group. The
| ones who would demand that level of rigour before
| publishing won't get the scoop. The ones who are selected
| to spread the message will have a lovely hour with a very
| charismatic "expert" who will walk them through just
| enough of the detail to sound right but not to get bogged
| down in unnecessary complications. This chat will get
| translated into a single line in their article, maybe
| something like "experts at the National Security Agency
| matched the unique signatures of the cyberweapon to the
| advanced persistent threat group Tippsy Bears, a known
| front of the Russian Federation." Followed by two pages
| of heart-wrenching human angle story about innocents
| suffering needlessly. That is the "proof" the public might
| get.
| JumpCrisscross wrote:
| > _have a credible nuclear deterrent, that is why war is
| not declared against them by other countries_
|
| Nobody "declares" wars anymore. If Russia were believed
| to be responsible for this, it would make it politically
| feasible to attack their critical infrastructure through
| targeted (plausibly deniable) cyber attacks.
| ajsnigrutin wrote:
| If this was true and practical, there would be so many
| wars... pretty much every country has had some
| infrastructure hacked, most more than once, some by random
| groups, some by government sponsored hacking, some by
| exploiting outdated installation of services and some using
| very advanced techniques (eg stuxnet).
| blackboxlogic wrote:
| From your first link:
|
| "The [turbines] affected remain in operation and are
| producing clean renewable energy. ... they will operate in
| automatic mode and are fundamentally capable of self-
| contained and independent regulation."
| lxgr wrote:
| Sure, I'd hope for a heavily decentralized system to have
| some capability of autonomous operation. But in the medium
| and long term, it can't be good to not be able to remotely
| monitor for failures requiring manual intervention or on-
| site mechanical servicing.
| londons_explore wrote:
| Having to visit every turbine to replace a satellite
| modem doesn't sound like a super large challenge at
| nation-state scale.
| mschuster91 wrote:
| The problem is once again our godawful prior government.
| Many tens of thousands of jobs in the wind industry have
| vanished over the last years [1] because the
| Conservatives oppose renewable power and impeded it
| wherever possible - if it is because of corruption,
| incompetence, fear of the far-right that outright
| _demonizes_ anything not fossil or nuclear I don't know.
| In any case, we simply don't have the staff to visit
| _literally thousands_ of wind turbines, a lot of which
| are actually offshore, simply to replace routers.
|
| This situation is an unbelievable clusterfuck.
|
| [1]: https://www.zdf.de/nachrichten/wirtschaft/windkraft-
| industri...
| Animats wrote:
| [1] above: "This article was published on: 02/28/22".
| londons_explore wrote:
| > Is there a plausible explanation for who would do this,
| besides Russia?
|
| Any engineer could accidentally do it... I can totally imagine
| the release engineer accidentally pushing the dev version, only
| to realise later that the dev version doesn't have quite the
| right config to connect for example.
|
| Blaming it on a cyber attack is a lot less bad than saying
| "whoops, we bricked everyone's modems".
___________________________________________________________________
(page generated 2022-03-07 23:00 UTC)