[HN Gopher] SATCOM terminals under attack in Europe: a plausible...
___________________________________________________________________
SATCOM terminals under attack in Europe: a plausible analysis
Author : mritzmann
Score  : 209 points
Date   : 2022-03-07 15:52 UTC (7 hours ago)
(HTM) web link (www.reversemode.com)
(TXT) w3m dump (www.reversemode.com)

walrus01 wrote:
I have personally seen that a lot of "cheap" point to multipoint contended access VSAT modems have very little security on them.

Would not be surprised in the slightest if something like a new firmware load or configuration push coming from the hub of the network was not properly validated by the modems using a secure crypto key/signature method.

Keep in mind that what we're talking about here is the European equivalent of the viasat/hughesnet/wildblue low cost, highly contended access geostationary vsat modem service. It's about the cheapest possible thing you can buy that is two way IP data via geostationary at 64:1 oversubscription ratio or more. There are very demanding economic factors in play that require the company to make the end user terminal hardware as absolutely cheap as possible, for all of the sub components (physical dish/mounting, LNB, Tx/BUC/SSPA, cabling, and modem).

Nextgrid wrote:
I've investigated network equipment before; my findings were that you shouldn't trust any of it and use a standard Linux box whenever possible. The worst was consumer-grade modems/routers with low-hanging fruits such as backdoors, "forgotten" telnet servers left enabled, shell command injection in the web UI, etc, but even enterprise stuff had its problems (thankfully, at least on enterprise stuff you can disable the web UI and any services you don't use, considerably shrinking the attack surface to pretty much just the kernel).
And don't get me started on mobile network equipment where untrusted data is parsed at the kernel level and the motto is still security by obscurity (and the impossibility of obtaining said equipment for the average Joe).

What I think happened is that they breached the control infrastructure which gives them access to an "internal" VLAN that the satellite terminals use to communicate with the mothership for firmware updates, configuration changes, etc, and from there were able to attack these as if they were locally connected (or worse - since that network segment is presumed "internal" and may expose services not normally available - think whatever is the TR-069 equivalent for BGAN terminals), either just pushing an incorrect configuration that prevents the terminal from connecting (essentially bricking it until you can get out-of-band access and reconfigure it properly) or obtaining root (via exploit or pushing a specially-crafted firmware update) and overwriting /dev/mtd* to completely kill the terminal.

"Cyberattack on satellite network" sounds so serious but I very much doubt it's got anything to do with the satellite part of it. They've done the equivalent of breaching into the management network at a terrestrial, wired ISP and sent garbage configuration over TR-069 to brick the modems. Attacking the satellite layer would require much more effort for essentially the same gain (and if your objective was to get into the satellite layer, why waste that access on breaking everything in a highly-visible way when you're better off silently sitting there and using the access to eavesdrop on everything, especially when it's used for SCADA traffic of critical systems that's itself unencrypted and vulnerable to tampering?).

mistrial9 wrote:
> "Cyberattack on satellite network" sounds so serious

yes agree -- third hand witness to actual ground station management of Small SATs here..
even internal engineers are locked out; multiple keys required to perform actions; closely monitored change-of-behavior networks, etc etc

beware of REALLY LARGE CLAIMS at this time -- peace out

bewaretheirs wrote:
> why waste that access on breaking everything in a highly-visible way when you're better off silently sitting there and using the access to eavesdrop on everything

The subtle approach takes more time.

Take the PoV of the hypothetical Russian decision maker.. you can either take them all down now with something quick & dirty while the tanks are rolling, or inject a stealthy targeted piece of malware you haven't finished yet next week after Kiev is already in the hands of a puppet government....

Nextgrid wrote:
Yes, this was my point. I don't believe they've attacked anything satellite-specific and instead just pushed an intentionally-bad configuration or firmware update to terminals in the field.

Melatonic wrote:
This is sort of what virtual networking devices are trying to solve, no?

Going to a full on box also increases your attack surface by adding a lot of unnecessary stuff.

Plus even with something completely in software you still need the physical hardware in there at some point - and those individual pieces will be running their own firmware and microcontroller software.

CoastalCoder wrote:
Can someone versed in military doctrine / strategy talk about dealing with the uncertainty of a false-flag attack?

Does the best-known approach just boil down to weighing the cost/benefit of (acting | not acting) x P(most likely aggressor | some other cause)? Or has someone figured out a better approach?

nonomaybeyes wrote:
The purpose of a false flag is to drive a certain narrative, so it's always accompanied by incessant media coverage. That is not the case here; the attack is likely for genuine tactical purposes.
Melatonic wrote:
Everything you are describing would still have an intended audience - the audience may be smaller, or niche, but they still exist.

CoastalCoder wrote:
> That is not the case here

Are you sure that false-flag attacks always involve a media blitz?

Just thinking that if I were planning a false flag, and I know that people would _recognize_ it as such because of the media blitz, then I'd look for a workaround. That seems consistent with what we have here.

numbsafari wrote:
What's the point of a false flag if nobody knows about it?

See GP... the point of a false flag is to drive a narrative. Otherwise you are just damaging yourself for no reason.

hammock wrote:
Do you have an example of a false flag without a media circus around it?

CoastalCoder wrote:
> What's the point of a false flag if nobody knows about it?

I agree. A false-flag attack is all about optics.

But IIUC the GP, they're saying the SATCOM failure isn't widely known, so it wouldn't make sense as a false-flag attack.

That's where GP loses me. Because we _are_ discussing it here, as members of the general public. And the discussion isn't limited to a small nerdy site like HN; it's also being covered by Reuters [0].

[0] https://www.reuters.com/business/energy/satellite-outage-kno...

NotAWorkNick wrote:
I usually use a 'what is either side saying about it' and then apply a 'there are always three sides to things <side A's, side B's and the true event>' heuristic transform filter.

Unfortunately, with all the censorship, service withdrawals, disconnections etc (from both sides), this approach is .... difficult ....

My opinion is, let all the information flow. People are not sheep that need herding by the powers that be (again, I refer to both 'sides' here).

Animats wrote:
Any other sources on this yet? This, if real, is big enough that there should be multiple news articles.
lxgr wrote:
The outage itself has already been widely reported (at least in EU media), especially the (potential) impact on wind electricity generation capacities:

https://www.reuters.com/business/energy/satellite-outage-kno...

ridaj wrote:
Would Russia (assuming it's the source of this attack) have suffered collateral damage / friendly fire on its own satellite terminals?

CrazyStat wrote:
Elon Musk mentioned this attack in one of his tweets a few days ago:

https://twitter.com/elonmusk/status/1499585449450344451

Scoundreller wrote:
Well, if my paytv CPE experience means anything here...

One brand of electronic countermeasure would cause a firmware write that wouldn't allow the receiver to boot because you're a lazy hacker that didn't lock the flash chip at the hardware WE pin level.

There were a couple of strategies to resolve:

1) remove chip and re-program (not fun on TSOPs)

2) JTAG reprogram (easy and cheap when computers had parallel ports: just some wires and a DB25 connector and the port can bit bang everything)

3) the device does a Power on self test. If it detects a corrupted flash file, it will grab a fresh and clean one from the satellite stream and overwrite your nasty one. You can trigger this by shorting/grounding the right address lines on the flash chip at the right time in the self-test. It won't pass checksum validation and will think a corrupted update occurred and rewrite it.

That was all for the parallel flash chip (a 28 or 29f series I think).

If it was a serial flash chip like a 24 series, that would be even easier to deal with.

AdamJacobMuller wrote:
Seems entirely plausible to me that someone pushed a firmware update which corrupted the firmware (even maybe at the fpga/bootcode level) and effectively bricked the devices. Not horribly complicated to do, and once you've done it it would require physical access to recover each device individually.
Is there a plausible explanation for who would do this, besides Russia?

Is Viasat/Eutelsat a particularly good target for this for some reason (seems more like Iridium is used in these scenarios)?

NotAWorkNick wrote:
Dumb question here but my thoughts were - why not push the corrupted update to the sats? AKA hack the sat firmware? I'm fairly certain that they aren't wide open doors but still - I would guess that it would be a lot easier doing it that way. Perhaps it was both, or something else entirely. It will make for an interesting read one day.

myself248 wrote:
It's easy to buy an end-user terminal and tear it apart on your workbench to develop an understanding of how it works. I don't know about you, but I haven't seen any satellites on eBay recently.

Also, most satellites are intentionally as dumb as possible, just a "bent pipe" transponder, putting all the complexity on the ground stations which are easier to service if something goes wrong. There might not be much to do on the satellite itself.

lxgr wrote:
With the right commands, you could flip the satellite by 180 degrees, move it from Europe to the pacific ocean, or crash it into one of its neighbors.

All geostationary satellites need to be capable of at least some station-keeping to correct for drift, move them to other service areas, or move them to a graveyard orbit at their end of life. (Unlike LEO, GEO satellites don't carry enough fuel for de-orbiting, and friction is essentially nonexistent at that altitude.)

That layer of commands is hopefully very well protected.

okl wrote:
> That layer of commands is hopefully very well protected.

Typically some form of HMAC authentication. You can read about it in the CCSDS Blue Book.

Nextgrid wrote:
The satellite layer is probably very custom and requires specific skills and initial recon work which could be visible and risky.
In contrast, getting access to the management network and sending intentionally-malformed configurations or firmware updates to the terminals is much easier and doesn't require any satellite-specific knowledge. The satellite terminals (at least the router part of them) are just standard Linux embedded devices, so no special skills required.

If your objective is to disable the devices like they've done, attacking the "easy" layer is enough, so why waste time on unnecessary complexity? Of course they might well have also done recon on the satellite side and collected valuable data they can use in the next round.

agnokapathetic wrote:
Viasat KA-SAT was used by Ukraine for some Military and Government communications.

The US, perhaps acting on intelligence preceding the Viasat attack, provided Zelensky with an Iridium 9575A.

https://www.cnn.com/europe/live-news/ukraine-russia-putin-ne...

lxgr wrote:
KA-SAT seems to be used for SCADA control of 11 Gigawatt worth of wind turbines in Germany, among other things [1].

Not sure at all if this was the intended/primary target, but Europe is certainly scrambling for every Watt at the moment...

Also note that KA-SAT/Viasat and Eutelsat seem to be different platforms. I've seen reports of services based on the former being affected (e.g. SkyDSL [2]), but not the latter (Konnect), so far.

I was also surprised to learn that Ka-band based stationary consumer satellite internet services seem to be using (mostly) plain DOCSIS as the protocol. That possibly introduces its own share of vulnerabilities due to OTA updates/provisioning.

[1] https://thestack.technology/viasat-ka-sat-outage-cyber/

[2] https://www.connexionfrance.com/French-news/Thousands-in-Fra...

adrr wrote:
Taking a country's infrastructure through a cyberattack is considered an act of war. Same as if you bombed the power generation infrastructure.
toxik wrote:
Sure, but can you prove it to the public with enough certainty to declare war? No. Suppose it was a Russian flag; they could very easily just claim they were framed - and they very likely could've been.

krisoft wrote:
> Sure, but can you prove it to the public with enough certainty to declare war?

This is not a court of law; proof is not what is missing to declare a war against Russia. They have a credible nuclear deterrent, that is why war is not declared against them by other countries.

It is in fact a very sweet idea to think that a war declaration depends on meeting or not meeting some evidentiary standard.

toxik wrote:
You misunderstood, or simply ignored the word "public". In free press societies, you need the will of the people to go to war. You need a 9/11 moment. A casus belli.

krisoft wrote:
> In free press societies, you need the will of the people to go to war.

Sure. And this consent can be produced when there is a need for it. "Proof" is not the missing component.

That American basketball player who the Russians detained? Casus belli. The cyber attacks? Casus belli. Shelled civilians? Casus belli. The NATO country cargo ships which got hit and sunk? Casus belli.

These are just the ones I can think of. A proper state apparatus can come up with many more and probably even better ones. Government officials will leak the background, solemn faced politicians will demand justice while friendly journalists will write up the whole thing in the most heart-wrenching way. If they want to they can.

So why don't they want to? Is it because the Russian army is so powerful that we think we can't overpower them? No. Is it because the Russian air defences are so advanced that they cannot be picked apart? No. So what is it which makes the west avoid a direct confrontation with Russia?
Why are they doing this strange dance of supplying weapons to Ukraine and hurting Russia with sanctions, but not directly engaging with them troop-to-troop? It's the Russian nukes.

> You misunderstood, or simply ignored the word "public".

I don't think so. You won't "prove" anything to the public through detailed technological explanations. A fig leaf of deniability might be an interesting roadblock in a criminal prosecution where things have to be proven "beyond a reasonable doubt". In a situation where there is a governmental will to engage in a peacekeeping mission (read: send troops to fck the Russians up) the evidentiary level is "can we find an authoritative sounding voice in the whole government who can tell the right sob story to enough gullible journalists to sell the people on it". That is such a low level of "proof" that one might as well assume it can be met nearly always.

Journalists won't pore over the attack binaries using Ghidra to make an assessment about the relative probabilities that it has the signatures of being created by this or that advanced persistent threat group. The ones who would demand that level of rigour before publishing won't get the scoop. The ones who are selected to spread the message will have a lovely hour with a very charismatic "expert" who will walk them through just enough of the detail to sound right but not to get bogged down in unnecessary complications. This chat will get translated into a single line in their article, maybe something like "experts at the National Security Agency matched the unique signatures of the cyberweapon to the advanced persistent threat group Tippsy Bears, a known front of the Russian Federation." Followed by two pages of heart-wrenching human angle story about innocents suffering needlessly. That is the "proof" the public might get.
JumpCrisscross wrote:
> _have a credible nuclear deterrent, that is why war is not declared against them by other countries_

Nobody "declares" wars anymore. If Russia were believed to be responsible for this, it would make it politically feasible to attack their critical infrastructure through targeted (plausibly deniable) cyber attacks.

ajsnigrutin wrote:
If this was true and practical, there would be so many wars... pretty much every country has had some infrastructure hacked, most more than once, some by random groups, some by government sponsored hacking, some by exploiting outdated installations of services and some using very advanced techniques (eg stuxnet).

blackboxlogic wrote:
From your first link:

"The [turbines] affected remain in operation and are producing clean renewable energy. ... they will operate in automatic mode and are fundamentally capable of self-contained and independent regulation."

lxgr wrote:
Sure, I'd hope for a heavily decentralized system to have some capability of autonomous operation. But in the medium and long term, it can't be good to not be able to remotely monitor for failures requiring manual intervention or on-site mechanical servicing.

londons_explore wrote:
Having to visit every turbine to replace a satellite modem doesn't sound like a super large challenge at nation-state scale.

mschuster91 wrote:
The problem is once again our godawful prior government. Many tens of thousands of jobs in the wind industry have vanished over the last years [1] because the Conservatives oppose renewable power and impeded it wherever possible - whether it is because of corruption, incompetence, or fear of the far-right that outright _demonizes_ anything not fossil or nuclear, I don't know. In any case, we simply don't have the staff to visit _literally thousands_ of wind turbines, a lot of which are actually offshore, simply to replace routers.
This situation is an unbelievable clusterfuck.

[1]: https://www.zdf.de/nachrichten/wirtschaft/windkraft-industri...

Animats wrote:
[1] above: "This article was published on: 02/28/22".

londons_explore wrote:
> Is there a plausible explanation for who would do this, besides Russia?

Any engineer could accidentally do it... I can totally imagine the release engineer accidentally pushing the dev version, only to realise later that the dev version doesn't have quite the right config to connect, for example.

Blaming it on a cyber attack is a lot less bad than saying "whoops, we bricked everyone's modems".
___________________________________________________________________
(page generated 2022-03-07 23:00 UTC)
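The defensive thread running through the comments above (walrus01's worry that a hub-originated firmware or configuration push is accepted without a cryptographic check, Nextgrid's scenario of garbage configuration pushed from a compromised management network, and okl's note that command links typically rely on HMAC authentication) can be made concrete with a terminal-side verifier. What follows is an added example written for this page; it is not code from any vendor, from the reversemode.com article, or from any commenter, and the frame layout, the allowed configuration keys and the firmware image layout are constructed assumptions. It shows the checks a terminal should apply to a management push before acting on it: authenticate the whole frame with HMAC-SHA256 under a per-device key, reject replayed or stale counters, accept only known configuration keys, and verify an image digest and refuse downgrades before staging firmware. A production design would verify firmware against an asymmetric signature whose private key never sits on the hub, so that a hub compromise alone cannot yield an acceptable image; HMAC is used here because it is in the standard library and is what okl's comment names for the command layer.

```python
"""Terminal-side verification of hub-originated management pushes.

Added example for this thread; the frame layout, config keys and firmware
image layout are constructed assumptions, not any vendor's protocol.
"""
import hashlib
import hmac
import struct

MAGIC = b"MGMT"                   # constructed frame marker
TYPE_CONFIG = 1
TYPE_FIRMWARE = 2
TAG_LEN = 32                      # HMAC-SHA256 output length
HEADER = struct.Struct(">4sBQI")  # magic, type, 64-bit counter, payload length

# Constructed per-device key. A real terminal would hold this in protected
# storage, and would check firmware against an asymmetric signature whose
# private key never lives on the hub (a hub compromise then cannot forge it).
TERMINAL_KEY = hashlib.sha256(b"constructed demo key, not a real secret").digest()


def build_frame(key, ftype, counter, payload):
    """Hub side: frame a push and append HMAC-SHA256 over header + payload."""
    body = HEADER.pack(MAGIC, ftype, counter, len(payload)) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()


class TerminalVerifier:
    """Terminal side: act on a push only if it is authentic, fresh and sane."""

    def __init__(self, key, firmware_version):
        self.key = key
        self.last_counter = -1            # highest counter accepted so far
        self.firmware_version = firmware_version
        self.config = None

    def accept(self, frame):
        """Return (accepted, reason). State changes only on acceptance."""
        if len(frame) < HEADER.size + TAG_LEN:
            return False, "truncated frame"
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        # 1. Authenticate before parsing anything else; constant-time compare.
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return False, "bad MAC"
        magic, ftype, counter, plen = HEADER.unpack_from(body)
        payload = body[HEADER.size:]
        if magic != MAGIC or len(payload) != plen:
            return False, "malformed header"
        # 2. Anti-replay: the counter must be strictly increasing.
        if counter <= self.last_counter:
            return False, "replayed or stale counter"
        # 3. Type-specific sanity checks before anything is applied.
        if ftype == TYPE_CONFIG:
            ok, reason = self._apply_config(payload)
        elif ftype == TYPE_FIRMWARE:
            ok, reason = self._apply_firmware(payload)
        else:
            return False, "unknown frame type"
        if ok:
            self.last_counter = counter   # rejected frames do not consume a counter
        return ok, reason

    def _apply_config(self, payload):
        # Constructed config syntax: "key=value" lines; every key must be known,
        # so a push of unknown or garbage settings is refused rather than stored.
        allowed = {"apn", "mtu", "beam"}
        cfg = {}
        for line in payload.decode("ascii", "replace").splitlines():
            if "=" not in line:
                return False, "config syntax error"
            key, value = line.split("=", 1)
            if key not in allowed:
                return False, "unknown config key %r" % key
            cfg[key] = value
        self.config = cfg
        return True, "config applied"

    def _apply_firmware(self, payload):
        # Constructed image layout: 4-byte version, 32-byte SHA-256 of image, image.
        if len(payload) < 36:
            return False, "firmware too short"
        version = struct.unpack(">I", payload[:4])[0]
        digest, image = payload[4:36], payload[36:]
        if hashlib.sha256(image).digest() != digest:
            return False, "firmware image digest mismatch"
        if version <= self.firmware_version:
            return False, "firmware downgrade refused"
        self.firmware_version = version
        return True, "firmware %d staged" % version


def demo():
    """Run constructed pushes through one terminal; returns the outcome of each."""
    term = TerminalVerifier(TERMINAL_KEY, firmware_version=7)
    image = b"constructed firmware image bytes"
    old_fw = struct.pack(">I", 5) + hashlib.sha256(image).digest() + image
    new_fw = struct.pack(">I", 8) + hashlib.sha256(image).digest() + image
    good_cfg = build_frame(TERMINAL_KEY, TYPE_CONFIG, 1, b"apn=demo\nmtu=1400")
    tampered = bytearray(good_cfg)
    tampered[HEADER.size] ^= 0x01     # flip the first payload byte; MAC no longer matches
    return {
        "good_config": term.accept(good_cfg),
        "replay": term.accept(good_cfg),
        "tampered": term.accept(bytes(tampered)),
        "wrong_key": term.accept(build_frame(b"not the device key", TYPE_CONFIG, 2, b"apn=x")),
        "unknown_key": term.accept(build_frame(TERMINAL_KEY, TYPE_CONFIG, 2, b"bogus=1")),
        "downgrade": term.accept(build_frame(TERMINAL_KEY, TYPE_FIRMWARE, 3, old_fw)),
        "upgrade": term.accept(build_frame(TERMINAL_KEY, TYPE_FIRMWARE, 3, new_fw)),
    }


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print("%-12s %s  %s" % (name, "ACCEPT" if ok else "REJECT", reason))
```

Running the file prints one line per scenario; only the well-formed config push and the genuine upgrade are accepted, and because a rejected frame never advances the counter, the counter value 3 that the refused downgrade carried is still usable by the legitimate upgrade that follows it.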