A researcher is set to detail how satellite tracking can be hacked, enabling misdirection of assets and theft.
Satellite tracking systems are used for myriad activities, including monitoring the progress of semi-trailers and armored car bank deliveries. In a session at the Black Hat USA conference on Aug. 5 in Las Vegas, Colby Moore, manager of special activities at Synack, will detail security risks in the GlobalStar simplex satcom protocol that could potentially enable attackers to do all manner of malicious things.
The GlobalStar satellite communication network is used for high-value asset tracking, including tanker cars, containers and armored car fleets, according to Moore. Unfortunately, he said, the GlobalStar system uses something called a direct sequence spread spectrum signal that can be intercepted and decoded.
"The direct sequence spread spectrum signal is generated with what is known as a pseudo-noise [PN] sequence," Moore explained to eWEEK. "Essentially, you have a secret pseudo-random sequence that both the transmitter and the receiver know."
The signal that a device or user transmits is mixed with the pseudo-random sequence at a fast rate, and that's what spreads the signal out over the spectrum. So to actually intercept the satellite signal, there is a need to know what the sequence is.
"So I came up with a way to reverse-engineer the sequence to get the key, or the spreading code as they call it," Moore said. "With that code, I could intercept code in transit from the ground to the satellite."
Going a step further, Moore explained that after receiving the data, he had to decode it, so he reverse-engineered the entire packet format, including the unique identifier, and was able to extract the actual data as well.
"There is no digital signing or encryption for the data, meaning I could modify any of the different fields and generate packets and then inject that back into the satellite data stream," he said. "So we can effectively spoof data."
As to why Moore's discovery is impactful, it all has to do with where the GlobalStar tracking system is being used. It could, for example, be in an industrial control system that monitors the status of a dam to make sure it isn't overflowing, he said. If an attacker could change the status, an environmental disaster could result.
Also, an attacker could find an armored car and somehow disable the transmitter on the car, according to Moore. The attacker could then use the hacked transmitter to provide a false report that the armored car is on track, while the attackers drive in the opposite direction and get away with all the cash.
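The control Moore says is missing (no digital signing, so fields can be modified and packets injected) can be sketched as follows. This is an added example, not code from the article, Synack or GlobalStar: a per-device HMAC tag plus a monotonic counter lets a receiver reject modified, forged and replayed reports on a one-way (simplex) link. The packet layout, field names, key provisioning and 8-byte tag length are assumptions for illustration, and the tag authenticates reports without encrypting them.

```python
import hashlib
import hmac
import struct

BODY_FMT = ">IIii"   # assumed layout: device id, counter, lat*1e5, lon*1e5
BODY_LEN = struct.calcsize(BODY_FMT)
TAG_LEN = 8          # assumed truncated HMAC-SHA256 tag for a small payload


def seal(key, device_id, counter, lat, lon):
    """Transmitter side: build a constructed position report with a MAC tag."""
    body = struct.pack(BODY_FMT, device_id, counter,
                       round(lat * 1e5), round(lon * 1e5))
    tag = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag


class Receiver:
    """Ground side: verifies the tag, then enforces a strictly rising counter."""

    def __init__(self, keys):
        self.keys = keys   # device_id -> per-device secret key (hypothetical store)
        self.last = {}     # device_id -> highest counter accepted so far

    def accept(self, packet):
        if len(packet) != BODY_LEN + TAG_LEN:
            return None
        body, tag = packet[:BODY_LEN], packet[BODY_LEN:]
        device_id, counter, lat, lon = struct.unpack(BODY_FMT, body)
        key = self.keys.get(device_id)
        if key is None:
            return None                      # unknown device id
        expected = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return None                      # modified field or forged packet
        if counter <= self.last.get(device_id, -1):
            return None                      # replay of an old, valid report
        self.last[device_id] = counter
        return device_id, counter, lat / 1e5, lon / 1e5


if __name__ == "__main__":
    key = b"\x01" * 32                       # constructed sample key
    rx = Receiver({7: key})
    report = seal(key, 7, 1, 36.1147, -115.1728)
    print("genuine :", rx.accept(report))
    print("replayed:", rx.accept(report))
```

Because the link is one-way, the receiver cannot issue a challenge, so freshness rests on the counter, which the device has to persist across power cycles.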
Moore said Synack contacted GlobalStar more than 180 days ago and got some initial interest but no response on how or if the system will be patched. GlobalStar did not respond to a request for comment from eWEEK about Moore's Black Hat talk.
"I think it's reasonable to expect that many of the other satellite systems out there have similar bugs," Moore said. "Few people have looked at these systems because the barrier to entry is so high, and so I hope my talk lowers the barrier so other security researchers can start looking at this issue."
Globalstar tracking system 'open to attack'
A widely used location-tracking system can be intercepted or fooled with fake data, claims a security researcher.
Many firms use Globalstar's satellite-based system to keep an eye on trucks, cars, containers and ships as they move around.
However, said Colby Moore from security firm Synack, the way it passes data around is "fundamentally broken" making it vulnerable to attack.
Globalstar has not yet issued any comment on Mr Moore's findings.
Mr Moore said the problems with Globalstar's network arise because it does not encrypt the data passing between devices and satellites. Instead, he said, the system attempts to conceal what it does by changing frequencies and padding transmissions with useless data.
The system also does not check that data was coming from where it claimed, he said.
"I ended up figuring out how to decode the data in transit," Mr Moore told Reuters, adding that it might prove hard to fix the flaws as existing hardware was not easy to update.
Globalstar has been told about the flaws, he added, but so far has not issued any updates or fixes.
Attackers could easily discover these flaws, he said, making it easy to spoof data or keep an eye on assets being tracked. Organised crime gangs, police and intelligence agencies might already be listening in, he said.
Mr Moore is planning to release more details about his work at the Black Hat hacker conference in Las Vegas next week. This month has seen the early release of other investigations into the security of cars and Android phones that will also feature at Black Hat.
Earlier this week, security experts from Zimperium released some information about a vulnerability that affected almost one billion Android handsets. Google has produced a patch for the bug but many handsets have yet to have it applied.
Last week, in separate demonstrations, Charlie Miller and Chris Valasek from security firm IOActive and Andy Davis from the UK's NCC Group showed how it was possible to attack some makes of car via their entertainment systems.
The IOActive work led car maker Chrysler to issue a recall of more than 1.4 million vehicles to patch the software hole.