So this is bad. Black Hat, the king of enterprise security conventions, kicked off today, and most noticeable amid the fusillade of security research was some impressive work from Ruben Santamarta of IOActive, whose team has unearthed worrying vulnerabilities in satellite communication systems, aka SATCOM, used by airplanes, ships, and military units worldwide.
Now, it’s not catastrophically bad: in particular, while attackers could mess with or disable your in-flight Wi-Fi, conceivably try to hack into devices connected to it, and/or disable all in-flight satellite comms, they couldn’t actually affect any systems which control the airplane. The bigger worries are in the military or maritime spheres, because these are remote vulnerabilities — anyone on the Internet can hack into a connected vulnerable SATCOM device. Which is to say, presumably most of them, since communication is their whole reason for being.
In the former case, in addition to the risk of attackers modifying or disabling satellite communications, devices with onboard GPS could leak the location of military units. And in both cases, this opens up the prospect of “cyber-physical attacks”, a brilliantly dystopic phrase if ever there was one; basically, if you crank enough power through a satellite antenna, it can radiate energy powerful enough that it affects biological tissue and electrical systems. Same general principle as a microwave oven.
But wait, it gets worse! These are embedded systems. In general there’s no easy way to beam a remote upgrade to them; in some cases the only upgrade is a wholesale replacement. And while there are mitigations (not fixes per se, but approaches which will reduce the severity and likelihood of attacks) for aviation and military SATCOM, maritime systems are … more problematic.
So. Don’t worry too much if you’re not a sailor or a soldier: your airplane won’t plunge or divert because of this … but someone sitting at a computer far away on the ground might be able to take over your in-flight Wi-Fi. Santamarta (who has a history of this kind of thing) and IOActive are working with vendors and unspecified “government agencies” to address these vulnerabilities, but it sounds like, at least on the high seas, this problem is going to be with us for a while.
(The full technical talk regarding these vulnerabilities is tomorrow; today’s press conference was merely a teaser. I’ll update this post with any important details which arise there.)