Satellite tracking systems are used for myriad activities, including monitoring the progress of semi-trailers and armored car bank deliveries. In a session at the Black Hat USA conference on Aug. 5 in Las Vegas, Colby Moore, manager of special activities at Synack, will detail security risks in the GlobalStar simplex satcom protocol that could potentially enable attackers to do all manner of malicious things.
The GlobalStar satellite communication network is used for high-value asset tracking, including tanker cars, containers and armored car fleets, according to Moore. Unfortunately, he said, the GlobalStar system uses something called a direct sequence spread spectrum signal that can be intercepted and decoded.
“The direct sequence spread spectrum signal is generated with what is known as a pseudo-noise [PN] sequence,” Moore explained to eWEEK. “Essentially, you have a secret pseudo-random sequence that both the transmitter and the receiver know.”
The signal that a device or user transmits is mixed with the pseudo-random sequence at a fast rate, and that’s what spreads the signal out over the spectrum. So to actually intercept the satellite signal, there is a need to know what the sequence is.
“So I came up with a way to reverse-engineer the sequence to get the key, or the spreading code as they call it,” Moore said. “With that code, I could intercept code in transit from the ground to the satellite.”
Going a step further, Moore explained that after receiving the data, he had to decode it, so he reverse-engineered the entire packet format, including the unique identifier, and was able to extract the actual data as well.
“There is no digital signing or encryption for the data, meaning I could modify any of the different fields and generate packets and then inject that back into the satellite data stream,” he said. “So we can effectively spoof data.”
As to why, Moore’s discovery is impactful, it all has to do with where the GlobalStar tracking system is being used. It could, for example, be in an industrial control system that monitors the status of a dam to make sure it isn’t overflowing, he said. If an attacker could change the status, an environment disaster could result.
Also, an attacker could find an armored car and somehow disable the transmitter on the car, according to Moore. The attacker could then use the hacked transmitter to provide a false report that the armored car is on track, while the attackers drive in the opposite direction and get away with all the cash.
Moore said Synack contacted GlobalStar more than 180 days ago and got some initial interest but no response on how or if the system will be patched. GlobalStar did not respond to a request for comment from eWEEK about Moore’s Black Hat talk.
“I think it’s reasonable to expect that many of the other satellite systems out there have similar bugs,” Moore said. “Few people have looked at these systems because the barrier to entry is so high, and so I hope my talk lowers the barrier so other security researchers can start looking at this issue.”
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.