Us 14 Santamarta SATCOM Terminals Hacking by Air Sea and Land
description
Transcript of Us 14 Santamarta SATCOM Terminals Hacking by Air Sea and Land
![Page 1: Us 14 Santamarta SATCOM Terminals Hacking by Air Sea and Land](https://reader034.fdocuments.us/reader034/viewer/2022051402/5695d3781a28ab9b029e0734/html5/thumbnails/1.jpg)
IOActive, Inc. Copyright ©2014. All Rights Reserved.
SATCOM Terminals Hacking by Air, Sea, and Land
Ruben Santamarta Principle Security Consultant
![Page 2: Us 14 Santamarta SATCOM Terminals Hacking by Air Sea and Land](https://reader034.fdocuments.us/reader034/viewer/2022051402/5695d3781a28ab9b029e0734/html5/thumbnails/2.jpg)
IOActive, Inc. Copyright ©2014. All Rights Reserved.
Agenda
• Introduction • Methodology • Attack surface • Vulnerabilities • Real world Attacks • Demo
![Page 3: Us 14 Santamarta SATCOM Terminals Hacking by Air Sea and Land](https://reader034.fdocuments.us/reader034/viewer/2022051402/5695d3781a28ab9b029e0734/html5/thumbnails/3.jpg)
IOActive, Inc. Copyright ©2014. All Rights Reserved.
Who Am I?
• Ruben Santamarta • Principal Security Consultant at IOActive • Reverse Engineering,
Research, Embedded, Software, ICS • rubens[at]ioactive[dot]com
![Page 4: Us 14 Santamarta SATCOM Terminals Hacking by Air Sea and Land](https://reader034.fdocuments.us/reader034/viewer/2022051402/5695d3781a28ab9b029e0734/html5/thumbnails/4.jpg)
IOActive, Inc. Copyright ©2014. All Rights Reserved.
SATELLITE COMMUNICATIONS
![Page 5: Us 14 Santamarta SATCOM Terminals Hacking by Air Sea and Land](https://reader034.fdocuments.us/reader034/viewer/2022051402/5695d3781a28ab9b029e0734/html5/thumbnails/5.jpg)
IOActive, Inc. Copyright ©2014. All Rights Reserved.
Maritime
Aerospace
Industrial Military
Emergencies Media
![Page 6: Us 14 Santamarta SATCOM Terminals Hacking by Air Sea and Land](https://reader034.fdocuments.us/reader034/viewer/2022051402/5695d3781a28ab9b029e0734/html5/thumbnails/6.jpg)
IOActive, Inc. Copyright ©2014. All Rights Reserved.
SPACE SEGMENT GROUND SEGMENT
![Page 7: Us 14 Santamarta SATCOM Terminals Hacking by Air Sea and Land](https://reader034.fdocuments.us/reader034/viewer/2022051402/5695d3781a28ab9b029e0734/html5/thumbnails/7.jpg)
IOActive, Inc. Copyright ©2014. All Rights Reserved.
Vendors Affected
![Page 8: Us 14 Santamarta SATCOM Terminals Hacking by Air Sea and Land](https://reader034.fdocuments.us/reader034/viewer/2022051402/5695d3781a28ab9b029e0734/html5/thumbnails/8.jpg)
IOActive, Inc. Copyright ©2014. All Rights Reserved.
SATCOM Terminals
![Page 9: Us 14 Santamarta SATCOM Terminals Hacking by Air Sea and Land](https://reader034.fdocuments.us/reader034/viewer/2022051402/5695d3781a28ab9b029e0734/html5/thumbnails/9.jpg)
IOActive, Inc. Copyright ©2014. All Rights Reserved.
Ideal Research Environment
![Page 10: Us 14 Santamarta SATCOM Terminals Hacking by Air Sea and Land](https://reader034.fdocuments.us/reader034/viewer/2022051402/5695d3781a28ab9b029e0734/html5/thumbnails/10.jpg)
IOActive, Inc. Copyright ©2014. All Rights Reserved.
Actual Research Environment
![Page 11: Us 14 Santamarta SATCOM Terminals Hacking by Air Sea and Land](https://reader034.fdocuments.us/reader034/viewer/2022051402/5695d3781a28ab9b029e0734/html5/thumbnails/11.jpg)
IOActive, Inc. Copyright ©2014. All Rights Reserved.
Methodology
![Page 12: Us 14 Santamarta SATCOM Terminals Hacking by Air Sea and Land](https://reader034.fdocuments.us/reader034/viewer/2022051402/5695d3781a28ab9b029e0734/html5/thumbnails/12.jpg)
IOActive, Inc. Copyright ©2014. All Rights Reserved.
Static Analysis
• Information gathering • Reverse engineering
![Page 13: Us 14 Santamarta SATCOM Terminals Hacking by Air Sea and Land](https://reader034.fdocuments.us/reader034/viewer/2022051402/5695d3781a28ab9b029e0734/html5/thumbnails/13.jpg)
IOActive, Inc. Copyright ©2014. All Rights Reserved.
Information Gathering
• Datasheets • Implementation and support guides • Success cases • Manuals • Public information • Press releases • Multimedia material: videos, presentations, pictures …
![Page 14: Us 14 Santamarta SATCOM Terminals Hacking by Air Sea and Land](https://reader034.fdocuments.us/reader034/viewer/2022051402/5695d3781a28ab9b029e0734/html5/thumbnails/14.jpg)
IOActive, Inc. Copyright ©2014. All Rights Reserved.
Information Gathering
• How was the system designed? • How is it typically deployed in real world
situations? • What are its components? • What are its main features?
![Page 15: Us 14 Santamarta SATCOM Terminals Hacking by Air Sea and Land](https://reader034.fdocuments.us/reader034/viewer/2022051402/5695d3781a28ab9b029e0734/html5/thumbnails/15.jpg)
IOActive, Inc. Copyright ©2014. All Rights Reserved.
Reverse Engineering
• Support software • Configuration, setup • Firmware
Device Firmware Support Software
![Page 16: Us 14 Santamarta SATCOM Terminals Hacking by Air Sea and Land](https://reader034.fdocuments.us/reader034/viewer/2022051402/5695d3781a28ab9b029e0734/html5/thumbnails/16.jpg)
IOActive, Inc. Copyright ©2014. All Rights Reserved.
Vulnerabilities
![Page 17: Us 14 Santamarta SATCOM Terminals Hacking by Air Sea and Land](https://reader034.fdocuments.us/reader034/viewer/2022051402/5695d3781a28ab9b029e0734/html5/thumbnails/17.jpg)
IOActive, Inc. Copyright ©2014. All Rights Reserved.
It’s Not a Bug, It’s a Feature
Hard coded Credentials
Backdoors
Insecure Protocols Undocumented
Protocols
• 13 CVEs • No patches
![Page 18: Us 14 Santamarta SATCOM Terminals Hacking by Air Sea and Land](https://reader034.fdocuments.us/reader034/viewer/2022051402/5695d3781a28ab9b029e0734/html5/thumbnails/18.jpg)
IOActive, Inc. Copyright ©2014. All Rights Reserved.
Inmarsat BGAN Terminals
• BGAN Stack • GateHouse – www.gatehoude.dk
• Customization/firmware • Hughes
• Different Vendors • Harris, JRC, Hughes …
![Page 19: Us 14 Santamarta SATCOM Terminals Hacking by Air Sea and Land](https://reader034.fdocuments.us/reader034/viewer/2022051402/5695d3781a28ab9b029e0734/html5/thumbnails/19.jpg)
IOActive, Inc. Copyright ©2014. All Rights Reserved.
Inmarsat BGAN Terminals
• VxWorks • USB, Ethernet, … • Firmweare
• Contains symbols • CRC • Upgrade via FTP • Debug/test/in house functionalities
![Page 20: Us 14 Santamarta SATCOM Terminals Hacking by Air Sea and Land](https://reader034.fdocuments.us/reader034/viewer/2022051402/5695d3781a28ab9b029e0734/html5/thumbnails/20.jpg)
IOActive, Inc. Copyright ©2014. All Rights Reserved.
Zing Protocol – CVE-2013-6035
• Undocumented binary protocol • Inmarsat BGAN/FB terminals and Thuraya IP • 1827/TCP • Dozens of functions – GPS/DSP/FGPA, Memory, Comms • Complete control over the terminal
4 bytes N bytes N bytes
00 00 00 05 00 08 00 00 00 00 01 00
Read Memory Address Length
![Page 21: Us 14 Santamarta SATCOM Terminals Hacking by Air Sea and Land](https://reader034.fdocuments.us/reader034/viewer/2022051402/5695d3781a28ab9b029e0734/html5/thumbnails/21.jpg)
IOActive, Inc. Copyright ©2014. All Rights Reserved.
Hard Coded Credentials - CVE-2013-6034
• FTP/Shell access
![Page 22: Us 14 Santamarta SATCOM Terminals Hacking by Air Sea and Land](https://reader034.fdocuments.us/reader034/viewer/2022051402/5695d3781a28ab9b029e0734/html5/thumbnails/22.jpg)
IOActive, Inc. Copyright ©2014. All Rights Reserved.
Demo
![Page 23: Us 14 Santamarta SATCOM Terminals Hacking by Air Sea and Land](https://reader034.fdocuments.us/reader034/viewer/2022051402/5695d3781a28ab9b029e0734/html5/thumbnails/23.jpg)
IOActive, Inc. Copyright ©2014. All Rights Reserved.
Hard-coded Credentials ThurayaIP - CVE-2014-0326 • VxQWorks • FTP/Shell access
![Page 24: Us 14 Santamarta SATCOM Terminals Hacking by Air Sea and Land](https://reader034.fdocuments.us/reader034/viewer/2022051402/5695d3781a28ab9b029e0734/html5/thumbnails/24.jpg)
IOActive, Inc. Copyright ©2014. All Rights Reserved.
![Page 25: Us 14 Santamarta SATCOM Terminals Hacking by Air Sea and Land](https://reader034.fdocuments.us/reader034/viewer/2022051402/5695d3781a28ab9b029e0734/html5/thumbnails/25.jpg)
IOActive, Inc. Copyright ©2014. All Rights Reserved.
ThraneLINK Insecure Protocol – CVE-2013-0328
• “ThraneLINK is a sophisticated communication protocol that connects the SAILOR products in a network, offering important new opportunities to vessels. It provides facility for remote diagnostics and enables access to all the SAILOR products from a single point for service. This results in optimized maintenance and lower cost of ownership because less time is needed for troubleshooting and service. Installation is made easier as ThraneLINK automatically identifies new products in the system. The uniform protocol is an open standard which provides a future proof solution for all vessels “ - Cobham
![Page 26: Us 14 Santamarta SATCOM Terminals Hacking by Air Sea and Land](https://reader034.fdocuments.us/reader034/viewer/2022051402/5695d3781a28ab9b029e0734/html5/thumbnails/26.jpg)
IOActive, Inc. Copyright ©2014. All Rights Reserved.
![Page 27: Us 14 Santamarta SATCOM Terminals Hacking by Air Sea and Land](https://reader034.fdocuments.us/reader034/viewer/2022051402/5695d3781a28ab9b029e0734/html5/thumbnails/27.jpg)
IOActive, Inc. Copyright ©2014. All Rights Reserved.
ThraneLINK – Discovery Phase (Client Side)
• Service Locater Protocol (SLP) – OpenSLP
• Attributes
![Page 28: Us 14 Santamarta SATCOM Terminals Hacking by Air Sea and Land](https://reader034.fdocuments.us/reader034/viewer/2022051402/5695d3781a28ab9b029e0734/html5/thumbnails/28.jpg)
IOActive, Inc. Copyright ©2014. All Rights Reserved.
ThraneLINK – Discovery Phase (Client Side)
![Page 29: Us 14 Santamarta SATCOM Terminals Hacking by Air Sea and Land](https://reader034.fdocuments.us/reader034/viewer/2022051402/5695d3781a28ab9b029e0734/html5/thumbnails/29.jpg)
IOActive, Inc. Copyright ©2014. All Rights Reserved.
ThraneLINK Remote Management (Server Side)
• Features • Firmware update • Diagnostic • Reboot • Forwarded Syslog
• Custom configuration settings
• Implementation • SNMP
1. System config 2. Software download 3. Diagnostics report 4. Logging
![Page 30: Us 14 Santamarta SATCOM Terminals Hacking by Air Sea and Land](https://reader034.fdocuments.us/reader034/viewer/2022051402/5695d3781a28ab9b029e0734/html5/thumbnails/30.jpg)
IOActive, Inc. Copyright ©2014. All Rights Reserved.
Demo
![Page 31: Us 14 Santamarta SATCOM Terminals Hacking by Air Sea and Land](https://reader034.fdocuments.us/reader034/viewer/2022051402/5695d3781a28ab9b029e0734/html5/thumbnails/31.jpg)
IOActive, Inc. Copyright ©2014. All Rights Reserved.
Predictable Admin Reset Code – CVE-2013-7810 • COBHAM • Explorer/Sailor/Aviator/VSAT
![Page 32: Us 14 Santamarta SATCOM Terminals Hacking by Air Sea and Land](https://reader034.fdocuments.us/reader034/viewer/2022051402/5695d3781a28ab9b029e0734/html5/thumbnails/32.jpg)
IOActive, Inc. Copyright ©2014. All Rights Reserved.
![Page 33: Us 14 Santamarta SATCOM Terminals Hacking by Air Sea and Land](https://reader034.fdocuments.us/reader034/viewer/2022051402/5695d3781a28ab9b029e0734/html5/thumbnails/33.jpg)
IOActive, Inc. Copyright ©2014. All Rights Reserved.
Predictable Admin Reset Code – CVE-2013-7810 • Device serial number
• Hex. 16 bytes, padded with zeros • Hard coded string (redacted)
• “kd04rafIOACTIVE” (16 bytes)
import md5 m = md5.new() m.update("\x12\x34\x56\x78"+"\x00"*12) m.update("kdf04rafIOACTIVE") m.hexdigest()
![Page 34: Us 14 Santamarta SATCOM Terminals Hacking by Air Sea and Land](https://reader034.fdocuments.us/reader034/viewer/2022051402/5695d3781a28ab9b029e0734/html5/thumbnails/34.jpg)
IOActive, Inc. Copyright ©2014. All Rights Reserved.
Aviator 700D
![Page 35: Us 14 Santamarta SATCOM Terminals Hacking by Air Sea and Land](https://reader034.fdocuments.us/reader034/viewer/2022051402/5695d3781a28ab9b029e0734/html5/thumbnails/35.jpg)
IOActive, Inc. Copyright ©2014. All Rights Reserved.
Who Am I?
• Ruben Santamarta • Principal Security Consultant at IOActive • Reverse Engineering,
Research, Embedded, Software,ICS
![Page 36: Us 14 Santamarta SATCOM Terminals Hacking by Air Sea and Land](https://reader034.fdocuments.us/reader034/viewer/2022051402/5695d3781a28ab9b029e0734/html5/thumbnails/36.jpg)
IOActive, Inc. Copyright ©2014. All Rights Reserved.
Demo
![Page 37: Us 14 Santamarta SATCOM Terminals Hacking by Air Sea and Land](https://reader034.fdocuments.us/reader034/viewer/2022051402/5695d3781a28ab9b029e0734/html5/thumbnails/37.jpg)
IOActive, Inc. Copyright ©2014. All Rights Reserved.
Admin Code ‘Backdoor’ -
![Page 38: Us 14 Santamarta SATCOM Terminals Hacking by Air Sea and Land](https://reader034.fdocuments.us/reader034/viewer/2022051402/5695d3781a28ab9b029e0734/html5/thumbnails/38.jpg)
IOActive, Inc. Copyright ©2014. All Rights Reserved.
Demo
![Page 39: Us 14 Santamarta SATCOM Terminals Hacking by Air Sea and Land](https://reader034.fdocuments.us/reader034/viewer/2022051402/5695d3781a28ab9b029e0734/html5/thumbnails/39.jpg)
IOActive, Inc. Copyright ©2014. All Rights Reserved.
AVIATOR SDU Shell Hardcoded Credentials – CVE-2014-2964
![Page 40: Us 14 Santamarta SATCOM Terminals Hacking by Air Sea and Land](https://reader034.fdocuments.us/reader034/viewer/2022051402/5695d3781a28ab9b029e0734/html5/thumbnails/40.jpg)
IOActive, Inc. Copyright ©2014. All Rights Reserved.
Cobham TBus2 Hardcoded Credentials – CVE-2014-2941
![Page 41: Us 14 Santamarta SATCOM Terminals Hacking by Air Sea and Land](https://reader034.fdocuments.us/reader034/viewer/2022051402/5695d3781a28ab9b029e0734/html5/thumbnails/41.jpg)
IOActive, Inc. Copyright ©2014. All Rights Reserved.
Cobham TBus2 Hardcoded Credentials – CVE-2014-2941
![Page 42: Us 14 Santamarta SATCOM Terminals Hacking by Air Sea and Land](https://reader034.fdocuments.us/reader034/viewer/2022051402/5695d3781a28ab9b029e0734/html5/thumbnails/42.jpg)
IOActive, Inc. Copyright ©2014. All Rights Reserved.
Demo
![Page 43: Us 14 Santamarta SATCOM Terminals Hacking by Air Sea and Land](https://reader034.fdocuments.us/reader034/viewer/2022051402/5695d3781a28ab9b029e0734/html5/thumbnails/43.jpg)
IOActive, Inc. Copyright ©2014. All Rights Reserved.
IRIDIUM – Pilot Hard Coded Account
![Page 44: Us 14 Santamarta SATCOM Terminals Hacking by Air Sea and Land](https://reader034.fdocuments.us/reader034/viewer/2022051402/5695d3781a28ab9b029e0734/html5/thumbnails/44.jpg)
IOActive, Inc. Copyright ©2014. All Rights Reserved.
Demo
![Page 45: Us 14 Santamarta SATCOM Terminals Hacking by Air Sea and Land](https://reader034.fdocuments.us/reader034/viewer/2022051402/5695d3781a28ab9b029e0734/html5/thumbnails/45.jpg)
IOActive, Inc. Copyright ©2014. All Rights Reserved.
IRIDIUM Pilot Unauthenticated Firmware Upload
![Page 46: Us 14 Santamarta SATCOM Terminals Hacking by Air Sea and Land](https://reader034.fdocuments.us/reader034/viewer/2022051402/5695d3781a28ab9b029e0734/html5/thumbnails/46.jpg)
IOActive, Inc. Copyright ©2014. All Rights Reserved.
Demo
![Page 47: Us 14 Santamarta SATCOM Terminals Hacking by Air Sea and Land](https://reader034.fdocuments.us/reader034/viewer/2022051402/5695d3781a28ab9b029e0734/html5/thumbnails/47.jpg)
IOActive, Inc. Copyright ©2014. All Rights Reserved.
Real World Attacks
Maritime Aerospace Military
![Page 48: Us 14 Santamarta SATCOM Terminals Hacking by Air Sea and Land](https://reader034.fdocuments.us/reader034/viewer/2022051402/5695d3781a28ab9b029e0734/html5/thumbnails/48.jpg)
IOActive, Inc. Copyright ©2014. All Rights Reserved.
Demo
![Page 49: Us 14 Santamarta SATCOM Terminals Hacking by Air Sea and Land](https://reader034.fdocuments.us/reader034/viewer/2022051402/5695d3781a28ab9b029e0734/html5/thumbnails/49.jpg)
IOActive, Inc. Copyright ©2014. All Rights Reserved.
Vendor Responses
• TBD