by Craig Gibson (Principal Threat Defense Architect)
Already a vital part of both the internet of things and the critical infrastructure of the internet, satellites are set to take on a more significant role with the emergence of 5G cellular network technology and the continuing expansion of the internet of things (IoT). While terrestrial networks handle peak load well, disaster handling and critical infrastructure scenarios are served well by satellites, which are unaffected by most ground-based events. Ensuring the security of satellites, therefore, acquires even greater importance and warrants more initiatives to that end. The 5G Public-Private Partnership (5GPPP), for one thing, is working with large-scale entities like the EU Horizon 2020 in maximizing the mediation potential of governments with the investment of the private sector for the protection of space as well as land 5G telecommunications.
Benefits of 5G satellites in IoT environments
The satellite network is referred to as a global area network (GAN), and within that is the broadband global area network (BGAN) for satellite data. The BGAN and 5G take advantage of each other in a variety of ways that bring benefits to the IoT, specifically the industrial internet of things (IIoT). These benefits include reduced operating expenses (OPEX) and IoT management methods such as large-area update and modification of IoT systems and devices through firmware and software updates. One example of the latter is the use of a satellite to update the subscriber identity module (SIM) cards in mobile IoT devices such as autonomous vehicles. This “efficient content delivery” is planned for a variety of reasons, such as its bypassing of a degree of telecom complexity and expense by allowing 5G devices to be accessed directly by satellite.
The ability to update IoT devices from space can benefit a variety of industries that aim to reduce OPEX by increasing efficiency, including the automotive sector, where it’s referred to as firmware/software update over the air (FOTA/SOTA). This also addresses issues of vehicles, such as ships and unmanned aerial vehicles (UAVs), that may not have cellular packages or may operate in remote areas without coverage, like the middle of a large industrial park or smart factory, a remote road, a site flying at altitude, an open-faced mine, or the open sea. Satellite phones (aka satphones) also use this ability as part of their core function.
Satellites as a threat vector
In information security, there are a number of paths or directions (also known as vectors) a threat (a person or nation-state, for example) can take; these are called threat vectors. One threat vector is the satellite. Like most paths in the real world, the satellite threat vector goes both ways, up and down (space and ground). It even goes up and sideways (from the ground to satellite to satellite,) and down and sideways (satellite to ground to ground.)
Figure 1: User equipment enabled by 5G (such as cellphones and IoT devices) receiving satellite radio access network (RAN) messages from the core network (CN) on the ground
Most satellites are intended to be “pass-through” or “dumb pipe” transmission methods meant to counter geography-related issues such as laying cables across mountain ranges or economic issues such as sending a single message to many receivers. For this reason, the radio-related security in most satellites is minimal. The risk posed by bouncing a malicious signal off a satellite (which could be malware or coordination of criminal activity) is large.
Global communications satellite networks such as the Inmarsat and Iridium use modified GSM SIM cards. The satellites in these networks are functionally equivalent to GSM land-based cell towers. Many use a bridge between the telecom and satellite domains called an intermediate module repeater (IMR), which passes “invisible” SIM management over-the-air (SIM-OTA) messages from satellite to 4G or earlier domains. For many functions, this IMR is not needed in 5G as the SIM update messages can be passed directly to the user equipment from orbit.
It’s also worth noting that many satellite-related attacks using radio rely on the target satellites’ being overhead. The Encyclopedia Astronautica and other online catalogs are means by which attackers can select target satellites and predict when they will be overhead.
Types of attacks
A variety of telecommunications frauds such as international revenue share fraud (IRSF) are made much more profitable through the use of satellite connections. By routing attacks across very expensive infrastructure (or even just “appearing” to through satellite spoofing), attackers can increase the criminal value of the attacks. In this context, criminal value may be likened to the cost of a call: Where a normal call might cost only US$0.03 per minute, a satellite call could cost as much as US$18 per minute. The difference between the two is the revenue an attacker gets through this fraud type when performed across a satellite network. (The range of frauds and related crimes is detailed in a report by the Communications Fraud Control Association.)
It should be noted that the normal approach adopted by the telecom industry when expensive frauds are performed is to block the most convenient number range or geographic region. This, however, historically leaves the targets without any service at all, a situation known as telephony denial of service (TDoS). Knowing this, the attackers can choose the group that will be subjected to TDoS since the number range is chosen by them. The target group can be any group the attackers desire to deprive of service, such as a demographic, a specific set of equipment like smart factory robots, a cluster of cellphones, or a geographic region like an island nation. If the attackers’ choice is well thought out, the victims may have no means of restoring the service. In some cases, the denial of service may be so severe that the victims may have to physically drive or fly to their provider to request resumption of service. In extreme cases, the serving satellite itself may be functionally blocked from providing service.
In the Iridium satellite network, radio cross-links are used between satellites to relay data to the nearest satellite with a connection to an earth station. In this way, an attacker may appear as coming from one satellite when it in fact comes from multiple locations and is served only by the one closest to the victim.
The possession of satphones is prohibited or otherwise restricted in some countries, including China, India (which allows Inmarsat only), Myanmar, North Korea, and Russia (which since 2012 has required registration of devices with the national government and use of registered devices for only six months).
One of the reasons satphones and satellite access in general pose problems for governments is that they “break” geography. A landline or cellphone needs to pass through a terrestrial network containing devices controlled or regulated by the host nation and intercept (lawful wiretap) devices. By their nature, satellites and satphones communicate vertically, without crossing land-based or non-orbital network security devices such as wiretap. In this way, satphones and satellite-served IoT devices may not be controlled at all by the countries the satellites’ orbits cross. Satellite-enabled telecom devices may in fact not cross traditional network security perimeters very often, if at all.
Moreover, since lawful intercept typically requires a court order, it is often limited by jurisdiction. Clever attackers will therefore choose as their targets satellites that are under the jurisdiction of countries in which court orders are unlikely to be granted in time.
Attack scenarios and their consequences
Most satellites are more than five years old and are likely to be lacking the means of patching vulnerabilities discovered in the time they’ve been in orbit. Much of the security that did make it into orbit was the result of standards-based auditing, lacking radio hardening — meaning the only way of reaching most satellites in space (that is, radio) is the method with least security.
Attack scenarios that vulnerabilities in most satellites represent include:
• False earth station – Satellites are controlled from the ground through earth or base stations. If the authentication between the earth station and the satellite is poor or nonexistent, an attacker can gain control of the satellite or its transmitted payload.
• Evil satellite twin – A criminal setup or device located at altitude, such as a financial district building, the belly of a drone, or a hacked satellite, can broadcast information as though it came from a legitimate source. The expected action based on satellite information would then be easily manipulated, resulting in situations such as GPS creating gridlock on a highway, autonomous vehicles becoming lost, a television broadcast being overwritten with terrorist propaganda, or even blocking or jamming of broadcast satellite communications and control.
• Inter-satellite trust – Satellites are often part of mesh networks in which they trust one another, allowing other satellites in the network to sit with their security perimeter. Since satellites are usually unhardened to radio, posing as a member of the network grants easy access to it.
Consequences of these scenarios include: false telemetry injection into systems and devices such as robots, ships, tanks, autonomous vehicles, and 5G networks, in a fashion similar to Iran’s downing of a CIA Sentinel drone; a GPS evil twin enforcing GPS skew to wreak logistic chaos, as when self-driving cars that do not know where to go are compelled to stop, in turn causing a gridlock; and overriding of military GPS skew used during field operations.
The complexity, volatility, and scalability of 5G require a level of automation never before seen in the telecommunications domain. It is therefore necessary to address the evolution of information security models that do not tolerate perimeter-less and porous-perimeter networks.
Security orchestration enabled by 5G machine learning is needed to detect new threats in this automated always-on data-driven global model. This is a risk-based artificial intelligence model that has been used successfully in banks and trading floors for over a decade, modified for use in other environments.
The dawn of 5G pulls the complexity of the telecom domain into the information technology (IT) domain, including entire classes of threat actors that had been isolated in 4G. In 5G, telecom threat actors have the new ability to land inside the so-called security “fence” from above through satellites as well as from below through telecom.
One of the more promising options that could help ensure satellite security is blockchain, which has been touted as a secure decentralized distributed ledger. Already, the U.S. Department of Defense’s Defense Advanced Research Projects Agency (DARPA) is exploring the use of blockchain in securing satellites, while the telecom and banking industries are seeking to establish the interoperability of their models using the technology. All three may settle on the value of blockchain as a means of securing transactions across infrastructures, while tapping on machine learning and artificial intelligence to thwart other escalating threats such as criminal artificial intelligence.