back to article In space, no one can hear cyber security professionals scream

"Space is an invaluable domain, but it is also increasingly crowded and particularly susceptible to a range of cyber vulnerabilities and threats." That's not an overblown sci-fi movie strapline, but rather the chilling words of Gina Galasso, managing director of The Aerospace Corporation UK, a member of the international …

  1. elsergiovolador Silver badge

    Obscurity

    "from the ground stations transferring the data to the telemetry stream, which is not currently encrypted,"

    Reminds me of a tech lead when asked that one of the company databases is publicly accessible on the internet. He said "It's not on a standard port and there is nothing interesting in there."

    Who is going to listen to satellite traffic? It's just boring numbers anyway...

    1. Pascal Monett Silver badge

      Re: It's just boring numbers anyway

      You do know that, for a computer, pictures are just boring numbers ?

      Pictures transmitted by spy satellites, for example.

      I'm pretty sure there's a lot of people who would not find those numbers boring at all.

      1. Bryan B

        Re: It's just boring numbers anyway

        Missed irony alert.

    2. jdiebdhidbsusbvwbsidnsoskebid Bronze badge

      Re: Obscurity

      Reminds me of something told to me by someone who really should have known better: They said that geo stationary satellites were immune to jamming from the ground because they were "too far away to be jammed".

      1. fargoneicehole

        Re: Obscurity

        mmm raspberry

        1. Down not across Silver badge

          Re: Obscurity

          There is only one man who would dare give me the raspberry!

          Lone Starr

    3. nojobhopes

      Re: Obscurity

      Exactly. After some keen amateur decoded video from SpaceX experimental launches the company decided to encrypt their comms. https://www.redorbit.com/spacex-begins-encrypting-telemetry-data-from-rocket-launches/

  2. Paul Crawford Silver badge
    Facepalm

    The technology and CCSDS standards for securing satellite links has been available for at least 2 decades.

    Of course every new generation of 'experts' seems to ignore them!

  3. fargoneicehole
    Joke

    fireworks pshaw... so terrestrial

    A nudge to the left here, and a nudge to the right over there, disable proximity detection... a few days later and we have fireworks every night for the foreseeable future

  4. Tron

    -set living standards back by decades.

    Brexit has already done that. Losing the satellites will just be the final piece of the puzzle. It would be weird to have limited choice on supermarket shelves, everything shooting up in price, sterling low in the water, huge delays in NHS care, long haul travel only for the wealthy and powerful, delays in waste collection, a rise in hate crime, football fans standing again and everyone buying second hand motors, yet having 21stC satellite systems. It would wreck the retro feel. The government have worked hard for several years to get us this far. We can't stop now, just when 1976 is within reach (including the heat wave). Take down those satellites now.

    -Persistent, over-the-horizon vision and continual, assured, high data-rate connectivity is fundamental in winning modern wars.

    Well it didn't work in Afghanistan against the guys with donkeys. Maybe they put 'the donkey conundrum' in a footnote.

    1. Binraider Silver badge

      Re: -set living standards back by decades.

      On the subject of guys with donkeys. An interesting argument is put forward in the excellent "A Distant Plain" by GMT Games is that "irregular warfare" is, if anything, the most common form of warfare. Not just today, but throughout the whole of history. Nation states slugging it out, while obviously not unknown, is relatively uncommon.

      Vietnam taught planners all over the globe, that to defeat the US, one does not tackle them in a standup fight. The west is not loss tolerant; and even with a 40:1 casualty ratio (or significantly worse), the insurgency can come out on top if it's prepared to endure.

      Donkeys don't need petrol or diesel; don't need mechanics, logistical support, are relatively inexpensive, and highly effective even on the roughest terrain. Contrast that to moody mechanical steeds being bound to mostly good terrain, heavy lifting requirements, logistical overheads etc. Sometimes, the latest and greatest gadget really isn't what's needed. See also, Germany, 1939-45, pursuing technological panacea. Amazing progress made, but the outcome certainly from 1943 onwards was never in doubt; mostly because the Russians were able to absorb losses in ways Germany couldn't.

      Information can and does help with tactical problems. But winning firefights does nothing to win a hearts and minds campaign. And low and behold history more or less repeats itself where lessons are not learned.

  5. hoofie

    You can easily communicate to/from a low earth orbit Amateur Radio satellite with a 30 quid handheld radio. Telemetry is piss-easy to download with modern SDR radio dongles. I've sent data packets up the ISS on 10W from the West Coast of Australia and had them re-transmitted down to the East Coast.

    That's of course Amateur Stuff which is designed to be accessible.

    Last year an Amateur operator found an old "Military" satellite that turned out to be alive. Reverse Engineering a signal/data stream is easier with modern computers and technology - the cost/effort to getting the raw signal is a lot lower than it was 20 years ago.

    1. Yet Another Anonymous coward Silver badge

      >an Amateur operator found an old "Military" satellite that turned out to be alive

      If it asks whether you want to play a game, may I recommend you select 'no'

      1. The Dark Side Of The Mind (TDSOTM)

        Re: "If it asks whether you want to play a game, may I recommend you select 'no'"

        If you accidentally select 'yes', then make sure you choose to play 'tic-tac-toe' instead of 'Go' or 'Chess'.

        1. bombastic bob Silver badge
          Happy

          Re: "If it asks whether you want to play a game, may I recommend you select 'no'"

          and don't forget to water the flowers

    2. bombastic bob Silver badge
      Devil

      back in the early days of teh intarwebs only a relative handful of people, the vast majority of whom were NOT potential miscreants, could access other computers on teh intarwebs. So the *pressing* need for security was a *bit* less than it is now. (A *bit* being more like the comparison between dust and boulders, knowing that you really do not want dust to accumulate either).

      Currently, only a relative handful of people have access to satellites via radio. Obvious comparison follows.

  6. Potemkine! Silver badge

    There are some many ways to be pwned that sometimes I wonder why there aren't more systems going down. I guess this is because surface attacks are so huge and devices so numerous that miscreants haven't the time to target them all. For now.

    Instead, there are lots of lawyers and political science folks who work in cyber policy and approach the issues from a purely theoretical perspective, using the newest buzzwords to get their unimplementable policy through."

    This description fits a lot of domains, not cybersecurity only!

  7. herman Silver badge
    Black Helicopters

    SATNOGS

    There are many earth observation satellites that provide data streams that can be intercepted by hobbyists. See https://satnogs.org/

  8. Binraider Silver badge

    The article infers that most policy wonks aren't informed at the technical level. One forgets that even if they are, the budget required to go back and fix things is not only astronomical, but ongoing.

    The solutions to this lie in future build is in simplified systems, and the "box" responsible for deploying them to correctly configure on day one. You know, basic stuff like not having universal passwords on components. Op Systems that don't have attack surfaces the size of continents would also be a good place to start; as would eliminating OS and Software that has built in obsolescence by design/commercial framework.

    Removing state-sponsored built-in backdoors while you're at it wouldn't go amiss.

    And perhaps most of all, not using desktop, consumer OS' "because they are cheap", in places they really should not be used. Seen this in far too many industrial computers for comfort.

  9. Mike 137 Silver badge

    An uncomfortable truth

    '"There are less than a handful of policy wonks who know anything about cyber security on the technical level," Kubecka says'

    In the UK, cyber security is "managed" at strategic level by the department of 'Digital', Culture, Media and Sport. Says it all really.

  10. MachDiamond Silver badge

    Only one ball of string

    I see in many cases that large companies have their whole operation run with one big piece of software. The long supply chain that has thousands of vendors logging into it is a couple of permission levels away from the goodie store (source codes, salary information, HR, AP, AR, GL, meeting minutes). Is that done for the convenience of secretaries that are tasked with pulling up company-wide reports for the execs? Is it so the execs can tap into any information they want from anywhere in the local solar system (on the right side of the sun, obviously)?

    Iran's nuclear lab got played by not having their computers air-gapped. This happens frequently with systems you would really thing should be off-line or on a non-internet private network. It's like a navy having everything in one system so a vulnerability with their recruitment website could lead to a listing of submarine deployments and the PII of the officers on those ships.

    While gapping systems either physically or by removing cross access can be inconvenient for some, the cost to a hospital where a cleaner clicks a ransomware link leads to the locking of every system in the hospital is plain stupidity. When I had a manufacturing company, the computers set up for design, CAD and product development notes was not connected to the internet or the internal network. Some of the magic in what we made was down to details in the manufacture that wouldn't be obvious in the finished product. If somebody had a copy of the build procedures, they'd have the keys to the castle. Some of the materials were down to specific vendors. While they looked pretty generic, they most definitely weren't. I still got stomped by the Chinese on price, but they were never able to get anywhere near the quality.

    1. Anonymous Coward
      Anonymous Coward

      Re: Only one ball of string

      If I'm not mistaken, Iran's centrifuge farms with Siemens PLCs were on air-gapped networks of their own. The network was infected with Stuxnet via USB.

      Air gapping is effective at certain tasks, but not invulnerable. I have seen working implementations of an air-gapped, but infiltrated unit where the fan speed was modulated in malware to produce an audible signalling system. This was then read off by microphones on less secure networks (a mobile phone would be enough to do it - and not be noticed). Obviously the bit rate was atrocious but that isn't the point of such an example!

      I will grant you that standards like IEC60870 for SCADA telecomms interchange have plenty of demonstrated weaknesses to man-in-the middle attacks amongst other things - air gapping at least stands as something of a barrier to this.

      A/C because employer happens to also have examples of the same PLCs that were vulnerable to Stuxnet.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like