Incident Details

Incident: Satellite Communication Systems Vulnerable to Cyber-Physical Attacks

Published Date: 2018-08-09

Postmortem Analysis
Timeline	1. The software failure incident happened in August 2018. - Clues from Article 74402: The article was published on 2018-08-10, and it mentions the research presented at the Black Hat information security conference in Las Vegas, which was happening around that time. - Clues from Article 74796: The article was published on 2018-08-09, and it mentions that details of the vulnerabilities would be presented later on Thursday at the Black Hat security conference in Las Vegas, indicating the incident was recent.
System	1. Satellite communication systems used on ships, planes, and military bases [74402, 74796] 2. Satellite antennas vulnerable to cyber-physical attacks [74402, 74796] 3. Satellite ground stations on ships and in US military bases [74796]
Responsible Organization	1. Hackers were responsible for causing the software failure incident as they exploited vulnerabilities in satellite communication systems [74402, 74796].
Impacted Organization	1. Military users were impacted by the software failure incident as their satellite communication systems were vulnerable to cyber-physical attacks and location exposure [74402, 74796]. 2. Maritime users were also impacted by the software failure incident as their satellite systems could potentially be controlled by attackers to aid eavesdropping or damage the antenna [74796].
Software Causes	1. Vulnerabilities in popular satellite communication systems that could be exploited by hackers to carry out cyber-physical attacks, leak information, and hack connected devices [74402, 74796]. 2. Security weaknesses in the software that operates the satellite antennas, allowing attackers to seize control and disrupt, intercept, or modify communications passed through the antenna [74402]. 3. Backdoors in the controlling code of satellite communication systems that could be exploited by attackers to gain control over the systems [74796]. 4. Lack of secure software updates for some devices, requiring the replacement of the entire device with a more modern version running less hackable code [74796].
Non-software Causes	1. The vulnerability in satellite communication systems was due to security weaknesses in the software that operates the antenna, allowing attackers to seize control [74402]. 2. Backdoors were found in the controlling code of satellite communication systems, potentially inserted during software development, which could not be updated with secure software [74796].
Impacts	1. The vulnerability in satellite communication systems could lead to cyber-physical attacks, turning satellite antennas into weapons that operate like microwave ovens, potentially disrupting, intercepting, or modifying communications passed through the antenna [74402]. 2. The attack could leak information and hack connected devices, posing a safety risk for military and maritime users [74402]. 3. Military and maritime users are at risk of cyber-physical attacks, such as repositioning the antenna and launching a high-intensity radio frequency attack, which could cause physical damage to electrical systems [74402]. 4. The attack exposes the location of the satellite antenna, which poses a safety risk for military bases [74402]. 5. The vulnerabilities could allow attackers to take control of satellite systems used on aircraft, ships, and by the military, potentially overcharging satellite antennas to damage equipment or harm operators [74796]. 6. Attackers could betray the exact location of military forces in crisis zones using the vulnerabilities in satellite systems [74796].
Preventions	1. Implementing strong security measures and regular security audits to identify and patch vulnerabilities in satellite communication systems [74402, 74796]. 2. Ensuring that satellite systems have secure software development practices to prevent the insertion of backdoors that could be exploited by attackers [74796]. 3. Updating vulnerable devices with secure software to mitigate the risk of attacks [74796]. 4. Swapping out outdated devices with modern versions running less hackable code if secure software updates are not feasible [74796].
Fixes	1. Manufacturers working with IOActive to harden devices against attacks [Article 74796]. 2. Swapping entire devices for more modern versions running less hackable code where secure software updates are not possible [Article 74796].
References	1. Ruben Santamarta, researcher for the information security firm IOActive [Article 74402, Article 74796] 2. Black Hat information security conference in Las Vegas [Article 74402] 3. IOActive [Article 74796] 4. Technology news site eWeek [Article 74796]

Software Taxonomy of Faults

Category	Option	Rationale
Recurring	one_organization, multiple_organization	(a) The software failure incident related to vulnerabilities in satellite communication systems has happened again at the same organization, IOActive. Ruben Santamarta, a researcher for IOActive, presented research in 2014 on vulnerabilities in satellite communication systems and then carried out further research on the same topic in 2018, indicating a recurrence of the issue within the organization [74402, 74796]. (b) The incident has also occurred with other organizations or their products and services. The vulnerabilities in satellite systems were found to affect systems used on aircraft, ships, and by the military, indicating a broader impact across multiple organizations and sectors [74402, 74796].
Phase (Design/Operation)	design, operation	(a) The software failure incident related to the design phase is evident in the articles. Ruben Santamarta, a researcher for IOActive, discovered vulnerabilities in popular satellite communication systems that could be exploited by hackers to carry out cyber-physical attacks [74402, 74796]. These vulnerabilities were found to be due to security weaknesses in the software that operates the satellite antennas, allowing attackers to seize control and potentially disrupt, intercept, or modify communications passing through the antennas. The vulnerabilities were not maliciously inserted backdoors but were likely added during software development, indicating a design flaw in the system. (b) The software failure incident related to the operation phase is also highlighted in the articles. The vulnerabilities discovered by IOActive could potentially allow attackers to take control of satellite systems used on aircraft, ships, and military bases [74402, 74796]. Attackers could exploit these vulnerabilities to overcharge satellite antennas, betray the exact location of military forces, or even damage the equipment or harm operators. These issues point to failures in the operation or misuse of the systems, as attackers could potentially gain control over satellite receivers on ships to aid eavesdropping or damage the antenna by increasing its power output.
Boundary (Internal/External)	within_system, outside_system	(a) within_system: - The software failure incident discussed in the articles is primarily due to vulnerabilities and bugs within the satellite communication systems used on aircraft, ships, and by the military [74402, 74796]. - The vulnerabilities in the software that operates the satellite antennas allow attackers to seize control, disrupt, intercept, or modify communications passed through the antenna [74402]. - The attack works by connecting to the satellite antenna from the ground through the internet and exploiting security weaknesses in the software [74402]. - The vulnerabilities include backdoors in the controlling code of the satellite communication systems, which were likely added during software development [74796]. - The software failure incident involves flaws in the satellite systems that could potentially lead to cyber-physical attacks, such as repositioning the antenna and launching high-intensity radio frequency attacks [74402]. - IOActive, the firm that discovered the vulnerabilities, is working with manufacturers to address the bugs and harden the devices against attacks [74796]. (b) outside_system: - The software failure incident also involves external factors such as the potential for hackers to exploit the vulnerabilities in the satellite communication systems [74402, 74796]. - Attackers can take advantage of the vulnerabilities to carry out cyber-physical attacks, turning satellite antennas into weapons that operate like microwave ovens [74402]. - The safety risk posed by the software failure incident is higher for military and maritime users compared to the aviation sector [74402]. - The vulnerabilities could allow attackers to betray the exact location of military forces in crisis zones, indicating a potential external threat to the system [74796]. - IOActive delayed publishing details of its findings to allow manufacturers to address the vulnerabilities and mitigate the risks posed by external attackers [74796].
Nature (Human/Non-human)	non-human_actions, human_actions	(a) The software failure incident occurring due to non-human actions: - The vulnerability in satellite communication systems that could lead to cyber-physical attacks, turning satellite antennas into weapons, was identified as a non-human action software failure incident [74402, 74796]. - The attack works by exploiting security weaknesses in the software that operates the antenna to seize control, allowing for disruption, interception, or modification of communications passed through the antenna [74402]. - The vulnerabilities in satellite systems were found to be due to bugs that could be exploited by hackers to take control of the systems, potentially causing harm or damage [74796]. - Some vulnerabilities could betray the exact location of military forces in crisis zones, indicating a failure introduced without human participation [74796]. (b) The software failure incident occurring due to human actions: - The backdoors found in the controlling code of satellite communication systems were not inserted maliciously but were likely added during software development, suggesting a failure introduced by human actions [74796]. - Manufacturers were working to harden devices against attacks and were acting to negate the bugs identified by IOActive, indicating a response to failures introduced by human actions [74796].
Dimension (Hardware/Software)	hardware, software	(a) The software failure incident related to hardware: - The vulnerability in satellite communication systems could allow hackers to overcharge satellite antennas to damage the equipment or harm operators, essentially turning them into weapons that operate like microwave ovens [Article 74796]. - In the case of military and maritime users, the attack exposes the location of the satellite antenna, as they usually need an attached GPS device to function, posing a safety risk [Article 74402]. (b) The software failure incident related to software: - The attack works by exploiting security weaknesses in the software that operates the satellite antenna to seize control, allowing attackers to disrupt, intercept, or modify communications passed through the antenna [Article 74402]. - The vulnerabilities found in satellite systems were due to bugs in the software that could let hackers take control of the systems, betraying the exact location of military forces and potentially causing harm [Article 74796].
Objective (Malicious/Non-malicious)	malicious, non-malicious	(a) The software failure incident described in the articles is malicious in nature. The vulnerabilities in satellite communication systems were exploited by hackers to potentially carry out "cyber-physical attacks" that could turn satellite antennas into weapons, leak information, hack connected devices, disrupt communications, intercept or modify data, and even launch high-intensity radio frequency attacks [74402, 74796]. The attacks were aimed at causing harm, gaining unauthorized control, and potentially endangering military and maritime users. (b) The software failure incident is also non-malicious to some extent as the vulnerabilities were not inserted maliciously but were likely added during software development as backdoors. These backdoors could have been unintentionally left in the code, making the systems vulnerable to exploitation [74796]. Additionally, the article mentions that manufacturers are working to harden devices against attacks, indicating efforts to address the vulnerabilities without malicious intent.
Intent (Poor/Accidental Decisions)	poor_decisions	(a) The software failure incident reported in the articles is more aligned with poor_decisions. The vulnerabilities in satellite communication systems were due to security weaknesses in the software that operates the antenna, allowing hackers to seize control and potentially carry out cyber-physical attacks [74402]. The backdoors in the controlling code of the satellite communication systems were not inserted maliciously but were likely added during software development, indicating poor decisions in the software development process [74796].
Capability (Incompetence/Accidental)	development_incompetence	(a) The software failure incident in the articles can be attributed to development incompetence. The vulnerabilities in satellite communication systems were identified as being due to security weaknesses in the software that operates the antenna, allowing attackers to seize control [74402]. Additionally, backdoors were found in the controlling code of the satellite communication systems, which were likely added during software development and could not be updated with secure software, indicating a lack of professional competence in software development practices [74796].
Duration	temporary	The software failure incident described in the articles is more likely to be temporary rather than permanent. The vulnerabilities in the satellite communication systems, as highlighted by the research conducted by Ruben Santamarta from IOActive, were due to security weaknesses in the software that operates the antenna [74402]. These vulnerabilities allowed attackers to potentially take control of the satellite systems, overcharge satellite antennas, betray the location of military forces, and even launch cyber-physical attacks [74796]. IOActive was working with manufacturers to address these vulnerabilities and harden the devices against such attacks, indicating that the issue was not a permanent failure but rather a temporary one that could be mitigated through appropriate measures.
Behaviour	omission, value, other	(a) crash: The articles do not mention any instances of a crash where the system loses state and does not perform any of its intended functions. (b) omission: The vulnerability in the satellite communication systems could lead to the omission of performing intended functions. For example, attackers could disrupt, intercept, or modify communications passed through the antenna, potentially omitting the proper transmission of data [74402]. (c) timing: There is no indication in the articles that the software failure incident was related to timing issues where the system performed its intended functions but at the wrong time. (d) value: The software failure incident is related to the system performing its intended functions incorrectly. For instance, attackers could take control of the satellite antenna, leak information, hack connected devices, and potentially cause physical damage to electrical systems [74402, 74796]. (e) byzantine: The software failure incident does not exhibit behaviors of a byzantine failure where the system behaves erroneously with inconsistent responses and interactions. (f) other: The other behavior exhibited in the software failure incident is the potential for the system to be used as a weapon by attackers. The vulnerability could allow attackers to turn satellite antennas into weapons that operate like microwave ovens, posing safety risks for military and maritime users [74402].

IoT System Layer

Layer	Option	Rationale
Perception	sensor, network_communication, embedded_software	(a) sensor: The software failure incident mentioned in the articles is related to the sensor layer of the cyber-physical system. The vulnerability in satellite communication systems could allow hackers to connect to the satellite antenna from the ground, through the internet, and exploit security weaknesses in the software that operates the antenna to seize control [74402]. This indicates that the failure was due to contributing factors introduced by sensor error. (b) actuator: The incident does not specifically mention any issues related to the actuator layer of the cyber-physical system. (c) processing_unit: The failure was not directly attributed to issues with the processing unit of the cyber-physical system. (d) network_communication: The software failure incident is closely tied to network communication errors. The vulnerability in satellite systems could potentially allow attackers to take control of communications, betray the exact location of military forces, and even launch cyber-physical attacks by repositioning the antenna and setting its output to launch a high-intensity radio frequency attack [74796]. (e) embedded_software: The failure is also related to issues with embedded software. The vulnerabilities found in satellite systems were due to bugs in the software that controls the devices, including backdoors that could be exploited by attackers to gain control over satellite receivers or overcharge satellite antennas [74796].
Communication	connectivity_level	The software failure incident reported in the articles is related to the communication layer of the cyber-physical system that failed at the connectivity_level. The vulnerability exploited by hackers involved weaknesses in the software that operates the satellite antennas, allowing attackers to connect to the satellite antenna through the internet and seize control, enabling them to disrupt, intercept, or modify communications passed through the antenna [74402]. Additionally, the vulnerabilities found in satellite systems used on aircraft, ships, and by the military could potentially allow attackers to take control of the systems, betray the exact location of military forces, and even overcharge satellite antennas to damage the equipment or harm operators [74796]. These issues point to failures at the connectivity level of the communication layer in the cyber-physical system.
Application	TRUE	The software failure incident described in the articles was related to the application layer of the cyber-physical system. The vulnerability allowed attackers to exploit security weaknesses in the software that operates the satellite antennas to seize control, disrupt, intercept, or modify communications passing through the antenna [74402]. Additionally, the vulnerabilities in satellite systems could let hackers take control of them, potentially overcharging satellite antennas to damage equipment or betraying the exact location of military forces in crisis zones [74796]. These issues point to failures at the application layer due to bugs and security vulnerabilities in the software controlling the satellite systems.

Other Details

Category	Option	Rationale
Consequence	harm, property, non-human, theoretical_consequence	(a) death: There is no mention of people losing their lives due to the software failure incident in the articles. (b) harm: The software failure incident could potentially harm people as it mentioned that attackers could overcharge satellite antennas to damage the equipment or harm operators [Article 74796]. (c) basic: There is no mention of people's access to food or shelter being impacted due to the software failure incident in the articles. (d) property: The software failure incident could impact people's material goods, as attackers could potentially gain control over satellite receivers on ships to aid eavesdropping or damage the antenna by pumping up its power output [Article 74796]. (e) delay: There is no mention of people having to postpone an activity due to the software failure incident in the articles. (f) non-human: Non-human entities, such as satellite communication systems used on aircraft, ships, and by the military, were impacted by the software failure incident as they were found to contain vulnerabilities that could be exploited by hackers [Article 74796]. (g) no_consequence: There were observed consequences of the software failure incident, such as the potential for attackers to disrupt, intercept, or modify communications passed through the satellite antenna, as well as the risk of cyber-physical attacks [Article 74402, Article 74796]. (h) theoretical_consequence: The articles discuss potential consequences of the software failure incident that did not occur, such as the possibility of attackers betraying the exact location of military forces in crisis zones or launching high-intensity radio frequency attacks [Article 74796]. (i) other: The articles do not mention any other specific consequences of the software failure incident.
Domain	information, transportation, government	(a) The failed system was intended to support the information industry as it involved vulnerabilities in satellite communication systems used for internet connectivity [74402, 74796]. (b) The transportation industry was also impacted by the software failure incident as satellite systems used on aircraft and ships were found to contain bugs that could be exploited by hackers [74796]. (l) The government sector was affected by the software failure incident as vulnerabilities in satellite communication systems posed a safety risk for military users by potentially exposing the location of military bases and enabling cyber-physical attacks [74402, 74796].

Sources

Hacked satellite systems could launch microwave-like attacks, expert warns - The Guardian - Published on: 2018-08-10
Article ID: 74402
Warning over satellite security bugs - BBC.com - Published on: 2018-08-09
Article ID: 74796

Back to List