The US Computer Emergency Response Team (CERT) has issued a wave of warnings regarding a multitude of flaws in satellite communications (Satcoms) systems leaving aeroplanes, ships, oil rigs and other important forms of transport and infrastructure open to attack.
The CERT team issued six alerts on a variety of different Cobham and Iridium Satcoms systems, warning that the flaws could be targeted by hackers for a variety of purposes including data theft, account hijacking and even the ability to “gain full control of the satellite terminal”.
The threats are considered particularly dangerous because the CERT reported that it is “unaware of any practical solution” to fix the flaws.
Cobham confirmed in a series of statements that it is aware of the issues in its products and promised to keep evaluating them. “Cobham Satcom will continue to evaluate any potential vulnerabilities with its equipment and implement increased security measures if required,” it said.
At the time of publishing Iridium had not responded to V3’s request for comment on the CERT’s warnings.
News of the flaws broke earlier this week during a talk at the Black Hat trade show in Las Vegas, hosted by principal security consultant researcher at IOActive, Ruben Santamarta.
The presentation revealed technical details of how attacks leveraging the flaws could happen. "Ships, aircraft, military personnel, emergency services, media services, and industrial facilities (oil rigs, gas pipelines, water treatment plants, wind turbines, substations, etc.) could all be impacted by these vulnerabilities," IOActive said.
The demonstration follows on from initial research Santamarta revealed in April, which purported to find vulnerabilities with a raft of satellite communications kit in use in a variety of sectors, including transport and military.
"IOActive found that malicious actors could abuse all of the devices within the scope of this study. The vulnerabilities included what would appear to be backdoors, hardcoded credentials, undocumented and/or insecure protocols, and weak encryption algorithms," the report said.
"In addition to design flaws, IOActive also uncovered a number of features in the devices that clearly pose security risks."
At the time IOActive also warned that despite alerting many of the vendors listed in its report to its findings, no action was taken.
"Co-ordinated disclosure is a basic principle of security research, particularly in such high-stakes cases. With the help of the CERT Co-ordination Center, IOActive initiated the process to alert the affected companies about the issues we had uncovered.
"Unfortunately, except for Iridium, the vendors did not engage in addressing this situation. They did not respond to a series of requests sent by the CERT Coordination Center and/or its partners."