Guest Blog by Michiel Mertens, Device Software Engineer at Newtec
At the beginning of January 2014 a report from the cyber intelligence company IntelCrawler caused a bit of a stir in the satcom industry. It stated that very-small-aperture terminals (VSATs) are vulnerable to external cyber-attacks, especially when deployed in distributed critical infrastructure and network environments (IntelCrawler PR). The company identified about 10,000 vulnerable units from various vendors. Although that is only about 0.3% of the VSATs in the world (see Comsys Report), the impact of a single hacked VSAT terminal could indeed be significant, depending on the environment it has been deployed in: in the energy industry, for example, VSATs are often used for supervisory control and data acquisition (SCADA) applications.
Stealing sensitive data or cutting a party off from the internet can significantly improve another party's economic or strategic position. But what are the common types of attack, how are your VSAT terminals protected today, and how could you protect them better?
Most Common Ways of Hacking
One should not forget that VSAT terminals are generally regarded as nothing more than communication devices, and most people assume they are not worth hacking. However, failing to protect a VSAT terminal against even the simplest attacks can put your data and the other devices connected to it at risk.
• Firstly, what we typically see in the field is automated port scanning: individuals or programs on the internet scan the ports of every IP address in certain ranges, VSAT terminals included, and depending on which ports are open, try to log in. The result is a massive flood of TCP connection attempts and ICMP ping messages to the terminals and to any device behind them. When the login does not succeed they simply hop to the next IP address; they scan the entire internet and move on wherever they fail. As the IntelCrawler report indicates, "providing not an easy to guess password combination is normally enough to fend off these login attempts".
• Secondly, VSAT terminals typically offer more services than pure IP routing, such as an HTTP web server or file sharing services. The next step in attacking a terminal is to exploit vulnerabilities in these services, typically buffer overflows in their software implementation. When successful, the attacker is usually able to make the device run arbitrary malicious software.
• Thirdly, attackers may use low-end routers or terminals as a distribution point for viruses and other malware. Since these devices are always powered on and people do not distrust their own equipment, an infected device can spread malware rapidly through the local network.
• Fourthly, if there is a publicly accessible network behind your terminal (e.g. in a library), someone can try to attack the VSAT terminal from within that network using any of the above methods, often just to show off their hacking skills.
Once access to the terminal is gained, it can be used to snoop on any passing internet traffic, for example to steal credit card data or passwords. Normally no information is stored on the VSAT terminal itself, but traffic can be intercepted as it passes through.
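The first kind of attack leaves a very recognisable trace: one source touching many ports on the terminal and then trying a handful of passwords. The following is an added example, not code from the original post or from Newtec, of the detection logic a terminal operator could run over its own logs. The log lines are constructed for the example (an nftables/iptables LOG rule with the prefix "TERM-IN:" plus sshd messages); the prefix, interface names and thresholds are assumptions.

```shell
#!/bin/sh
# Constructed sample, not a real capture: firewall LOG hits tagged TERM-IN on the
# terminal's wan (satellite) and lan (customer premises) interfaces, plus sshd lines.
SAMPLE_LOG='Jan 12 03:14:07 term kernel: TERM-IN: IN=wan SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP DPT=22
Jan 12 03:14:07 term kernel: TERM-IN: IN=wan SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP DPT=23
Jan 12 03:14:08 term kernel: TERM-IN: IN=wan SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP DPT=80
Jan 12 03:14:08 term kernel: TERM-IN: IN=wan SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP DPT=443
Jan 12 03:14:08 term kernel: TERM-IN: IN=wan SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP DPT=8080
Jan 12 03:14:09 term sshd[811]: Failed password for root from 198.51.100.7 port 40122 ssh2
Jan 12 03:14:11 term sshd[811]: Failed password for admin from 198.51.100.7 port 40123 ssh2
Jan 12 03:14:13 term sshd[811]: Failed password for admin from 198.51.100.7 port 40124 ssh2
Jan 12 03:14:20 term kernel: TERM-IN: IN=lan SRC=192.168.1.25 DST=192.168.1.1 PROTO=TCP DPT=80
Jan 12 03:15:02 term sshd[812]: Accepted publickey for ops from 10.0.0.5 port 51000 ssh2'

# Sources that touched at least $1 distinct destination ports, per interface.
# Reads the log on stdin; prints "<iface> <src> <distinct ports>" per offender.
port_scanners() {
  awk -v thresh="${1:-5}" '
    /TERM-IN:/ {
      iface = ""; src = ""; dpt = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^IN=/)  iface = substr($i, 4)
        if ($i ~ /^SRC=/) src = substr($i, 5)
        if ($i ~ /^DPT=/) dpt = substr($i, 5)
      }
      if (iface != "" && src != "" && dpt != "") seen[iface, src, dpt] = 1
    }
    END {
      for (k in seen) { split(k, a, SUBSEP); ports[a[1] " " a[2]]++ }
      for (s in ports) if (ports[s] >= thresh) print s, ports[s]
    }' | sort
}

# Sources with at least $1 failed password attempts. Prints "<src> <failures>".
login_bruteforce() {
  awk -v thresh="${1:-3}" '
    /Failed password for/ {
      for (i = 1; i <= NF; i++) if ($i == "from") src = $(i + 1)
      fails[src]++
    }
    END { for (s in fails) if (fails[s] >= thresh) print s, fails[s] }' | sort
}

# The pattern described in the post: a source that scanned and then tried to log in.
scan_then_login() {     # $1 = port threshold, $2 = failed-login threshold
  log=$(cat)
  scanners=$(printf '%s\n' "$log" | port_scanners "${1:-5}" | cut -d' ' -f2)
  brute=$(printf '%s\n' "$log" | login_bruteforce "${2:-3}" | cut -d' ' -f1)
  for s in $scanners; do
    for b in $brute; do [ "$s" = "$b" ] && echo "$s"; done
  done
  return 0
}

printf '%s\n' "$SAMPLE_LOG" | port_scanners 5        # wan 198.51.100.7 5
printf '%s\n' "$SAMPLE_LOG" | login_bruteforce 3     # 198.51.100.7 3
printf '%s\n' "$SAMPLE_LOG" | scan_then_login 5 3    # 198.51.100.7
```

The LAN host on 192.168.1.25 hits one port and is not reported, while the internet source that walked five ports and then failed three logins is. In practice you would feed the real log (`journalctl -k` or `/var/log/messages`) instead of the sample and push the offending addresses into the blocking policy at the hub.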
Securing a VSAT Terminal
It is possible to protect VSAT terminals by not allowing them direct connectivity to the internet. You can still connect to the VSAT terminal remotely, but only by going through the VSAT hub, using the hub as an intermediate hop. If you set your network up in this way there is no direct connectivity between the terminal and the internet, which protects against the bulk of the first three types of attack. Note that blocking connectivity between the terminal itself and the internet does not in any way affect the client's ability to use the VSAT terminal for bidirectional internet access: only traffic addressed to the terminal is blocked, not traffic routed through it.
The second and fourth types of attack consist of exploiting open ports, typically to log in using Telnet or SSH. The approach taken on our, Newtec's, VSAT terminals is to make sure that none of the terminal's ports are accessible from the internet and that only a limited set of ports (e.g. HTTP, DNS and DHCP) can be accessed from the customer premises network. Moreover, the services that are accessible from the customer premises network run with limited system privileges. So even if a service is compromised, there is another barrier to overcome before any data can be accessed or intercepted.
You can also protect the devices in the customer premises network by filtering, blocking or detecting hacking attempts against them. Protecting these devices is generally not done by the manufacturer of the VSAT equipment; it is up to the clients to do so, typically just before the VSAT hub, where some sort of blocking policy can be implemented.
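As an added example of the terminal-side policy described in the two paragraphs before last (this is not Newtec's configuration and nothing here is taken from the MDM2200), here is what that policy looks like as an nftables ruleset on a Linux-based terminal, with the weak default beside the hardened one. The interface names wan and lan, the hub management block 10.10.0.0/24, SSH as the management service, and the use of nftables at all are assumptions for illustration.

```shell
#!/bin/sh
# Added example: terminal-side firewall policy as nftables rulesets.
# Assumptions (hypothetical, for illustration only):
#   wan      = satellite/modem side, reachable through the hub
#   lan      = customer premises network
#   HUB_MGMT = address block the hub uses for remote management of terminals
HUB_MGMT="${HUB_MGMT:-10.10.0.0/24}"

# The weak setting: accept everything on every interface, so internet port
# scanners reach Telnet, SSH, HTTP and any other listening service directly.
weak_ruleset() {
  cat <<'EOF'
table inet terminal {
  chain input { type filter hook input priority 0; policy accept; }
  chain forward { type filter hook forward priority 0; policy accept; }
}
EOF
}

# The hardened setting: default drop for traffic addressed to the terminal,
# management only from the hub, a short service list for the LAN, and
# forwarding of the customer's own traffic left intact so internet access works.
hardened_ruleset() {
  cat <<EOF
table inet terminal {
  chain input {
    type filter hook input priority 0; policy drop;
    ct state established,related accept
    iif lo accept
    # remote administration only via the hub, never from arbitrary internet hosts
    iifname "wan" ip saddr $HUB_MGMT tcp dport 22 accept
    iifname "wan" drop
    # services the terminal offers to the customer premises network
    iifname "lan" tcp dport 80 accept
    iifname "lan" udp dport 53 accept
    iifname "lan" tcp dport 53 accept
    iifname "lan" udp dport 67 accept
  }
  chain forward {
    type filter hook forward priority 0; policy drop;
    ct state established,related accept
    iifname "lan" oifname "wan" accept
  }
}
EOF
}

# Is every terminal port reachable by default under a ruleset?
# Prints "open" if the input chain's default policy is accept, else "closed".
input_policy() {        # $1 = name of a ruleset function
  if "$1" | grep -q 'hook input.*policy accept'; then echo open; else echo closed; fi
}

# Dry-run the syntax through nft's parser, then load it (both need nft and root).
check_ruleset() { "$1" | nft -c -f -; }
apply_ruleset() { "$1" | nft -f -; }

input_policy weak_ruleset        # open
input_policy hardened_ruleset    # closed
```

The forward chain is what keeps the client's internet access working: traffic from the LAN out to the satellite side and its replies are allowed, while the input chain only governs connections to the terminal itself. The hub-side filtering for the customer's devices is a separate policy and is not part of this ruleset.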
Securing the Communication Link
Finally, it is also important to secure the satellite communication link itself. Sensitive data could be intercepted between the terminals and the hub, since a satellite beam covers a large geographical area and almost anyone within it with a suitable receiver can listen in. To prevent this, the approach taken by Newtec (and others) is to encrypt all user data flowing over the VSAT link. This is done by separating the user data as soon as it enters the VSAT terminal and isolating it inside an encrypted tunnel.
Another threat to the satellite communication link is a rogue VSAT terminal taking over the satellite link of another VSAT terminal, which would give a malicious user unauthorised access to the network. To counter this, your VSAT terminal (like the MDM2200, see fig. 1 below) can add X.509 certificate-based authentication to its encryption key exchange protocol. A terminal then has to prove possession of a key certified for that terminal before a link key is established, which creates a strong tie between the intended VSAT terminal and the satellite link and prevents rogue VSAT terminals from accessing your network.
I have addressed some basic attack methods that apply to VSAT terminals and why it is important to secure them, and identified some of the ways in which we fend off these attacks. Some are designed into the units to make them withstand external threats, whilst others can only be addressed when setting up the network. One thing is clear: all connected devices can be exploited, so it is better to be safe than sorry!
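To make the last two paragraphs concrete, here is an added example, not Newtec's protocol or the MDM2200's implementation, of how X.509 authentication binds a key exchange to a particular terminal, and why a rogue terminal that copies the legitimate terminal's name still fails. It uses the openssl command line only; the CA name "Hub CA", the terminal name "terminal-0001", the P-256 curve, and the construction of signing the ephemeral ECDH public key with the certified long-term key are all assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: X.509-authenticated ECDH between a hub and a terminal, using the
# openssl CLI. Names, curve and message layout are hypothetical, not a real product's.
set -e
WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"
EC="-newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes"

# The hub operator's CA: only certificates it signs identify legitimate terminals.
make_ca() {
  openssl req -x509 $EC -keyout ca.key -out ca.pem -days 365 -subj "/CN=Hub CA" 2>/dev/null
}

# Provisioning: the terminal keeps its private key; the CA signs the CSR.
provision_terminal() {   # $1 = terminal name
  openssl req -new $EC -keyout "$1.key" -out "$1.csr" -subj "/CN=$1" 2>/dev/null
  openssl x509 -req -in "$1.csr" -CA ca.pem -CAkey ca.key -CAcreateserial \
    -out "$1.pem" -days 365 2>/dev/null
}

# A rogue terminal can copy the name but cannot obtain the CA's signature.
make_rogue() {           # $1 = name it impersonates
  openssl req -x509 $EC -keyout rogue.key -out rogue.pem -days 365 -subj "/CN=$1" 2>/dev/null
}

# Key exchange. Terminal side: fresh ECDH key, public part signed with its
# long-term key. Hub side: validate the chain, then the signature, and only
# then derive the link key. Prints "authenticated" or "rejected".
key_exchange() {         # $1 = certificate presented, $2 = long-term key used to sign
  openssl ecparam -name prime256v1 -genkey -noout -out t_eph.key
  openssl pkey -in t_eph.key -pubout -out t_eph.pub 2>/dev/null
  openssl dgst -sha256 -sign "$2" -out t_eph.sig t_eph.pub
  # hub, step 1: does the certificate chain to the hub CA?
  if ! openssl verify -CAfile ca.pem "$1" >/dev/null 2>&1; then
    echo rejected; return 0
  fi
  # hub, step 2: was the ephemeral key signed by the key inside that certificate?
  openssl x509 -in "$1" -pubkey -noout > t_cert.pub
  if ! openssl dgst -sha256 -verify t_cert.pub -signature t_eph.sig t_eph.pub >/dev/null 2>&1; then
    echo rejected; return 0
  fi
  # hub, step 3: derive the link key; the terminal derives the same from the hub's public part
  openssl ecparam -name prime256v1 -genkey -noout -out h_eph.key
  openssl pkey -in h_eph.key -pubout -out h_eph.pub 2>/dev/null
  openssl pkeyutl -derive -inkey h_eph.key -peerkey t_eph.pub -out hub.secret
  openssl pkeyutl -derive -inkey t_eph.key -peerkey h_eph.pub -out term.secret
  if cmp -s hub.secret term.secret; then echo authenticated; else echo rejected; fi
}

make_ca
provision_terminal terminal-0001
make_rogue terminal-0001
key_exchange terminal-0001.pem terminal-0001.key   # authenticated
key_exchange rogue.pem rogue.key                   # rejected: not signed by Hub CA
key_exchange terminal-0001.pem rogue.key           # rejected: signer lacks the certified key
```

The second run shows the rogue terminal with an identical subject name being refused at the chain check, and the third shows that even a copied legitimate certificate is useless without the private key behind it. A production protocol would additionally sign a transcript covering both ephemeral keys, check certificate revocation, and pass the derived secret through a KDF before using it as the tunnel key; those steps are left out here to keep the exchange readable.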