Globalstar Refutes Cybersecurity Risks from Synack Research
[Via Satellite 08-17-2015] Globalstar is refuting claims from cybersecurity company Synack that its simplex network is extremely vulnerable to hackers. In a July 30 article on Wired, Colby Moore, manager of special activities and information security officer at Synack claimed that several asset tracking devices that use the network could be easily hacked, and that hackers could feed fake information to users for nefarious purposes such as spoofing the location of hijacked shipments.
Globalstar issued a statement on Aug. 5 claiming that Synack “uses a Rube Goldberg type of analysis and doomsday language to make something appear to be a vulnerability when it is not.” The company further wrote that Synack approached Globalstar in March about potential security issues with its simplex network and insisted the company implement remedial measures proposed by Synack.
Synack’s argument centered on the absence of Globalstar-implemented encryption of communication between tracking devices and the satellite system, and the lack of requirement for communication to be authenticated. According to Synack, someone can intercept the communication, and subsequently spoof it or jam it, with minimal difficulty. In the article and in following presentations at Def Con 23 and Black Hat 2015, Moore said he spent roughly $1,000 in hardware to create a transceiver capable of intercepting data from Globalstar devices, and another $300 in software and hardware for analyzing the data and imitating a tracking device.
In an interview with Via Satellite, Globalstar Chairman and CEO Jay Monroe said much of what Synack claims is implausible.
“Like every business and government entity, we are constantly looking at improving the devices, the security around devices, and our entire network. There were certainly some things that Synack said that makes us know that they are not necessarily playing with a full understanding of everything that is absolutely current on Globalstar’s system, because we do continuously make changes,” said Monroe.
Moore told Via Satellite that Synack was able to decode data transmissions and verify that the data was not encrypted on the devices that were tested. Synack tested Globalstar’s Spot Personal Locator Beacon, Spot Trace, and Globalstar SmartOne A. Moore said each device does not encrypt communication, and that it is suspected many others do not as well since this is left up to the end integrator. Synack knows this, he said, because the company was able to decode data transmissions and verify that the data was not encrypted on the devices that were tested.
“Research so far indicates that many if not all devices that operate on the simplex data network all use the same ‘spreading codes.’ While spreading codes should never be considered a ‘security mechanism,’ without the code, it is impossible to decipher the transmissions. Synack successfully reverse engineered this unknown code. Possession of this code allows us to intercept simplex network data network communication,” he said.
“Attackers can inject arbitrary data back into the Globalstar network without much effort. If integrators have not encrypted their data, this leaves the system open to data spoofing. This means attackers can spoof false messages from devices. We know this because it is trivial to generate the signals necessary to talk to the satellite network,” he added.
Monroe said Globalstar’s network is nowhere near the level of risk described by Synack because 90 percent of the company’s business is personal tracking, which is often used by hikers and adventurists. Duplicating sequential serial numbers would not be effective, nor would attempting to overwhelm the SOS side of the network, he said.
“As soon as we have multiple serial numbers on the system, our alarm bells go off. If somebody has 50 of the same serial number and they are all dialing SOS, do you think that our system doesn’t identify that? Of course it does. It will be an operational headache, but one that we will put 100 percent focus on to protect our customers,” said Monroe.
For potential high-value assets, such as ocean vessels, trucks and military vehicles, Monroe said many of Globalstar’s Value Added Resellers (VARs) encrypt signals based on customer demands. This is especially evident with government customers, he said.
“Globalstar is, in the simplex world, a purveyor of a little piece of end technology that someone builds into something else that they want to do. So, if they are going to be tracking nuclear waste for the federal government, you can be very certain that that signal is encrypted. Many of our VARs do that,” said Monroe.
Globalstar declined to do business with Synack and is not talking to the cybersecurity company. Monroe said most of the things Synack mentioned to Globalstar in their original transmittal were “very obtuse,” and dissuaded them from doing business. He said it was very clear to Globalstar that Synack intended to use its research as the centerpiece for a presentation “to make a name for themselves.”
Globalstar refutes that to absolve the risks cited by Synack would require a re-architecturing of its network. Moore stood by Synack’s conclusion that Globalstar’s simplex network remains at risk and that patching the system would be very difficult.
“It’s not clear if many devices support firmware upgrades and for the ones that do, it’s not clear if an upgrade would fix the issue. Many devices are deployed in very hard to access locations and will likely never see an update anyway. Going forward, Globalstar has the ability to layer encryption or signing onto their system, but it will likely take significant effort and time,” said Moore.
Moore said that exact consequences of these vulnerabilities are unknown, but they leave a strong possibly of serious security issues.
“We hope that our research has shown Globalstar the importance of designing secure systems from the ground-up,” added Jay Kaplan, CEO of Synack. “Legacy systems that were architected years ago require fundamental changes and continuous testing to protect the ecosystem against new and existing vulnerabilities. Additionally, we can verify that Synack has never tried to sell business to Globalstar.”