A pivotal network of GPS satellites doesn’t properly guard its communication, making devices back on Earth susceptible to hacking, according to new research.
Lots of companies use location data beamed from GPS trackers to ensure that equipment, everything from overseas shipping containers to oil drilling rigs, never goes off course.
But Colby Moore, a researcher with cybersecurity firm Synack, has found that it’s easy to crack Globalstar’s GPS satellite network. This is a company that bills itself as “the world’s most modern satellite network.”
GPS trackers beam data to satellites, which send it back to base stations on Earth. Using cheap hardware and small planes, Moore successfully intercepted and decoded data — none of which was encrypted.
He also found that there are no safeguards to check that data is shared only between real trackers and base stations. With that access, Moore was able to decode the transmissions and create fake GPS data.
The result? High-tech thieves could steal a freight truck full of precious cargo without setting off alarms. Rescuers responding to a sinking cruise ship could be redirected far away from the actual wreckage.
Aviation is especially at risk. Lots of planes transmit their location using Globalstar’s system, especially now that the organization that collects pilots’ flight plans, Lockheed Martin (LMT) Flight Service, signed a deal with the satellite company in June.
A spokesman for Lockheed Martin did not respond to a request for comment.
A hacker’s faked plane GPS signals could cause chaos at an airport that expects a plane to land — but can’t spot anything on radar.
Moore will present his findings at the Black Hat hacking conference in Las Vegas next week.
Globalstar (GSAT) did not acknowledge the flaw — or say whether it plans to actually start encrypting its communication.
“This type of situation has never been an issue to date,” said company representative Allison Hoffman. Globalstar said it would know if its systems were under attack. But this hack doesn’t technically attack Globalstar’s systems — it only fools them.
In today’s world, a lack of encryption for sensitive communication is unacceptable. Encryption is required in all electronic banking, and it’s expected in email, texting, and even casual Web browsing.
Globalstar’s problem could be a result of old technology. The company had already launched 40 satellites into space by late 1999, when encryption was an afterthought. Plus, encryption adds to the size of data being transmitted, and in space, bandwidth is expensive, all the more so 20 years ago.
Moore said the only fix would be to add security features to new devices on Earth. But there are currently 649,000 Globalstar customers with devices whose software will be difficult — or impossible — to upgrade.
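To make the missing safeguard and its bandwidth cost concrete, here is an added sketch (not from Moore's research and not Globalstar's protocol) of a position report carrying a truncated keyed authentication tag that a base station checks before trusting it. The message layout, per-device keys, counter and 8-byte tag length are all assumptions, and the sketch covers authenticity and replay only, not confidentiality.

```python
import hashlib
import hmac
import struct

TAG_LEN = 8        # assumed: HMAC-SHA256 truncated to 8 bytes to save uplink bandwidth
FMT = ">IIii"      # assumed layout: device id, counter, lat, lon (1e-5 degree units)
BODY_LEN = struct.calcsize(FMT)   # 16 bytes of report before the tag


def seal(key, device_id, counter, lat, lon):
    """Tracker side: pack a position report and append an authentication tag."""
    body = struct.pack(FMT, device_id, counter, round(lat * 1e5), round(lon * 1e5))
    return body + hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]


class BaseStation:
    def __init__(self, keys):
        self.keys = keys           # device id -> per-device secret key
        self.last_counter = {}     # device id -> highest counter accepted so far

    def accept(self, frame):
        """Return (device_id, lat, lon) for a genuine, fresh report, else None."""
        if len(frame) != BODY_LEN + TAG_LEN:
            return None
        body, tag = frame[:BODY_LEN], frame[BODY_LEN:]
        device_id, counter, lat, lon = struct.unpack(FMT, body)
        key = self.keys.get(device_id)
        if key is None:
            return None            # unknown device
        expected = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return None            # forged or altered in transit
        if counter <= self.last_counter.get(device_id, -1):
            return None            # replay of an earlier genuine report
        self.last_counter[device_id] = counter
        return device_id, lat / 1e5, lon / 1e5


if __name__ == "__main__":
    key = b"\x11" * 32             # constructed sample key
    station = BaseStation({7: key})
    frame = seal(key, 7, 1, 36.1699, -115.1398)
    print(len(frame), "bytes on air,", TAG_LEN, "of them authentication overhead")
    print("genuine:", station.accept(frame))
    print("replayed:", station.accept(frame))
    print("forged:", station.accept(seal(b"\x22" * 32, 7, 2, 0.0, 0.0)))
```

The tag adds 8 bytes to a 16-byte report, which is the size-versus-security trade-off the article attributes to bandwidth costs; a shorter tag saves airtime but makes a guessed forgery more likely.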