The predictable banality of Evil



This post was last updated 2 years ago.

This is a text automatically translated from Italian. If you appreciate our work and like reading it in your language, consider a donation so that we can continue doing it and improving it.

The articles of Cassandra Crossing are under the CC BY-SA 4.0 license | Cassandra Crossing is a column created by Marco Calamari under the "nom de plume" of Cassandra, born in 2005.

With a chain of logical reasoning, Cassandra takes us into the wonderful world of firmware and satellite internet. Read all the way through, because there is a very interesting "update"!

This article was written on March 21, 2022 by Cassandra

Cassandra Crossing 498/ The predictable banality of Evil

Is it really that difficult, in cyber warfare, to "turn off" the Internet via satellite?

Cassandra had a fairly accurate idea of a probable act of cyberwar, so much so that she decided to express her opinion for the benefit of her 24 tireless readers.

This concerns the blackout of several tens of thousands of VIASAT satellite internet users (distributed under various commercial names), in some European countries including Ukraine, which occurred right at the beginning of hostilities.

Official sources report that a certain number of satellite modems, varying from one source to another but always in the order of 10,000 units, were rendered non-operational and will "probably" have to be replaced.

While this is a fairly exact description, it is shrouded in that mystical aura of technology and secrecy which, as Clarke's third law states, makes it indistinguishable from magic.

So let's see if Cassandra can lift the veil and explain how we are not dealing with ultra-scientific weapons, but with the pure and simple ordinariness and antiquity of hardware and software architectures, as well as, obviously, the natural tendency to save money wherever possible and the normal dose of errors and omissions typical of the industry.

A premise, in case it is necessary: Cassandra is not in possession of any confidential information, but only knows how to use search engines and forums with close to average competence.

She is not even up to date on the state of the art of modern and/or proprietary technologies, but she has a certain experience, by now obsolete, in the industrial development of hardware and software.

Nothing more is needed. Starting from these elements, Cassandra can explain, and trivialize, an event that, far from being mysterious, is as exciting and sophisticated as a bowl of semolina or a low-level DDoS.

And, picking among the many ways to compromise a satellite modem, well listed in this post, she can hypothesize what really happened.

So, together with the 24 enterprising readers, let's start from scratch.

Any modem, indeed any IT object, has firmware, that is, software, sometimes very complex, permanently stored in a hardware component on the printed circuit board.
It can also be a simple uSD card, like those used to expand the memory of smartphones, or a more sophisticated and specialized hardware component.

It matters little, because the important fact is that this software, together with the component that contains it, is enclosed in a box, perhaps elegant and certainly equipped with sockets and lights, and the box is installed somewhere.
In our case, since we are dealing with satellite Internet connections, probably a very out-of-the-way place, perhaps cold and high up.

And the firmware should obviously be able to be updated without opening the box, without a technician having to connect his laptop to it, possibly without any manual intervention, perhaps in a totally automatic manner, with a single operation.

To load a firmware for the first time, various methods can be used, but in general there is a connector on the printed circuit board of any device of this type called JTAG; it is an industry standard that allows programmable components to be programmed in a standard way (nice, right?). Let's leave it at that and move on.

The JTAG connector is so powerful and feared that it is normally used only during development or repair, while in equipment intended for sale it is not accessible (the hole in the box is missing), and often the connector is not even soldered onto the printed circuit board: its footprint is left empty.

The blessing and delight of the hardware geeks of a few years ago was to open the box, locate the exact point on the printed circuit where the JTAG connector should have been mounted and solder two wires to it, directed towards a suitable USB adapter. And the geek magic could begin!

During normal operation the firmware is obviously not updated in this way, but rather (you will have done it at least once on your home modem) using the web interface of the modem itself, downloading the updated firmware from the manufacturer's website and writing it inside the component with a simple click on a button.

All slightly more modern objects, for example household IoT objects, do or can do this operation in a totally automatic and invisible way to the user.

Let's get back to our satellite modems.
All equipment that communicates via radio, such as satellite modems, but also many common televisions, have the possibility of downloading firmware which is transmitted via radio.

What better system than this for a small box installed in remote locations? The modems used by Viasat are equipped with this capability.

The loading of the firmware is obviously controlled by a distribution system, which is partly constrained by the architectures of satellite systems; they are architectures in which one tries to relieve the satellite of all possible complexity (it is definitely more difficult to update!), concentrating it as much as possible in the software of the earth stations.

The problem of reliably and securely distributing firmware has long been solved at an industrial level with various methods, which however conflict with costs, with the constraints of old software architectures, and with the limitations of the hardware.
This often leads to solutions full of cryptographic keys to be updated manually, or even embedded in the software, and other similar "delights". Even modern weapons systems are operated like this, so it's no wonder.

Let us now venture, armed only with Occam's razor, into the field of hypotheses.

This tool is enough for us to make a simple and banal hypothesis that perfectly explains the event; it involved the compromise of the firmware update system of a single earth station, and a single command that loaded a "malicious" version of the firmware onto the entire "fleet" of modems.

A firmware, malicious or not, has full control over the hardware at boot time; it can simply not work, refuse further updates and remain there forever, or, more effectively, overwrite the bootloader (the equivalent of the Master Boot Record) of the board and permanently block the modem, preventing it from restarting.

Modems can be equipped with measures aimed at avoiding these situations, such as a second read-only copy of the firmware that does nothing but allow the firmware to be updated again; but these measures are expensive, they are not always present, even when present they cannot always be used, and they are not always actually used.
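An added illustration, written for this page and not code from the column or from any modem vendor, of the two measures just mentioned: an over-the-air update path that refuses anything it cannot verify, and a bootloader that falls back to a read-only recovery copy when the updatable slot fails its check. The key, image format and all names are constructed; a real device would hold only a public key and verify an asymmetric signature, whereas HMAC is used here so the example runs offline.

```python
import hashlib
import hmac
from dataclasses import dataclass
# Constructed stand-in for the vendor signing key; a real modem would hold only a
# public key and check an asymmetric signature. HMAC keeps the example offline.
VENDOR_KEY = b"constructed-vendor-signing-key"
HEADER = b"MODEMFW1"  # constructed image header / format marker


@dataclass
class Image:
    payload: bytes  # firmware body (here just a version label)
    tag: bytes      # authenticator over HEADER || payload

def sign_image(payload: bytes, key: bytes = VENDOR_KEY) -> Image:
    """Earth-station side: wrap a firmware body in an authenticated image."""
    return Image(payload, hmac.new(key, HEADER + payload, hashlib.sha256).digest())

def image_valid(img: Image, key: bytes = VENDOR_KEY) -> bool:
    """Device side: constant-time check; corrupted or foreign images fail here."""
    expected = hmac.new(key, HEADER + img.payload, hashlib.sha256).digest()
    return hmac.compare_digest(expected, img.tag)

@dataclass
class Modem:
    recovery: Image  # read-only copy written once at the factory
    active: Image    # updatable slot written by over-the-air updates

    def apply_update(self, candidate: Image) -> bool:
        """Over-the-air path: refuse to flash anything the device cannot verify."""
        if not image_valid(candidate):
            return False
        self.active = candidate
        return True

    def boot(self) -> str:
        """Boot the active slot, or fall back to the recovery copy if it fails checks."""
        if image_valid(self.active):
            return "active:" + self.active.payload.decode()
        if image_valid(self.recovery):
            self.active = self.recovery  # self-heal the updatable slot
            return "recovery:" + self.recovery.payload.decode()
        return "bricked"  # only if the recovery copy is gone as well

def demo_corrupted_update() -> tuple:
    """Constructed scenario: a good update, a forged one, then a damaged active slot."""
    modem = Modem(recovery=sign_image(b"v1.0"), active=sign_image(b"v1.0"))
    accepted = modem.apply_update(sign_image(b"v1.1"))
    forged = modem.apply_update(Image(b"v6.6", bytes(32)))  # no valid tag
    modem.active = Image(modem.active.payload, bytes(32))   # flash damage
    return accepted, forged, modem.boot()
```

Note that the recovery slot only helps if the bootloader that selects it is itself outside the writable region; if the update can overwrite that code, the fallback is gone with it, which is exactly the bricking scenario described above.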

It is therefore not a destructive attack; the modem is intact, and the firmware could be reloaded by going on site for each modem and copying the entire virtual filesystem via JTAG, if there were a connector, which there is not, or otherwise by opening the box and soldering one onto the printed circuit board.

However, the costs of such a procedure are unacceptable; it is much less expensive to ship a new modem to the user and have him replace it. But who has 10,000 modems ready for shipment in stock today? And what about the logistics of getting them to the war zone?

Thus the denial of a critical infrastructure, at an even more critical moment and in an even more critical area, can be explained by a type of attack that is, unfortunately, "routine administration" in the world of information security, and just as fascinating as a bowl of semolina.

But the fact remains, proven and confirmed, that someone, somehow, truly “killed” satellite internet in a war zone.

And it was really too easy.

UPDATE: during the long gestation of this article, Viasat "admitted" that things happened just like this; you couldn't expect anything less from your favorite prophetess!

UPDATE: the CEO of Viasat implicitly confirms that the problem is an altered firmware, and provides details on the logistics which also confirm the details predicted by Cassandra.

Viasat chair Mark Dankberg told a satellite conference that … “thousands of modems were taken offline. In most of the cases of the modems that went offline, they need to be replaced. They can be refurbished, so we're recycling modems through.”


Marco Calamari
