Thousands of small satellite dish-based computer systems that transmit often-sensitive data from far flung locations worldwide – oil rigs, ships at sea, banks, and even power grid substations – are at high risk of being hacked, including many in the United States, a new cyber-security report has found.

Very-small-aperture terminals, or VSATs, are workhorses for the oil and gas industry, utilities, and even news media. Journalists send reports via VSAT from firebases in Afghanistan, energy companies gather production data from oil drilling operations, and retail outlets send sales data back to corporate headquarters every day. Banks use VSATs for transactions between branches and headquarters.

But at least 10,500 of those terminals globally are wide open to being hacked, including some used in critical US infrastructure systems, according to the new report by IntelCrawler, a Los Angeles-based cyber-security firm.

“We found thousands and thousands of these systems with what are essentially their digital front doors left wide open,” says Dan Clements, IntelCrawler’s president, in an interview. “Someone needs to be aware that there are vulnerabilities here that could affect critical infrastructure, including utilities and financial systems.”

Worldwide there are more than 2.9 million VSATs, about two-thirds based in the US, according to Comsys, another company that catalogs satellite links. These VSATs typically sit on a pedestal or pole pointing at a satellite on the horizon – sending production data or critical control information from some remote electric grid substation or oil rig. The smallest are the size of a laptop computer.

In many cases, the VSAT systems were found to use the default passwords that came from the factory and which are often published for all to see in system handbooks widely available on the Internet, IntelCrawler reported. In other cases, the VSAT may not even use a password.

Network engineers and system administrators must plug those security holes or risk having proprietary data scooped up by bad buys operating anywhere in the world, the report said.

“The fact that one can scan these devices globally and find holes is similar to credit card thieves in the early 2000's just googling the terms ‘order.txt’ and finding merchant orders with live credit cards,” the report said. “The onus is on the enterprises, governments, and corporations to police themselves.”

IntelCrawler found “lots of interesting objects,” including vulnerable VSATs that likely transmit government and classified communications.

A couple examples: the Ministry of Civil Affairs of China infrastructure and the Ministry of Foreign Affairs of Turkey were both found listed as using VSAT systems in which there was “a clear and present danger for hacks,” the report found.

But there’s another security problem. Geolocation data that physically locates vulnerable VSATs is readily available, too. Using it, a terrorist or criminal – cyber or otherwise – could use standard Internet tools like Google maps and Google Earth to visually evaluate the physical security and layout of such systems. Obviously, that’s a bad thing if it belongs to a power-grid substation or other critical infrastructure, Clements says.

Vulnerable VSATs that IntelCrawler also found include some providing communications links for climate-monitoring systems in Alaska and industrial control devices in Australia, not to mention utility systems and financial infrastructure, Clements says.

There was no single VSAT user type that was given a clean bill of health since “we found these vulnerabilities occurred across the spectrum,” he says.

Such findings appear to be in sync with those of Jason Fritz, an Australian cyber-expert at Bond University in Queensland. In a recent academic study, he also found that vulnerable VSAT-supplied Internet access to remote locations, virtual private networks, industrial control systems, and financial data each “encompasses a large amount of sensitive data that might be of interest to hackers.”

With the increasing number of VSATs comes “an increase in unsecure data being transmitted via satellites [that] may pique the interest of hackers,” Dr. Fritz warns.

But beyond just theft of data, VSATs commandeered by hackers can be used as an entry point to gain control of satellites themselves – and any networks to which they are connected, Fritz warns. His study cites a handful of reports in which satellites were hacked apparently thanks to such vulnerabilities.

“Vulnerabilities exist at all nodes and links in satellite structure,” he writes. “These can be exploited through Internet-connected computer networks, as hackers are more commonly envisioned to do, or through electronic warfare methodologies that more directly manipulate the radio waves of uplinks and downlinks.”

Beyond cyber-crime gangs, nation states are fully capable of exploiting such vulnerabilities, Clements says. Indeed, IntelCrawler released its findings amid a wave of Internet-connected insecurity spawned by revelations of how the National Security Agency sifted Internet data sluicing through satellites and fiber-optic data pipes.

Thousands of vulnerable Internet-linked critical infrastructure networks have been discovered recently. A specialized search engine called SHODAN, for instance, now makes it possible for anyone – including hackers as well as legitimate researchers – to hunt for vulnerable industrial control systems. From those web-based interfaces, such control systems can be hacked, cyber-experts say.

Get the Monitor Stories you care about delivered to your inbox. By signing up, you agree to our Privacy Policy

In this latest case, IntelCrawler found vulnerable VSATs by inventorying devices on the Internet and by focusing on satellite operators like INMARSAT, Asia Broadcast Satellite, VSAT internet iDirect and Satellite HUB Pool, Clements says.

“We haven’t looked for direct evidence in the underground that someone has compiled these vulnerabilities on VSATS,” he says. “But common sense says that if we’ve scanned it then others have, too – nation states, cyber-gangs. It’s information that’s out there.”