Internet Security and Satellite Internet: A gap that needs to be patched?

Today there are over a million computers in America that connect to the Internet via a satellite connection, and the number continues to grow. During this past winter I used my spare time to write a white paper on satellite Internet connectivity, mainly to drive home the point that it is no substitute for DSL/cable/fiber when it comes to broadband access for rural communities. The white paper has just been published by the Rural Mobile and Broadband Alliance (RuMBA).

However, an interesting security issue came up in the course of writing this 22-page paper and I thought I would highlight it here. If you like, you can download the full report at no charge from this link. (You can also read more about this research in this blog post.)

One of the reasons nobody should seriously consider defining satellite Internet as broadband is the daily download limit that satellite services impose, typically about 400 megabytes a day, which is less than some operating system upgrades we have seen in recent years. These capacity limits are not just a serious inconvenience, they have serious implications for computer security.

Basically, satellite Internet users have to turn off automated updating of operating systems and applications to prevent incurring costs and usage restrictions arising from bandwidth caps. However, as I am sure you know, computer and software makers increasingly rely on these automated processes to distribute the security “patches” required to prevent exploitation of computers by criminal hackers.

Computers with unpatched operating systems and applications are a prime target for hackers as these machines are more easily exploited and turned into “zombies” under the control of attackers. Zombies are then orchestrated into “botnets” that are used to attack other systems, from commercial and government websites to utility systems and entire sections of the Internet itself. The Department of Homeland Security today considers unpatched consumer computers a threat to national security and the problem has been openly discussed by cyber-security officials at the federal level since at least 2002.

Some might argue that computers on a relatively slow satellite connection (you're lucky to get above 256Kbps when uploading) are not attractive to botnet builders, But some botnet attacks don't need much speed or capacity to be effective. The fact that the IP address blocks occupied by these "at risk" systems are relatively easy to identify may also be considered an added risk factor.

Solutions are possible, like special exemptions on bandwidth caps for authorized OS and application patches, but so far I have not heard any talk of these being implemented. Since the federal government is currently handing over tens of millions of taxpayer dollars to satellite Internet service providers to help them build their subscriber base, maybe that money should come with strings, like better provision for prompt security patching.