More than a decade has passed since researchers identified serious privacy and security vulnerabilities in satellite-based Internet services. The vulnerabilities allowed attackers to snoop on, and sometimes manipulate, data received by millions of users thousands of kilometers away. You might expect providers to have fixed these shortcomings by 2020, as satellite Internet becomes more popular, but you'd be wrong.
In a briefing held online at the Black Hat security conference on Wednesday, researcher and Oxford Ph.D. candidate James Pavur presented findings showing that satellite-based Internet still endangers millions of people, even though providers have moved to newer technologies that are supposed to be more advanced.
Over several years, he used his vantage point in mainland Europe to intercept the signals of 18 satellites that deliver Internet data to people, ships and planes across a 100 million square kilometer swath stretching from the U.S. and the Caribbean to China and India. What he found is worrying. A small selection of what he observed:
- A Chinese airliner receiving unencrypted navigation information and other avionics data. Just as worrying, the data came over the same connection passengers used to send email and browse websites, raising the possibility of attacks from passengers.
- A system administrator logging on to a wind turbine in southern France, about 600 kilometers from Pavur, and exposing the session cookie used for authentication.
- Communications from an Egyptian oil tanker reporting a malfunctioning alternator as the ship entered a port in Tunisia. The transmission not only told Pavur that the ship would be out of service for a month or more; it also gave him the name and passport number of the engineer who was to fix the problem.
- A cruise ship sending confidential information about its Windows-based local area network, including credentials stored in its Lightweight Directory Access Protocol (LDAP) database.
- An email a lawyer in Spain sent to a client about an upcoming case.
- The account-reset password used to access the network of a Greek billionaire's yacht.
Hacking satellite communications at scale
While researchers such as Adam Laurie and Leonardo Nve demonstrated the insecurity of satellite Internet in 2009 and 2010, Pavur has investigated the communications at scale, intercepting more than 4 terabytes of data from the 18 satellites he listened to. He has also analyzed newer protocols such as Generic Stream Encapsulation (GSE) and complex modulations, including 32-ary amplitude and phase shift keying (32-APSK). At the same time, he has cut the cost of eavesdropping on these newer protocols from $50,000 to about $300.
"There are still many satellite Internet services today that are vulnerable to the exact attacks and methods used by previous researchers, even though these attacks have been publicly known for more than 15 years," Pavur said ahead of Wednesday's talk. "We also found that some newer types of satellite broadband had eavesdropping problems as well."
Pavur's equipment consisted of a TBS 6983/6903 PCIe card and DVB-S tuner, a product sold so people can watch satellite television on a computer, and a flat-panel dish, although he said any dish that can receive satellite television will work. The cost of both: about $300.
Pavur used public information showing the locations of geostationary satellites used for Internet transmission, pointed the dish at them, and scanned the Ku band of the radio spectrum until he found a signal hidden in the mass of noise. From there, he told the PCIe card to interpret the signal and record it as it would a normal TV signal. He then searched the raw binary files for strings such as "http", and others corresponding to standard programming interfaces, to identify Internet traffic.
All unencrypted communications are mine
The setup lets Pavur intercept almost any transmission an ISP sends to a user via satellite, but monitoring signals in the other direction (from user to ISP) is much more limited. As a result, Pavur could reliably view the contents of HTTP sites a user was browsing, or an unencrypted email the user had downloaded, but could not see the customer's GET requests or the passwords sent to the mail server.
Even though the customer may be in the Atlantic off the coast of Africa, communicating with an ISP in Ireland, the signal sent to them can easily be intercepted from anywhere within tens of millions of square kilometers, because the high cost of satellites forces providers to beam signals over a very wide area.
[Image: An attacker anywhere within a footprint of several tens of millions of square kilometers can hijack the connection between a ship off the coast of Africa and a ground station in Ireland.]
Pavur explained:
There are several reasons why the other direction is harder to capture. The first is that the beam connecting a satellite to an ISP's ground station is often narrower and more focused (meaning you would have to be within a few dozen miles of the ISP's equipment to pick up the radio waves in that direction). In some cases, ISPs use a different frequency band for these signals, for bandwidth and performance reasons. This means an attack may require equipment that is much harder to acquire commercially and cheaply. Even if an ISP uses only a normal wide-beam Ku-band signal, it normally sends on a different frequency in each direction. This means an attacker would need a second set of antennas (not too difficult) and would also have to combine the two feeds correctly (somewhat more difficult).
Et tu, avionics?
In previous years, Pavur focused on transmissions sent to everyday users on land and to large ships at sea. This year, he turned to airplanes. With the onset of the COVID-19 pandemic, which caused passenger air travel to collapse, the researcher had less opportunity than planned to analyze passenger communications from entertainment systems, in-flight Internet services, and on-board femtocells used to send and receive mobile signals. (He did, however, see a text message in which a passenger received a coronavirus test result.)
The decline in passenger traffic, however, made it easier to focus on traffic sent to the crew in the cockpit. When one of the crew members mistyped a login for a so-called electronic flight bag, the flight-deck equipment repeatedly received an HTTP 302 redirect to the login page of the Wi-Fi service. The redirect contained the URL of the original request, including the GET parameters of the flight bag's API. The parameters described the specific flight number and its coordinates, information that gave Pavur a good sense of what the device was doing aboard the aircraft.
[Image: An electronic flight bag sending confidential avionics information over HTTP. Credit: James Pavur]
The flight bag data passed through the same network address translation (NAT) router as the passengers' entertainment and Internet traffic. In other words, the same physical satellite antenna and the same modem carried Internet traffic for both the flight bag and the passengers. This suggests that whatever network segregation existed was done in software rather than through physical hardware separation, which is harder to bypass.
Session hijacking: The attacker always wins
Using satellite-based Internet to receive navigation data puts crew and passengers at risk from an attack Pavur developed that lets an attacker impersonate the plane to the ground station it communicates with. The hack uses TCP session hijacking, a technique in which the attacker sends the ISP the metadata customers use to authenticate themselves.
Because the user's traffic is bounced off a satellite roughly 36,000 kilometers above the earth, a route that typically adds around 700 milliseconds of latency, while the attacker's data is not, the attacker's packets always beat the customer's to the ISP.
Session hijacking could be used to make airplanes or ships report incorrect locations or fuel levels, false readings from heating, ventilation and air conditioning systems, or other falsified sensitive data. It could also be used to mount denial-of-service attacks that prevent a ship from receiving data critical to safe operation.
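To make the race concrete, here is an added example (written for this article, not Pavur's code) that models the contest in Python: the eavesdropper reads a forward-link segment off the air, derives the sequence and acknowledgement numbers the terminal's reply must carry, and a simplified receiver at the ISP accepts whichever correctly numbered segment arrives first. The timings (a 700 ms satellite round trip, a 40 ms terrestrial path for the attacker), the payloads, and the simplified receiver are assumptions for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class Segment:
    sender: str     # who really sent it; the server only sees the (spoofable) IP source
    seq: int
    ack: int
    payload: bytes
    t_ms: float     # arrival time at the ISP, ms after the forward-link segment left it


@dataclass
class ServerSide:
    """Simplified TCP receiver: takes the next in-order segment whose ACK matches, and
    discards a second copy of an already-consumed sequence number as a retransmission."""
    rcv_nxt: int
    snd_nxt: int
    accepted: list = field(default_factory=list)

    def deliver(self, seg: Segment) -> str:
        if seg.seq != self.rcv_nxt or seg.ack != self.snd_nxt:
            return "dropped"        # out of window: a wrong guess gains the attacker nothing
        self.rcv_nxt += len(seg.payload)
        self.accepted.append(seg)
        return "accepted"


def client_reply_numbers(fwd_seq: int, fwd_ack: int, fwd_payload_len: int):
    """Given a forward-link segment (ISP -> terminal) read off the air, return the
    (seq, ack) the terminal's next reply must carry, which is all the hijacker needs."""
    return fwd_ack, fwd_seq + fwd_payload_len


def race(sat_rtt_ms=700.0, attacker_rtt_ms=40.0, fwd_seq=5000, fwd_ack=9000, fwd_len=100):
    """Both the real terminal and the eavesdropper answer the same forward-link segment.
    Returns ([(sender, verdict), ...] in arrival order, server state after the race)."""
    seq, ack = client_reply_numbers(fwd_seq, fwd_ack, fwd_len)
    server = ServerSide(rcv_nxt=seq, snd_nxt=fwd_seq + fwd_len)
    # The terminal sees the segment only after the satellite hop, and its reply has to
    # cross that hop again: one full satellite RTT. The attacker's dish receives the same
    # downlink at the same moment, but the spoofed reply takes a terrestrial path to the ISP.
    contenders = sorted(
        [
            Segment("attacker", seq, ack, b"spoofed position report",
                    t_ms=sat_rtt_ms / 2 + attacker_rtt_ms / 2),
            Segment("terminal", seq, ack, b"genuine position report", t_ms=sat_rtt_ms),
        ],
        key=lambda s: s.t_ms,
    )
    return [(s.sender, server.deliver(s)) for s in contenders], server


if __name__ == "__main__":
    verdicts, state = race()
    for sender, verdict in verdicts:
        print(f"{sender:9s} {verdict}")
    print("server now expects seq", state.rcv_nxt)
```

The check in `deliver()` also shows the flip side: a segment carrying a guessed sequence number is discarded even if it arrives first, so the attack depends on reading the live numbers off the forward link, which is exactly what an unencrypted downlink hands over.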
[Image: Features and limitations of hijacking TCP sessions over satellite Internet. Credit: James Pavur]
Pavur explained the hijacking method as follows:
We can process the bytes from the recording in real time at the IP packet layer. Essentially, we wait until we have recorded an entire IP packet from the stream (typically a matter of milliseconds), and then we immediately write that packet to disk. As an attacker, you need to know what kind of data you want to extract from the "noise" of Facebook visitors, etc. To do this, you can use IP addresses or other traffic signatures to identify only the most relevant traffic that you want to respond to programmatically.
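The two steps Pavur describes here and in the earlier equipment section (pull whole IP packets out of the recorded stream, then filter them by address or traffic signature and look for HTTP) can be reproduced with a small parser. The following is an added example written for this article, not Pavur's tooling: it decodes the Generic Stream Encapsulation (GSE) layer that carries IP over DVB-S2, reassembles fragments, parses IPv4 and TCP, and flags HTTP, including a 302 whose Location header echoes query parameters as in the flight-bag case. The host names, addresses and parameter names are constructed, and the sample capture is built in-script rather than read off-air.

```python
import struct
from urllib.parse import parse_qs, urlsplit

def parse_gse(stream):
    """Yield (protocol_type, label, pdu) from concatenated GSE packets (ETSI TS 102 606
    layout). Fragments sharing a Frag ID are reassembled; the CRC-32 ending a fragmented
    PDU is stripped but not verified here (a real decoder verifies it)."""
    frags, off = {}, 0
    while off + 2 <= len(stream):
        b0, b1 = stream[off], stream[off + 1]
        s, e, lt, glen = b0 >> 7, (b0 >> 6) & 1, (b0 >> 4) & 3, ((b0 & 0x0F) << 8) | b1
        if s == 0 and e == 0 and lt == 0 and glen == 0:
            break                               # padding: rest of the base-band frame is empty
        body, off, frag_id, p = stream[off + 2:off + 2 + glen], off + 2 + glen, -1, 0
        if not (s and e):
            frag_id, p = body[0], 1             # only fragments carry a Frag ID
        if s and not e:
            p += 2                              # Total Length of the whole PDU (unused here)
        proto = label = None
        if s:
            proto = struct.unpack_from("!H", body, p)[0]
            lab_len = (6, 3, 0, 0)[lt]          # LT: 00 6-byte, 01 3-byte, 10 none, 11 re-use
            label, p = body[p + 2:p + 2 + lab_len], p + 2 + lab_len
        data = body[p:]
        if s and e:
            yield proto, label, data
        elif s:
            frags[frag_id] = [proto, label, bytearray(data)]
        elif frag_id in frags:                  # continuation or end; orphans are dropped
            frags[frag_id][2] += data[:-4] if e else data
            if e:
                proto, label, buf = frags.pop(frag_id)
                yield proto, label, bytes(buf)

def parse_ipv4(pkt):
    """Return (src, dst, protocol, payload) or None if this is not IPv4."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl, total = (pkt[0] & 0x0F) * 4, struct.unpack_from("!H", pkt, 2)[0]
    return ".".join(map(str, pkt[12:16])), ".".join(map(str, pkt[16:20])), pkt[9], pkt[ihl:total]

def parse_tcp(seg):
    sport, dport, seq, ack, off_flags = struct.unpack_from("!HHIIH", seg, 0)
    return sport, dport, seq, ack, off_flags & 0x1FF, seg[(off_flags >> 12) * 4:]

def http_leak(payload):
    """Return the HTTP start line plus any query parameters a Location header echoes
    back (the flight-bag 302 case), or None if the payload does not look like HTTP."""
    if not payload.startswith((b"HTTP/1.", b"GET ", b"POST ", b"PUT ", b"HEAD ")):
        return None
    head = payload.partition(b"\r\n\r\n")[0].split(b"\r\n")
    params = {}
    for line in head[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"location":
            params = parse_qs(urlsplit(value.strip().decode(errors="replace")).query)
    return head[0].decode(errors="replace"), params

def sweep(stream, watch=()):
    """Walk a captured forward-link stream and report HTTP to or from the addresses in
    `watch` (empty = everything): the IP / traffic-signature filter Pavur describes."""
    hits = []
    for proto, _, pdu in parse_gse(stream):
        ip = parse_ipv4(pdu) if proto == 0x0800 else None   # Protocol Type is an EtherType
        if ip is None or ip[2] != 6:                          # 6 = TCP
            continue
        src, dst, _, seg = ip
        if watch and src not in watch and dst not in watch:
            continue
        leak = http_leak(parse_tcp(seg)[5])
        if leak:
            hits.append((src, dst) + leak)
    return hits

def gse(pdu, s=1, e=1, frag_id=0, total=0, proto=0x0800, label=b"\x00\x01\x02\x03\x04\x05"):
    """Build one GSE packet (test helper; off-air they arrive inside DVB-S2 base-band frames)."""
    body = b""
    if not (s and e):
        body += bytes([frag_id])
    if s and not e:
        body += struct.pack("!H", total)
    if s:
        body += struct.pack("!H", proto) + label
    body += pdu + (b"\0\0\0\0" if e and not s else b"")   # placeholder CRC-32 on end fragments
    lt = {6: 0, 3: 1, 0: 2}[len(label)] if s else 0
    return bytes([(s << 7) | (e << 6) | (lt << 4) | (len(body) >> 8), len(body) & 0xFF]) + body

def ipv4_tcp(src, dst, sport, dport, payload, seq=1000, ack=2000):
    """Minimal IPv4+TCP packet (test helper; checksums left zero)."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | 0x018, 65535, 0, 0) + payload
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                       bytes(map(int, src.split("."))), bytes(map(int, dst.split(".")))) + tcp

# Constructed capture (hypothetical hosts, documentation-range addresses): a 302 echoing
# the flight-bag query, a second packet split over two GSE fragments, then padding.
REDIRECT = (b"HTTP/1.1 302 Found\r\nLocation: http://portal.example/login?"
            b"next=%2Fefb%2Fapi&flight=XY123&lat=48.1&lon=2.3\r\nContent-Length: 0\r\n\r\n")
PKT_A = ipv4_tcp("203.0.113.10", "198.51.100.7", 80, 51000, REDIRECT)
PKT_B = ipv4_tcp("203.0.113.20", "198.51.100.9", 80, 51001, b"HTTP/1.1 200 OK\r\n\r\n<html>")
SAMPLE = (gse(PKT_A)
          + gse(PKT_B[:40], s=1, e=0, frag_id=7, total=2 + 6 + len(PKT_B))
          + gse(PKT_B[40:], s=0, e=1, frag_id=7)
          + b"\x00\x00")
```

Calling `sweep(SAMPLE)` reports both HTTP responses, with the flight number and coordinates recovered from the redirect's Location header; `sweep(SAMPLE, {"198.51.100.9"})` narrows the output to one terminal, which is the address-based filtering step in Pavur's description. Only the forward link is parsed here, matching what the page says a single receiver can see.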
A problem in search of a solution
The most common response Pavur receives after sharing his findings is that satellite Internet users should simply use a VPN to prevent attackers from reading or tampering with the data sent. Unfortunately, the handshakes each endpoint needs to authenticate to the other cause a slowdown of about 90 percent. That overhead, on top of the already high 700 millisecond latency, produces waits that make satellite Internet almost unusable.
While HTTPS and email-level encryption prevent attackers from reading page contents and message bodies, most domain name lookups remain unencrypted, and attackers can learn a great deal by inspecting them. HTTPS certificates also let attackers fingerprint the servers that customers connect to.
[Image: Left: An unencrypted DNS response shows that a satellite Internet user is visiting Dropbox. Right: A breakdown of the most visited domains. Credit: James Pavur]
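As an added illustration (not from Pavur's talk), the following Python decodes DNS responses as they appear on the forward link, following the name-compression pointers real resolvers emit, and tallies the domains a subscriber is resolving, which is the profiling step the preceding paragraph describes. The responses are constructed in-script; apart from Dropbox, which the page mentions, the host names and addresses are placeholders.

```python
import struct
from collections import Counter


def read_name(msg, off):
    """Decode a DNS name at `off`, following RFC 1035 compression pointers.
    Returns (dotted name, offset just past the name in the section being read)."""
    labels, end, hops = [], None, 0
    while True:
        ln = msg[off]
        if (ln & 0xC0) == 0xC0:                    # 11xxxxxx: 14-bit pointer
            if end is None:
                end = off + 2                      # the field in this section ends here
            off = ((ln & 0x3F) << 8) | msg[off + 1]
            hops += 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii", errors="replace"))
        off += ln
    return ".".join(labels), (off if end is None else end)


def parse_dns(msg):
    """Return (qname, is_response, [(owner, rtype, rdata)]); A and CNAME rdata are decoded."""
    txid, flags, qd, an, _, _ = struct.unpack_from("!HHHHHH", msg, 0)
    off, qname = 12, None
    for _ in range(qd):
        qname, off = read_name(msg, off)
        off += 4                                   # skip QTYPE and QCLASS
    answers = []
    for _ in range(an):
        owner, off = read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        rdata = msg[off:off + rdlen]
        if rtype == 1 and rdlen == 4:
            rdata = ".".join(map(str, rdata))
        elif rtype == 5:
            rdata = read_name(msg, off)[0]
        off += rdlen
        answers.append((owner, rtype, rdata))
    return qname, bool(flags & 0x8000), answers


def domain_profile(messages):
    """Count which registered domains a subscriber resolves. The last two labels stand in
    for the registered domain; a real tool should consult the public suffix list."""
    counts = Counter()
    for msg in messages:
        qname, is_response, _ = parse_dns(msg)
        if is_response and qname:
            counts[".".join(qname.split(".")[-2:])] += 1
    return counts


def encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"


def build_response(txid, qname, addr, cname=None):
    """Constructed DNS response (test helper): question, optional CNAME, then an A record
    whose owner name is a compression pointer, as real resolvers emit."""
    question = encode_name(qname) + struct.pack("!HH", 1, 1)
    msg = struct.pack("!HHHHHH", txid, 0x8180, 1, 2 if cname else 1, 0, 0) + question
    owner = b"\xC0\x0C"                            # pointer to the question name at offset 12
    if cname:
        rdata = encode_name(cname)
        msg += owner + struct.pack("!HHIH", 5, 1, 300, len(rdata)) + rdata
        owner = struct.pack("!H", 0xC000 | (12 + len(question) + 2 + 10))  # -> CNAME rdata
    msg += owner + struct.pack("!HHIH", 1, 1, 300, 4) + bytes(map(int, addr.split(".")))
    return msg


# Constructed sample of forward-link DNS answers (addresses from the documentation range).
SAMPLE = [
    build_response(1, "www.dropbox.com", "198.51.100.5", cname="www-cdn.example.net"),
    build_response(2, "api.dropbox.com", "198.51.100.6"),
    build_response(3, "mail.example.net", "198.51.100.7"),
]
```

`domain_profile(SAMPLE)` yields the kind of per-subscriber breakdown shown in the figure; because the query name is copied into the response, the forward link alone is enough to build it, even though the subscriber's own queries travel on the return link the eavesdropper cannot see.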
With that information, attackers can identify users worth more targeted attacks. Of 100 ships Pavur examined, chosen pseudo-randomly, he was able to deanonymize them and tie them to specific vessels.
[Image: Ships Pavur deanonymized. Credit: James Pavur]
Intercepted unencrypted navigation charts, reports of equipment failures on the open sea, and the use of Windows 2003 servers with known security holes also put users at considerable risk. Combined with the use of insecure channels like FTP, an attacker could potentially manipulate maritime data to hide a sandbar, or use the data to plan real-world interference.
The scale of the problem put the researcher in a dilemma. With tens of thousands of users affected, Pavur could not privately notify the vast majority of them. He chose to contact the largest companies that were transmitting particularly sensitive data in the clear. He ultimately decided not to identify any of the affected users or companies, because the root of the problem lies in industry-wide protocols that are insecure.
"The goal of my research is to highlight the unique dynamics that the physical properties of space create for cybersecurity, an area that has not yet been explored," he said. "Many people think of satellites as just normal computers that are a little farther away, but a lot is different about satellites. By highlighting these differences, we can improve security to protect these systems."