Black Hat 2020: Satellite Comms Globally Open to $300 Eavesdropping Hack

satellite isp eavesdropping black hat

Attackers can listen in on internet traffic for high-value targets a continent away, like shipping fleets and oil installations, using some basic home-television gear.

Satellite internet communications are susceptible to eavesdropping and signal interception by far-flung attackers located in a different continent or country from their victims. And all they need is $300 worth of off-the-shelf equipment to pull it off.

That’s the word from James Pavur, an academic researcher and doctoral candidate at Oxford University, speaking at Black Hat 2020 on Wednesday.

Satellite ISPs provide connectivity in places where terrestrial communications aren’t possible. For instance, at oil rigs in the Gulf, or to pilots in-flight. Commercial shipping vessels, fishing boats, cruise passengers, terrestrial explorers camping in the wilderness, Arctic observation camps, weather stations and others all rely on satellite to connect to the outside world.

Click to register!

The first thing to know is that the way satellite communications work provides for a wide geographical attack area, the researcher explained. When a satellite ISP makes an internet connection for a customer, it beams that customer’s signals up to a satellite in geostationary orbit within a narrow communications channel; that signal is then sent back down to a terrestrial receiving hub and routed to the internet. However, when the response signals are sent back along the same path (just in reverse), that transmission downlink between the satellite and the user will be a broadcast transmission, containing many customers’ traffic simultaneously.

“A critical difference is that we’re going to send [downstream signals] in a really wide beam, because we want to cover as many customers as possible, and satellites are very expensive,” according to Pavur. “So radio waves carrying a response to a Google search will reach our customer in the middle of the Atlantic Ocean; but they will also hit an attacker’s dish in, say, Ghana.”

Essentially what this means is that if they were able to perform an interception, adversaries could eavesdrop on vast sections of the globe.

The $300 Listening Station

The common assumption is that for an attacker to pull off this kind of signal interception, it takes money. And indeed, there are specialized modems for intelligence-collection purposes that allow governments to listen in on satellite communications, Pavur noted; they’re installed in multimillion-dollar ground stations worldwide. However, for those without nation-state assistance, the researcher demonstrated that the same kind of attack can be accomplished with basic home-television consumer equipment.

“We purchased this simple flat panel satellite dish — although honestly any satellite dish would do, even something that’s already resting on your roof, or off of Craigslist or Gumtree for basically free,” Pavur said. “And then we used a PCIe satellite tuner card. These are widely available for people who want to watch satellite television on their computer.”

Higher-end professional PCIe tuner cards cost between $200 and $300, but there are cheaper versions in the $50 to $80 price range. The downside of the cheaper ones, Pavur explained, is that there will be a lack of reliability in listening in on certain feeds.

With the equipment in hand, eavesdroppers then need to decide where to point their dishes (the locations of comms satellites are public information), and then go about discovering internet feeds. To do that, Pavur’s team used a software tool called EPS Pro, which is designed to help people find satellite television channels.

“We’re going to point our satellite dish at a spot in the sky that we know has a satellite, and we’re going to scan the Ku band of the radio spectrum to find signals against the background noise,” Pavur explained. “The way we’ll identify channels is by looking for distinct humps in the radio spectrum; because they stick out against the background noise, we can guess that there’s something going on there. We’ll tell our card tune to this one, and treat it as a digital video broadcasting for satellite feed. After a few seconds we get a lock on that feed, meaning we successfully found a connected satellite.”

The next step is to make a short recording of the feed; depending on the signal-to-noise ratio, the amount of data captured could range from a megabyte to a terabyte. In any event, attackers would then examine the data to discover whether they’ve found internet traffic or a TV feed.

“There’s no dark magic to this process, I’m just going to look through that raw binary file for the string HTTP, which we’d expect to see an internet capture, but wouldn’t expect to see in a television feed,” Pavur explained.

Once an internet connection is identified, it’s possible to record it and then parse it for information. But there’s one other obstacle to this process, according to the research. The feed might be transmitted in one of two protocols: The MPEG video streaming format (which is easy to parse using commonly available tools like Wireshark), or a newer protocol known as generic stream encapsulation (GSE).

“GSE is much simpler in theory; it takes an IP payload and wraps it in a generic GSE stream which has a bunch of different fragments, and then puts that into a digital video broadcasting feed,” explained the researcher. “This is particularly popular we found among enterprise customers, who rent an entire satellite transponder for their networks. But, the signals they send have more complicated modulations that are hard for cheap hardware to keep up with.”

As a result, the team found they were often losing big chunks of these types of GSE internet feeds, resulting in corrupted files. There was a fix however: they wrote a forensic tool called GC Extract that can reconstruct meaningful IP data out of a corrupted GSE recording – problem solved.

Encryption Issues

The Oxford team took their set-up and applied it to real satellite internet connections, finding that generally speaking, the satellite ISPs they examined did not seem to be employing encryption by default. As a result, they were able to listen in on feeds from a wide range of victim types, on land, at sea and in the air – as if they were the ISP themselves.

“What this means is that an attacker who’s listening to your satellite signal gets to see what your internet service provider would expect to see: Every packet that comes to your modem, every BitTorrent you download, every website you visit,” Pavur said. “But it gets even worse if we look at enterprise customers, because a lot of them were operating what was essentially a corporate land network over the satellite feeds. For example, imagine a cruise line that has a bunch of Windows devices aboard it ships. This Windows local area network with all that internal LDAP traffic and SDP traffic will be broadcast over the satellite link, giving an eavesdropper perspective from behind the firewall.”

Even users whose own traffic is encrypted are susceptible, Pavur explained.

“Our ISP vantage point gives us some unique perspectives on what you’re doing – for example, your DNS queries are likely still sent unencrypted, so we can piece together your internet browsing history, and which websites you’re visiting,” the analyst noted. “Even those TLS certificates which are protecting the contents of your traffic are also fingerprinting the servers you’re talking to, and the services you’re connecting to.”

Victim Impact

Pavur also offered a few examples of what the team was able to pick up. For instance, they intercepted an email conversation that a lawyer in Spain was having with a client, about an upcoming court case.

“Now, obviously, this raises serious concerns for attorney client privilege and personal communications privacy,” said the researcher. “But in our threat model, it gets even worse, because at this point, we have access to the contents of this email inbox, we know his email address. So we can say hey, this guy goes to, and we can also go to PayPal and use the ‘forgot my password’ function to steal his PayPal account or any other account.”

In another example, the team found that many wind turbines use satellite, and that they have connected terminals with a control panel for changing the settings of the power station.

“The credentials for these were often being sent in clear text over the satellite link, meaning that anyone on the internet could see that and start messing around with electricity infrastructure,” Pavur said. “There may be a second layer of protection behind this login page that we didn’t account for, but it’s at least intuitively concerning that these credentials are being broadcast in clear text.”

In a maritime use case, the eavesdropping picked up multiple terabytes of information from ships, but it wasn’t immediately clear which packets were coming from which vessel.

“So we picked 100 random IP addresses and devised a basic fingerprint consisting of DNS queries, TLS certificates and some strings from the first couple of bytes of their traffic, to see if we could actually de-anonymize these IP addresses and tie them to specific ships in the ocean,” Pavur explained, adding that they were successful for about 10 percent of the vessels the team looked at.

One was a fishing boat that was using software to tell it where fish could be found, over the satellite feed, while another was a massive container ship, “one of the larger ships in the world for one of the largest shipping companies in the world.”

Other successful targets for interception included a subsea repair ship, operated by a major petroleum company, which had a vulnerable box running Windows Server 2003; a port authority transmitting cargo-ship lists of all crew members, dates of birth and passport numbers, in clear text; and communications from a Greek billionaire’s yacht.

In the case of the vulnerable server, Pavur cautioned that this could be a pathway to attacking the operational technology on board the ship.

As for the latter, “one day, his captain forgot his Microsoft account login,” Pavur said. “And so the account-reset password was sent over clear text on the satellite feed. At this point, we had a route where we could have potentially hijacked this captain’s account and targeted an extremely high net-worth individual via targeted social-engineering attacks.”

Notification and Mitigation

The Oxford team disclosed their findings to all impacted entities, both the test victims and ISPs – but won’t be “naming and shaming” anyone.

“We don’t want this to be a report about X cruise line leaking your personal information; we want to talk about a systemic issue that affects almost every customer of satellite geostationary broadband,” said Pavur. “We of course responsibly disclose these vulnerabilities, reaching out to some companies as much as a year ago, as well as the customers who are most affected by these breaches. Generally people were pretty receptive.”

The Federal Bureau of Investigation also released a private threat-intelligence notification in response to the research.

On the mitigation front, the response is more complicated than simply adding encryption. Users that employ standard end-to-end encryption will find themselves taking a big performance hit, according to the research.

“It turns out that traffic is really slow over those satellite feeds because of all the hops you have to make in the sky,” Pavur explained. “And so as a result, satellite internet service providers have built a tool called a performance-enhancing proxy, which is essentially a benevolent man-in-the-middle that intercepts and modifies your TCP sessions on both sides of the satellite link to make it feel fast. Unfortunately, if you use standard end to end encryption, this will stop the ISP from being able to engage in that benevolent man-in-the-middle attack, and it will slow your satellite speeds to a crawl.”

An alternative is to use a TLS-encrypted email client which would eliminate the performance difference, but would protected at least email-related communications. And also, ISPs could improve on their end, with encryption or tweaks that disallow traffic to be parsed.

The takeaway, according to Pavur, is that internet users should always remember that the next hop is unknown.

“The internet is a weird web with devices and systems that are connected in ways that you can never predict, you might connect to a secure Wi-Fi hotspot or a cell tower, but the next hop could be a satellite link or wiretapped Ethernet cable,” Pavur cautioned. “Having the right, the ability and the knowledge to encrypt your own data, and to choose to do that, is critical to protecting against this class of attack, whatever domain you think about it in.”

Complimentary Threatpost Webinar: Want to learn more about Confidential Computing and how it can supercharge your cloud security? This webinar “Cloud Security Audit: A Confidential Computing Roundtable” brings top cloud-security experts from Microsoft and Fortanix together to explore how Confidential Computing is a game changer for securing dynamic cloud data and preventing IP exposure. Join us  Wednesday Aug. 12 at 2pm ET for this FREE live webinar with Dr. David Thaler, software architect, Microsoft and Dr Richard Searle, security architect, Fortanix – both with the Confidential Computing Consortium. Register Now.


Suggested articles