“Pavur was able to intercept traffic using a $90 satellite dish and a $200 digital video broadcasting satellite tuner – both available second hand online.”

Insecure satellite Internet is threatening ship and plane safety
by Dan Goodin /  8/5/2020

“More than a decade has passed since researchers demonstrated serious privacy and security holes in satellite-based Internet services. The weaknesses allowed attackers to snoop on and sometimes tamper with data received by millions of users thousands of miles away. You might expect that in 2020—as satellite Internet has grown more popular—providers would have fixed those shortcomings, but you’d be wrong. In a briefing delivered on Wednesday at the Black Hat security conference online, researcher and Oxford PhD candidate James Pavur presented findings that show that satellite-based Internet is putting millions of people at risk, despite providers adopting new technologies that are supposed to be more advanced.

Over the course of several years, he has used his vantage point in mainland Europe to intercept the signals of 18 satellites beaming Internet data to people, ships, and planes in a 100 million-square-kilometer swath that stretches from the United States, Caribbean, China, and India. What he found is concerning. A small sampling of the things he observed include:

  • A Chinese airliner receiving unencrypted navigational information and potentially avionics data. Equally worrisome, that data came from the same connection passengers used to send email and browse webpages, raising the possibility of hacks from passengers.
  • A system administrator logging in to a wind turbine in southern France, some 600 kilometers away from Pavur, and in the process exposing a session cookie used for authentication.
  • The interception of communications from an Egyptian oil tanker reporting a malfunctioning alternator as the vessel entered a port in Tunisia. Not only did the transmission allow Pavur to know the ship would be out of commission for a month or more, he also obtained the name and passport number of the engineer set to fix the problem.
  • A cruise ship broadcasting sensitive information about its Windows-based local area network, including the log-in information stored in the Lightweight Directory Access Protocol database
  • Email a lawyer in Spain sent a client about an upcoming case.
  • The account reset password for accessing the network of a Greek billionaire’s yacht.

Hacking satellite communications at scale
While researchers such as Adam Laurie and Leonardo Nve demonstrated the insecurity of satellite Internet in 2009 and 2010, respectively, Pavur has examined the communications at scale, with the interception of more than 4 terabytes of data from the 18 satellites he tapped. He has also analyzed newer protocols, such as Generic Stream Encapsulation and complex modulations including 32-Ary Amplitude and Phase Shift Keying (APSK). At the same time, he has brought down the interception cost of those new protocols from as much as $50,000 to about $300. “There are still many satellite Internet services operating today which are vulnerable to their [the previous researchers’] exact attacks and methods—despite these attacks having been public knowledge for more than 15 years at this point,” Pavur told me ahead of Wednesday’s talk. “We also found that some newer types of satellite broadband had issues with eavesdropping vulnerabilities as well.”

The equipment Pavur used consisted of a TBS 6983/6903 PCIe card/DVB-S tuner, which allows people to watch satellite TV feeds from a computer. The second piece was a flat-panel dish, although he said any dish that receives satellite TV will work. The cost for both: about $300. Using public information showing the location of geostationary satellites used for Internet transmission, Pavur pointed the dish at them and then scanned the ku band of the radio spectrum until he found a signal hiding in the massive amount of noise. From there, he directed the PCIe card to interpret the signal and record it as a normal TV signal. He would then look through raw binary files for strings such as “http” and those corresponding to standard programming interfaces to identify Internet traffic.

All unencrypted comms are mine
The setup allows Pavur to intercept just about every transmission an ISP sends to a user via satellite, but monitoring signals the other way (from the user to the ISP) is much more limited. As a result, Pavur could reliably see the contents of HTTP sites a user was browsing or of an unencrypted email the user downloaded, but he couldn’t obtain customers’ “GET” requests or the passwords they sent to the mail server. Even though the customer may be located in the Atlantic off the coast of Africa and is communicating with an ISP in Ireland, the signal it sends is easily intercepted from anywhere within tens of millions of square kilometers, since the high cost of satellites requires providers to beam signals over a wide area.

“An attacker from anywhere within tens of millions of square kilometers can hijack the connection between a ship off the coast of Africa and a ground station in Ireland.”

Pavur explained: “There are a few reasons the other direction is harder to capture. The first is that the beam connecting a satellite to an ISP’s ground station is often more narrow and focused (meaning you have to be within a few dozen miles of the ISP’s system to pick up radio waves in that direction). In some cases, ISP’s will use a different frequency band to transmit these signals for bandwidth and performance reasons—this means an attack might need equipment that is much harder to pick up commercially and affordably. Finally, even if an ISP just uses a normal wide-beam K>u-band signal, they will normally transmit on a different frequency in each direction. This means an attacker would need a second set of antennas (not too difficult) and would also need to combine the two feeds correctly (slightly more difficulty).”

Et tu, Avionics?
In past years, Pavur focused on transmissions sent to everyday users on land and large ships at sea. This year, he turned his attention to planes. With the onset of the COVID-19 pandemic causing passenger flying to plummet, the researcher had less opportunity than he planned to analyze passenger communications from entertainment systems, in-flight Internet services, and onboard femtocells used to send and receive mobile signals. (He did, however, see a text message providing a passenger with a coronavirus test.) But it turned out that the decrease in passenger traffic made it easier to focus on traffic sent to crew members in the cockpit. When one of the crew fat fingered a login to what’s known as an electronic flight bag, the flightdeck equipment repeatedly got an HTTP 302 Redirect error to the Wi-Fi service login page. The redirect format included the URL of the original request showing the GET parameters of the flight bag API. The parameters described the specific flight number and its coordinates, information that gave Pavur a good feel for what the device was doing aboard the plane.

“An electronic flight bag like the one pictured here was sending the flightdeck crew potentially sensitive data through HTTP.”

The flight-bag data passed through the same network-address-translation router as entertainment and Internet traffic from passengers. In other words, the same physical satellite antenna and modem were delivering Internet traffic to both the flight bag and passengers. This suggests that any network segregation that may exist was performed by software rather than through physical hardware separation, which is less prone to hacking. In a detailed comment Pavur left after this post went live, he wrote: “The system we saw seemed to be used to download information like weather updates and navigational maps and to manage pre-flight safety/maintenance and some scheduling functionality. We weren’t able to 100% identify the device since it was just these weird API bounces that we intercepted, but it did appear to be a built-in/attached component of a particular aircraft. At the very least, it was always aboard the same physical plane over the course of many weeks but it could have been a mounted display from a laptop (e.g.”

Whether this fully crosses the “red line” dividing in-flight entertainment and aircraft critical systems is a complicated question. I personally felt that it rang alarm bells in that the network which helps the crew track severe weather or determine if its safe to fly should probably be segregated from the network which helps passengers visit Facebook. That said, aviation appears leagues ahead on security when compared to maritime. I encountered lots of routes that I think could cause physical harm to ships in the ocean, but very few which could obviously endanger planes in the skies.

Session hijacking: The attacker always wins
The use of satellite-based Internet to receive the navigational data puts the crew and passengers at risk of an attack Pavur developed that allows an attacker to impersonate the aircraft with which the ground station is communicating. The hack uses TCP session hijacking, a technique in which the attacker sends the ISP the metadata customers use to authenticate themselves. Because users’ traffic is bounced off a satellite 30,000 kilometers above Earth—a route that typically results in signal latency of about 700 milliseconds—and the attacker’s data isn’t, the attacker will always beat customers in reaching the ISP. The session hijacking can be used to cause planes or ships to report incorrect locations or fuel levels, false readings for heating, ventilation, and air conditioning systems, or transmit other sensitive data that’s falsified. It can also be used to create denials of service that prevent the vessel from receiving data that’s crucial to safe operations.

“Capabilities and limitations of TCP session hijacking of satellite Internet.”

Pavur explained the hijacking methodology this way: “We can convert the bytes from the recording in real-time at the IP-packet layer. Essentially, we wait until we record an entire IP packet from the stream (a matter of milliseconds normally) and then immediately write that packet to disk. As an attacker, you do need to know what kind of data you want to extract from the “noise” of people visiting Facebook and so forth. To do that, you can use IP addresses or other traffic signatures to identify just the most relevant traffic to respond to programmatically.”

“Left: an unencrypted DNS response shows a satellite Internet user is visiting Dropbox. Right: a breakdown of the most commonly visited domains.”

A problem in search of a solution
The common reaction Pavur gets after he shares his findings is that satellite-based Internet users should simply use a VPN to prevent attackers from reading or tampering with any data sent. Unfortunately, he said, the handshakes required for each endpoint to authenticate itself to the other results in a slow-down of about 90 percent. The overhead increases the already-large 700 millisecond latency to a wait that renders satellite Internet almost completely unusable. And while HTTPS and transport-level encryption for email prevent attackers from reading the body of pages and messages, most domain-lookup queries continue to be unencrypted. Attackers can learn plenty by scrutinizing the data. HTTPS certificates allow attackers to fingerprint servers customers connect to. That information allows attackers to identify users who are worthy of more targeted attacks. Out of 100 ships Pavur pseudo-randomly looked at, he was able to deanonymize about 10 and tie them to specific vessels.

“Ships Pavur deanonymized”

The interception of unencrypted navigational charts, equipment failures in the open sea, and the use of vulnerability-riddled Windows 2003 servers also puts users at considerable risk. Combined with the use of insecure channels such as FTP, an attacker might be able to tamper with maritime data to hide a sandbar or use the data to plan physical intrusions. The sheer scale of the problem put the researcher in a quandary. With tens of thousands of users affected, Pavur was unable to privately notify the vast majority of them. He settled on contacting the largest companies who were transmitting particularly sensitive data in the clear.

He ultimately chose not to identify any of the affected users or companies because, he said, the crux of the problem is the result of industrywide protocols that are insecure. “The goal of my research is to bring out these unique dynamics that the physical properties of space create for cybersecurity, and it’s an area that’s been underexplored,” he said. “A lot of people think that satellites are just normal computers that are a little bit further away, but there’s a lot that’s different about satellites. If we highlight those differences, we can better build security to protect the systems.”

Hackers Are Building an Army of Cheap Satellite Trackers
by Lily Hay Newman  /  08.04.2020

“Even though the Defcon security conference has moved entirely online this year, United States Air Force is going forward with Hack-a-Sat, a months-long competition that culminates with hacking a real orbiting satellite starting on Friday. But another project at Defcon’s Aerospace Village this week should have at least as much impact and a potentially much broader reach: an open source satellite communication tool made from about a hundred bucks worth of hardware.

The project, dubbed NyanSat, isn’t just a workaround for a remote conference. The goal is to make low-earth orbit satellite communication technology much more accessible and swap out the massive, specialized transmitters, antennas, and radio dishes that go into satellite “ground stations” for open source software and an affordable hardware kit. NyanSat ground stations aren’t refined or powerful enough to replace the real deal, but their strength lies in their potential ubiquity. With one of the devices up and running, you can point NyanSat’s antenna to specific coordinates in the sky and listen for the radio frequency transmissions coming from a satellite that’s out there.

“We designed this as a sneaky sidestep to make something inexpensive enough that everyone can have it,” says Ang Cui, CEO of the embedded security firm Red Balloon Security, which designed the NyanSat project in partnership with the Air Force and Defense Digital Service. “The innovation here is we’re using a cheap IMU—inertial measurement unit—to orient the antenna without having to use expensive motors and controls. It’s the same type of instrument used in drones for orientation and navigation. We want to engage as many people as possible with something hands on and get them interested in DIY space projects.”

Out of the box (so to speak), a NyanSat ground station knows its location through GPS and its orientation through the IMU. When you input specific coordinates, it will mechanically move to point its antenna toward them. Red Balloon is also offering an application programming interface that allows you to easily program a moving path, allowing you to choreograph movements so the device follows a satellite as it orbits. From there you can start listening to what satellites are transmitting. For example, you can sync up with the National Oceanic and Atmospheric Administration’s weather satellites to essentially livestream high-resolution black and white images of the Earth, or listen in on what’s coming from any coordinates in the sky.

Red Balloon researchers designed a custom motherboard, called Antenny, for NyanSat ground stations. The schematics are open source so anyone can make their own, but the team has been selling the boards and other equipment as a kit for one dollar. Really the hardware in the kits costs closer to $100, but Cui says that since Red Balloon isn’t paying to send researchers to Defcon this year—and won’t be throwing its annual poolside networking event—NyanSat kits are a way to give a gift to the open source community instead. So far Red Balloon has sold about 65 kits, and is working to put more of them together in batches of about 50. Cui says his colleagues recently detected a bot someone wrote to automate purchasing the kits as soon as they come back in stock, so there seems to be at least some pent-up demand.

The more NyanSat ground stations are out there, the more they can do together, communicating with known satellites or even probing the more stealthy or unknown objects orbiting the Earth. Individual NyanSat base stations don’t have to work as part of a collective and share data, but in many ways the devices have more potential as part of community research than as individual instruments. There’s already an active Discord channel where people are getting their base stations up and running and discussing ideas for long-term projects. “Let’s say we have 1,000 of these base stations distributed across North America,” says Cui. “If you could shine a radar beam into the sky not knowing if something is there or not, the chances that it’s reflected back to you, the sender, would be astronomically small. But if we have thousands of base stations all listening, they could amplify and correlate from whichever station hears the bounce back to find debris or other objects you wouldn’t know are up there.”

“The NyanSat Pan/Tilt Gimbal Control Setup”

While the NyanSat project promises an impressively cheap ground station, it isn’t the only way to hunt for space debris or undocumented satellites in orbit. Groups of amateur observers have been tracking spy satellites for decades. There’s precedent, too, for creating a low-cost, decentralized, open source ground station networks. A project known as SatNOGS, founded in 2014 during the NASA Space App Challenge hackathon, does similar work and has more than 60 deployed ground stations around the world. SatNOGS is run through a larger organization called the Libre Space Foundation. The ground stations cost between $300 and $500 to build.

Cui says that he hopes the NyanSat and SatNOGS communities will overlap, since all of the software and schematics for both projects are open source and could augment each other. “Although indeed there seem to be some similarities, there are many differences regarding the scope of our respective projects,” says Pierros Papadeas, director of operations for the Libre Space Foundation. “That said, we would wholeheartedly welcome as many open source projects and implementations of any part of the full satellite communications technology stack, since it could only mean more collaboration opportunities and a chance to broaden the open source space ecosystem. We can’t wait to get our hands into a NyanSat kit and hack it to run SatNOGS client.”

In addition to the low-cost ground stations, the Red Balloon researchers also collected equipment to build a mobile, military-grade ground station that can serve as a sort of queen bee for the NyanSat hive. The device is a weather-sealed, military spec antenna station designed to mount on a Humvee for satellite communication—the kind of thing that would come in handy in a disaster zone. The ground station transmits on a microwave frequency band reserved for satellite communication called the Ku band, and unscheduled transmissions from a ground station of its power would be illegal, as regulated by the Federal Communications Commission.

But the researchers will run a livestream during Defcon showing the ground station’s parts and how it’s constructed to offer a deeper understanding of what goes into a high-precision and accuracy ground station—very different than the cheap components in a NyanSat ground station. Participants will also be able to control the station remotely, with limitations on transmitting, and listen in on satellite transmissions with more range and clarity. “Pretty amazing what you can buy in mint condition for $1,600 from liquidators in New Jersey,” Cui says. Or a lot less, if all you’re after is a little low-key community satellite tracking from NyanSat.”

The Air Force Will Let Hackers Try to Hijack an Orbiting Satellite
by Brian Barrett / 09.17.2019

“When the Air Force showed up at the Defcon hacker conference in Las Vegas last month, it didn’t come empty-handed. It brought along an F-15 fighter-jet data system—one that security researchers thoroughly dismantled, finding serious vulnerabilities along the way. The USAF was so pleased with the result that it has decided to up the ante. Next year, it’s bringing a satellite.

That’s a promise from Will Roper, assistant secretary of the Air Force for acquisition, technology, and logistics. While sending elite hackers after an orbiting satellite—and its ground station—might sound ambitious, it’s in keeping with Roper’s commitment to fundamentally changing how his branch of the military attacks its cybersecurity challenges. “We have to get over our fear of embracing external experts to help us be secure. We are still carrying cybersecurity procedures from the 1990s,” says Roper. “We have a very closed model. We presume that if we build things behind closed doors and no one touches them, they’ll be secure. That might be true to some degree in an analog world. But in the increasingly digital world, everything has software in it.” Software inevitably has bugs that could be exploited, whether in a smart microwave or a complex flight system. Roper knows this from experience: The Hack the Air Force initiative, a bug bounty that sprang from a partnership between HackerOne and the Pentagon’s Defense Digital Service, paid out $130,000 to hackers who collectively found over 120 vulnerabilities last December.

It was DDS that connected the Air Force to the organizers of Defcon’s Aviation Village, a corner of the hacking conference dedicated to all things aerial that debuted this year. There, a group of seven vetted hackers, under the USAF’s watchful eyes, attacked a Trusted Aircraft Information Download Station, which transfers data back and forth on an F-15. With the vulnerabilities they found, they could have shut it down. And that’s just one of the countless components that the Air Force sources. The Air Force has its own internal cybersecurity team, of course, but its resources are finite. It needs a little help. “You would expect really high security procedures for the F-15, and it has them. But what about this humble data translator,” says Roper. “You might overlook it, but those kinds of things tend to be built by smaller companies. And you can imagine that smaller companies without the resources of a Lockheed Martin or Northrop Grumman or Boeing are not able to think about cyber resiliency and security at a level that can contend with a peer competitor like China.”

Once the Air Force sees what common security pitfalls plague its third-party parts, it can start writing stronger security requirements into its contracts. That hardens the entire supply chain—which in turn makes everyone’s aircraft more secure. More still needs to be done, though, to address the opacity of the broader aviation community. Airplane parts are difficult for independent researchers to come by, and the big manufacturers have bristled at any suggestion that their products might have vulnerabilities like anything else that runs on millions of lines of code. It’s especially glaring at a time when similar tensions with the automotive and medical device communities have largely thawed, says Pete Cooper, director of the Aviation Village. “I couldn’t see the same collaboration in the aviation sector,” says Cooper. “There wasn’t really much in the way of productive and positive relationships in that area.”

Roper hopes that the Air Force’s involvement can help build that bridge. After all, who wouldn’t want to hack a satellite? Here’s how it’s going to work: Sometime soon, the Air Force will put out a call for submissions. Think you know how to hack a satellite or its ground station? Let them know. A select number of researchers whose pitches seem viable will be invited to try out their ideas during a “flat-sat” phase—essentially a test build comprising all the eventual components—six months before Defcon. That group will once again be culled; the Air Force will fly the winners out to Defcon for a live hacking competition. “What we’re planning on doing is taking a satellite with a camera, have it pointing at the Earth, and then have the teams try to take over control of the camera gimbals and turn toward the moon,” says Roper. “So, a literal moon shot.”

Some specifics are still in the offing, like which satellite will be involved—regardless, it will likely be flying in low Earth orbit—how many teams will be selected in each round, and the size of the final cash award. But still, it’s not every day that you get to hack a celestial body, much less legally so. “If you want to get into a satellite, you can either go through the ground station or you can try to find a way into the satellite directly, with your own emitter. We will have opportunities for contestants to do both,” says Roper. “But what they’re going to do is try to take over the satellite by any means they find.”

Security researchers will have to go through a vetting process; this is military equipment, after all. But ideally the opportunity is worth the hassle. And the earlier in the process the security community comes in, the better. “We want to hack in design, not after we’ve built,” says Roper. “The right place to do it is when that flat-sat equivalent exists for every system. Let the best and brightest come tear it up, because the vulnerabilities are less sensitive then. It’s not an operational system. It’s easier to fix. There’s no reason not to do it other than the historical fear that we have letting people external to the Air Force in.”

If the Air Force is willing to let people look under the hood, then maybe the commercial aerospace industry will as well. “What we’re trying to achieve is to help industry see that, actually, there is value in learning about potential risks, that good-faith research can be something really helpful,” says Cooper, who applauds the Air Force for its relative openness to the security community. “The difficulty is linking up those doing good-faith research with the actual risk-owner of the system.” Sure, the satellite-hacking contest may be a bit of a public relations stunt.

But it’s one with both practical value—it’ll make at least one satellite more secure—and relevance. Cooper says that space has become such a vital part of aircraft cybersecurity that the Aviation Village will next year be the Aerospace Village. And the event will also convey a critical message: The Air Force has cool toys, and it’ll let you break them. For the security community, that’s quite an olive branch. And if satellites aren’t your thing? Don’t fret. Roper says he’s doing his best to bring an entire plane to Defcon. They’re just having a little trouble finding room.”



Leave a Reply