James Pavur, the author of the research, found that hackers can target satellites with merely a $300 device.
Black Hat USA 2020 took place from 1 to 6 August and brought interesting yet unnerving cybersecurity briefings from experts and professionals alike. A recently published press release explains how threat actors can intercept internet traffic even if they are a continent away.
James Pavur, a researcher and doctoral candidate at Oxford University, explained the vulnerability in global satellite internet communication while speaking at the virtual event.
Satellite ISPs can provide internet connections in far-flung areas, even where connectivity isn’t possible. This could be a shipping fleet in the middle of the Atlantic Ocean, pilots in flight, campers in the midst of wilderness, or even observatories located in the Arctic.
Pavur explains in his research a critical point that makes satellite connections vulnerable to cyber attacks. When a satellite ISP forms a connection with the internet for a customer, it transmits the customer signals to a satellite in ‘geostationary orbit’ through a communication channel.
The signals are then sent down the same channel to a receiving telluric (earthbound) hub that routes the internet connection. In this chain, the response signals sent back form a broadcast transmission between the satellite and the user, and that transmission contains customer traffic.
Basically, the downstream signals are in the form of a wide beam that covers as many customers as possible. So, mere radio signals carrying a response to a Google search will reach the user in the midst of the ocean but can also hit an attacker’s satellite dish sitting in the other corner of the world.
So, if the interception is successful, hackers can easily eavesdrop and use critical information to their advantage.
Not only this, but an attacker can set up a station for only $300. All they need is a flat-panel satellite dish (any ordinary dish could work too) and a PCIe satellite tuner card, which could cost around $200 to $300.
With this in hand, the hackers only need to decide where to point their satellite dish, and satellite locations are available as public information. Pavur and his research team tried this and successfully found a connected satellite:
“We’re going to point our satellite dish at a spot in the sky that we know has a satellite, and we’re going to scan the Ku band of the radio spectrum to find signals against the background noise. The way we’ll identify channels is by looking for distinct humps in the radio spectrum; because they stick out against the background noise, we can guess that there’s something going on there. We’ll tell our card to tune to this one, and treat it as a digital video broadcasting for satellite feed. After a few seconds, we get a lock on that feed, meaning we successfully found a connected satellite,” Pavur told ThreatPost.
Pavur’s research team then applied their setup to real satellite internet connections and found that satellite ISPs’ traffic is generally not encrypted by default. Consequently, they were able to listen to feeds from potential victims in this scenario.
“What this means is that an attacker who’s listening to your satellite signal gets to see what your internet service provider would expect to see: Every packet that comes to your modem, every BitTorrent you download, every website you visit,”
But even encrypted traffic is susceptible to interpretation:
“Our ISP vantage point gives us some unique perspectives on what you’re doing – for example, your DNS queries are likely still sent unencrypted, so we can piece together your internet browsing history, and which websites you’re visiting, even those TLS certificates which are protecting the contents of your traffic are also fingerprinting the servers you’re talking to, and the services you’re connecting to.”
Pavur and his team were able to intercept email correspondence between a lawyer and his client about an ongoing case. But this is just the tip of the iceberg. In the same way, attackers can read email contents and pick out sensitive information such as PayPal account credentials.
Not only this, but wind turbines that operate over satellite links can easily be intercepted, which can enable threat actors to change power generation settings, leading to a disaster.
“The credentials for these were often being sent in clear text over the satellite link, meaning that anyone on the internet could see that and start messing around with electricity infrastructure, there may be a second layer of protection behind this login page that we didn’t account for, but it’s at least intuitively concerning that these credentials are being broadcast in cleartext.”
As an afterthought, the researcher explains that the internet is a web of interconnected devices and systems that is vulnerable to attacks in ways you cannot even comprehend. Pavur cautions:
“Having the right, the ability and the knowledge to encrypt your own data, and to choose to do that, is critical to protecting against this class of attack, whatever domain you think about it in.”
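An added example (not from Pavur’s research or from the original article): a small audit that takes payloads from a capture of your own outbound traffic and reports what a passive listener on an unencrypted link could read, covering the DNS names and cleartext credentials described above. The flow tuple format, the function names and the sample hostnames are assumptions made for illustration.

```python
def dns_query_name(payload: bytes):
    """First question name of a DNS message, or None if it is malformed."""
    if len(payload) < 12 or int.from_bytes(payload[4:6], "big") == 0:
        return None
    labels, i = [], 12
    while i < len(payload):
        n = payload[i]
        if n == 0:
            return ".".join(labels)
        if n & 0xC0 or i + 1 + n > len(payload):  # pointer or truncated label
            return None
        labels.append(payload[i + 1:i + 1 + n].decode("ascii", "replace"))
        i += 1 + n
    return None

def http_credential_kind(payload: bytes):
    """Kind of credential readable in a plain-HTTP request (never its value)."""
    head, _, body = payload.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    if any(l.lower().startswith(b"authorization: basic ") for l in lines[1:]):
        return "http-basic"
    if lines[0].startswith(b"POST ") and b"password=" in body.lower():
        return "form-password"
    return None

def audit(flows):
    """flows: (transport, dst_port, payload) tuples from your own egress capture."""
    findings = []
    for transport, port, payload in flows:
        if transport == "udp" and port == 53:
            name = dns_query_name(payload)
            if name:
                findings.append(("dns-name-readable", name))
        elif transport == "tcp" and port == 80:
            kind = http_credential_kind(payload)
            if kind:
                findings.append(("credential-readable", kind))
    return findings

def make_dns_query(name):  # builds a constructed query for the sample below
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split("."))
    return b"\x12\x34\x01\x00\x00\x01" + b"\x00" * 6 + qname + b"\x00\x00\x01\x00\x01"

# Constructed sample flows (not captured traffic); hostnames are placeholders.
SAMPLE = [
    ("udp", 53, make_dns_query("turbine.example.net")),
    ("tcp", 80, b"POST /login HTTP/1.1\r\nHost: turbine.example.net\r\n\r\nuser=op&password=x"),
    ("tcp", 443, b"\x16\x03\x01\x00\x05hello"),  # TLS record: contents not readable
]
```

Each finding marks traffic to move onto an encrypted transport; the TLS flow produces no finding because its contents are protected, although this audit does not assess the metadata it still exposes.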
We highly recommend going through Pavur’s research [PDF] for technical details and images.