Friday, August 7, 2020

"Insecure satellite Internet is threatening ship and plane safety"

From Ars Technica:

Attacks that worked 10 years ago have only gotten worse despite growing use.
More than a decade has passed since researchers demonstrated serious privacy and security holes in satellite-based Internet services. The weaknesses allowed attackers to snoop on and sometimes tamper with data received by millions of users thousands of miles away. You might expect that in 2020—as satellite Internet has grown more popular—providers would have fixed those shortcomings, but you’d be wrong.

In a briefing delivered on Wednesday at the Black Hat security conference online, researcher and Oxford PhD candidate James Pavur presented findings that show that satellite-based Internet is putting millions of people at risk, despite providers adopting new technologies that are supposed to be more advanced.

Over the course of several years, he has used his vantage point in mainland Europe to intercept the signals of 18 satellites beaming Internet data to people, ships, and planes in a 100 million-square-kilometer swath that stretches from the United States, Caribbean, China, and India. What he found is concerning. A small sampling of the things he observed includes:
  • A Chinese airliner receiving unencrypted navigational information and potentially avionics data. Equally worrisome, that data came from the same connection passengers used to send email and browse webpages, raising the possibility of hacks from passengers.
  • A system administrator logging in to a wind turbine in southern France, some 600 kilometers away from Pavur, and in the process exposing a session cookie used for authentication.
  • The interception of communications from an Egyptian oil tanker reporting a malfunctioning alternator as the vessel entered a port in Tunisia. Not only did the transmission allow Pavur to know the ship would be out of commission for a month or more, he also obtained the name and passport number of the engineer set to fix the problem.
  • A cruise ship broadcasting sensitive information about its Windows-based local area network, including the log-in information stored in the Lightweight Directory Access Protocol database.
  • Email a lawyer in Spain sent a client about an upcoming case.
  • The account reset password for accessing the network of a Greek billionaire’s yacht.

Hacking satellite communications at scale
While researchers such as Adam Laurie and Leonardo Nve demonstrated the insecurity of satellite Internet in 2009 and 2010, respectively, Pavur has examined the communications at scale, with the interception of more than 4 terabytes of data from the 18 satellites he tapped. He has also analyzed newer protocols, such as Generic Stream Encapsulation and complex modulations including 32-Ary Amplitude and Phase Shift Keying (APSK). At the same time, he has brought down the interception cost of those new protocols from as much as $50,000 to about $300.

“There are still many satellite Internet services operating today which are vulnerable to their [the previous researchers’] exact attacks and methods—despite these attacks having been public knowledge for more than 15 years at this point,” Pavur told me ahead of Wednesday’s talk. “We also found that some newer types of satellite broadband had issues with eavesdropping vulnerabilities as well.”

The equipment Pavur used consisted of a TBS 6983/6903 PCIe card/DVB-S tuner, which allows people to watch satellite TV feeds from a computer. The second piece was a flat-panel dish, although he said any dish that receives satellite TV will work. The cost for both: about $300.

Using public information showing the location of geostationary satellites used for Internet transmission, Pavur pointed the dish at them and then scanned the Ku band of the radio spectrum until he found a signal hiding in the massive amount of noise. From there, he directed the PCIe card to interpret the signal and record it as a normal TV signal. He would then look through raw binary files for strings such as “http” and those corresponding to standard programming interfaces to identify Internet traffic.

All unencrypted comms are mine
The setup allows Pavur to intercept just about every transmission an ISP sends to a user via satellite, but monitoring signals the other way (from the user to the ISP) is much more limited. As a result, Pavur could reliably see the contents of HTTP sites a user was browsing or of an unencrypted email the user downloaded, but he couldn’t obtain customers’ “GET” requests or the passwords they sent to the mail server.

Even though the customer may be located in the Atlantic off the coast of Africa and is communicating with an ISP in Ireland, the signal it sends is easily intercepted from anywhere within tens of millions of square kilometers, since the high cost of satellites requires providers to beam signals over a wide area.....

An attacker from anywhere within tens of millions of square kilometers can hijack the connection between a ship off the coast of Africa and a ground station in Ireland.