Hi, I'm James Pavur. I'm a PhD student at Oxford University where I research satellite cyber security, and today I'll be talking about some research that we've done looking at satellite broadband signals. This is a bit of an update to a talk I gave earlier last year at DEF CON 28, so I'll talk a little bit about things that have changed since that presentation and new things we've been working on, but it doesn't assume that you've seen it. So even if you don't have any familiarity with the original presentation, this will give some background on the sort of vulnerabilities and the cool things we found.

The basic premise of this research is pretty straightforward. Essentially, we conducted a series of experiments looking at maritime, aviation and terrestrial customers of satellite internet services, in particular from 18 satellites in geostationary orbit. That means they're about 30,000 kilometers away from the Earth's surface. In total these satellites provide internet service to an area that looks something like this: about a hundred million square kilometers of coverage area reaching from parts of the United States all the way to parts of China. We essentially set up some satellite dishes, listened to these radio waves and tried to see if we could find any sensitive information. And we ended up finding quite a lot of sensitive information. We saw sensitive data belonging to at least nine members of the Fortune Global 500, to six of the ten largest airlines in the world by passenger count from their in-flight Wi-Fi services, information belonging to cargo vessels that are owned by companies who together share almost half of the world's global cargo capacity, and a variety of governmental agencies ranging from a postal service belonging to an Eastern European nation all the way to an air force jet belonging to a North African country. And we even saw traffic from regular people like you or me, people who might be browsing the internet while they're at a coffee shop or updating their social media while on a cruise.

Before I delve too deep into how we got at this information, it's important to have a basic understanding of how satellite internet works. So we're going to run through a very simple crash course scenario. We have our customer in the middle of the Atlantic Ocean and they want to use this satellite here in geostationary orbit. Like I said, it's 30,000 kilometers in the sky. This customer wants to use that satellite to reach a website hosted in Ireland, we'll say Google. To do this, what they're going to do is try to communicate via this ground station run by the satellite internet service provider in Madrid. Now we also have someone who wants to intercept this communication down here in Ghana. They want to intercept the radio traffic that's coming off that satellite even though they're quite far away.

So how does this all play out? Well, first the customer on the cargo vessel will send a request to the satellite. They'll point their dish to the right spot and say something like "get me google.com". The satellite is more or less just a bent pipe. It sends exactly what it got back down to earth, and it'll say "okay, get me google.com" to that ground station in Madrid, and it does this on a really narrow, focused beam. The ground station in Madrid converts the weird satellite protocols to normal internet traffic and routes it to Ireland, just like if you were visiting a website somewhere. It gets the response and sends it back up to the satellite. When I say sends it back up to the satellite, it's important to remember that this is very far away and the speed of light is not as fast as we would like. So we're talking about 700 milliseconds of round trip time to finish this kind of communication, which is really slow compared to terrestrial internet. Once we finally make it to space, the last stage is to send that information back down to the customer. But this time, because we don't know exactly where the customer is, we're going to use a really broad beam to try to cover as much of the earth as possible. And so the radio waves carrying that response from Google will hit our customer's dish in the middle of the Atlantic Ocean at the same time as they hit the attacker's dish in Ghana. And this is the crux of satellite eavesdropping. You have the ability to intercept signals from people who may be thousands of miles away from the attacker, and so there are really high stakes for ensuring that this kind of traffic is encrypted.

Now in terms of actually getting at this data as an attacker, we need to think a little bit about our threat model: what kind of equipment we need, and how we convert those radio waves into meaningful information so we can understand what's happening in these signals. If you're a government, this is quite easy. There are companies that sell specialized modems that are designed for doing intelligence collection and listening to satellite radio signals. I think most major players in cyberspace probably operate installations like this one that cost millions of dollars. Unfortunately, as a PhD student or a random hacker you
don't necessarily have access to this kind of equipment. So what we wanted to do is see how far we could get using some very inexpensive home television equipment. We bought this nice little flat panel satellite dish here, which is very, very small, and then we also got a PCIe tuner card to allow us to interpret the signals coming off of it on our computer. These are widely available for customers to buy on the internet if they want to watch satellite television on their home computer, but we're going to try to adapt it to listen to satellite internet.

Now in attempting to do so we ended up running into a pretty big problem, which is that our cheap equipment struggled to deal with the corrupted recordings it was getting. We were dropping packets, we were losing information. So we built a custom tool called GSExtract which tries to piece together these satellite recordings by looking for low-hanging fruit. It parses a protocol called GSE, or Generic Stream Encapsulation, with the goal of finding the easiest packets to extract by looking for things like the headers of IP packets or the starts of different frames. There's an academic paper that goes much more in-depth into how this tool works. It's also now available on GitHub; you can install it with pip if you want to play around with it. It's publicly available and it works fairly well.

So this is how we used it in the lab. I'll run through the process to get it in your head. The first thing we do is scan the radio spectrum to look for satellite signals, and you can tell which signals are interesting by these distinct radio humps in the spectrum. If we tell our card to tune to one of these signals, we can get some information about which frequency it's on and what kind of data is coming through, with this television tool that's designed to find TV services. Next we try to kick off a recording with this tool here that comes with our PCIe card, so we can look at the data that's inside that radio signal according to a specific protocol, DVB-S, or Digital Video Broadcasting for Satellite. So we go ahead and lock to that satellite signal that we found by scanning the radio spectrum, and I'll kick off a very quick demo recording so we can walk through the process. Now the size of this file can vary wildly depending on the specifics of the modulation you're listening to or the specific service provider. You might get a terabyte in a week; you might get a gigabyte in a week. It really depends on the specifics of the network. I'm just going to capture a couple thousand kilobytes here so we can get a feel for what's happening and look around.

So once we have our data, the next thing to do is to use that tool that I built called GSExtract. You can go ahead and just take that recording file that's been saved to the desktop here, and we'll go ahead and run GSExtract and see if we get anything out of it. It converts these binary files into pcaps which can then be simply opened in Wireshark. Now I've hidden the source and destination IP addresses here for privacy reasons, but you can see that we've already caught several thousand different packets of other people's internet traffic, even though we're thousands of miles away and have no business listening to this information. So this is the crux of satellite eavesdropping, but what's inside here?

Well, because we don't all have perfect recordings, we're often dealing with lossy chunks and bits. You don't necessarily get everything. So this is an example of an image that we intercepted from an engineer aboard a maritime vessel communicating with colleagues about maintenance issues, and you can see that we were able to reconstruct with GSExtract a good portion of that JPEG file, but we weren't able to get everything. But as a hacker, even a little bit can be quite a lot, because you don't necessarily need everything to find interesting and sensitive information. And so using cheap hardware and taking shortcuts like we do with GSExtract allows us to punch above our weight in terms of our ability to get access to interesting and important information without having expensive equipment or insider knowledge.

What we ended up finding, in a nutshell, was that the satellite internet service providers we were listening to didn't employ encryption by default. That is to say, customers could encrypt their traffic by using TLS or a VPN, but the
internet service provider simply sent the data that hit someone's Wi-Fi hotspot across the satellite feed in the same format that they received it. This means that as an attacker we got to see what an internet service provider would be able to see: every packet coming out of a customer's modem, every file they download. We could piece this together based on their IP address and get an internet-level vantage point on other people's traffic. But it gets even worse when we think about corporations and big companies who are using this data, because over the satellite network they often operated what was essentially just a local area network, like a Windows LAN environment, across these satellite hops. So think about a bunch of Windows desktops on different cruise ships. You could see the internal LDAP traffic from one Windows host to another, stuff that would normally be behind a lot of firewalls and quite hard to get at as a passive eavesdropper.

When we think about terrestrial customers, so think home internet users, people on land who use satellite services, especially in rural areas, you might think home customers are largely safe from this, right? Because we know that you have that padlock icon on your browser, you might be using TLS to encrypt your traffic, and that means it should be secure against eavesdropping. Well, what we ended up finding is that of course TLS is not perfect security. The way TLS is often used today leaks quite a lot of information about what people are doing, whether that's from the DNS queries they send, which tell you which websites someone is visiting, or the actual certificates that they're using to encrypt their traffic. It allows us to piece together the nature of someone's traffic, and since we have an internet service provider level perspective on this, we can get a lot more information than you might get as a man in the middle on any one connection, because we can actually see all of the websites someone visits and build a pretty robust fingerprint.

Unfortunately, the reality is often worse than this, in that there are a lot of services that people use that are still unencrypted. A great example is this email that we intercepted to a lawyer in Spain from one of his clients discussing an upcoming court case. Obviously this is deeply sensitive information. You shouldn't be able to have the conversations you're having with your lawyer broadcast in clear text across an entire continent. But it's unclear whose job it is to protect this. Should the lawyer know that he shouldn't be downloading his emails over POP, or should the internet service provider have some duty of care to protect this information in transit?

We also saw traffic from a lot of internet of things and infrastructure devices. This image on the left is from a Cisco router by a major electricity provider in Europe, and you can see here not only is the password in clear text, it's just basic authentication, so it's base64 encoded but nothing else, but also the router itself is publicly accessible over the open internet if you look at that host address. Which means that anyone with the rest of this information from this image could potentially start messing with this electricity provider's infrastructure. Likewise, we saw a lot of wind turbines that were accessible over the open internet, and the passwords for these turbines were sent in clear text. There could be another layer of protection behind this; we didn't actually try to log in and mess with any wind turbines. But it's at least intuitively concerning that this information is out there and so easy to get at.

We also saw something very similar in the maritime domain. A lot of ships at sea will use satellite internet to remain connected to offices on land, and one challenge we had was that we wanted to see if we could identify some vessels. So we looked through our terabytes and terabytes of traffic, we picked a random sampling, and we were able to identify about 10% of the ships. Some of those were very big, like this container ship here, which is one of the larger ship types in the world belonging to one of the larger fleets in the world, whereas others were quite small, like this subsea repair ship belonging to a petroleum company down here. From its traffic we were able to tell it was running a vulnerable version of Windows Server 2003 that had a bunch of CVEs against it that could be used in a targeted attack against this petroleum company or against this specific vessel. And if you skim this chart, you'll see that there's a broad range of different use cases in industry.
This is not one company's problem. This is the entire industry that's potentially exposed to this kind of stuff.

One particularly interesting thing we encountered was the process for updating navigational charts that tell maritime operators where it's safe to go in the ocean and how they can get there legally. And we found that a lot were updated either via insecure FTP file shares, which we had the passwords for over the satellite link, or via simple emails to an inbox that's on the vessel, and one of the crew members would copy everything that's in that inbox onto a flash drive and plug it into the vessel to update the charts. Now depending on how those charts are actually authenticated on the little navigation terminal on the ship, it might be possible to use this information to manipulate a nautical chart and, say, conceal a sandbar from an oil tanker, with potentially devastating environmental consequences. So it's important to recognize that when you use an insecure or unencrypted update mechanism in an environment where eavesdropping is so possible, someone could mess with the contents of your traffic even if they aren't directly transmitting radio waves at you, just by using the information you're leaking to them.

Much like in the terrestrial domain, we also saw some interesting privacy things. One of the most fun things we found was a bunch of communications from this Greek billionaire's superyacht. In particular, one day his captain forgot the password for his Microsoft account, and the password reset email was sent over clear text. From there it would be a pretty simple step to hijack this account and potentially use it in a targeted social engineering operation against a very high net worth individual. Likewise, we saw a lot of personal information from crew members. When ships pull into ports they often have to communicate immigration information like passport documents and visas, and these were often sent in clear text over insecure HTTP web forms. And so, for example, from this Indian cargo vessel we were able to get a list of all of the crew members on board, their date of birth, their nationality and their passport numbers, and we were thousands of miles away from the ship when we got this information.

Finally, the aviation use case is really interesting because in-flight Wi-Fi services are really changing the way that flights happen and the way passengers stay connected in the air. And it's not just passengers; it's also the crew members and the pilots who are increasingly using data services to make flights more efficient or more reliable or safer. And a lot of that information, if transmitted insecurely, could have serious consequences. This image here is an excerpt from some traffic we captured from a misconfigured electronic flight bag aboard a Chinese airline. For some reason someone had gotten the password wrong, and so every time the flight bag tried to log in it would accidentally redirect to this 302 page and leak information about the internal APIs of this airline. Now an electronic flight bag is essentially a navigational terminal for aircraft pilots. It gives information about, say, weather updates or delays or other general routing information. It's not necessarily flight critical, but it has information that can impact the decisions a pilot makes. For example, this particular product maintained a lot of maintenance information, whether there were maintenance issues with the aircraft that needed to be alerted and so forth, and an attacker could potentially mess with this information or use it to reveal information about aircraft that's otherwise sensitive.

We likewise saw some interesting traffic from something that we call a femtocell, which is essentially a miniature cell tower that they put onto airplanes these days to allow you to communicate on the plane using your phone as if you were on the ground, so to send SMS text messages from the air. The front end of this is secure. It's an encrypted GSM or LTE signal just like you would expect anywhere, but the back end is routed over these insecure satellite feeds. And so the data that customers were sending, specifically the text messages that passengers are receiving, were being broadcast in clear text across the entire continent of Europe. A great example is this image here, which includes traffic that we intercepted from an individual on a transatlantic flight learning that his coronavirus test result was negative. That's a huge relief of course for anyone sitting next to him on the airplane, but for other people who are concerned about medical information privacy, this information really should not have been visible to us.

We also talked a little bit about active attacks. We wanted to see if there was any way to mess with this information, and the DEF CON talk goes more in-depth about this because it's a little bit longer, but I'll summarize the two active attacks that we were able to demonstrate. The first is really straightforward. It's based off of this idea that if you're an attacker and you know the IP address of a satellite customer, and you know that they're using an insecure satellite signal, what you can do is exfiltrate data by sending that information to the customer and then eavesdropping on that signal. What this means is that you essentially have an untraceable link over that massive satellite signal footprint to send data from a compromised PC to your own command and control servers without revealing where those servers are. And this attack has actually been used in practice; in particular a Russian advanced persistent threat group called Turla has been found to use this exact strategy to exfiltrate data from some sensitive customers without being caught.

Another type of attack that's pretty interesting to execute in these eavesdropping environments is the classic TCP session hijacking attack. The basic idea here is that if you know TCP sequence numbers, you can use that
information to impersonate an endpoint in a conversation and hijack information. So you could pretend to be a ship at sea and send back to the home office information that's not true about, like, where your vessel is going or whether or not its oil levels are good or what its maintenance state is, and potentially wreak real havoc. What's interesting about this is that it doesn't require any wireless communications equipment, which can be either expensive or easily traced. Everything happens just over normal internet communications. So it's an active attack in these networks that is passive with respect to the radio signal, and what makes that so powerful is that it allows an attacker with essentially no equipment or hobbyist equipment to actually mess with the data that someone thinks they're receiving from a satellite connection. Now this doesn't work in all satellite networks; it actually requires some very specific design decisions in terms of how the IP addresses are set up and how TCP connections are handled. But we were able to demonstrate it in an actual satellite network, and we think that it could work in quite a few of them.

So obviously this research has some ethical and legal implications. We were very careful to adhere to the laws in the country where we did the data collection. And also, you'll notice I haven't named any companies. This is a very conscious choice, and one that I've received a little bit of flak about in the media on occasion, but it's very important, I think, to keep the focus on the big picture here, which is that this is a systemic issue that affects a lot of companies. And so rather than make this about, you know, X cruise company is leaking people's data, I think it's important to say there's something wrong with the way satellite internet is being used today. We need to figure out why it's wrong and how we can help companies find a way to secure that data.

Of course we did talk to companies. We engaged in responsible disclosure as early as November of 2019, so it's been well over a year at this point, although the vulnerability still exists in many networks. We also talked to customers of satellite internet, individual companies like those cruise companies or airline type companies, in order to let them know about some of these issues. And most companies were very happy about it. We were somewhat surprised at how interested companies were to learn about the vulnerabilities and how happy they were to cooperate with security researchers. We only had one company threaten legal action if we published; they haven't engaged in any legal action to my knowledge, which is a really good sign because we think we've been able to make the case for them about why security research is important. And I think that as a security researcher it's really important to reach out to companies in a productive way and try to make sure that they know that we're on the same side here. We're not trying to help hackers find information; we're trying to protect that information.

And that's been a lot of what I've been working on since DEF CON, most of what my research has been since then, because it turns out that these issues that we found aren't simply because companies are lazy or incompetent or don't know that encryption is important. It has a lot to do with the physical realities of space. Remember when I said that space is really far away and the speed of light is only so fast? Well, it turns out that to deal with that, satellite internet service providers have to optimize the TCP connection protocol, because you have this really slow three-way handshake whenever you start a TCP connection to a website, and if each of those hops is over that long-distance satellite link, your connections get incredibly slow and the internet feels sluggish or almost unusable. So what internet service providers do is they operate these things called performance enhancing proxies, and essentially split your TCP handshake into two chunks, one locally at your home internet router and one on the satellite ground station to the main internet. And this allows them to complete the TCP three-way handshake without sending all of those acknowledgement messages and so forth across the satellite link, making satellite connections feel really fast. The problem with this is that if you put your connections into a VPN or some other end-to-end encryption solution, your internet service provider can no longer do this, because they need to actually see the contents of your traffic in order to optimize how it's moved across their satellite networks.

So what I've been working on since DEF CON is seeing if we can combine this and come up with a hybrid mix of a traditional VPN and a traditional performance enhancing proxy. The basic idea is that we build a tool that spoofs an upstream internet connection, so say it pretends to be google.com, local to the customer, just like a performance enhancing proxy, to make the acknowledgments really fast. And then over the satellite hop we convert all of the TCP traffic we're getting to a protocol called QUIC, which is UDP based and encrypted by default, and has some nice properties for congestion control and multiplexing that make it surprisingly fast and robust across the satellite link, while having encryption built in so that no one can eavesdrop. Once we get back to land on the other side, somewhere up the internet on, like, a
cloud server owned by the customer, we then convert those QUIC packets back to the TCP packets that were originally sent, pretend to be the customer, and send it over the internet. So this means all of the TCP three-way handshakes happen over the local connections without any of the satellite latency, but the satellite hop is still encrypted using a widely trusted and commonplace security standard. Instead of some weird bespoke or proprietary implementation, we simply use the QUIC protocol.

Now there are some reasons this isn't trivial to implement in practice. There are a lot of challenges we ran into in trying to design the system. One thing is that starting a QUIC session isn't free; you have to actually exchange some key information, and there's at least one or two round trips in setting up a handshake. And so what we do is we have these really long-lived sessions where you essentially connect to the upstream QUIC server and you can stay connected for a long period of time and send multiple different TCP connections through it. And that bundling approach allows us to get a lot of efficiency over, say, a traditional VPN. Another challenge is dealing with errors. If you lose a packet in TCP, you have to be sure that you propagate that error back over the satellite link and back over the TCP link, or you end up in these weird unhandled states where one connection thinks it's active and the other two connections think they're dead. Finally, it's important to map the TCP traffic that you're extracting to the correct QUIC session and back again. So we have to keep track of state using basically an internal data structure, just a little dictionary mapping TCP connections to QUIC connections and back, and ensure that's the same on the client side and the server side, so that if an error happens we can correct it on each side. There's a lot more information in a paper that's going to be published pretty soon about this at NDSS, which is a systems security conference, in a month or so, which I'd encourage you to check out if you're interested in the under-the-hood stuff.

But also, the proxy that we built is called QPEP, and you can actually play around with it. It's open source on GitHub. It's not a commercial product; it's just a fun thing I built to play around with these ideas. And what I'd really like people to do, if you're curious about this stuff, is to play around with it yourself. QPEP is written in Go and it has a Python and Docker based testbed, so you can play around with it, you can experiment with it, you can change different parameters, or even design your own proxy in the same environment that we built QPEP. And the goal here is to try to think of solutions that allow us to encrypt satellite internet traffic without requiring any trust in the internet service provider. So QPEP's design is made so that an individual can install a client on their home computer and a server somewhere in the cloud and use it just like any other VPN to encrypt their traffic, without waiting for their satellite internet service provider to invest the money or the time in providing that service offering.

So this is a quick summary of what it looks like in practice. On the right is our tool QPEP, which is that optimized proxy I've been describing, and on the left is a traditional VPN, OpenVPN, which is very secure and an excellent product, but it doesn't take into account the physical realities of space. And you can see the significant performance difference here and why that might matter to a satellite customer. And so when we think "why is this internet traffic unencrypted, why aren't people taking security seriously", it's important to remember that security isn't the only thing that matters to people. And finding a way to get rid of choices between security and performance is perhaps one of the most productive things we can do in bringing encryption and best practices to domains that don't traditionally prioritize those issues. If you get rid of the trade-offs, you dramatically increase the incentives to add security to an insecure system.

So to summarize, a couple of key lessons from this presentation. The first is that satellite broadband traffic today is vulnerable to long-range eavesdropping attacks. Someone in a different country or a different continent from you can be listening to your satellite internet traffic, and you might not even know that they're doing this. If you're someone who happens to forget to put your phone into airplane mode when you board a flight, and it connects to a femtocell and then you get a text message, you may never know that a satellite is involved in sending your traffic, but someone else somewhere could, and probably is, listening to it. Additionally, we see that lots and lots of people don't know that satellite broadband traffic is vulnerable, or at least they don't act like it, whether that's a Fortune 500 company, a major airline, an infrastructure provider, or even just a random lawyer in Spain. People don't realize that when they send a packet across a satellite link, or really across any internet connection, there's no guarantee who's listening. You might hope it's a government you trust, or nobody at all, but there are no guarantees. Anyone could be listening to any data, because the internet is this complex web of trust and handoffs.

In the satellite context specifically, we know that these security vulnerabilities have largely emerged from a false dichotomy: a belief that there is a trade-off between performance in satellite networks and privacy, specifically end-to-end encryption. And we find that if you take the time to actually engineer a system that considers the physical needs of space as a unique aspect of the problem, it becomes very possible to provide encryption and protect against these attacks without harming performance. The real problem is when you're not willing to invest the time or the engineering effort into considering the specifics of space, and you just want to slap a VPN on it or require everyone to use TLS even though they'll often forget. And in those contexts I think it's important for the security community to step up and try to make it easier to have security.

However, if there's one lesson that I think is most important from this research, and one thing that I think extends way beyond satellite internet specifically, it's a very simple statement, which is that the next hop your traffic takes is unknown. When you send a packet, it could be handed off through dozens of countries. It could pass over a satellite feed, it could be sent via radio antenna. The internet is this weird web of trust relationships and half promises, and so having the right and the ability and the knowledge to encrypt your traffic is essential to protecting against these kinds of attacks in whatever domain they might happen. Thank you so much for listening to this presentation. Hopefully you enjoyed it, and of course I'm happy to answer any questions during the Q&A session or also via email anytime.
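As an added example (not part of the talk, and not code from GSExtract or QPEP), here is a small egress audit in Python for the cleartext exposures the talk describes: HTTP Basic auth on a router, POP3 and FTP logins, DNS query names, and the SNI in a TLS ClientHello, i.e. what a passive observer of an unencrypted satellite feed would learn. It takes (protocol, destination port, payload) records; every sample packet below is constructed inline with placeholder hosts and credentials, and findings carry usernames and hostnames only, never the password.

```python
import base64
import binascii
import re
import struct

# Added example, not part of the talk and not GSExtract/QPEP code.
# Records are (proto, dst_port, payload); every sample packet is constructed inline.

def http_basic_user(payload: bytes):
    """Username from an HTTP Basic Authorization header (base64 only, no secrecy)."""
    m = re.search(rb"^Authorization:[ \t]*Basic[ \t]+([A-Za-z0-9+/=]+)[ \t]*\r?$",
                  payload, re.M | re.I)
    if not m:
        return None
    try:
        decoded = base64.b64decode(m.group(1), validate=True)
    except binascii.Error:
        return None
    user, sep, _password = decoded.decode("utf-8", "replace").partition(":")
    return user if sep else None

def plain_login_user(payload: bytes):
    """Username from a POP3 or FTP USER/PASS exchange sent in the clear."""
    user = re.search(rb"^USER[ \t]+(\S+)", payload, re.M | re.I)
    password = re.search(rb"^PASS[ \t]+\S+", payload, re.M | re.I)
    return user.group(1).decode("ascii", "replace") if user and password else None

def dns_query_name(payload: bytes):
    """QNAME of the first question in a DNS query, or None."""
    if len(payload) < 12 or struct.unpack("!H", payload[4:6])[0] == 0:
        return None
    pos, labels = 12, []
    while pos < len(payload):
        n = payload[pos]
        pos += 1
        if n == 0:
            return ".".join(labels)
        if n & 0xC0 or pos + n > len(payload):
            return None  # compression pointer or truncated label
        labels.append(payload[pos:pos + n].decode("ascii", "replace"))
        pos += n
    return None

def tls_sni(payload: bytes):
    """server_name from a TLS ClientHello (sent unencrypted, TLS 1.3 included)."""
    try:
        if payload[0] != 0x16 or payload[5] != 0x01:
            return None
        p = 5 + 4 + 2 + 32  # record header, handshake header, version, random
        p += 1 + payload[p]  # session id
        p += 2 + struct.unpack("!H", payload[p:p + 2])[0]  # cipher suites
        p += 1 + payload[p]  # compression methods
        end = p + 2 + struct.unpack("!H", payload[p:p + 2])[0]
        p += 2
        while p + 4 <= end:
            etype, elen = struct.unpack("!HH", payload[p:p + 4])
            p += 4
            if etype == 0:  # server_name: list_len(2) name_type(1) name_len(2) name
                name_len = struct.unpack("!H", payload[p + 3:p + 5])[0]
                return payload[p + 5:p + 5 + name_len].decode("ascii", "replace")
            p += elen
    except (IndexError, struct.error):
        pass
    return None

def audit(records):
    """Return (finding, detail) pairs; usernames and hostnames only, never passwords."""
    findings = []
    for proto, port, payload in records:
        if proto == "udp" and port == 53 and (name := dns_query_name(payload)):
            findings.append(("dns-query-visible", name))
        elif proto == "tcp" and port == 443 and (host := tls_sni(payload)):
            findings.append(("tls-sni-visible", host))
        elif proto == "tcp" and port == 80 and (user := http_basic_user(payload)):
            findings.append(("http-basic-credentials", user))
        elif proto == "tcp" and port in (21, 110) and (user := plain_login_user(payload)):
            findings.append(("cleartext-login", ("ftp:" if port == 21 else "pop3:") + user))
    return findings

def _dns_query(name: str) -> bytes:  # constructed standard A query, sample input only
    qname = b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in name.split("."))
    return struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + qname + b"\x00\x00\x01\x00\x01"

def _client_hello(host: str) -> bytes:  # constructed minimal TLS 1.2 ClientHello with SNI
    name = host.encode()
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    ext = struct.pack("!HH", 0, len(sni)) + sni
    body = (b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\x13\x01" + b"\x01\x00"
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

SAMPLE_RECORDS = [  # constructed; hosts and credentials are placeholders
    ("udp", 53, _dns_query("webmail.example.net")),
    ("tcp", 443, _client_hello("webmail.example.net")),
    ("tcp", 443, b"\x17\x03\x03\x00\x20" + bytes(32)),  # encrypted app data: no finding
    ("tcp", 80, b"GET /status HTTP/1.1\r\nAuthorization: Basic YWRtaW46aHVudGVyMg==\r\n\r\n"),
    ("tcp", 110, b"USER captain@example.net\r\nPASS placeholder\r\n"),
    ("tcp", 21, b"USER charts\r\nPASS placeholder\r\n"),
]
```

`audit(SAMPLE_RECORDS)` yields five findings; the encrypted application-data record on 443 produces none, which is the point: only the ClientHello, DNS and cleartext protocols leak.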