Host: Talking, come on, stream, come on. All right, and we're live. All right, we're here today with another speaker, talking about sniffing satellite traffic, "Whispers Among the Stars," with James Pavur. Pavur, I didn't actually... yeah?

James: Pavur.

Host: Pavur, got it right, yeah. All right, we'll be taking questions in the Track One live Q&A. Do you want to give a quick summary of your talk for anybody that might not have gotten a chance to see your talk, right off the bat?

James: Yeah, sure. So the quick recap of the talk is that if you use kind of simple home television equipment, you can intercept these radio waves coming off of satellites in geostationary orbit. They're providing internet service, and what we found is that these internet services are often unencrypted at the internet service provider level, which means you get to see all kinds of nifty traffic. We looked at it from a bunch of different perspectives: we saw traffic going to cargo ships and oil rigs in the ocean, or to airplanes in the sky, or to wind turbines on the ground. And across all of these domains the talk kind of delves a little deeper into what an attacker might do with that information, or how they might have used these signals to cause harm, and then it concludes by talking about ways we can fix it by coming up with alternatives to VPNs, which tend to be very slow on a satellite connection.

Host: Awesome. So we do have our first question, from RPTK 2015, MVP question asker: "In your talk you made an active attack by impersonating a ship's response. I assume this requires you to spoof your source address, but ingress filtering at ISPs is supposed to prevent IP spoofing. Can you please explain how you still did it?"

James: Yeah, it's a great question. I'm not actually sure how that happened from an ingress filtering perspective. I guess the answer would be that it looks like they weren't filtering correctly, because we were able to spoof in one specific network. It's worth noting, though, that the vast majority of satellite networks we looked at were not trivially vulnerable to TCP session hijacking, because of the way that the sequence numbers were changed by those performance enhancing proxies I talk about in my presentation. So there are only a handful of networks that were directly vulnerable, and they seemed almost designed so that each operator's IP address was like a direct gateway to the internet, which might be why the ISP, like the individual customers, weren't checking IP addresses for spoofing.

Host: Fair enough. So if they were peering directly into the backbone of the internet, they might just trust that it's coming from a legitimate source already, or has already been filtered.

James: Yeah.

Host: Okay, cool. You know, I think Hawkeye asked one that would really fall in line with this, and it's: "Why do you believe that these high-profile enterprise SATCOM customers haven't adopted and implemented a simple encryption-in-transit policy to stop this kind of snooping?"

James: So there are a couple of reasons. I think one is that, like I mentioned in the talk, VPNs are really slow, and that's what a lot of people think an encryption-in-transit policy would look like, and because of the way that VPNs interact with the internet service provider offerings, they often end up seeing this kind of false trade-off between privacy and performance. That said, there are a lot of these enterprise customers, and when we reached out to them with responsible disclosure, the answer would be that they kind of tried to implement a TLS-everywhere policy, but you're talking about massive networks, like hundreds of ships at sea, and so there are a lot of systems that are just forgotten, like legacy FTP services or services that they think are behind some sort of firewall, and so they're willing to accept the risk without realizing that that risk includes a wireless eavesdropping threat.

Host: Yeah, and some of those ships have a lot of systems that are just unknown, like someone, a contractor, installed them at some point, and they just got lost or forgotten and are still plugged into a network in there somewhere.

James: Yeah, definitely.

Host: Yeah. So in your talk you mentioned the performance improving proxies, and what I didn't understand was whether that was something that would be run by the actual operator. Is that right?

James: Yeah, so almost always that's the case. There's no technical reason a customer couldn't bring their own performance enhancing proxy, but generally satellite internet service providers are acting as kind of benevolent eavesdroppers on your TCP sessions, and they're kind of messing with your TCP three-way handshake to make your traffic faster, and that's just part of how they see providing customers with sufficiently performant satellite internet services.

Host: Got it. You want to throw a question out there?

Host: Oh, you know, I was... sorry, I'm there. You had a lot of feedback on YouTube, and a lot of what I'm seeing is people going "could you do it with this, could you do it with that," and I know you gave a bit of an outline at the beginning of your talk on how you did it. If somebody wanted to replicate this, play along with it, could you kind of give an outline, from beginning down to software, of what they would need to just start out with?

James: Yeah, definitely. So I think the core bits that you need are some sort of satellite dish that's capable of receiving satellite television. We researched the Ku band, but there's no reason you couldn't do it in the Ka or C frequency bands as well. And then you need some kind of way to interpret what that dish is saying on your computer. We used this specific kind of professional-grade PCI card, which I think the model number is on the slide deck, but you can actually get away with a bunch of much less expensive cards. The problem with that is that you won't be able to listen to some of the more interesting signals, which use 32APSK modulation and seem to do really poorly. There are also some USB cards, so you could do this with a laptop; you don't have to build out a satellite spying computer to be able to play with this stuff. From a software perspective, the tool that I show in the actual little demo video is I think what I would recommend first. It's called EBSpro, and it's designed for feed hunting, and it's really intuitive and has an interface that's easy to use. If you're on the Linux side the tooling is I think significantly worse, so it might be worth spinning up a Windows VM to do this stuff. The other big tool in the space is something called CrazyScan, which is around on some of these satellite television feed hunting forums. And then once you have all of that lined up, if you're listening to older protocols, so the MPEG-TS standard, Wireshark can actually just interpret those feeds directly. If you're listening to newer protocols, you have to kind of parse the traffic dumps. Unfortunately, the tool I talk about in my presentation is still awaiting our chance to publish it, as we're trying to be careful not to release an attack tool into the wild before systems are patched, but we were able to build it using the Python library called Kaitai, which is used for parsing various protocol formats, and so it wouldn't be that hard to kind of put together your own GSE parser.

Host: Do you know what the signal width is on these? Like, what grade of software defined radio would you need to be able to receive these signals?

James: That's a great question. I actually have no idea. I know that on the DVB-S side of the software defined radio community, I kind of delved into this a tiny bit, and it looks like being able to keep up with these more complicated modulation schemes is not something that your kind of standard SDR is going to get.

Host: Yeah, whereas these kind of PCI cards, I think they often use specialized FPGAs for the signal processing and are just better at it.

James: Right, yeah.

Host: I have two follow-ups on the previous question. One somebody was asking, which I find funny, is if you're using the old Dish Network dish up on your ceiling, do you need to go up there and kind of re-orientate the dish?

James: Yeah, so that was actually a big frustration for us, because it turns out that I don't have any fine motor skills, so there were several hours between each satellite of me swearing at various bits of hardware on the roof. So what we ended up doing is purchasing this thing called a DiSEqC motor, which allows you to steer a satellite dish across the horizon, and you can actually just put in the specific location in geostationary orbit you want and direct it that way. It increased the cost of the attack a little bit, but because we were looking at I think 18 satellites in total, being able to hop between them without crawling onto the roof every time was a big benefit.

Host: I can imagine. So the parts that you had listed in your talk were between like 300 and 400. What was the extra cost of that automated rotor?

James: I don't remember off the top of my head. I want to say it's around a hundred dollars. You need to be careful that you get one that correctly mounts to the dish you have, because different ones have different ways of attaching, so it's a little bit less easy to just buy one off the shelf, but it's definitely doable.

Host: Yeah, I've done some ham radio stuff with evening antennas, and it's always kind of up in the air whether it's gonna work or not. Have you documented any of this, like in a blog, a GitHub, whatever it is that you're using?

James: Yeah, so there are two academic papers that I can put into the chat afterwards that talk about our domain studies on terrestrial users and maritime users, and those go into a lot more detail. In particular, if you were interested in replicating the GSExtract tool, the appendix of the maritime paper goes into a lot of depth on how we actually parse the GSE packets and how we deal with the corruption in the signals that we were getting.

Host: Did you have a paper associated with the avionics stuff as well, or is that just...

James: No, that's new for the hacker summer camp, so that was new stuff. We're still... I think once aviation picks up a little bit more and we can get consistent data, we may try to publish something that's a little bit more robust, but because it was kind of a toss in the air as to whether or not there would be a plane out that day, we didn't have as much data as we wanted.

Host: Yeah, I mean, one of my next questions was going to be what the future research looks like for you. Sounds like that's one of them. You got anything else coming down the pipe that you want to do with this kind of thing?

James: Yeah, so I mean we're still looking at that proxy that I mentioned at the end of the paper, so that's kind of going through peer review right now. It's always hard to convince academic peer reviewers that something can be both simple and novel, so who knows how that's going to turn out in the end, but it's on GitHub and we're working to make that something that people can hack on and use. And then I'm also interested in satellite security in general. I'll be talking at the Aerospace Village tomorrow for a little bit on other threat models to satellites, around things like space debris tracking, and so just generally hacking satellites is kind of my focus area.

Host: Sounds like a whole lot of fun. I think we were... yeah, is there a satellite hacking village going on right now?

James: Yeah, so the Aerospace Village is doing both aviation, like last year, and then they've got all kinds of new talks on satellites this year.

Host: Yeah, I knew there was supposed to be a special event this year, but we went virtual. Maybe next year. Hawkeye is asking: "Is there any reason you didn't go with a parabolic antenna in your research? Seems the gain might increase with one."

James: Yeah, I think the gain would definitely increase with one. The reason we used that Selfsat flat panel is just literally because of the shape of the area we were trying to fit it in, with a bunch of other things up there, and it was just the one that we ordered fastest, but I think that a curved dish would do better and would be cheaper.

Host: Cool. I think it might be being addressed in the village, but one of the questions on YouTube was: you've talked about how you pull down information; what is the likelihood that you could push up commands as well, and start kind of attacking, or not even attacking, but just impacting what you're seeing?

James: So I haven't looked a ton at transmitting on these internet feeds and whether there's any authentication there, in part because it's just harder to get a license to transmit than a license to listen. That said, if you wanted to engage in attacks against the telemetry link for the satellite, so actually steer the satellite and stuff, a lot of those communications happen in different frequency bands. In particular, S band is kind of the dominant satellite telemetry band, and that would require completely different hardware and use different protocols. That said, the general threat model of being within these massive footprint areas I think would still be relevant to think about in that context.

Host: Cool. We've actually got a fair number of questions that we've backed up. I'm sorry guys, I'm not trying to ignore your questions. Let's see here: "Since this is just DVB-S or DVB-S2, why not use one of the bazillion conditional access system solutions used for video broadcast?"

James: That's a great question. I didn't even... oh, so you're talking about the stream-wise encryption. That's something that I talk about a little bit in one of the papers. I think these protocols are not well designed from a cryptographic perspective at all. There have been a lot of vulnerabilities found in them, especially the proprietary ones, which seem popular probably because they have a good marketing link behind them. But also, doing a stream-level encapsulation like these protocols do works great for television, where you don't want everyone watching a proprietary video feed, but it doesn't work well because anyone who has the keys can listen to their neighbor's traffic, and you'll often have one satellite transponder that's carrying the traffic of 20, 30, 50 users. And so it decreases the threat model a lot and is a big improvement, but it doesn't fix the underlying issues.

Host: And you mentioned another solution that was sort of a replacement for the MPEG, which had been jury-rigged to sort of take IP traffic. Does that have the same level of research involved in it, the same level of vulnerabilities or something like that? I know that you're doing probabilistic extraction of data from it, but...

James: Yeah, so the MPEG standards that are used for sending internet these days, there's something called Multi-Protocol Encapsulation, or MPE, and Ultra Lightweight Encapsulation, I think, or ULE, and we looked at both of those. Wireshark has built-in support for them, so the threat model is fairly trivial there if you can get a good recording. What's interesting about the MPEG context, though, is that building your own parser is a real pain, because it's not a format that was designed for sending data, and much less secure data, and so it's an incredibly complicated and convoluted way of getting IP packets from one place to another.

Host: I believe it. All those old things that are just like, "oh yeah, I'm sure we could fit this data in here somewhere, it'll work," right? One of the questions I saw on YouTube is: you're talking in your talk about how a lot of these are using old devices, obviously old operating systems, and I don't know how much you went into the past, but what they were wanting to know is, have you seen any progression in what they're trying to do to actually protect this data, or has it just been the same historically?

James: Yeah, so there are companies out there that offer encrypted satellite internet services. It's often something a customer has to pay extra for, or accept significant performance degradation in the form of the VPN. One big product in this area is made by Newtec; it's called enhanced TCP, or eTCP. There was a WikiLeaks document a few years ago that talked about how there were built-in backdoors for law enforcement and intelligence agencies, which is always the risk with using these proprietary standards. But there definitely is an initiative in parts of the industry to encrypt traffic. I think it's just one of those things where the commercial incentives don't align with the needs of customers.

Host: So I just want to... we briefly talked about your performance improving proxy, which you mentioned uses QUIC. Is there any potential benefit of just using WireGuard instead? It's another VPN, but if you directly compare it to OpenVPN, WireGuard is supposed to be simpler; it's using UDP sessions, so it should be a faster round trip. Did you look at that in comparison before you started working on your own QUIC proxy?

James: That's a great question. So we didn't test WireGuard specifically, although I would point out that the GitHub repository that's linked at the end of the talk for QPEP is actually a general-purpose Docker test bed where you could easily install whatever VPN you want and simulate the satellite link. That said, I think that a UDP-based VPN like WireGuard will still hide the TCP three-way handshake, so it'll also send those ACK messages across the satellite link, and so it might be a little bit faster starting the VPN session, but the encapsulated traffic is still going to be hidden from the ISP, and so they can't optimize it correctly. So you really need to split out the TCP sessions on the ground first, which most VPNs don't do, because it'd be a little silly, right?

Host: Fair, yeah. And WireGuard's designed so that they specifically can't see those TCP sessions or what's inside, right? So, kind of changing pace, sorry, talking and reading at the same time: have you looked into Starlink? I know it's a pretty hot topic that's going on right now. To see if they are actively using any kind of encryption or anything else like that?

James: So I haven't tested anything related to Starlink yet, although that's definitely, you talked about areas I'd be interested in in the future, that's definitely an exciting topic. Starlink is in lower orbit, which does change the dynamics a lot because the satellites are closer. You don't have the same problems with TCP three-way handshakes, which means that using a VPN is generally viable because the latency is much lower, although certain conditions can change that if you have to make a lot of hops across the constellation. So I think that it would be easier for SpaceX to implement an encrypted service than it would be for some of these geostationary providers. Whether or not they do that remains to be seen.

Host: Fair enough. And for receiving traffic, because they're in low earth orbit, they're going to have a much smaller footprint too.

James: Yeah, that's a great point. Like the Iridium low earth orbit constellation, each of the satellites passes across the horizon in like seven minutes, so the area that an attacker could be in is still too large, right? It's dozens of miles, hundreds of miles, but it's nowhere near comparable to a different continent.

Host: Yeah. Were you looking at Iridium satellites as your test bed? You didn't mention actually which satellites were involved.

James: Yeah, so we didn't look at Iridium, because it's a low earth orbiting constellation. We made the decision not to name specific satellite operators, for legal reasons, but they were geostationary providers over Europe.

Host: Yeah. I've always found the Iridium satellites, the story behind the Iridium satellites, super interesting. It's just a fascinating evolution out of Motorola.

James: Yeah.

Host: I was wondering, as the end result: if I'm up on the airplane or on a cruise ship and I decide to pay for internet, and I'm getting things like text messages, what can I do to protect that? Is something like a VPN enough to impact my protection?

James: So the text message case, I think you're kind of in a bad spot whatever you do, because that's over the femtocells and you don't have a ton of control over what their back end looks like. But for emails and stuff, so many people, more people than ever should be, were using just unsecured POP email inboxes and leaking deeply sensitive stuff over the feeds, and I think just generally using TLS for visiting websites, or POP3 with TLS for checking your inbox, is a huge step up for protection. And then if you're willing to take it a bit slower and have that latency problem, any VPN will be better than having someone spy on your traffic, in my opinion.

Host: I think this is going to be the first year in DEF CON's history since the Wall of Sheep started that they did not get plaintext POP or IMAP credentials, and that's only because they're not capturing traffic. People attending these conferences should know at least that much. Making a lot of assumptions here, I don't know. I feel like if you're going to a security convention you could at least not use POP.

James: It's a good start, yeah.

Host: Is there anything else that we haven't brought up that you might want to talk about specifically, anything that you might have left out of your talk because it got cut by time, that you're interested in, anything like that?

James: There's not too much left. I think that one thing that I kind of highlighted in the talk but ended up not happening is that GSExtract is not in our GitHub repository yet, but it's still something I'm aware of and trying to get out there for people who are interested in checking it out, and so that's definitely something that I hope will be out soon. Other than that, though, I think that the general idea of the talk is pretty straightforward, right? It's that unencrypted traffic, wherever you put it, should be encrypted instead, and satellites are especially frightening in this case because of the way that their signal properties are, but really, wherever you're using the internet, you don't know who's listening, and so encrypting end to end, and being sure that you understand how that works under the hood, can go a really long way towards helping with privacy.

Host: That's great. I know you mentioned one of the attacks of using the downlink of the satellites as a way to exfiltrate data, and I know that there was one particular attack in history that made use of this, and it was somewhere in Africa, and they figured out that someone was just driving a truck around collecting that data. Do you know anything about the attack? It's been a year since I remember anything about that.

James: Yeah, so I think it was by the Turla group, which is a Russian state-affiliated, well, depending on who you ask, state-affiliated advanced persistent threat group, and yeah, they seem to have been using these satellite hops to make traffic just disappear over the internet. And I think that's a really intuitive threat model, because all you have to do is be able to send a packet to the right IP address, and you don't have to have any software on the place that you're sending it to.

Host: Really, really sneaky. So I can't think of any more questions. If anyone out there watching the stream is interested in asking more questions, we're still here for a couple more minutes.

James: Yep, my email is also at the end of the slide deck, and I'm happy to answer any questions there too, or on Discord or wherever.

Host: Yeah. Do you have any additional resources you can share with us that we can just drop into Track One, anything that people might be interested in for further research?

James: Yeah, definitely. I'll share links to those academic papers. There's also a preprint paper talking about the proxy that hasn't been published yet but is generally the idea of what we're trying to get published, and so if anyone has ideas to contribute to that GitHub repository, or has noticed mistakes that I've made, because I'm not a network programmer, feel free to pop up an issue on GitHub.

Host: That's great. RPTK 2015 says: "How did you get to this project? Like, what was your path to get here?"

James: Yeah, so it was all those earlier talks. So there were the researchers in 2005, which was kind of academic, and then there were two talks at Black Hat DC in 2009 and 2010, and I was just fascinated by that as something that could be done, and seeing what changed was really the starting-off point. And then it started out as literally just a summer mini project; it was supposed to be six weeks, but we found so much information in those six weeks that I've sort of pivoted my PhD research around this satellite communications, and everywhere we look it just gets more and more fascinating and, honestly, worse and worse.

Host: Fair enough. So, you know, here between us, just between friends, can you tell us what was the most interesting piece of traffic that you kind of stumbled across?

James: Oh, that's so hard. I mean, it's really a different definition of interesting, right? Like, I forget if I mentioned this in my briefing or not, but for example there were two friends, one guy was on a plane, one guy was on the ground, just chatting about some wild dream they had where this guy's mom popped up in a burning building and started trying to feed him. And so you get all this real, you know, it's real people who are affected. And then, like I mentioned, being able to track this billionaire's yacht, right, and that's kind of a different world, to know what the people on the yacht are eating for lunch that day, based off of the web APIs that they're using to manage their food system. And so it's just a different world of security problems. I don't think being able to listen to the internet is something a hacker expects to get from any perspective, and the fact that it's so inexpensive and easy in a satellite world is, I think, especially concerning.

Host: Yeah, but definitely, yeah, not great. We do have someone calling out that this is one of the coolest talks that they've gotten to see.

James: I'm flattered.

Host: Yeah, it was a really good talk, and I am definitely glad that I got to do this Q&A session with you.

James: It was fun research to do.

Host: So have you enjoyed it? Have you talked to any of the... I know there are some projects for reviving old satellites and talking with them. Have you talked with those guys at all? They might have additional knowledge about talking to satellites, or different research projects that you might be interested in doing.

James: No, I haven't done that, but it is a very, very related field, right, because to some extent reverse engineering a satellite that you can't touch is the same as exploiting one. In a lot of the cases, really understanding the systems is the entirety of the security properties, and so yeah, that's definitely a fascinating area I'd want to explore.

Host: Yeah, I do know that they've also gotten special permission to do a bunch of transmissions to satellites as part of the revival stuff. So yeah, they did a talk, I want to say two years ago, about McMoon's, which was their headquarters for satellite communications.

James: That's awesome.

Host: Yeah. Some people are making references to DOCSIS work from earlier DEF CONs. I don't know if that's necessarily related, because DOCSIS is a cable protocol.

James: Yeah, I don't know anything about it, so if it is related I completely missed it, but definitely something for someone else to contribute.

Host: And "the geek" is asking you about new radio and SDR again, which we did briefly cover.

James: So yeah, I think it's possible. I think it's just a little bit harder. These things are pre-made and just easier to use and so widely available that it's easier to just pick up a satellite tuner yourself.

Host: Yeah, makes sense. I think you're getting high compliments from Mav there, talking about how this feels very much like the old Alexis Park content, so wow, people are loving this.

James: Yeah, I'm really flattered. Yeah, it was cool stuff to do. It was a little frightening at times, but really enjoyable research, and I think space is a place people haven't done a lot of exploring. I mean, there obviously are other people before me, but I think there's a lot of low-hanging fruit for people who are interested in kind of reliving the days when hacking was maybe not easy, but terrifying.

Host: Well done. Well, we're approaching the end of the session. Any final shout-outs or anything you want to do before we sign off?

James: One other thing I might hit on: I mentioned electronic flight bags in the talk as kind of an interesting component of the aviation stuff. I didn't know it at the time when I was recording the talk, but there were actually two village talks on electronic flight bags. One happened yesterday, by Matt Gaffney, and I thought it was really cool, and then there's one tonight by David Robinson. So if you're interested in the aviation side and what it might mean to hack an EFB, I definitely recommend checking those out. I know I will be.

Host: That's awesome. And I think that at least the vast majority of our village talks are also being recorded and put on YouTube. I don't know specifically if that village is; it's an opt-in, opt-out kind of thing, so it was up to everyone, but it may already be available on YouTube. The one yesterday may already be available on YouTube for people if they want to go watch it as well. Okay, well, thank you very much for joining us for this Q&A session. Thank you for making such great content for DEF CON. Thank you for being part of our virtual experience.

James: Thanks, it was great talking to you all.

Host: All right.