An Oxford University-based security researcher says he used £270 ($300) of home television equipment to capture terabytes of real-world satellite traffic — including sensitive data from “some of the world’s largest organisations.”
James Pavur, a Rhodes Scholar and DPhil student at Oxford, will detail the attack in a session at the Black Hat security conference in early August.
Pavur will also demonstrate that, “under the right conditions,” attackers can hijack active sessions via satellite link, a session overview reveals.
The news comes as the number of satellites in orbit is expected to increase from approximately 2,000 today to more than 15,000 by 2030. (Elon Musk’s SpaceX alone has permission to launch 12,000 satellites.)
Satellite Hacking: Encryption in Space is Hard…
The presentation will reveal details on “attacking satellite broadband communications across three domains: land, air, and sea”.
A synopsis warns that these communications can be spied on “from thousands of miles away with virtually no risk of detection”.
While full details of the attack will not be revealed until the Black Hat conference, a 2019 conference paper published by Pavur gives a sneak peek into some of the challenges of security in the satellite communications space.
It appears to boil down in large part to the absence of encryption-in-transit for satellite-based broadband communications.
The May 2019 paper (“Secrets in the Sky: On Privacy and Infrastructure Security in DVB-S Satellite Broadband”) notes:
“Satellite transmissions cover vast distances and are subject to speed-of-light latency effects and packet loss which can impair the function of encryption schemes designed for high-reliability terrestrial environments (e.g. by requiring re-transmission of corrupted key materials). Moreover, satellites themselves are limited in terms of computing capabilities and any on-board cryptographic operation risks trading off with other mission functionality.”
It also reveals how some of the eavesdropping was conducted using a “75 cm, flat-panel satellite receiver dish and a TBS-6983 DVB-S receiver… configured to receive Ku-band transmissions between 10,700 MHz and 12,750 MHz. A set of 14 geostationary satellites were selected [and from them] over 350 transponders were identified using existing ‘Blind Scan’ tools.”
Pavur targets the Digital Video Broadcasting-Satellite (DVB-S) and DVB-S version 2 protocols, which transmit data in MPEG-TS format.
The paper adds: “A collection of Python utilities… was used to analyze each of these transponders for signs of DVB-based internet transmissions.”
The 2018 experiment (it was not immediately clear if the Black Hat presentation refers to fresh work) notes that through manual inspection of intercepted traffic, the security researchers identified “[traffic] flows associated with electrical power generation facilities”.
“Vulnerable systems administration pages and FTP servers were publicly routable from the open internet. This means that an attacker could sniff a session token from a satellite connection, open a web browser, and login to the plant’s control panel…”
Along with further details on the attack, Pavur will present at Black Hat an “open-source tool which individual customers can use to encrypt their traffic without requiring ISP involvement.”