Professional Documents
Culture Documents
08-082020
1
DEFCON 28
08-082020
2
DEFCON 28
08-082020
3
DEFCON 28
08-082020
4
DEFCON 28
Bio / Contributors
• PhD Student @ Oxford University,
Systems Security Lab
• Title of (blank) thesis_draft.tex file:
Securing New Space: On Satellite
Cybersecurity
• Don’t Work Alone…
• Daniel Moser, armasuisse / ETH Zürich
• Martin Strohmeier, armasuisse /
Oxford University
• Vincent Lenders, armasuisse
• Ivan Martinovic, Oxford University
08-082020
5
DEFCON 28
Ruhr-University Bochum, 2005 Black Hat DC, 2009 Black Hat DC, 2010
08-082020
6
DEFCON 28
3 Domain-
Focused
Experiments
18 GEO Satellites
Whose Data?
08-082020
8
DEFCON 28
3-Minute
SATCOM Crash
Course
08-082020
Photo: Three Crew Members Capture Intelsat VI, NASA, 1992, Public
9 Domain
DEFCON 28
08-082020
10
#BHUSA @BLACKHATEVENTS
DEFCON 28
08-082020
11
#BHUSA @BLACKHATEVENTS
DEFCON 28
08-082020
12
#BHUSA @BLACKHATEVENTS
DEFCON 28
08-082020
13
#BHUSA @BLACKHATEVENTS
DEFCON 28
08-082020
14
#BHUSA @BLACKHATEVENTS
DEFCON 28
08-082020
15
DEFCON 28
08-082020
16
DEFCON 28
08-082020
17
DEFCON 28
08-082020
18
DEFCON 28
08-082020
19
DEFCON 28
Threat Model
08-082020
20
DEFCON 28
08-082020 Photo: Het grondstation van de NSO, Wutsje, July 2012, Wikimedia Commons, CC BY-SA 3.0
21
DEFCON 28
08-082020 Photo: Het grondstation van de NSO, Wutsje, July 2012, Wikimedia Commons, CC BY-SA 3.0
22
DEFCON 28
$300 of TV Equipment
08-082020
24
DEFCON 28
MPEG-TS +
MPE/ULE
• Legacy (but still popular)
standard
• Hacked together
combination of protocols
built for other purposes
• Tools exist for parsing
• dvbsnoop, tsduck, TSReader
• Primary focus for related
work from 2000-2010
08-082020
25
DEFCON 28
08-082020
26
DEFCON 28
• https://doi.ieeecomputersociety.org/10.
15%
1109/SP40000.2020.00056
65%
• Public Release? 40%
50% 50%
• https://github.com/ssloxford 10%
40%
08-082020
27
DEFCON 28
08-082020
28
DEFCON 28
dvbsnoop
Dish + DVB-S
*.pcap
Tuner Card
GSExtract
08-082020
29
DEFCON 28
General Findings
NO DEFAULT ISP-ESQUE
ENCRYPTION VANTAGE POINT
BREACH THE
08-082020
PERIMETER
30
DEFCON 28
Terrestrial
08-082020
31
DEFCON 28
TLS == Privacy?
08-082020
32
DEFCON 28
08-082020
33
DEFCON 28
!TLS != Privacy
08-082020
34
DEFCON 28
“admin-electro…..”
08-082020
35
DEFCON 28
Maritime
08-082020
36
DEFCON 28
08-082020 Art: Rodney’s Fleet Taking in Prizes After the Moonlight Battle, Dominic Serres, Public Domain
37
DEFCON 28
08-082020
38
DEFCON 28
08-082020
39
DEFCON 28
08-082020
40
DEFCON 28
08-082020
41
DEFCON 28
ECDIS
• Electronic Chart Display
and Information System
• Standard Formats
Support Cryptographic
Verification
• But we observed more than
15,000 unsigned charts files
in transit
08-082020
• Many also use
proprietary formats
42
DEFCON 28
08-082020
43
DEFCON 28
General Privacy
Captain of Billionaire’s Yacht – MSFT Acct. Guests & Crew / Lunch Orders?
08-082020
44
DEFCON 28
General Privacy
POS Traffic From Cruise Ships Crew Passport Data Transmitted to Port Authorities
08-082020
45
DEFCON 28
Aviation
08-082020
46
DEFCON 28
08-082020
47
Chart: Xavier Olive, Impact of COVID-19 on worldwide aviation, https://traffic-
viz.github.io/scenarios/covid19.html
DEFCON 28
Lots of Useless
08-082020 Almost Entirely People Who Really
Nonsense (e.g.
Essential Traffic Need to Travel
Instagram Traffic)
48
Chart: Xavier Olive, Impact of COVID-19 on worldwide aviation, https://traffic-
viz.github.io/scenarios/covid19.html
DEFCON 28
49
DEFCON 28
08-082020
50
GSM @ 30,000ft
08-082020
51
DEFCON 28
Active
Attacks?
08-082020
52
DEFCON 28
53
DEFCON 28
08-082020
54
DEFCON 28
08-082020
55
DEFCON 28
08-082020
56
DEFCON 28
08-082020
57
DEFCON 28
08-082020
58
DEFCON 28
08-082020
59
DEFCON 28
08-082020
61
DEFCON 28
08-082020
62
DEFCON 28
08-082020
63
DEFCON 28
08-082020
64
DEFCON 28
08-082020
65
DEFCON 28
08-082020
66
DEFCON 28
67
DEFCON 28
Thanks FBI!
08-082020
68
DEFCON 28
Thanks FBI!
08-082020
69
DEFCON 28
Thanks FBI!
08-082020
70
DEFCON 28
Mitigations
and Defenses
08-082020
71
DEFCON 28
08-082020
72
DEFCON 28
73
DEFCON 28
Accept VPN performance Use TLS / DNSSEC / etc. ISP: Alter sequence
hit numbers in PEP
08-082020
74
DEFCON 28
08-082020
75
DEFCON 28
76
Traditional VPN Encryption (OpenVPN) Encrypted PEP (QPEP)
Key Takeaways
Satellite Broadband Traffic is Vulnerable
to Long-Range Eavesdropping Attacks
08-082020
Performance and Privacy Don’t Need to
Trade Off in SATCOMs Design
78
DEFCON 28
08-082020
79 Questions/Ideas: james.pavur@cs.ox.ac.uk
Special thanks to a.i. solutions for offering academic access to FreeFlyer, used in our animations!