
DEFCON 28

Whispers Among the Stars


Perpetrating (and Preventing) Satellite Eavesdropping Attacks
James Pavur, DPhil Student
Oxford University, Department of Computer Science

08-082020

Bio / Contributors
• PhD Student @ Oxford University, Systems Security Lab
• Title of (blank) thesis_draft.tex file: Securing New Space: On Satellite Cybersecurity
• Don’t Work Alone…
• Daniel Moser, armasuisse / ETH Zürich
• Martin Strohmeier, armasuisse / Oxford University
• Vincent Lenders, armasuisse
• Ivan Martinovic, Oxford University

Lessons from the Past

• Ruhr-University Bochum, 2005
• Black Hat DC, 2009
• Black Hat DC, 2010

3 Domain-Focused Experiments

18 GEO Satellites

Coverage Area ~100 million km²

Whose Data?

• 9 FORTUNE GLOBAL 500 MEMBERS
• 6 OF 10 LARGEST AIRLINES
• ~40% MARITIME CARGO MARKET
• GOVERNMENTAL AGENCIES
• YOU?

3-Minute SATCOM Crash Course

Photo: Three Crew Members Capture Intelsat VI, NASA, 1992, Public Domain

Threat Model

Nation-State Actor Tech

Photo: Het grondstation van de NSO, Wutsje, July 2012, Wikimedia Commons, CC BY-SA 3.0

$300 of TV Equipment

• Selfsat H30D ~$90 (or any satellite dish + LNB)
• TBS-6983/6903 ~$200-300 (or comparable PCIE tuner, ideally with APSK support)

MPEG-TS + MPE/ULE
• Legacy (but still popular) standard
• Hacked together combination of protocols built for other purposes
• Tools exist for parsing
• dvbsnoop, tsduck, TSReader
• Primary focus for related work from 2000-2010

GSE (Generic Stream Encapsulation)


• More modern, popular among enterprise “VSAT” customers
• In practice, networks assume equipment in the $25k-$100k range
• Doesn’t work well on our hardware…

GSExtract

• Custom tool to forensically reconstruct bad recordings
• Applies simple rules to find IP headers / place fragments
• https://doi.ieeecomputersociety.org/10.1109/SP40000.2020.00056
• Public Release?
• https://github.com/ssloxford

[Chart: Packet Recovery Rate Using GSExtract]

[Diagram: Dish + DVB-S Tuner Card → dvbsnoop or GSExtract → *.pcap]

General Findings

• NO DEFAULT ENCRYPTION
• ISP-ESQUE VANTAGE POINT
• BREACH THE PERIMETER

Terrestrial

TLS == Privacy?

TLS != Privacy

[Chart: Top SSL Certificate Names (MPEG-TS Case Study)]

!TLS != Privacy

IOT & Critical Infrastructure

“admin-electro…..”

Maritime

Case Study: 100 Random Ships

Art: Rodney’s Fleet Taking in Prizes After the Moonlight Battle, Dominic Serres, Public Domain


~10% of Vessels Identified

ECDIS
• Electronic Chart Display and Information System
• Standard Formats Support Cryptographic Verification
• But we observed more than 15,000 unsigned chart files in transit
• Many also use proprietary formats

Listening Can Be Enough…


Chart Update Via Email

Publicly Routable FTP Fileshares

General Privacy

• Captain of Billionaire’s Yacht – MSFT Acct.
• Guests & Crew / Lunch Orders?
• POS Traffic From Cruise Ships
• Crew Passport Data Transmitted to Port Authorities

Aviation

Where Did the Planes Go?

• Lots of Useless Nonsense (e.g. Instagram Traffic)
• Almost Entirely Essential Traffic
• People Who Really Need to Travel

Chart: Xavier Olive, Impact of COVID-19 on worldwide aviation, https://traffic-viz.github.io/scenarios/covid19.html

Crossing the “Red Line”

“A primary concern is the sharing of these SATCOM devices between different data domains, which could allow an attacker […] to pivot from a compromised IFE to certain avionics”

The Loneliest EFB

Photo: Gulfstream Aerospace G150, Robert Frola, 2011, Flickr, GFDL.

GSM @ 30,000ft


Active Attacks?

“Untraceable” Exfiltration: Requirements

• ROUTE FROM COMPROMISED HOST TO SATELLITE IP
• DISH INSIDE FORWARD LINK FOOTPRINT

[Diagram labels: Compromised PC, Internet, SATCOM Customer, Attacker’s Server]

TCP Session Hijacking


• Snoop TCP sequence numbers
• Impersonate satellite-terminal conversation endpoint
• Possibly bi-directional, but more complex
• Network Requirements
• IPs must be routable to attacker
• No TCP sequence number altering proxies

Ethics and Disclosure


Adhered to legal obligations in jurisdiction of data collection
• Data stored securely and only while needed
• Data was never shared with 3rd parties
• Encryption untouched
• Won’t “name and shame”

Followed responsible disclosure process
• Contacted satellite operators in 2019
• Reached out to some of the largest impacted customers

Vast majority of companies were receptive
• Shared findings directly to CISOs of several large orgs
• Unclear if any changes have been made…
• Only one organization threatened legal action if we published!

Thanks FBI!


Mitigations and Defenses

Why Does This Happen?


• Not just ignorance / incompetence
• Space is far and round-trip times (RTT) to GEO are long
• TCP especially troublesome because of the 3-way handshake

Your ISP: A Helpful MITM?


Basic Performance Enhancing Proxy (PEP)
• Split TCP handshake locally
• One handshake at the modem
• One handshake at the ISP groundstation
• Problem: Can’t split TCP connections if they’re wrapped in a VPN
• Applies to TCP-based VPNs too since underlying connection is wrapped

[Diagram: Sat Modem, Satellite, Ground Station, Internet]
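
A rough propagation-only model of the two slides above ("Why Does This Happen?" and the PEP slide), added here as an illustration and not taken from the talk or from QPEP. It assumes a 1460-byte MSS, an initial window of 10 segments, no loss, and a PEP that fully hides the handshake and slow start from the endpoints; the function names are made up for this example.

```python
import math

C_KM_S = 299_792.458   # speed of light in vacuum, km/s
GEO_ALT_KM = 35_786    # geostationary altitude above the equator, km


def geo_rtt_s(alt_km: float = GEO_ALT_KM) -> float:
    """Lower bound on terminal <-> ground-station RTT via a GEO satellite.

    A request climbs to the satellite and descends to the ground station,
    and the reply does the same in reverse: four legs of ~alt_km each.
    Real links add slant range, modem framing and queuing on top.
    """
    return 4 * alt_km / C_KM_S


def slow_start_rounds(size_bytes: int, mss: int = 1460, init_cwnd: int = 10) -> int:
    """Round trips needed to deliver size_bytes when cwnd doubles every RTT.

    Assumed values: 1460-byte MSS, initial window of 10 segments, no loss.
    """
    segments = math.ceil(size_bytes / mss)
    rounds, cwnd, sent = 0, init_cwnd, 0
    while sent < segments:
        sent += cwnd
        cwnd *= 2
        rounds += 1
    return rounds


def fetch_time_s(size_bytes: int, pep_can_split: bool) -> float:
    """Propagation-only time to fetch one object over a fresh TCP connection."""
    rtt = geo_rtt_s()
    if pep_can_split:
        # Modelling assumption: the modem answers the SYN locally and the PEP
        # pair streams data over the satellite hop without end-to-end slow
        # start, so only the request/response crosses the link: one RTT.
        return rtt
    # Inside a VPN the PEP sees only encrypted tunnel packets, so the inner
    # handshake (1 RTT) and every slow-start round cross the satellite link.
    return (1 + slow_start_rounds(size_bytes)) * rtt


if __name__ == "__main__":
    for size in (50_000, 1_000_000):
        plain, vpn = fetch_time_s(size, True), fetch_time_s(size, False)
        print(f"{size:>9} B  PEP split: {plain:.2f} s   wrapped in VPN: {vpn:.2f} s")
```

The model ignores link bandwidth, so it shows only the round-trip penalty that pushes customers away from VPNs, not absolute page-load times.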


Ok, but what can I do today?

• Accept VPN performance hit
• Use TLS / DNSSEC / etc.
• ISP: Alter sequence numbers in PEP

Longer Term: QPEP


QPEP Design Principles

• OPEN SOURCE
• ACCESSIBLE & SIMPLE
• TARGET INDIVIDUALS (NOT ISPS)

Contribute Here: https://github.com/ssloxford/qpep

Traditional VPN Encryption (OpenVPN): ~25 seconds
Encrypted PEP (QPEP): ~14 seconds

Key Takeaways
• Satellite Broadband Traffic is Vulnerable to Long-Range Eavesdropping Attacks
• Satellite Customers Across Domains Leak Sensitive Data Over Satellite Links
• Performance and Privacy Don’t Need to Trade Off in SATCOMs Design

The “Next Hop” is unknown. Encrypt everything.

Questions/Ideas: james.pavur@cs.ox.ac.uk
Special thanks to a.i. solutions for offering academic access to FreeFlyer, used in our animations!
