Spying on satellite internet comms with a $300 listening station

An attacker could use $300 worth of off-the-shelf equipment to eavesdrop and intercept signals from satellite internet communications.

The academic researcher James Pavur, speaking at Black Hat 2020 hacking conference, explained that satellite internet communications are susceptible to eavesdropping and signal interception. Attackers could use cheap equipment like a basic home-television gear that goes from $300 to spy on the internet traffic for high-value targets.

When a satellite ISP attempt to establish an internet connection for a customer, it beams that customer’s signals up to a geostationary satellite using a narrow communications channel. Then the signal is sent back down to a terrestrial receiving station and routed to the internet.

The response signals are sent back using the same channel, the transmission downlink between the satellite and the user will be a broadcast transmission that contains the larger volume of customers’ traffic simultaneously in order to optimize the costs.

“A critical difference is that we’re going to send [downstream signals] in a really wide beam, because we want to cover as many customers as possible, and satellites are very expensive,” explained Pavur. “So radio waves carrying a response to a Google search will reach our customer in the middle of the Atlantic Ocean; but they will also hit an attacker’s dish in, say, Ghana.”

Pavur explained that nation-state actors could use very expensive equipment in installed ground stations to eavesdrop on satellite communications. However, he demonstrated that it is possible to spy on satellite internet connections using basic home-television consumer equipment.

The boffin used a common flat-panel satellite dish and an off-the-shelf PCIe satellite tuner card to realize the listening station. Pavur pointed out that professional PCIe tuner cards cost between $200 and $300, but it is possible to use less reliable and cheaper versions that go for $50/$80.

The researchers explained that an attacker could spy on specific satellites, whose locations are public, by pointing them with the dish. Then they could use software like EPS Pro to discover internet feeds.

“We’re going to point our satellite dish at a spot in the sky that we know has a satellite, and we’re going to scan the Ku band of the radio spectrum to find signals against the background noise,” Pavur explained. “The way we’ll identify channels is by looking for distinct humps in the radio spectrum; because they stick out against the background noise, we can guess that there’s something going on there. We’ll tell our card tune to this one, and treat it as a digital video broadcasting for satellite feed. After a few seconds we get a lock on that feed, meaning we successfully found a connected satellite.”

Once discovered a feed the attacker have to record it and analyze the collected data in order to determine whether the traffic is related to an Internet connection or a TV feed. Pavur explained that this check is quite simple, he just looked for the presence of the string HTTP which is associated with Internet traffic and not in a TV feed.

Once the attacker has identified a satellite internet connection he can record it and then parse it for valuable information. The feed are transmitted in MPEG video streaming format or the generic stream encapsulation (GSE) protocols.

MPEG is easy to parse using commonly available tools like Wireshark, while GSE leverage more complicated modulations that make it hard for cheap hardware to parse the stream.

Pavur and his colleagues noticed that most of the traffic they collected resulted in corrupted files, for this reason, they developed a tool called GC Extract to extract IP data out of a corrupted GSE recording.

“What this means is that an attacker who’s listening to your satellite signal gets to see what your internet service provider would expect to see: Every packet that comes to your modem, every BitTorrent you download, every website you visit,” Pavur said. “But it gets even worse if we look at enterprise customers, because a lot of them were operating what was essentially a corporate land network over the satellite feeds. For example, imagine a cruise line that has a bunch of Windows devices aboard it ships. This Windows local area network with all that internal LDAP traffic and SDP traffic will be broadcast over the satellite link, giving an eavesdropper perspective from behind the firewall.”

Pavel explained that attackers could also collect information even when the traffic is encrypted. The analysis of DNS could reveal the user’s Internet browsing history while the analysis of TLS certificates could allow fingerprinting the servers the user connected.

The researcher presented some real cases in which he was able to access data sent on satellite internet connections.

The researchers and his Oxford team disclosed their findings to the test victims and ISPs.

The Federal Bureau of Investigation released a private threat-intelligence notification following the presentation of the results of the research.

“However, recently conducted research discovered man-in-the-middle attacks against maritime VSAT signals can be conducted with less than $400 of widely available television equipment, a presenting opportunities to a wider range of threat actors to potentially gain visibility into sensitive information.” reads the notification published by the FBI.

“The internet is a weird web with devices and systems that are connected in ways that you can never predict, you might connect to a secure Wi-Fi hotspot or a cell tower, but the next hop could be a satellite link or wiretapped Ethernet cable,” Pavur concluded. “Having the right, the ability and the knowledge to encrypt your own data, and to choose to do that, is critical to protecting against this class of attack, whatever domain you think about it in.”

The Presentation Slides are available here:

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, satellite)

[adrotate banner=”5″]

[adrotate banner=”13″]