The deplorable situation with the security of satellite Internet

At the last Black Hat conference, a report was presented on security issues in satellite Internet access systems. Using an inexpensive DVB receiver, the author of the report demonstrated that Internet traffic transmitted via satellite communication channels can be intercepted.

A client can connect to a satellite provider over asymmetric or symmetric channels. With an asymmetric channel, outgoing traffic from the client is sent through a terrestrial provider, and incoming traffic is received via satellite. With symmetric links, both outgoing and incoming traffic pass through the satellite. Packets addressed to the client are sent from the satellite as a broadcast transmission that includes traffic from different clients, regardless of their geographic location. Intercepting such traffic was not difficult, but intercepting traffic sent from the client via satellite was not as easy.

For data exchange between the satellite and the provider, a focused transmission is usually used, which requires the attacker to be within several tens of kilometers of the provider's infrastructure. It also uses a different frequency range and coding formats, the analysis of which requires expensive provider equipment. But even if the provider uses the usual Ku-band, the frequencies for the two directions are, as a rule, different, so intercepting both directions requires a second satellite dish and solving the problem of stream synchronization.

It had been assumed that intercepting satellite communications required special equipment costing tens of thousands of dollars, but in fact the attack was carried out using a conventional DVB-S tuner for satellite TV (TBS 6983/6903) and a parabolic antenna. The total cost of the attack kit was approximately $300. Public information about the location of the satellites was used to point the antenna at them, and a typical application designed to find satellite TV channels was used to locate the communication channels. The antenna was pointed at the satellite and a scan of the Ku-band was started.

Channels were found by identifying peaks in the radio frequency spectrum that stand out against the background noise. After a peak was identified, the DVB card was tuned to interpret and record the signal as a normal digital video broadcast for satellite television. Trial interceptions were used to determine the nature of the traffic and to separate Internet data from digital television (a simple search for the "HTTP" mask was run over the dump produced by the DVB card; if it matched, the channel was considered to carry Internet data).

The traffic study showed that none of the analyzed satellite Internet providers uses encryption by default, which makes it possible to listen to traffic freely. It is noteworthy that warnings about security problems in satellite Internet were published ten years ago, but the situation has not changed since then, despite the introduction of new methods of data transmission. The transition to the new GSE (Generic Stream Encapsulation) protocol for encapsulating Internet traffic and the use of complex modulation systems, such as 32-dimensional amplitude modulation and APSK (Phase Shift Keying), did not make attacks harder, while the cost of interception equipment has dropped from $50000 to $300.

A significant drawback of data transmission over satellite communication channels is the very large packet delivery delay (~700 ms), which is ten times higher than the delay when sending packets over terrestrial communication channels. This has two significant negative effects on security: VPNs are not widely used, and connections are vulnerable to packet spoofing. It is noted that using a VPN slows transmission by about 90%, which, given the already large delays, makes a VPN practically unusable over satellite channels.

The vulnerability to spoofing is explained by the fact that the attacker can listen to all of the traffic arriving at the victim, which makes it possible to determine the sequence numbers in the TCP packets that identify connections. A fake packet sent through a terrestrial channel is almost guaranteed to arrive before the real packet, which is transmitted over a satellite channel with large delays and additionally passes through a transit provider.

The easiest targets for attacks on satellite users are DNS traffic, unencrypted HTTP, and email, which clients typically use without encryption. For DNS, it is easy to send bogus responses that bind a domain to the attacker's server (the attacker can generate a bogus response immediately after seeing the request in the traffic, while the real request still has to pass through the provider serving the satellite traffic). Analysis of mail traffic makes it possible to intercept confidential information; for example, one can initiate the password recovery process on a site and observe in the traffic the email message carrying the operation's confirmation code.
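A defender can turn the race described above into a detection: the forged DNS reply arrives first, but the genuine one still arrives later over the satellite path. The following is an added example, not code from the report; the `Resp` record layout, the 2-second window and the sample events are assumptions.

```python
from collections import namedtuple

# Parsed DNS response as seen at the client's gateway (field layout is an assumption).
Resp = namedtuple("Resp", "ts client txid qname answers")
WINDOW = 2.0  # seconds; assumption: comfortably above the ~700 ms satellite delay


def find_conflicting_responses(responses, window=WINDOW):
    """Return alerts for queries answered twice with different record sets.

    A forged reply that wins the race does not stop the genuine reply from
    arriving later over the satellite path, so the pair is observable.
    """
    first_seen = {}  # (client, txid, qname) -> first response seen
    alerts = []
    for r in sorted(responses, key=lambda r: r.ts):
        key = (r.client, r.txid, r.qname.lower().rstrip("."))
        prev = first_seen.get(key)
        if prev is None or r.ts - prev.ts > window:
            first_seen[key] = r  # new query, or the txid was reused much later
            continue
        if set(r.answers) != set(prev.answers):
            alerts.append({
                "client": r.client,
                "qname": key[2],
                "accepted": sorted(prev.answers),  # first reply, used by the resolver
                "late": sorted(r.answers),         # second reply, normally discarded
                "gap_ms": round((r.ts - prev.ts) * 1000),
            })
    return alerts


# Constructed sample events (documentation address ranges, example domains).
SAMPLE = [
    Resp(10.000, "10.0.0.5", 0x1A2B, "mail.example.com.", ("203.0.113.66",)),
    Resp(10.640, "10.0.0.5", 0x1A2B, "mail.example.com.", ("198.51.100.25",)),
    Resp(11.000, "10.0.0.5", 0x3C4D, "www.example.org.", ("198.51.100.80",)),
    Resp(11.010, "10.0.0.5", 0x3C4D, "www.example.org.", ("198.51.100.80",)),  # benign duplicate
    Resp(12.000, "10.0.0.7", 0x1A2B, "mail.example.com.", ("198.51.100.25",)),
    Resp(40.000, "10.0.0.7", 0x1A2B, "mail.example.com.", ("198.51.100.26",)),  # outside window
]

if __name__ == "__main__":
    for alert in find_conflicting_responses(SAMPLE):
        print(alert)
```

Retransmitted queries answered from a round-robin record set can also produce differing replies, so an alert is a lead to investigate rather than proof of spoofing.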

During the experiment, about 4 TB of data transmitted by 18 satellites was intercepted. In certain situations the configuration used did not provide reliable interception of connections due to the high signal-to-noise ratio and the receipt of incomplete packets, but the information collected was sufficient for compromise. Some examples of what was found in the intercepted data:

  • Navigational information and other avionics data transmitted to aircraft was intercepted. This information was not only transmitted without encryption, but also in the same channel as the traffic of the general on-board network, through which passengers send mail and browse websites.
  • A session cookie of an administrator of a wind turbine in the south of France, who was connecting to the control system without encryption, was intercepted.
  • An exchange of information about technical problems on an Egyptian oil tanker was intercepted. In addition to information that the ship will not be able to go to sea for about a month, data were received on the name and passport number of the engineer responsible for troubleshooting.
  • A cruise ship was transmitting sensitive information about its Windows-based LAN, including connection data stored in LDAP.
  • A Spanish lawyer sent a letter to a client with details of an upcoming case.
  • During the interception of traffic to the yacht of a Greek billionaire, an account recovery password for Microsoft services, sent by email, was intercepted.

Source: opennet.ru
