If you didn’t already know, there is a ton of readily available satellite TV electronics you can use to sniff and inspect satellite internet traffic
By:
Eric De Grasse
Chief Technology Officer
11 August 2020 (Athens, Greece) – Had this been “normal times”, I’d have been in Las Vegas last week and this week to attend DEFCON (the world’s largest, longest continuously run underground hacking conference) and Black Hat (its more “corporate” sister computer security conference that provides security consulting, training, and briefings to hackers, corporations, and government agencies around the world). I’ve been attending both for 15+ years, and my partner and the founder of Project Counsel Media, Greg Bufithis, has been attending for 6 years. When we set up our penetration test company we recruited at DEFCON.
When you attend these events “live”, on-site, it seems “being hacked” is the watchword, so in a gathering of thousands of hackers (each event draws about 20,000 attendees) Faraday bags and RFID blocking sleeves are suggested. If you bring a laptop, a good idea is to flash it with a clean install, put the bare minimum of data on it you need to survive the week, and restrict unnecessary services like Bluetooth and Wifi. When you get home, you pull off any files you need to keep and restore the device from a backup. For phones, ALWAYS take a burner.
This year both events were virtual so it was nice I did not need to pack my combat gear. And yet both events over their combined 10 days provided days stuffed with intensive training courses, cutting-edge briefings, demos of innovative products and … surprisingly … some decent social networking via “virtual chat rooms”. But when you have a $1 million tech budget … well, you have the flexibility to do just about anything.
True, it was not the same level of social networking this year. Black Hat and DEFCON are unique in that it’s a “one-stop shopping” co-event, where every major security executive and analyst is gathered. You don’t have to travel around the globe or hunt them down on the Internet – they’re all there. And you can snag most of them for a 5 minute chat. It is where Greg and I have made our best networking contacts in the cyber / security / intelligence communities who we call upon all the time to assist in our work for clients, and to inform our blog posts.
Over the next few days I’ll cherry pick a few sessions I streamed (note to our cyber listserv membership: you’ll receive my Black Hat/DEFCON recap this weekend) which I think will be of interest to our cyber technology, legal technology, and mobile technology communities.
First up: satellites.
Back in 2014, the U.S. National Security Agency revealed how two of the world’s most advanced espionage groups (both Russian) had been caught unleashing an extremely stealthy trojan that for years siphoned sensitive data from governments and pharmaceutical companies around the world. They hijacked satellite-based Internet links to communicate with command and control servers. It made for several quite illuminating sessions at DEFCON in 2015 showing how far satellite hacking had come. At the time most available satellite-based Internet remained limited, was slow, and most satellite links were unencrypted and could be intercepted by anyone within a radius of more than 600 miles. That meant a connection between someone located in, say, a remote location in Africa and a satellite-based ISP could be monitored or even hijacked by an attacker.
Satellite technology (and vulnerability) progressed and it has become a major focus at every tech event we attend besides Black Hat and DEFCON: InfoSec World, the International Cyber Security Forum, the Mobile World Congress, and many more. At the Mobile World Congress and at an RSA Security conference it even spilled over into the legal technology field. At both events we spoke about the technology moving faster than governments. The example was the development of internet provision and data storage by networks of “cubesats”. You’ve read our briefing notes about these “swarm satellites”, as well as unauthorized rogue satellites. These cubesats are roughly the size of a Rubik’s cube and in low earth orbit. Their launch is causing issues which will throw a spanner in the works of national firewalls and other regional rules, especially the EU’s new General Data Protection Regulation (GDPR). If you can access the network and your data directly from any place on the globe it will be difficult (though not impossible) for governments to interfere.
NOTE: this is but one of the “hidden agenda” issues behind Amazon’s “Kuiper Constellation”. The U.S. Federal Communications Commission approved Amazon to launch 3,326 satellites as part of that constellation, to beam internet coverage down to Earth. And by the way, that’s roughly 600 more satellites than the total number currently in orbit. Governments around the world have freaked out. The original complaint was that the U.S. approved this without any world-wide, industry-wide guidelines, no “good corporate citizenship”, no regulation. And now that it has been determined these satellites can be data storage devices … well “concerns” have been raised.
Which brings us to our good friend James Pavur who did a presentation at DEFCON to show how, armed with around $300 of easy-to-find hardware plus some custom code, he and his colleagues were able to access non-encapsulated internet traffic beamed via satellite.
NOTE: by non-encapsulated, I mean, internet traffic that wasn’t already encrypted before it was relayed by the satellite – the satellite network didn’t provide any protection itself. Customers of satellite broadband ISPs include large enterprises, shipping companies, law firms, and communications providers using these orbiting birds to relay traffic.
Our regular readers will remember James. He was one of our sources for a long piece on the GDPR and its “unintended consequences”. As it turned out, the GDPR is an identity thief’s dream ticket to Europeans’ data, weaponized via the “Right of Access” to steal EU identities. You can read that post by clicking here. And an update: as of March 2020 we were still able to steal data via many of the techniques we outlined in that post.
His DEFCON talk this year looked at satellite communications affecting three domains: air, land, and sea. He showed how satellite eavesdroppers can threaten privacy and communications security – and even hijack active sessions over the satellite link. I have a video link below to the bulk of his presentation (not all; there were side chats after the main presentation) but just to note a few points:
• The research effort, said Pavur, began as a summer project to test whether the findings of satellite hackers in the 2000s had withstood the test of time. He says that while some of the methods of transmission have changed, the results are pretty much unchanged; a miscreant with minimal resources can sniff non-encapsulated internet traffic bounced around the heavens. “It allows someone to get away with $200 or $300 of home television equipment and do harm that they would otherwise need tens of thousands of dollars for,” Pavur claimed.
• Most satellite internet services, we’re told, do not wrap their signals in encryption, so if you can pick up the packets over the air, you’re in business: you’ll be able to receive and read any data sent in plaintext. Armed with a satellite decoder PCI card and an off-the-shelf satellite telly dish, anyone can tune to the right frequency and eavesdrop on non-encapsulated data, such as plaintext DNS lookups and HTTP connections. In short, if you use a satellite internet service you should wrap your connections in encryption – via a VPN or SSH tunnel, for example – because most of the ISPs do not provide it, and collecting data beamed down from birds is not hard to do.
• Relax, satellite hacking is unlikely to lead to an Earth-blinding Kessler effect – at least not yet.
• To be clear, a few hundred bucks is not going to let you get a complete wiretap on a company’s internet traffic. Pavur said that his crew’s bare-bones setup was not always able to reliably snoop on connections – there was a high noise-to-signal ratio and getting complete packets was rare – but they were able to collect enough info to make any organization uneasy. One example he gave was that he was able to pick off the traffic from a major US law firm showing a lawyer sending emails to clients, with very sensitive documents, as well as the email exchanges from a major shipping company which contained employee passport and other sensitive information. Among the other data collected were business documents and internal communications from Fortune 500 businesses, as well as from ordinary folks. They were even able to harvest Windows PC information from local networks. It was easy, he said: “A lot of these enterprise networks operate basically as a LAN network across the satellite feed. The internal Windows traffic from that network was being broadcast.”
NOTE: those of you who have access to BBC4 will remember the series on satellites which had a segment whereby some tech geeks back in 2003 fashioned a standard dish and developed a somewhat off-the-shelf receiver and were able to listen in to calls being routed via satellite. Yes, the analogue era but as a DEFCON attendee pointed out, it is still possible to listen to calls in that manner [he told me the digital equipment I need; more in the weekend wrap-up]. So it doesn’t seem like security has improved much.
More worryingly, Pavur noted that the setup his team used pales in comparison to what most state-sponsored groups have at their disposal. This point was hammered home last January at the International Cyber Security Forum which devoted two panels to satellite cyber attacks. So given what his team was able to do with a bit of knowhow and some easily available hardware, it’s no surprise government intelligence agencies armed with high-powered dish arrays and special software can collect far more data more reliably.
BOTTOM LINE: anyone relying on a satellite internet service needs to step up their encapsulation encryption, because you can’t assume your traffic is being protected otherwise.
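To check your own exposure, the added example below (not from Pavur's talk or the original post) classifies the first payload bytes of outbound flows captured at your own gateway as readable in transit (plaintext DNS, HTTP) or wrapped (TLS, SSH). The function names and the sample flows are constructed for illustration, and the TLS/SSH recognition goes slightly beyond the two plaintext protocols the post names.

```python
import struct

HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"HEAD ", b"DELETE ", b"OPTIONS ")
# Constructed sample: (transport, destination port, first payload bytes).
SAMPLE_FLOWS = [
    ("udp", 53, b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
                b"\x04mail\x07example\x03com\x00\x00\x01\x00\x01"),
    ("tcp", 80, b"GET /report.pdf HTTP/1.1\r\nHost: intranet.example.com\r\n\r\n"),
    ("tcp", 443, b"\x16\x03\x01\x02\x00\x01\x00\x01\xfc\x03\x03"),
    ("tcp", 22, b"SSH-2.0-OpenSSH_8.2\r\n"),
]

def dns_qname(payload):
    """Return the first question name of a DNS message, or None if malformed."""
    if len(payload) < 13 or struct.unpack("!H", payload[4:6])[0] == 0:
        return None
    labels, i = [], 12                      # the question starts after the 12-byte header
    while i < len(payload):
        n = payload[i]
        if n == 0:
            return ".".join(labels) or None
        if n > 63 or i + 1 + n > len(payload):   # compression pointer or truncated label
            return None
        labels.append(payload[i + 1:i + 1 + n].decode("ascii", "replace"))
        i += 1 + n
    return None

def classify(proto, dport, payload):
    """Return (verdict, detail): what a passive listener on the downlink could read."""
    if proto == "udp" and dport == 53:
        name = dns_qname(payload)
        if name:
            return ("EXPOSED", "DNS query for " + name)
    if proto == "tcp" and payload.startswith(HTTP_METHODS):
        host = "unknown host"
        for line in payload.split(b"\r\n")[1:]:
            if line.lower().startswith(b"host:"):
                host = line[5:].strip().decode("ascii", "replace")
        return ("EXPOSED", "HTTP request to " + host)
    # Session content is encrypted; handshake metadata (e.g. TLS SNI) is still visible.
    if proto == "tcp" and payload[:2] == b"\x16\x03":
        return ("ENCRYPTED", "TLS handshake")
    if proto == "tcp" and payload.startswith(b"SSH-"):
        return ("ENCRYPTED", "SSH banner")
    return ("UNKNOWN", "unrecognised payload; inspect manually")

def audit(flows):
    return [classify(*flow) for flow in flows]

if __name__ == "__main__":
    for verdict, detail in audit(SAMPLE_FLOWS):
        print(f"{verdict:9} {detail}")
```

Anything reported as EXPOSED is what needs to move inside a VPN or SSH tunnel before it reaches the satellite modem.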
And Pavur makes it sound easy. It takes some technique. Intercepting a relatively well focussed point-to-point transmission requires being in the right place, not to mention knowing where the right place is. But, yes, the equipment is out there if you know how to use it.
But Pavur nails the problem. The trouble with satellites is that they “spray” transmissions over thousands of square miles, so someone sitting at home can catch transmissions intended for a ship in the middle of the Atlantic, or somewhere on a different continent.
Here are the major bits of his presentation: