You might think that satellites—complex and distant—are immune to eavesdropping, but that's not the case, according to James Pavur, a PhD Student at Oxford University.
At this year's socially distanced, online Black Hat security conference, Pavur showed how his team was able to intercept reams of data from satellite broadband providers using home television equipment and some custom software.
Elon Musk's Starlink satellites might be blocking views of the cosmos, but loose-lipped satellites are spewing secrets.
Pavur and his team looked at 18 satellites in geosynchronous orbit, covering parts of the US, China, India, and the Caribbean.
"A massive attack area," Pavur said.
"This wasn't just some boring data," said Pavur.
"This was interesting data from interesting people," including government agencies, major shipping companies, Greek billionaires, and even a North African fighter jet.
"We even saw traffic from people like you."
How It All Works
When a person or a machine tries to access the internet over a satellite connection, the data is transmitted up to orbit.
"The satellite doesn't do much," said Pavur.
"It's basically just a dumb, bent pipe." It sends the data back to a base station on Earth, which then connects to the internet as usual.
This part of the journey is very difficult for an attacker to intercept.
When data comes back from the internet, it heads to the satellite and back down to customers.
This time, Pavur explains, the satellite blasts data across an enormous area in order to reach all of the satellite ISP's customers.
"This is the crux of satellite eavesdropping," he explained.
Because the broadcast covers such a wide area, an attacker can easily intercept one side of the communications.
Pavur compared this to attacking a Wi-Fi connection.
In that scenario, you need to be very close to the target, perhaps no further than across the street.
Intercepting satellite communications can be done by someone in a different country, or even different continent, than the victim.
Nation-states, Pavur pointed out, already covertly monitor satellite communications from multimillion-dollar installations.
For this research, he and his team used an ordinary commercial satellite dish.
("Something already rusting on your roof, or off Craigslist," Pavur quipped.)
Pavur's team connected that to a DVB card, which can be had for anywhere between $80 and $300, and was up and running.
Using off-the-shelf software to search for satellite signals, and some custom-made forensics software to clean up the junk data, Pavur said he was able to capture anywhere from 1MB to 1TB of data in a week of observation.
Looking over the data they collected, Pavur said it was clear that most satellite ISPs aren't employing encryption by default.
This means that a savvy attacker can see whatever the ISP can see—which is just about everything.
In the team's research, they saw unencrypted wind turbine control credentials, updates to marine navigational charts, routers being used by major European energy providers, and ships' crew information—including names and passport numbers—being sent to local port authorities.
The team was even able to identify specific ships at sea.
There was also private email correspondence, which Pavur pointed out could be intercepted and used to take over accounts using password-reset options.
The security of high-tech satellites has been a more frequent topic of discussion at security conferences.
Experts have picked apart how satellites have many of the same security problems as Earthbound devices and are vulnerable to attack.
Satellite radio systems have also been compromised by enterprising researchers, and could maybe be used to cause physical damage.
Fixing It
"I haven't named and shamed any companies today," noted Pavur.
Instead, his team is more interested in bringing the problem to light.
Over the past year, he's been in contact with several companies, making them aware of the issues.
Only one threatened to sue, "which is pretty good considering the wide-ranging, systemic nature of the research," joked Pavur.
You might think that a VPN would be the solution, but Pavur said otherwise.
Satellite ISPs, it seems, use subtle tweaks to improve performance for customers.
Using a VPN secures the traffic entirely, but blocks those tweaks and slows the connection to a crawl.
To that end, Pavur's team began developing an encryption tool called QPEP.
"The basic idea here is that individual customers can protect their data over the satellite link without sacrificing performance."
Despite that progress, Pavur left Black Hat attendees with a warning: "the next hop is unknown." You may not know if a satellite link is part of how you connect to the web, and your data may be spewed over continents.
"Having the right and ability to encrypt your own data is critical to protect against this class of attack," he concluded.
