A report on security problems in satellite Internet access systems was presented at Black Hat. The author of the report demonstrated the ability to intercept Internet traffic transmitted over satellite communication channels using a low-cost DVB receiver.
The demonstration showed that intercepting the traffic sent to the client is not difficult, although intercepting the traffic that leaves the client through the satellite poses some difficulty.
In his explanation he mentions that the client can connect to the satellite provider through asymmetric or symmetric channels:
- In the case of an asymmetric channel, the client's outgoing traffic is sent through a terrestrial provider and incoming traffic is received through the satellite.
- In symmetric channels, both incoming and outgoing traffic pass through the satellite.
Packets addressed to the client are sent from the satellite via broadcast transmission, which includes the traffic of different clients, regardless of their location.
For the exchange of data between the satellite and the provider, a focused transmission is usually used, which requires the attacker to be within several tens of kilometers of the provider's infrastructure. In addition, different frequency ranges and encoding formats are used, and analyzing them requires expensive equipment from the vendor.
But even if the provider uses the usual Ku band, the frequencies for the two directions are, as a rule, different, so intercepting both directions requires a second satellite dish and a solution to the transmission timing problem.
It had been assumed that intercepting satellite communications requires special equipment costing tens of thousands of dollars, but in fact the attack was carried out using a conventional DVB-S tuner for satellite television (TBS 6983/6903) and a parabolic antenna.
The total cost of the attack kit was approximately $300. Publicly available information on the location of the satellites was used to point the antenna at them, and a typical application for finding satellite television channels was used to detect communication channels.
The antenna was directed to the satellite and the Ku-band scanning process began.
Channels were found by identifying peaks in the RF spectrum that stood out against the background noise. After a peak was identified, the DVB card was tuned to interpret and record the signal as a conventional digital video broadcast for satellite television.
Test interceptions were used to determine the nature of the traffic and to separate Internet data from digital television (a simple search of the dump produced by the DVB card for the mask "HTTP" was used; if it was found, the channel was considered to carry Internet data).
The traffic investigation showed that none of the satellite Internet providers analyzed use encryption by default, allowing an attacker to eavesdrop on traffic without obstacles.
The move to the new GSE (Generic Stream Encapsulation) protocol for encapsulating Internet traffic and the use of sophisticated modulation schemes such as 32-D amplitude modulation and APSK (Phase Shift Keying) did not make the attack harder, while the cost of interception equipment has now dropped from $50,000 to $300.
A significant drawback of transmitting data over satellite communication channels is the very large packet delivery delay (~700 ms), which is tens of times greater than the delay for packets sent over terrestrial communication channels.
The easiest targets for attacks on satellite users are DNS, unencrypted HTTP and email traffic, which clients typically use without encryption.
For DNS, it is easy to send fake DNS responses that bind the domain to the attacker's server (an attacker can generate a false response immediately after overhearing a request in the traffic, while the real request still has to travel through the satellite provider).
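A detection check for the race described above, added here as an example and not taken from the report: a forged reply and the genuine one both answer the same query, so the client side sees two responses with the same transaction ID but different records, separated by roughly the satellite delay. The record layout, the 2-second window and all sample values are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample, not real capture data: DNS responses seen on the client
# side of the link as (time_s, client, txid, qname, answers).
SAMPLE = [
    (10.020, "10.0.0.5", 0x1A2B, "mail.example.com", ("203.0.113.66",)),
    (10.715, "10.0.0.5", 0x1A2B, "mail.example.com", ("198.51.100.10",)),
    (11.400, "10.0.0.5", 0x1A2C, "www.example.org", ("198.51.100.20",)),
    (11.402, "10.0.0.5", 0x1A2C, "www.example.org", ("198.51.100.20",)),
    (12.700, "10.0.0.7", 0x0042, "cdn.example.net", ("192.0.2.8", "192.0.2.9")),
    (12.702, "10.0.0.7", 0x0042, "cdn.example.net", ("192.0.2.9", "192.0.2.8")),
]

def find_conflicting_responses(responses, window_s=2.0):
    """Flag queries answered more than once with different record sets.

    A reply injected by someone who overheard the query arrives first; the
    genuine one follows after the satellite round trip. Both carry the same
    transaction ID and name, so a conflict inside the window is the signal.
    """
    seen = defaultdict(list)  # (client, txid, qname) -> [(time, answer set)]
    alerts = []
    for ts, client, txid, qname, answers in sorted(responses):
        key = (client, txid, qname.lower().rstrip("."))
        rrset = frozenset(answers)  # order-insensitive: reordering is benign
        for prev_ts, prev_set in seen[key]:
            if ts - prev_ts <= window_s and prev_set != rrset:
                alerts.append({
                    "client": client, "qname": key[2], "txid": txid,
                    "first": sorted(prev_set), "later": sorted(rrset),
                    "gap_ms": round((ts - prev_ts) * 1000),
                })
                break
        seen[key].append((ts, rrset))
    return alerts

if __name__ == "__main__":
    for a in find_conflicting_responses(SAMPLE):
        print(f"{a['client']} {a['qname']} txid={a['txid']:#06x}: "
              f"{a['first']} then {a['later']} after {a['gap_ms']} ms")
```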
Email traffic analysis enables the interception of confidential information. For example, you can start the password recovery process on a site and watch the traffic for the email carrying the confirmation code for the operation.
During the experiment, approximately 4 TB of data transmitted by 18 satellites was intercepted. In certain situations the configuration used did not provide reliable interception of connections because of a low signal-to-noise ratio and the receipt of incomplete packets, but the information collected was enough to know that the data was compromised.
Some examples of what was found in the intercepted data:
- Navigation information and other avionics data transmitted to the aircraft were intercepted. This information was not only transmitted without encryption, but also on the same channel with the general on-board network traffic, through which passengers send mail and browse websites.
- An exchange of information on technical problems on an Egyptian tanker was intercepted. In addition to the information that the vessel could not put to sea for about a month, it revealed the name and passport number of the engineer responsible for solving the problem.
- A Spanish lawyer sent a letter to the client with details of the upcoming case.