Transcription
Whispers Among the Stars
Perpetrating (and Preventing) Satellite Eavesdropping Attacks
James Pavur, DPhil Student
Oxford University, Department of Computer Science
#BHUSA @BLACKHATEVENTS
Bio / Contributors
PhD Student @ Oxford University, Systems Security Lab
Title of (blank) thesis draft.tex file: Securing New Space: On Satellite Cybersecurity
Don't Work Alone:
- Daniel Moser, armasuisse / ETH Zürich
- Martin Strohmeier, armasuisse / Oxford University
- Vincent Lenders, armasuisse
- Ivan Martinovic, Oxford University
Lessons from the Past
- Ruhr-University Bochum, 2005
- Black Hat DC, 2009
- Black Hat DC, 2010
3 Domain-Focused Experiments
18 GEO Satellites
Coverage Area: 100 million km²
Whose Data?
- 9 Fortune Global 500 members
- 6 of 10 largest airlines
- 40% of the maritime cargo market
- Governmental agencies
- You?
3-Minute SATCOM Crash Course
Photo: Three Crew Members Capture Intelsat VI, NASA, 1992, Public Domain
Threat Model
Nation-State Actor Tech
Photo: Het grondstation van de NSO, Wutsje, July 2012, Wikimedia Commons, CC BY-SA 3.0
$300 of TV Equipment
- TBS-6983/6903, $200-$300 (or comparable PCIe DVB-S tuner, ideally with APSK support)
- Selfsat H30D, $90 (or any old satellite dish / LNB off Craigslist)
MPEG-TS MPE/ULE
- Legacy (but still popular) standard
- Sort of a hacked-together combination of protocols built for other purposes
- Tools exist for parsing: dvbsnoop, tsduck, TSReader
- Primary focus of related work from 2000-2010
GSE (Generic Stream Encapsulation)
- More modern, popular among enterprise "VSAT" customers
- In practice, networks assume equipment in the $25k-$100k range
[Diagram: GSE packet layout showing header, payload, start/end and fragment fields, and the frame data field]
GSExtract
- Custom tool to forensically reconstruct bad recordings
- Applies simple rules to find IP headers / place fragments
- Public Release?
[Chart: Packet Recovery Rate Using GSExtract]
[Diagram: Dish -> Tuner Card (DVB-S) -> dvbsnoop -> *.pcap -> GSExtract]
General Findings
- No default encryption
- ISP-esque vantage point
- Breach the perimeter
Terrestrial
TLS Privacy?
TLS ≠ Privacy
Top SSL Certificate Names (MPEG-TS Case Study)
!TLS ≠ Privacy
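The two slides above make one point: TLS hides payloads but still leaks which servers you talk to (the certificate names in the case study), and anything without TLS leaks everything. The following script, an added example that is not part of the talk or the authors' tooling, is the kind of self-audit a satellite customer can run over their own captured link traffic: it pulls the cleartext Server Name Indication out of a TLS ClientHello and flags well-known cleartext protocols by port. The ClientHello bytes are constructed inline as sample input, and the port table is an assumption for illustration.

```python
# Added example: audit what a passive observer of the downlink learns from your
# own traffic. TLS payloads are hidden, but the ClientHello's SNI is cleartext.
import struct

def tls_client_hello_sni(payload: bytes):
    """Return the SNI hostname from a TLS ClientHello record, or None."""
    try:
        # Record header: type(1) version(2) length(2); handshake type 0x01 follows.
        if payload[0] != 0x16 or payload[5] != 0x01:
            return None
        pos = 5 + 4 + 2 + 32          # record + handshake headers, version, random
        pos += 1 + payload[pos]       # session id
        pos += 2 + struct.unpack("!H", payload[pos:pos + 2])[0]   # cipher suites
        pos += 1 + payload[pos]       # compression methods
        end = pos + 2 + struct.unpack("!H", payload[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", payload[pos:pos + 4])
            pos += 4
            if etype == 0:            # server_name: list_len(2) type(1) len(2) name
                name_len = struct.unpack("!H", payload[pos + 3:pos + 5])[0]
                return payload[pos + 5:pos + 5 + name_len].decode("ascii", "replace")
            pos += elen
    except (IndexError, struct.error):   # truncated or non-TLS data
        pass
    return None

# Assumed illustrative mapping of ports to cleartext protocols.
CLEARTEXT_PORTS = {21: "FTP", 25: "SMTP", 80: "HTTP", 110: "POP3", 143: "IMAP"}

def classify(dst_port: int, payload: bytes) -> str:
    """Exposure verdict for the first bytes of a captured TCP segment."""
    sni = tls_client_hello_sni(payload)
    if sni:
        return f"TLS: payload hidden, hostname leaked via SNI: {sni}"
    if dst_port in CLEARTEXT_PORTS:
        return f"{CLEARTEXT_PORTS[dst_port]} in cleartext: content fully exposed"
    return "unclassified"

def build_client_hello(host: str) -> bytes:
    """Constructed minimal ClientHello carrying only an SNI extension (sample input)."""
    name = host.encode()
    sni_ext = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    exts = struct.pack("!HH", 0, len(sni_ext)) + sni_ext
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00"      # version, random, empty session id
            + b"\x00\x02\x13\x01" + b"\x01\x00"        # one cipher suite, null compression
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

if __name__ == "__main__":
    for port, seg in [(443, build_client_hello("mail.example.org")), (21, b"USER anonymous\r\n")]:
        print(port, classify(port, seg))
```

Feeding real captured segments into classify() is left to the reader; the point is that even the TLS rows name the destination host, which is exactly the "top certificate names" leakage the slides report.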
IoT & Critical Infrastructure
“admin-electro .”
Maritime
Case Study: 100 Random Ships
Art: Rodney's Fleet Taking in Prizes After the Moonlight Battle, Dominic Serres, Public Domain
10% of Vessels Identifiable
ECDIS (Electronic Chart Display and Information System)
- Standard formats support cryptographic verification
- But we observed more than 15,000 unsigned chart files in transit
- Many also use proprietary formats
Photo: Navigation system used on an oil tanker, Hervé Cozanet, Wikimedia Commons, CC BY-SA 3.0
Listening Can Be Enough
- Chart update via email
- Publicly routable FTP fileshares
General Privacy
- Captain of billionaire's yacht: MSFT account
- Crew passport data transmitted to port authorities
Aviation
Where Did the Planes Go?
Chart: Xavier Olive, Impact of COVID-19 on worldwide aviation (departing flights from European and Asian airports over time)
Annotations on the chart:
- Lots of useless nonsense (e.g. Instagram traffic)
- Almost entirely essential traffic: people who really need to travel
Crossing the "Red Line"
"A primary concern is the sharing of these SATCOM devices between different data domains, which could allow an attacker [...] to pivot from a compromised IFE to certain avionics"
The Loneliest EFB
Photo: Gulfstream Aerospace G150, Robert Frola, 2011, Flickr, GFDL
GSM @ 30,000 ft
Active Attacks?
TCP Session Hijacking
- Snoop TCP sequence numbers
- Impersonate satellite-terminal conversation endpoint
- Possibly bi-directional, but more complex
Network Requirements
- IPs must be routable to attacker
- No TCP sequence number altering proxies
Ethics and Disclosure
- Adhered to legal obligations in jurisdiction of data collection
- Data stored securely and only while needed
- Data was never shared with 3rd parties
- Encryption untouched
- Won't "name and shame"
- Followed responsible disclosure process
- Contacted satellite operators in 2019
- Reached out to some of the largest impacted customers
- Vast majority of companies were receptive
- Shared findings directly to CISOs of several large orgs
- Unclear if any changes have been made
- Only one organization threatened legal action if we published!
Thanks FBI!
Mitigations and Defenses
Why Does This Happen?
- Not 100% incompetence / ignorance
- Latency: miserable TCP experience
- ISPs fix it with "Performance Enhancing Proxies" (PEPs)
- Basically a benevolent Man-in-the-Middle attack
- Can't use traditional end-to-end VPN and PEP
[Diagram: latency of the path from satellite modem, via satellite and ground station, to the Internet]
Short-Term Fixes
- Accept VPN performance hit
- Use TLS / DNSSEC / etc.
- ISP: Alter sequence numbers in PEP
Longer-Term
[Diagram: satellite terminal and ground station with multiplexed, encrypted sessions carried across the Internet to the destination servers]
QPEP Design Principles
- Open source
- Accessible & simple
- Target individuals (not ISPs)
Contribute here: https://github.com/ssloxford/qpep
Traditional VPN Encryption (OpenVPN): 25 seconds
Encrypted PEP (QPEP): 14 seconds
Key Takeaways
- Satellite broadband traffic is vulnerable to long-range eavesdropping attacks
- Satellite customers across domains leak sensitive data over satellite links
- Performance and privacy don't need to trade off in SATCOM design
The "Next Hop" is unknown. Encrypt everything.
Questions/Ideas: james.pavur@cs.ox.ac.uk
Special thanks to a.i. solutions for offering academic access to FreeFlyer, used in our animations!