Man
Professional
- Messages
- 3,085
- Reaction score
- 623
- Points
- 113
NATO DVB Streams Intercepted (2002)
Hackers have been demonstrating hacks into civilian and military satellite communications for years , but their security remains poor. At the latest Black Hat 2020 conference, Oxford student James Pavur demonstrated what satellite traffic is currently on the airwaves and what private information can be extracted from it.
For several years, Pavur listened to signals from 18 Internet satellites from European territory. The recipients of the information are individuals, ships and aircraft in an area of about 100 million square kilometers from the United States to China and India. Equipment for setting up such a station costs about $300:
Here are some examples of what interesting things were discovered:
- A Chinese airliner receiving unencrypted navigation and flight data. The traffic was on the same connection that passengers used to send email and surf the web, raising the possibility of passenger hacking.
- A system administrator logged into a wind turbine control system in southern France, intercepting a session cookie for authentication.
- An Egyptian oil tanker was intercepted reporting a generator malfunction as it entered a Tunisian port. Not only did the transmission reveal that the ship would be out of action for a month, the hacker also obtained the name and passport number of the engineer assigned to fix the problem.
- A cruise ship transmitting sensitive information about its Windows local network, including login information to an LDAP database.
- Email from a lawyer in Spain to his client about an upcoming case.
- Account reset password for accessing the network of the Greek billionaire's yacht.
During his research, Pavur collected more than 4 terabytes of data from 18 satellites. He also analyzed new protocols such as Generic Stream Encapsulation and complex modulations including APSK. Although the nature of the attack has not changed in more than 15 years, there are still many vulnerable satellite streams that are exposed and analyzed when intercepting traffic.
The attack mechanism is as follows. Using publicly available information showing the location of a geostationary satellite, the hacker points an antenna at it and then scans the Ku-band of the radio spectrum until a signal is detected hiding in a large amount of interference. At this point, a PCIe card is turned on to interpret the signal and record it as a regular TV signal. The recorded binary files are scanned for type strings httpand corresponding standard software interfaces to identify internet traffic.
The setup allows interception of almost all transmissions from the ISP to the user via satellite, but tracking signals in the opposite direction is much more difficult. As a result, we only see the content of HTTP sites viewed by the user, or unencrypted emails, but not requests GETor sent passwords.
Using HTTPS solves most problems, but DNS requests are not encrypted, and in most cases it is still possible to deanonymize the client.
At first, Pavur studied "marine" traffic transmitted to ships.
But then he turned his attention to aviation, where a lot of interesting things also happen. In particular, the specific flight number and its coordinates are transmitted in service messages from the onboard computer.
The information is transmitted over the same channel as the entertainment traffic of passengers, that is, the separation of service and user traffic occurs somewhere at the software level.
The researcher draws special attention to the advantage of a hacker when hijacking TCP sessions, since he has packets that have not yet reached the client. In theory, you could impersonate an aircraft or ship that a ground station is communicating with, sending the provider metadata that clients use to authenticate themselves — reporting incorrect locations or fuel levels, false HVAC readings, or other fake sensitive data. This spoofing could be used to launch a DoS attack on a ship or plane.
In essence, to a hacker, satellites, ships, and planes are just computers sending data over an open channel.
Source
