Security vulnerabilities in satellite broadband communications could allow cyber attackers to intercept unencrypted web traffic using nothing more than a few hundred dollars’ worth of home television equipment.
By exploiting the vulnerabilities, it’s possible for an attacker to spy on sensitive communications from thousands of miles away, with virtually no risk of being detected.
A cybersecurity researcher at Oxford University has demonstrated how they were able to do this and intercept real traffic from targets ranging from ships to law firms to Internet of Things providers across half the globe – all from a fixed point in the UK.
James Pavur, a PhD candidate in the Department of Computer Science, revealed his research at the Black Hat USA virtual conference after previously disclosing his findings to the affected parties in order to help them improve security.
Organisations transmitting information via satellite broadband connections – something that’s useful in areas where fixed internet connections might be slow or non-existent – could get their traffic sniffed, potentially putting usernames and passwords into the hands of attackers, as well as the ability to track sensitive information about individuals or corporations.
One reason this is possible is that data transferred across satellite broadband links by ISPs isn’t encrypted, because that’s the fastest way to transmit it over vast distances. But that also leaves it vulnerable.
“Geostationary orbit is so far away that it takes a long time to send signals up there, so you end up with really high latency,” Pavur told ZDNet. “ISPs alter your traffic to optimise it and make it go faster over satellite – they can listen to your traffic and then strategically change it to make your experience better.”
Pavur discovered he was able to intercept traffic using a $90 satellite dish and a $200 digital video broadcasting satellite tuner – both available second hand online.
All it took was identifying where a satellite in geostationary orbit was positioned – information which is available online – pointing the satellite dish towards it, and setting some freely available signal-recording software to record the data being transmitted. From there, it’s possible to examine the recording for internet traffic by searching for anything using HTTP.
“It doesn’t take much skill to do this. At a higher level it’d take more skill and spending on equipment – but attackers don’t need perfect, they just need to find some sensitive information or one password from a target. Getting good enough data can be done with tools which are already available,” Pavur explained.
Whether an attack finds anything could come down to luck on the part of the attacker, but if they discovered information being transmitted by a large organisation, it could be highly lucrative.
Information observed during the research included details about maritime shipping, such as the identities and contents of vessels, the operating systems they use, and personal information on crews on shore leave, which had to be transmitted in advance of docking.
Pavur was also able to uncover private information of people ranging from the captain of a billionaire’s yacht to people using airplane Wi-Fi, as well as sensitive information being transmitted by a law firm. None of this information was specifically sought out, but it was available by exploiting vulnerabilities in satellite communications.
While it would be difficult to use this technique to target a specific organisation, it wouldn’t be impossible, especially if there’s information in the public sphere about the technology being actively used.
“If I were to look up an airline and see they’ve installed these particular antennas for their in-flight service, it’s a pretty short step from there to see what satellites it has a license to speak with or what services providers are offering that service. And I can be pretty sure what satellites are connected to the airline. At a very broad level you can target corporations,” Pavur explained.
When information from corporate networks could be sniffed, it was often because the company hadn’t configured its connection with firewalls or encryption properly, especially over internal networks.
This has become more of an issue this year as more organisations have been forced to resort to remote working and what used to be internal systems are now facing the outside world – and often the data transmitted isn’t encrypted.
“When we were looking at these networks, we often found ourselves behind the corporate firewall and what we found is that corporations don’t always understand their networks,” said Pavur.
“So we found a lot of corporations were treating the satellite environment like it was inside their offices, when in reality it was being broadcast over entire continents.”
None of the satellite manufacturers, ISPs or organisations whose traffic was sniffed have been publicly named for security reasons – but having detailed what he found to them, Pavur hopes that security is improved as satellite communications become more widely used.
“We’re at an inflection point where we can design satellite networks for good performance and to be secure. I think that consciously including security in the design of these networks is a lesson the satellite industry can take,” said Pavur.
While on the ground, organisations could also think about where their traffic goes – and how they can secure it.
“For companies, the lesson is to understand once you send a packet on the internet, you don’t know how it’ll get to the destination. You know where it’ll eventually end up, but any number of people on the way can look at that packet. So you need to consider the security of that so that you can feel more confident,” Pavur said.
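An added example, not part of the original article or of Pavur's research: one way an organisation could audit its own egress for the problem described above, flagging TCP flows that leave over the satellite link without TLS or SSH and rating internal-to-internal traffic highest. The interface name sat0, the Flow record layout and the sample flows are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Flow:
    dst: str            # destination IP address
    dport: int          # destination TCP port
    egress: str         # outbound interface name
    first_bytes: bytes  # first client-to-server payload bytes

SAT_LINKS = {"sat0"}  # assumption: interfaces routed over the satellite link
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"HEAD ",
                b"DELETE ", b"OPTIONS ", b"PATCH ")

def classify(payload: bytes) -> str:
    """Label a TCP stream from its first payload bytes."""
    if len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03:
        return "tls"              # TLS handshake record header
    if payload.startswith(b"SSH-"):
        return "ssh"              # SSH identification string
    if payload.startswith(HTTP_METHODS):
        return "http-cleartext"
    return "unidentified"         # not recognisably encrypted

def audit(flows):
    """Return (dst, dport, label, severity) for unprotected satellite flows."""
    findings = []
    for f in flows:
        if f.egress not in SAT_LINKS:
            continue              # terrestrial paths are out of scope here
        label = classify(f.first_bytes)
        if label in ("tls", "ssh"):
            continue
        # Internal destinations mean "office LAN" traffic is being broadcast.
        internal = any(ipaddress.ip_address(f.dst) in n for n in RFC1918)
        findings.append((f.dst, f.dport, label, "high" if internal else "medium"))
    return findings

# Constructed sample flows (documentation and private address ranges only).
SAMPLE_FLOWS = [
    Flow("10.9.0.5", 80, "sat0", b"GET /status HTTP/1.1\r\n"),
    Flow("203.0.113.10", 443, "sat0", b"\x16\x03\x01\x02\x00\x01"),
    Flow("198.51.100.7", 21, "sat0", b"USER anonymous\r\n"),
    Flow("10.9.0.5", 80, "eth0", b"GET /status HTTP/1.1\r\n"),
]

if __name__ == "__main__":
    for row in audit(SAMPLE_FLOWS):
        print(row)
```

Flows labelled unidentified are not necessarily cleartext; they are the ones to inspect by hand or to move inside a VPN tunnel terminated before the satellite modem.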