Modern satellites are becoming a collection of mass-produced computers floating in space. By the end of the decade, thousands more will be out there. But with the increasing reliance on orbital technology comes a growing appetite for hacking it.
Data relayed via satellites is not immune to hacking. James Pavur, an Oxford PhD focusing on satellite systems security, has proven the above statement to be disturbingly evident. With his team, he used $300 worth of satellite TV equipment to intercept vast amounts of information distributed along the larger part of the Northern hemisphere.
“When you’re eavesdropping on satellite internet signals, you’re effectively seeing what someone’s ISP would see. You see every website that a customer browses to, or every email that they receive for every account that they own,” Pavur told CyberNews.
Unless satellite ISP’s are willing to take on the high costs of designing their systems to use encrypted protocols, they tend to leave it up to the customers to decide if they want to choose between fast internet or secure internet,
James Pavur.
A sum of money not large enough to buy a decent smartphone allowed Pavur’s team to eavesdrop on members of the Fortune 500 list, shipping companies, airline travelers, an actual jet fighter, and people like you and me.
I sat down with James to discuss satellite safety and how service providers and space industry companies could protect against possible attacks in the future.
I have listened to your presentation at Defcon last August, where you showed pieces of intercepted data such as images sent by people aboard vessels in the middle of the ocean or business emails sent out of holiday resorts. In your opinion, what types of personal security threats are we talking about when it comes to hacking satellites?
I think that a lot of people use satellite internet connections and don’t realize it. If you’re on a cruise ship or an airplane, or in some remote village, you may accidentally be sending signals, wireless footprints, across an extensive area. The radio waves that you’re getting your internet traffic from may cover thousands or millions of square kilometers. And someone quite far away can be listening to that.
Some examples of personal communications that we saw in our research included traffic from a lawyer in Spain, who seemed to be checking his iPhone at some resort and happened to be using an unsecured email protocol to download his inbox. And we could see the actual email conversations he was having with clients about upcoming court cases.
And that’s concerning for attorney-client privilege and personal communications privacy. But I think it also raises an interesting question: whose job is it to deal with this? It’s not clear that that lawyer should have the cybersecurity expertise to know that satellites can leak their signal like that. But also, there’s obviously some harm in choosing to use an unencrypted email client, and it’s just magnified when that happens over a satellite feed.
You said before that your team used relatively cheap equipment to intercept satellite signals. Could you tell a little bit why your experiment should be concerning?
The actual equipment to pull off these kinds of interception attacks isn’t that expensive. Because of the way that the signal spectrum is licensed, the commercial incentive is to send satellite internet services at the same radio frequency that you operate satellite television services. And as a result, satellite television equipment is physically capable of receiving these signals.
You end up with problems because it’s not as reliable as custom-built satellite modems and receivers. And you end up with kind of corrupted data, but an attacker doesn’t need a perfect capture of a radio signal to start finding private information. Even if you only get half of the emails sent over a satellite network, that’s still plenty to work with as an attacker.
When you’re eavesdropping on satellite internet signals, you’re effectively seeing what someone’s ISP would see. So, you see not just one specific conversation, like an attacker who compromised some server on the internet. You see every website that a customer browses to or every email that they receive for every account that they own.
And when traffic is encrypted with the TLS certificates that you would use when you visit a website online, those certificates are still providing an attacker with a list of the websites that someone might be visiting. And at scale, personal privacy becomes much harder to maintain because you can kind of piece together this metadata.
Some companies out there I talked to were kind of aware of the fact that their signals were unencrypted but had assumed it would cost hundreds of thousands of dollars for someone to listen to you,
James Pavur.
If I understand correctly, internet service providers rarely protect signals. Why is that? I mean, with all the data protection laws taking hold, it seems rather irresponsible to leave data exposed to such a vast extent.
It depends on the satellite ISP. There are definitely service providers out there that offer encrypted services. Sometimes they will charge extra targeting those services and work with military clients. But I think that satellite ISP’s have trouble employing encryption for a couple of reasons.
They often want to optimize the traffic in their network because bandwidth is costly over satellite connections. Being able to inspect the headers and contents of packets that your customers are sending makes that much easier to do so that people feel like their internet is snappier.
In particular, because satellites are so far away, some physical characteristics are related to latency and how long it takes to send a signal up into orbit and back down. The distance the signal needs to cover makes traditional privacy tools like VPNs have the effect of making your satellite connection feel slow because they block ISPs from optimizing those links.
Unless satellite internet service providers are willing to take on the high costs of designing their systems to use encrypted protocols, they tend to leave it up to the customers to decide if they want to choose between fast internet or secure internet. Customers are just not always aware that they’re making that choice.
Do you see any national-level threats involving similar hacking techniques you’ve employed? I mean things like critical infrastructure, IoT based security systems, etc.
We definitely saw some sensitive traffic that seemed to belong to critical infrastructure. I didn’t try to actually hack into any critical infrastructure systems and see how far you could go. So there probably is, I would hope, other protections down the line, but at the very least, we saw some sensitive information.
For example, passwords for wind turbines, often sent as a clear text, especially for offshore wind facilities. And then a lot of router infrastructure that’s used to maintain these remote electrical systems. There’s also kind of the intersection between critical infrastructure and more operational technology.
For example, if we think about things like oil tankers, people use satellite feeds to communicate information to their back offices. There may be compromises there because many navigational documents are sent over satellite feeds, and unreliable navigational details could lead to all kinds of incidents in the water.
How far away do you think we are from a place in time where average scammers are capable of intercepting data transmitted via satellites?
I think it’s definitely possible for a kind of a technically knowledgeable person, but not somebody who’s ever worked with satellites before, to replicate our research. And to pull off these attacks, at the very least, there are tools for older protocols that are still used sometimes that are just publicly available online and trivial to set up if you buy the right equipment.
And it’s definitely possible for a scammer or a sufficiently motivated attacker to do that kind of thing. The question comes down to whether or not they need to. It’s still more effort than sending a phishing email to someone or trying to crack some passwords. So, scammers could use this technique, but I’m not sure they would.
Of course, as people move more of their traffic to satellite feeds, if that ends up happening, there are much greater returns on compromising those feeds.
I think that satellite companies are generally aware that the traffic they’re sending is unencrypted but aren’t necessarily aware of whether they have a legal obligation to protect that data,
James Pavur.
Is it even possible to have secure communications with standard satellite software? Can companies and governments employ some extraordinary measures to safeguard communications?
I think that satellite service providers or companies that launch satellites could do something. Often what they will do is they will license out permission to use part of their radio hardware to an ISP. So, whoever has the ultimate responsibility is a little bit confusing, and there’s a lot of passing the buck and blame game that goes on when we contact companies and say that their information is un-encrypted, and they’ll say, “oh, that’s our subsidiary whose licensing that.”
It’s definitely possible for companies, especially the newer ones who are running satellites in lower orbits. So, SpaceX’s Starlink mission, for example, could adopt things like VPN technology because, in low Earth orbit, you have less speed of light delay. Whereas these older satellite platforms that are further away have better coverage areas but are also more susceptible to encryption problems.
The further away you are from the Earth, the more area your antenna can cover. That means that an attacker who was listening to a geostationary orbit satellite that’s 30,000 kilometers away would be able to pick up a lot more signals.
And then the lower satellites will often cross the horizon in the span of like eight minutes. In that case, the attacker probably would have to be in the same general area as you, although a lot of it depends on exactly how the signals are bounced around between satellites into ground stations.
Do you think private companies consider various safety concerns that security researchers like you point out?
I think that it depends on the company. Some companies out there I talked to were kind of aware of the fact that their signals were unencrypted but had assumed it would cost hundreds of thousands of dollars for someone to listen to you. And they said, you know, nation-states aren’t the threat we’re concerned about. And so, we don’t need to encrypt this traffic.
One of the surprises was that this could be done with kind of consumer hardware at very low costs. I think that satellite companies are generally aware that the traffic they’re sending is unencrypted but aren’t necessarily aware of whether they have a legal obligation to protect that data or if that falls to their customers.
And I think that that’s probably one of the biggest points of contention for trying to improve the situation in terms of regular people, someone who’s using their phone on an airplane. I think they probably don’t even know that it’s going over satellite most of the time, much less than it would be unencrypted.
Satellite safety seems to be getting a lot more attention over the past year. How do events like Defcon’s hack-a-sat contribute to the development of the ecosystem?
The hack-a-sat was a really exciting thing to happen at Defcon. And I know from my perspective, as someone who was researching this before hack-a-sat, just the kind of public relations and media attention that it received has dramatically improved the quality of research and work done in this area.
Especially by showing people in security that there are important questions in space that they can contribute to and by showing people in the space industry that security researchers can bring benefits. In particular, the way that companies would react to us disclosing vulnerabilities before and after hack-a-sat seems much more favorable now. And there’s a little bit more acceptance in the aerospace industry of security researchers. Whereas they’ve historically been pretty skeptical.
Representatives were somewhat skeptical of the idea of having some random person with an antenna find a vulnerability and report it to them. In a technical context, websites will have bug bounty programs and some kind of interface with hackers through conferences. In contrast, aerospace is a little bit more of an insular community and is not as accustomed to getting contacts.
For example, it’s tough to find who’s the right person to talk to you at a satellite company for vulnerability disclosure. Whereas tech giants, for example, will have a web page telling you who to contact. And that difference, I think, is starting to change as events like hack-a-sat raise awareness of how security researchers can help improve these systems.
