Flawed Satellite Internet to Compromise Plane and Ship Safety
Satellite broadband services have applications in various sectors- Aviation, marine, and terrestrial, from domestic to commercial. Discrepancies in the security of the systems have been identified earlier. With time, the systems advanced, but they are often unencrypted and vulnerable to eavesdropping attacks by anybody sitting anywhere using remote access. The high cost of equipment has acted as a barrier for threat actors to create problems for a long time. But James Pavur, a Ph.D. student at Oxford, recently found a threat model that leaves the satellite systems exposed to eavesdropping attacks.
In a briefing delivered by Pavur at Blackhat.com, he talks about the threat model across three domains: land, air, and sea. The experiment reveals that the attack can happen by leveraging inexpensive and widely available home television equipment at the cost of less than even $300.
The equipment used consisted of a $90 Selfsat H30D (or any old satellite dish) and a $200-$300 TBS-6983/6903 (or PCIE DVB-S tuner with APSK support). To show the practicality of the attacks, GSExtract, a purpose-built forensic tool that enables the extraction of IP traffic from highly corrupted VSAT data streams, is used to achieve the results.
A GEO satellite has a vast footprint on the earth, due to which signals are not targeted to specific user-terminals. As a result, an attacker monitoring GEO broadcasts can passively eavesdrop on traffic belonging to an entire continent of satellite customers.
ECDIS (Electronic Charts Display and Information System) platforms are trivially vulnerable due to information leakage over maritime VSAT networks. In its standard format, which supports cryptographic verification, more than 15000 unsigned chart files were found in transit.
For the model to work in the aviation sector, sharing the SATCOM devices between different data domains could allow an attacker to pivot from a compromised IFE to specific avionics.
TCP session hijacking
In order to attack the TCP session, the attacker snoops TCP sequence numbers. They tend to impersonate satellite – terminal conversation endpoint. Those are claimed to be possibly bi-directional but more complex. However, there are certain requirements for the hijacking to happen. The IPs must be routable to the attacker. TCP sequence numbers must not alter proxies.
Mitigation
Increased levels of awareness are one way of tackling the problem. Pavur has suggested some short term measures as:
- Accepting VPN performance hit
- Using security protocols like TLS and DNSSEC
- In ISP, the sequence number could be altered in PEP
As a long term measure, the report suggested QPEP. It is an open-source platform that is accessible and simple. Also, it does not target ISPs. Instead, it targets individuals.
Satellite Broadband Traffic is Vulnerable to Long-Range Eavesdropping Attacks, as evident from the threat model. Easily accessible tools made it possible to conduct an attack on some most critical systems and communication modules. Satellite consumers do leak sensitive information over satellite links.
Overall, privacy and performance are not required to trade-off in SATCOMs design.