Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Whispers Among the Stars

James Pavur - DEF CON Safe Mode (posted 3 years ago)
  • Satellites are absolutely everywhere! Are they secure? It turns out that a lot of data is being sent unencrypted over satellite broadband, for both internet and TV. In the past, plain HTTP requests were fine. But as the internet has become more complex and more heavily used, the security did not improve with it.
  • Satellite communication for internet traffic is quite odd. This is the flow:
    1. User makes a request.
    2. Request is sent to the satellite.
    3. Request is received by the satellite.
    4. No processing is done. The request is sent back down to the ground station. In reality, this is a VERY large beam that covers a large portion of the Earth.
    5. The ground station converts this to internet traffic.
    6. Ground station sends data back to the satellite.
    7. Satellite sends the data to the original location.
  • Who can read this traffic? It turns out that a cheap TV satellite dish with a card for processing the data is all you need. The researchers ended up spending about $400 on this. Using the tool EBSPro (used for finding satellite TV signals), a spectrogram shows the signals coming from satellite feeds. The card for processing the data can then be used to dump the raw data from the signal; the card came with a tool called TBS Recorder. The output is raw binary data, but simply grepping for HTTP in this output shows us internet traffic! At this point, we can see private information, which is a serious security vulnerability. To make matters worse, this can be done from a different continent!
  • The two main protocols for sending information are MPEG and Generic Stream Encapsulation (GSE). GSE is more common for maritime (boats), aviation and bigger clients. Past research focused on MPEG, but this research built upon GSE. They built a tool called GSExtract that does a fuzzy search for HTTP traffic and can partially recover details with cheap equipment and bad streams.
  • What does this mean practically? None of the data for customers was encrypted by default; the researchers essentially had the same viewpoint as an internet service provider (ISP). However, things get worse with maritime and other customers: they used the satellite link for LAN communication, which would normally be behind a firewall. Items such as LDAP, email and other things are open, editable and viewable. Even with TLS, DNS is still unencrypted.
  • As an example, the authors saw a ton of information about a lawyer. They could see private emails from the lawyer to a client, and the lawyer's DNS traffic, such as lookups for PayPal. Since they know the lawyer's email address and can see the internet and DNS traffic, they could hit the reset-password link on PayPal and take over the account. Damn, even though TLS is employed on HTTP traffic, this does not mean that everything is secure!
  • Passwords to configuration operations, FTP services with the electronic chart display and information system (ECDIS), point of sale (PoS) traffic with credit cards, GSM cellular devices on airplanes... All of this passive logging is absolutely terrible when looking at the bigger picture.
  • A particularly interesting target was the aviation industry. When they started this research in 2020, everything was going well and they were viewing lots of traffic. However, the pandemic stopped flights in their tracks, meaning there was way less traffic. But there is a silver lining here: less traffic from people using Instagram gave them almost ONLY the operations of the airline or the airplane. This made it completely possible (and a rare opportunity) to see how the satellite traffic of planes actually worked. Eventually, they were able to fingerprint the service for the EFB (electronic flight bag) on airlines and several other things. Interesting flip of the script!
  • Can anything active be done? TCP session hijacking! TCP has MANY random values that normally cannot be predicted as part of the three-way handshake. Since the downlink is visible, these values can be read rather than guessed, and the traffic being sent down can be altered in some way. For instance, a website (not using HTTPS) talking to a ship could be altered to have a different response than what was expected. Even though we cannot send bad packets to the satellite itself, since we are a part of the internet, this creates a major problem.
  • How can we protect against these attacks? Simply use encryption all over the place. DNSSEC, HTTPS and all that jazz are a good solution to the problem. When this is not possible, data should be sent over an encrypted VPN connection. The authors were also building a tool called QPEP to encrypt the traffic while still keeping good performance.
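The following Python is an added example (not code from the talk or from GSExtract) tying together the GSE and "grep for HTTP" bullets with the mitigation bullet: it parses a GSE stream using the ETSI TS 102 606 header layout, unwraps IPv4/TCP PDUs and flags payloads that begin with cleartext protocol markers, which is the kind of audit you would run on a capture of your own link to confirm a VPN or QPEP actually covers everything. The sample stream, its labels and addresses are constructed, and only complete PDUs and start fragments are inspected (continuation fragments carry no protocol type).

```python
# Added example: audit a GSE (Generic Stream Encapsulation) stream for cleartext IPv4/TCP payloads.
import struct
LABEL_LEN = {0: 6, 1: 3, 2: 0, 3: 0}            # GSE LT field -> label bytes (3 = label re-use)
CLEARTEXT_MARKERS = (b"GET ", b"POST ", b"HTTP/", b"USER ", b"PASS ", b"EHLO ", b"MAIL FROM")

def parse_gse(stream: bytes):
    """Yield (protocol_type, label, pdu_bytes) for each complete or start GSE packet."""
    off = 0
    while off + 2 <= len(stream):
        b0, b1 = stream[off], stream[off + 1]
        s, e, lt = b0 >> 7, (b0 >> 6) & 1, (b0 >> 4) & 3
        length = ((b0 & 0x0F) << 8) | b1          # bytes following the 2-byte base header
        if s == 0 and e == 0 and lt == 0:         # padding: nothing more in this frame
            return
        body = stream[off + 2:off + 2 + length]
        off += 2 + length
        if s == 0:                                # continuation/end fragment: no protocol type
            continue
        pos = 3 if e == 0 else 0                  # start fragment carries Frag ID + Total Length
        proto = struct.unpack_from(">H", body, pos)[0]
        yield proto, body[pos + 2:pos + 2 + LABEL_LEN[lt]], body[pos + 2 + LABEL_LEN[lt]:]

def ipv4_tcp_payload(pkt: bytes) -> bytes:       # skip IPv4 (IHL) and TCP (data offset) headers
    if pkt[9] != 6:                               # only TCP is inspected here
        return b""
    tcp = pkt[(pkt[0] & 0x0F) * 4:]
    return tcp[(tcp[12] >> 4) * 4:]

def find_cleartext(stream: bytes):
    """Return [(label_hex, first 20 app bytes)] for IPv4 PDUs carrying a cleartext protocol."""
    hits = []
    for proto, label, pdu in parse_gse(stream):
        if proto == 0x0800:                       # IPv4
            app = ipv4_tcp_payload(pdu)
            if app.startswith(CLEARTEXT_MARKERS):
                hits.append((label.hex(), app[:20]))
    return hits

def _ipv4_tcp(payload: bytes) -> bytes:           # minimal IPv4+TCP wrapper, checksums left zero
    ip = b"\x45\x00" + struct.pack(">H", 40 + len(payload)) + b"\x00\x00\x00\x00\x40\x06\x00\x00"
    return ip + b"\x0a\x00\x00\x01\x0a\x00\x00\x02" + b"\x00\x50\x04\xd2" + b"\x00" * 8 + b"\x50\x18" + b"\x00" * 6 + payload
def _gse(proto: int, label: bytes, pdu: bytes) -> bytes:   # one complete (S=1, E=1) GSE packet
    body = struct.pack(">H", proto) + label + pdu
    return struct.pack(">H", 0xC000 | ({6: 0, 3: 1, 0: 2}[len(label)] << 12) | len(body)) + body
SAMPLE_STREAM = (                                 # constructed sample, not a real capture
    _gse(0x0800, b"\x00\x1b\x21\xaa\xbb\xcc", _ipv4_tcp(b"GET /login HTTP/1.1\r\nHost: example.test\r\n"))
    + _gse(0x0800, b"\x00\x1b\x21\xaa\xbb\xcc", _ipv4_tcp(b"\x16\x03\x01\x00\x9c\x01"))  # TLS record: not flagged
    + _gse(0x0800, b"\x01\x02\x03", _ipv4_tcp(b"USER captain\r\n")) + b"\x00\x00"        # FTP login, then padding
)
```

Running `find_cleartext(SAMPLE_STREAM)` reports the HTTP request and the FTP login by terminal label while the TLS record passes silently; extend CLEARTEXT_MARKERS (or add a UDP/DNS branch) for whatever your link carries.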