The magical promise of satellite Internet service is difficult to overstate. For millions living in developing economies or rural locations, satellites offer critical access to the online world that terrestrial infrastructure has, so far, failed to provide. In industrial applications, such as maritime and aviation, satellite broadband drives myriad connectivity-dependent innovations.
As the next generation of satellite Internet takes shape, the disruptive potential of truly global connectivity continues to grow. However, ensuring that these services are reliable and secure is a prerequisite to reaping these benefits. In our recent research, we took a closer look at modern satellite broadband practice in the hopes of identifying security mistakes of the past before they become legacies for the future.
The capabilities of nation-state actors and signals intelligence (SIGINT) agencies to eavesdrop on satellite signals is widely assumed. In our research, we sought to extend this threat model and consider the capabilities of an individual, low-resourced attacker. Using simple home-television equipment costing less than USD 400, we intercepted radio emissions from two major maritime Very Small Aperture Terminal (VSAT) broadband service operators.
One of the biggest challenges with using consumer-grade equipment was the resulting poor quality of our radio recordings. In the maritime context, customers would typically deploy sophisticated VSAT systems costing tens or hundreds of thousands of dollars aboard their vessels. Simple television equipment struggled to ‘keep up’ with the complex modulation schemes employed in these networks. Historically, this has been considered a mitigating factor to the eavesdropping threat as only sophisticated and highly motivated attackers were assumed to be willing and able to procure such equipment.
However, unlike Internet customers, hackers do not require 100% reliability. Indeed, even a single packet might reveal sensitive information that can be useful to an attacker. In recognition of this, we developed a forensic tool that extracted partial IP headers and packets from otherwise deeply corrupted VSAT signal recordings.
This required making standards-violating assumptions about the underlying protocols that ignored complex edge-cases and focused on ‘low-hanging fruit’ that could be easily extracted from the captures. This allowed us to convert unusable corrupt signal recordings into valid files for analysis with traditional network tools like Wireshark. Overall, our tool was able to partially reconstruct between 50 to 70% of the packets that hit our dish, providing terabytes of usable network traffic recordings.
Delving into these recordings we found that neither maritime VSAT service provider offered over-the-air encryption. That is to say, encryption was left entirely up to the consumer. While many customers used HTTPS and similar protocols, thousands did not. Organizations leaking sensitive data over these feeds included some of the world’s largest petroleum, cargo, and cruise companies — as well as smaller yachts, fishing crews, and ferry lines.
This had direct implications for the security and privacy of maritime vessels. We identified attack vectors that would allow eavesdroppers to access sensitive information ranging from information about cargo content to passport numbers of crew members and passengers. Likewise, sensitive credentials were identified from many vessels that may have allowed for the upload of maliciously modified nautical charts or malware targeted towards critical operational technology (OT).
It is tempting to chalk these issues up to incompetence – either on the part of the Internet service provider (ISP) or the customer using insecure protocols. However, over the course of responsibly disclosing these vulnerabilities we learned that there are non-trivial technical barriers to robust encryption in these networks.
We found that individual customers were unable to use traditional end-to-end VPN tools due to substantial performance degradation. For VSAT services in Geostationary Orbit (GEO), speed of light constraints mean that connections suffer from extremely high latency (up to 700ms round-trip time). ISPs deal with this latency behind these scenes by providing optimizations to the latency-sensitive TCP three-way handshake process. However, these optimizations are impossible to conduct if the customer tunnels their TCP connections through a VPN. As a result, customers are forced to rely on piecemeal application-layer encryption or suffer poor network performance.
In recent years, there has been some effort to develop latency sensitive satellite encryption tools — generally targeted towards satellite ISPs. However, our experiments suggest these tools have failed to permeate the market. Rebalancing incentives to favour security, either through regulation or commercial strategy, may be as important as developing technical encryption protocols for these networks.
Beyond this specific case-study, there is a clear need for experimental research, which challenges security assumptions that are made based on equipment cost or attacker willpower. However, it is also important to recognize that security does not exist in a vacuum. Identifying shortcomings is an important step, but it is only the first of many. Understanding the underlying commercial and technical tradeoffs that give rise to insecure systems is key to making security research actionable.
James Pavur is a PhD Student at Oxford University’s Department of Computer Science.
The views expressed by the authors of this blog are their own and do not necessarily reflect the views of APNIC. Please note a Code of Conduct applies to this blog.