DEF CON Safe Mode - James Pavur - Whispers Among the Stars Q and A

Aug 24, 2020 08:40 · 5664 words · 27 minute read

(laughs) - Talking. Come on screen, come on. All right. And we’re live. All right. We’re here today with another speaker talking about sniffing satellite traffic, Whispers Among the Stars, and with James, Pavur? Pavur I didn’t actually. - Yeah, Pavur. - Pavur, I got it right, yeah. All right, we’ll be taking questions in the track one live Q&A. Do you want to give a quick summary of your talk for anybody that might not have gotten a chance to see your talk right off the bat? - Yeah, sure. So the quick recap of the talk is that if you use kind of simple home television equipment, you can intercept these radio waves coming off of satellites in geostationary orbit that are providing internet service. And what we found is that these internet services are often unencrypted at the internet service provider level, which means you get to see all kinds of nifty traffic.

01:12 - We looked at it from a bunch of different perspectives. So we saw traffic going to like cargo ships and oil rigs in the ocean, or to airplanes in the sky, or to like wind turbines on the ground, I mean across all of these domains, to talk kind of, delve a little deeper into what an attacker might do with that information or how they might’ve used these signals to cause harm. And then it concludes by talking about ways we can fix it by coming up with alternatives to VPNs, which tend to be very slow on a satellite connection. - Awesome. So, we do have our first question with RPTK2015, MVP question asker. In your talk, you made an active attack by impersonating a ship response.

01:50 - I assume this requires you to spoof your source address, but ingress filtering at the ISP is supposed to prevent IP spoofing. Can you please explain how you still did it? - Yeah, that’s a great question. I’m not actually sure how that happened from an ingress filtering perspective. I guess the answer would be that it looks like they weren’t filtering correctly, because we were able to spoof in one specific network. It’s worth noting though, that the vast majority of satellite networks we looked at were not trivially vulnerable to TCP session hijacking, because of the way that the sequence numbers were changed by those performance enhancing proxies I talked about in my presentation.

02:23 - So, there are only a handful of networks that were directly vulnerable, and they seemed almost designed so that each operator’s like IP address was like a direct gateway to the internet, which might be why the ISPs for the individual customers weren’t checking IP addresses for spoofing. - Fair enough, so like, if they were peering directly into the backbone of the internet, they might just trust that it’s coming from a legitimate source already or has already been filtered. - Yeah. - Okay, cool. - You know, I think Hawkeye asked one that would really fall in line with that, and it’s, you know, why do you believe that these high profile enterprise SATCOM customers haven’t adopted and implemented a simple encryption-in-transit policy to stop this kind of snooping? - So there are a couple of reasons. I think one is that, like I mentioned in the talk, VPNs are really slow and that’s what a lot of people think an encryption-in-transit policy would look like. And because of the way that VPNs interact with the internet service provider offerings, they often end up seeing this kind of false trade-off between privacy and performance.

03:25 - That said, there are a lot of these enterprise customers, and when we reached out to them with responsible disclosure, the answer would be that they had kind of tried to implement like a TLS-everywhere policy, but you’re talking about kind of massive networks, like hundreds of ships at sea. And so there are a lot of systems that are just forgotten, like legacy FTP services, or services that they think are behind some sort of firewall. And so they’re willing to accept the risk, without realizing that that risk includes a wireless eavesdropping threat. - Yeah, and some of those ships have a lot of systems that are just unknown.

03:55 - Like someone as a contractor installed them at some point and they just got lost or forgotten and are still plugged into a network in there somewhere. - Yeah, definitely. - Yeah. So, in your talk, you mentioned the performance improving proxies, and what I didn’t understand was that, that was something that would be run by the actual operator. Is that right? - Yeah so, almost always that’s the case. There’s no like technical reason a customer couldn’t bring their own performance-enhancing proxy, but generally satellite internet service providers are acting as kind of benevolent eavesdroppers on your TCP sessions. And they’re kind of messing with your TCP three-way handshake to make your traffic faster.

04:36 - And that’s just kind of part of how they see providing customers with sufficiently performant satellite internet services. - Got it. You wanna throw a question out there? - You know, I was, sorry, there, you had a lot of feedback on YouTube, and a lot of what I’m seeing though, is people going, could you do it with this? Could you do it with that? And I know you gave a bit of an outline at the beginning of your talk on how you did it. If somebody wanted to replicate this, play along with it, could you kind of give an outline, you know, from beginning down to software, what they would need to just start out with? - Yeah, definitely. So, I think the core bits that you need are some sort of satellite dish that’s capable of receiving satellite television. We researched the Ku-band, but there’s no reason you couldn’t do it in the Ka or C frequency bands as well.

05:25 - And then you need some kind of way to interpret what that dish is saying on your computer. We used this specific kind of professional-grade PCIe card, which I think the model number is on the slide deck. But you can actually get away with a bunch of like much less expensive cards. The problem with that is that you won’t be able to listen to some of the more interesting signals, which use like 32APSK modulation, and they seemed to do really poorly. There are also some USB cards. So you could do this with a laptop. You don’t have to like build out a satellite spying computer to be able to play with this stuff.

05:55 - From a software perspective, the tool that I show in the actual like little demo video is I think what I would recommend first. It’s called EBSpro and it’s designed for feed hunting. I mean, it’s really intuitive and has an interface that’s easy to use. If you’re on the Linux side, the tooling is I think significantly worse. So, it might be worth spinning up a Windows VM to do this stuff. The other big tool in this space is something called CrazyScan, which is around on some of these like satellite television feed hunting forums.

06:23 - And then once you have all of that lined up, if you’re listening to older protocols, so the MPEG-TS standard, Wireshark can actually just interpret these feeds directly. If you’re listening to newer protocols, you have to kind of parse the traffic dumps. Unfortunately, the tool I talk about in my presentation is still awaiting our chance to publish it, as we’re trying to be careful not to release an attack tool into the wild before systems are patched, but we were able to build it using the Python library called QuTiP, which is used for like parsing various protocol formats. And so it wouldn’t be that hard to kind of put together your own GSE parser. - What, do you know what the like, like the signal width is on these? Like, what grade of software-defined radio would you need to like be able to receive these signals? - That’s a great question. I actually have no idea.

07:11 - I know that on the DVB-S side of the software-defined radio community, I kind of delved into this a tiny bit, and it looks like being able to keep up with these more complicated modulation schemes is not something that your kind of standard SDR software is able to do. - Your RTL-SDR is gonna do. - Yeah, whereas these kind of like PCIe cards, I think they often use like specialized FPGAs for the signal processing, and are just better at it. - Yeah, I have two follow-ups on the previous question. One, somebody was asking, which I find funny, is if you’re using kind of like the old dish network up on your ceiling, do you need to go up there and kind of reorient it, the dish? - Yeah so that was actually a big frustration for us because it turns out that I don’t have any fine motor skills. So there were like several hours between each satellite of me, like steering at various bits of hardware on the roof. So what we ended up doing is purchasing this thing called a DiSEqC motor, which allows you to steer a satellite dish across the horizon.

08:04 - And you can actually just put in the specific location in geostationary orbit you want, and direct it that way. It increased the cost of the attack a little bit, but because we were looking at, I think, 18 satellites in total, being able to hop between them without crawling onto the roof every time was a big benefit. - I can imagine. So, the parts that you had listed in your talk were between like 300 and 400, what was the like extra cost of that automated rotor? - I don’t remember off the top of my head. I wanna say it’s around a hundred dollars. You need to be careful that you get one that correctly mounts to the dish you have, because different ones have different ways of attaching.

08:37 - So it’s a little bit less easy to just buy one off the shelf, but it’s definitely doable. - Yeah, I’ve done some ham radio stuff with aiming antennas and it’s always kind of up in the air whether it’s gonna work or not. (laughs) - Have you documented any of it, like in a blog, you know, a GitHub, whatever it is that you’re using? - Yeah, so there are two academic papers that I can put into the chat afterwards, that talk about our domain studies on terrestrial users and maritime users. And those go into a lot more detail. In particular, if you were interested in replicating the GSExtract tool, the appendix of the maritime paper goes into a lot of depth on like how we actually parse the GSE packets, and how we deal with the corruption in the signals that we were getting. - Did you have a paper associated with the avionics stuff as well, or was that just a– - No, that’s new for the hacker summer camp. So that was new stuff.

09:33 - We’re still, I think once aviation picks up a little bit more, we can get consistent data. We may try to publish something that’s a little bit more robust, but because it was kind of a toss in the air as to whether or not there would be a plane out that day, we didn’t have as much data as we wanted. - Yeah, I mean, one of my next questions was gonna be like, what does the future research look like for you? It sounds like that’s one of them. Have you got anything else, like coming down the pipe, that you wanna do with this kind of thing? - Yeah so I mean, we’re still looking at that proxy that I mentioned at the end of the paper.

10:01 - So that’s kind of going through peer review right now. It’s always hard to kind of convince academic peer reviewers that something is both simple and novel. So who knows how that’s gonna turn out in the end. But it’s on GitHub and we’re kind of working to make that something that people can hack on and use. And then I’m also interested in satellite security in general.

10:18 - I’ll be talking at the Aerospace Village tomorrow for a little bit on other threat models to satellites, around like space debris tracking. And so just generally hacking satellites is kind of my focus area. - Sounds like a whole lot of fun. I think we’re, yeah. Is there a satellite hacking village going on right now? - Yeah so the Aerospace Village is doing both aviation, like last year, and then they’ve got all kinds of new talks on satellites this year. - Yeah. I knew there was supposed to be a special event this year, but we went virtual, maybe next year. Hawkeye is asking, is there any reason you didn’t go with a parabolic antenna in your research? It seems that the gain might increase with one.

11:01 - - Yeah, I think the gain would definitely increase with one. The reason we used that Selfsat flat panel is just literally because of the shape of the area. We were trying to fit it in with a bunch of other things up there. And it was just the one that we ordered fastest. But I think that a curved dish would do better, and would be cheaper. - Cool.

11:20 - - I think, oh, I think it might have been addressed in the village, but one of the questions on YouTube was, you know, you’ve talked about how you pull down information, what is the likelihood that you could push up commands as well? And you’re starting, kind of attacking, we’re not even attacking, but just impacting what you’re seeing. - So I haven’t looked a ton at transmitting on these internet feeds, and if there’s any authentication there, in part because it’s just harder to get a license to transmit than a license to listen. That said, if you wanted to engage in like attacks against the telemetry link for the satellite, so actually steer the satellite and stuff, a lot of those communications happen in different frequency bands, in particular S band is kind of the dominant satellite telemetry band, and that would require completely different hardware and use different protocols. That said, the general threat model of like being within kind of these massive footprint areas, I think would still be relevant to think about in that context. - Cool. I know we’ve actually got a fair number of questions that we’ve backlogged. - Nice.

12:21 - - I’m sorry guys, I’m not trying to ignore your questions. Let’s see here, since this is just DVB-S or DVB-S2, why not use one of the bazillion conditional access system solutions used for video broadcast? - That’s a great question, I didn’t even, oh, so you’re talking about the like stream-wise encryption. That’s something that I talk about a little bit in one of the papers. I think these protocols are not well-designed from a cryptographic perspective at all. There have been a lot of vulnerabilities found in them, especially the proprietary ones, which seem popular probably ’cause they have a good marketing wing behind them.

13:00 - But also kind of doing a stream level encapsulation like these protocols do works great for television, where you don’t want everyone watching a proprietary video feed, but it doesn’t work well because anyone who has the keys can listen to their neighbors’ traffic. And you’ll often have one satellite transponder that’s carrying the traffic of 20, 30, 50 users. And so it decreases the threat model a lot and is a big improvement, but it doesn’t fix the underlying issues. - And you mentioned another solution that was sort of a replacement for the MPEG, which had been jury-rigged to sort of take IP traffic. Does that have like the same level of research involved in it, the same level of like vulnerabilities or something like that? I know that you’re doing like probabilistic extraction of data from it, but.

13:46 - - Yeah, so the MPEG standards that are used for sending internet these days, there’s something called Multi Protocol Encapsulation or MPE, and Ultra Lightweight Encapsulation, I think, or ULE. And we looked at both of those. Wireshark has built-in support for them, so their threat model is fairly trivial there, if you can get a good recording. What’s interesting about the MPEG context was that building your own parser is a real pain, because it’s not a format that was designed for sending data, and much less secure data. And so it’s an incredibly complicated and convoluted way of getting IP packets from one place to another. - I believe it, all of those old things that are just like, oh yeah, I’m sure we could fit this data in here somewhere. - Yeah.

- All good, correct?

14:30 - - One of the questions I saw on YouTube is, you know, you talk in your talk about how a lot of these are using, you know, old devices obviously, old operating systems. And I don’t know how much you went into the past, but what they were wanting to know is, have you seen any progression in what they’re trying to do to actually protect this data? Or has it just been the same historically? - Yeah, so there are companies out there that offer encrypted satellite internet services. It’s often something a customer has to pay extra for, or accept like significant performance degradation in the form of the VPN. One big product in this area is made by Newtec, it’s called Enhanced TCP or ETCP. There was a WikiLeaks document a few years ago that talks about how there were built-in back doors for law enforcement and intelligence agencies, which is always the risk with using kind of these proprietary standards.

15:20 - But there definitely is an initiative in parts of the industry to encrypt traffic. I think it’s just one of those things where the commercial incentives don’t align with the need for customers. - So, I just wanna, like, we briefly talked about your performance improving proxy, which you mentioned uses QUIC. Is there any potential benefit of just like using WireGuard instead? Like, is there another VPN, just like you directly compared OpenVPN? WireGuard’s supposed to, like, it’s simpler, it’s using UDP, sessions should be faster round trip. Did you look at that in comparison before you started working on your own QUIC proxy? - That’s a great question.

16:00 - So we didn’t test WireGuard specifically, although I would point out that the GitHub repository linked at the end of the talk for QPEP is actually a general-purpose, like, Docker testbed, where you could easily install whatever VPN you want and simulate the satellite link. That said, I think that a UDP-based VPN like WireGuard will still hide the TCP 3-way handshake, and so also send those ACK messages across the satellite link. And so it might be a little bit faster in like starting the VPN session, but the encapsulated traffic is still gonna be hidden from the ISP, and so they can’t optimize it correctly. So you really need to split out the TCP sessions on the ground first, which most VPNs don’t do, because it’d be a little silly.

16:39 - - Right, fair, and WireGuard is designed so that they specifically can’t see those TCP sessions or what’s inside. - Right. - So, kind of changing space, changing pace, sorry, talking and reading at the same time. (laughs) Have you looked into like Starlink? I know it’s a pretty hot topic that’s going on right now. See if they are actively using any kind of encryption or anything else like that? - So, I haven’t tested anything related to Starlink yet, although that’s definitely, you talked about like areas I’d be interested in in the future. That’s definitely an exciting topic. Starlink is in low earth orbit, which does change the dynamics a lot, because the satellites are closer, you don’t have the same problems with the TCP 3-way handshake, which means that using a VPN is generally viable because the latency is much lower.

17:28 - Although certain conditions can change that, and if you have to make a lot of hops across the constellation. So I think that it would be easier for SpaceX to implement an encrypted service than it would be for some of these geostationary providers; whether or not they do that remains to be seen. - Fair enough, and like the receiving traffic, it’s like, because they’re in low earth orbit, they’re gonna have a much smaller footprint. - Yeah, that’s a great point. Like the Iridium low earth orbit constellation, each of the satellites passes across the horizon in like seven minutes.

17:58 - So the area that an attacker can be in is still too large, right. It’s dozens of miles, hundreds of miles, but it’s nowhere near comparable to a different continent. - Were you looking at, like, Iridium satellites as like your test bed? Like you didn’t mention, naturally, which satellites were involved. - Yeah so we didn’t look at Iridium ’cause it’s a low earth orbiting constellation. We made the decision not to name specific satellite operators. - Fair, fair.

18:23 - - For, I feel like, legal reasons, but they were geostationary providers of Europe. - Yeah. I’ve always found the Iridium satellites, like the story behind the Iridium satellites, super interesting. Like it’s just like a fascinating evolution out of Motorola. - Yeah. - Yeah. - I was wondering, like, as the, you know, I guess end result, if I’m up in an airplane or on a cruise ship and I decide to pay for internet and I’m getting things like text messages, what can I do to protect that data? Is something like a VPN enough to impact my protection? - So the text message case, I think you’re kind of in a bad spot whatever you do, because that’s over the femtocells, and you don’t have a ton of control over what their backend looks like. But for emails and stuff, so many people, more people than ever should be, are using just insecure POP email inboxes, and leaking deeply sensitive stuff over the feeds.

19:18 - And I think, just generally using like TLS for visiting websites, or POP3 with TLS for checking your inbox, is a huge step up for protection. And then if you’re willing to take it a bit slower and have that latency problem, any VPN will be better than having someone spy on your traffic, in my opinion. - I think this is gonna be the first year in DEF CON’s history, since the Wall of Sheep started, that they did not get plaintext POP or IMAP credentials. And that’s only because they’re not capturing traffic. (laughs) People attending this conference should know at least that much. - Yeah.

19:56 - (laughs) - Making a lot of assumptions here. - Yeah, I dunno. I feel like if you’re going to a security convention, you could at least not use POP. (laughs) - That’s a good start. - Yeah. - Is there anything else that we haven’t brought up, like, that you might wanna talk about specifically? Anything that you might’ve left out of your talk, ’cause it got cut for time, that you’re interested in, anything like that? - There’s not too much left. I think that like one thing that, so one thing that I kind of highlighted in the talk, but ends up not happening, is that GSExtract is not in our GitHub repository yet. But it’s still something I’m aware of and trying to get out there for people who are interested in checking it out.

20:42 - And so that’s definitely something that I hope will be out soon. Other than that though, I think that the general idea of the talk is pretty straightforward, right? It’s that unencrypted traffic, wherever you put it, should be encrypted instead. And satellites are especially frightening in this case because of the way that their signal properties are. But really, wherever you’re using the internet, you don’t know who’s listening, and so encrypting end to end, and being sure that you understand kind of how that works under the hood, can go a really long way towards helping with privacy. - That’s great. I know you mentioned one of the attacks, of using the downlink of the satellites as a way to like exfiltrate data.

21:27 - And I know that there was one particular attack in history that made use of this, and it was like somewhere in Africa, and they figured out that someone was just driving a truck around collecting that data. Do you know anything about the target? It’s been a year since I remember anything about that. - Yeah, so I think it was by Turla group, which is a Russian state-affiliated, well, depending on who you ask, state-affiliated advanced persistent threat group. And yeah, they seem to have been using these satellite hops to make traffic just disappear over the internet.

21:55 - And I think that’s a really intuitive threat model because all you have to do is be able to send a packet to the right IP address, and you don’t have to have any software on the place that you’re sending it. - Really, really sneaky. So, I can’t think of any more questions. If anyone is out there watching the stream and is interested in asking more questions, we’re still here for a couple more minutes. - Yep, my email is also at the end of the slide deck. I’m happy to answer any questions there too, or on Discord or wherever. - Yeah, do you have any additional, like, resources you can share with us that we can just drop into track one, anything that people might be interested in for the resources? - Yeah, definitely, I’ll share links to those academic papers.

22:38 - There’s also a pre-print paper talking about the proxy that hasn’t been published yet, but is generally the idea of what we’re trying to get published. And so if anyone has ideas to contribute to that GitHub repository, or has noticed the mistakes that I’ve made, ’cause I’m not a network programmer, feel free to pop up an issue on GitHub. - That’s great. RPTK2015 says, how did you get to this project? Like what was your path to get here? - Yeah, so it was all those earlier talks from, so there was research in 2005, which was kind of academic. And then there were two talks at Black Hat D.C. in 2009 and 2010.

23:17 - And I was just fascinated by that as something that could be done, and seeing what’s changed was really the starting off point. And then, it started out as literally just a summer mini project. It was supposed to be six weeks, but we found so much information in those six weeks that I’ve sort of pivoted my PhD research around satellite communications. And everywhere we look, it just gets more and more fascinating, and honestly worse and worse. (laughs) - Fair enough. - You know, here between us, just between friends, can you tell us what was the most interesting piece of traffic that you kind of stumbled across? - Oh, that’s so hard.

23:51 - I mean, it’s really a different definition of interesting, right? Like I forget if I mentioned this in my briefing or not, but for example, there were two friends, like one guy was on a plane and one guy was on the ground, just like chatting about some wild dream they had where this guy’s like mom popped up in a burning building and started trying to feed him. And like, so you get all this like real, you know, it’s real people who were affected. And then like I mentioned, being able to track this billionaire’s yacht, right. And that’s kind of a different world, to know what the people in the yacht are eating for lunch that day, based off of the like web APIs that they’re using to manage their food system. And so, it’s just a different world of security problems.

24:27 - I don’t think being able to listen to the internet is something a hacker expects to get from any perspective. And the fact that it’s so inexpensive and easy in a satellite world is, I think, especially concerning. - Yeah but definitely, like, yeah. Not great. We do have someone calling out that this is one of the coolest talks that they’ve gotten to see. - I’m flattered. - Yeah. It was a really good talk and I’m definitely glad that I got to do this Q&A session with you. - It was fun research to do, so, I get it.

25:03 - - Have you talked to any of the, I know there’s some projects for like reviving old satellites and talking with them. Have you talked with those guys at all? Like, they might have like additional knowledge about like talking to satellites or different research projects that you might be interested in doing. - No, I haven’t done that, but it is a very, very related field, right? - Yeah. - Because to some extent, reverse engineering a satellite that you can’t touch is the same as exploiting one. In a lot of the cases it’s really understanding the systems.

25:34 - It’s the entirety of the security properties. And so yeah, that’s definitely a fascinating area I’d want to explore. - Yeah, I do know that they’ve also gotten special permission to do a bunch of transmissions to satellites as part of the revival stuff. So yeah, they did a talk, I wanna say two years ago, about McMoon’s, which was their headquarters for satellite communications. - That’s awesome. - Yeah. Some people are making references to DOCSIS work from earlier DEF CONs. I don’t know if that’s necessarily related, ’cause DOCSIS is a cable protocol. - Yeah, I don’t know anything about it.

26:19 - So if it is related, I completely missed it, but, definitely something for someone else to contribute. - And The Geek is asking about GNU Radio and SDR again, which you did briefly cover, but so. - Yeah, I think it’s possible. I think it’s just a little bit harder. These things are pre-made and just easier to use, and so widely available. But it’s easier to just pick up a satellite, you know, yourself. - Yeah. Makes sense. - I think you’re getting high compliments from Mav there, talking about how this feels very much like, you know, the old Alexis Park content, so, oh, people are loving this. - Yeah. - I’m really flattered, yeah. It was cool stuff to do.

27:03 - It was a little frightening at times, but really enjoyable research. And I think space is a place people haven’t done a lot of exploring. I mean, there obviously are other people before me, but I think there’s a lot of low-hanging fruit for people who are interested in kind of reliving the days when hacking was maybe not easy, but terrifying. (laughs) - Well done. - All right, we’re approaching the end of the session. Any final shout-outs or anything you want to do before we sign off? - One other thing I might hit on, as I mentioned, Electronic Flight Bag in the talk, as kind of an interesting component of the aviation stuff.

27:43 - I didn’t know it at the time when I was recording the talk, but there are actually two Village Talks on Electronic Flight Bags. One happened yesterday by Matt Gaffney, and I thought it was really cool. And then there’s one tonight by David Robinson. So if you’re interested in kind of the aviation side and what it might mean to hack an EFB, I definitely recommend checking those out. I know I will be. - That’s awesome. And I think that at least the vast majority of our Village Talks are also being recorded and put on YouTube.

28:11 - I don’t know specifically if that village is. It’s an opt-in, opt-out kind of thing, so it was up to everyone. But it may already be available on YouTube, the one yesterday may already be available on YouTube for people if they want to go watch it as well. Okay. Well, thank you very much for joining us for the Q&A session. Thank you for making such great content for DEF CON. Thank you for being a part of our virtual experience. - Thanks, it was great. Great talking to you all. - All right.