Unencrypted Satellite IP Traffic Is A Widespread Problem

Satellite links contain a surprising amount of unencrypted traffic – and perhaps even more surprising is the fact that the researchers who discovered that unencrypted traffic did it using about $650 of consumer-grade equipment.

In a paper published this week, researchers from the University of California San Diego and the University of Maryland College Park detailed their efforts to scan the geosynchronous (GEO) satellite links that provide IP backhaul to remote critical infrastructure, telecom, government, military, and commercial users.

“We perform the first broad scan of IP traffic on 39 GEO satellites across 25 distinct longitudes with 411 transponders using consumer-grade equipment,” said the paper authored by UCSD’s Wenyi Morty Zhang and other researchers.

“We found 50% of GEO links contained cleartext IP traffic,” they said, noting that “while link-layer encryption has been standard practice in satellite TV for decades, IP links typically lacked encryption at both the link and network layers.”

The unencrypted satellite traffic the researchers observed included cellular backhaul from major service providers (with cleartext call and text contents), job scheduling and industrial control system (ICS) data for utility infrastructure, military asset tracking, inventory management for global retail chains, and in-flight Wi-Fi.

Google’s Vinoth Deivasigamani shared the researchers’ work in a LinkedIn post and noted, “While it is important to work on futuristic threats such as Quantum cryptanalysis, backdoors in standardized cryptographic protocols, etc. – the unfortunate reality is that the vast majority of real-world attacks happen because basic protection is not enabled. Let’s not take our eyes off the basics.”

First Widespread Study of Satellite IP Traffic Security

GEO satellites have been the main means of delivering reliable high-speed communication to remote sites for decades, the researchers said. There are 590 GEO satellites orbiting the planet and thousands of GEO network links, they said. Each satellite may carry traffic for dozens of networks on its transponders, covering a diameter of “thousands of kilometers” or as much as a third of the Earth’s surface.

“Unfortunately, GEO satellites have been shown to be particularly susceptible to interception attacks,” they said. Enthusiasts readily share open databases of satellite coordinates and transponders, “and the popularity of satellite television has given rise to high-quality free software for finding and decoding GEO satellite signals.”

The researchers’ goal was to “demonstrate the feasibility of an attacker whose goal is to observe satellite traffic visible from their position by passively scanning as many GEO transmissions from a single vantage point on Earth as possible. This form of widescale interception has previously been assumed to only be feasible with state actor-grade equipment and software.”

They said their research demonstrates that “a low-resource attacker” using low-cost commercial off-the-shelf (COTS) equipment “can reliably intercept and decode hundreds of links from a single vantage point.”

“[W]hile content scrambling is standard for satellite TV, it is surprisingly unlikely to be used for private networks using GEO satellite to backhaul IP network traffic from remote areas,” they said. “Our study provides concrete evidence that network-layer encryption protocols like IPSec are far from standard on internal networks, unlike on the Internet where TLS is default, a finding that has been until now essentially impossible for external researchers to legally measure.”

Satellite Data Study Raises Security, Privacy Concerns

The researchers detailed a range of findings, from the exposure of consumer data to military communications.

In cellular networks, satellite backhaul is commonly used to connect remote cell towers to the core network, transmitting control plane and user data like voice calls, SMS, and Internet traffic, they said. They found unencrypted cellular backhaul traffic “from multiple telecommunications providers with multiple tower connections per provider.”

They observed unencrypted (DNS, ICMP, SIP, SNMP) and encrypted (IPSec and TLSv1.2) traffic from “sea vessels owned by the US military.”
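The distinction the researchers draw above (cleartext DNS, ICMP, SIP and SNMP beside IPsec and TLS on the same link) is the check an operator would want to run against their own satellite-backhauled traffic. The following Python is an added example, not the researchers’ tooling or code from the article: it classifies IPv4 packets as cleartext or encrypted by protocol number, well-known ports and the TLS record header, and reports the cleartext share. The packet builders, port table and the six sample packets are constructed for this example; real input would be packets recovered from a capture after DVB-S2/GSE reassembly. Note the caveat in the code that IPsec AH authenticates without encrypting, so it is counted as cleartext.

```python
"""Audit helper (hypothetical): classify raw IPv4 packets from a satellite
link as cleartext or encrypted and report the cleartext share."""
import socket
import struct

ICMP, TCP, UDP, ESP, AH = 1, 6, 17, 50, 51
# Well-known ports for protocols the paper saw in cleartext (assumed table).
CLEARTEXT_PORTS = {53: "DNS", 5060: "SIP", 161: "SNMP", 162: "SNMP-trap"}
SIP_TOKENS = (b"INVITE ", b"REGISTER ", b"OPTIONS ", b"BYE ", b"SIP/2.0")


def build_ipv4(proto, src, dst, payload):
    """Construct a minimal IPv4 packet (20-byte header, no options)."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                         64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return header + payload


def udp(sport, dport, data):
    """Construct a UDP datagram (checksum left zero; not validated here)."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def tcp(sport, dport, data):
    """Construct a TCP segment with a 20-byte header, flags PSH|ACK."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + data


def classify(pkt):
    """Return (label, encrypted) for one IPv4 packet; encrypted is True, False
    or None (could not tell)."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return ("non-IPv4", None)
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    l4 = pkt[ihl:]
    if proto == ESP:
        return ("IPsec-ESP", True)
    if proto == AH:
        # AH provides integrity only; the payload rides in the clear.
        return ("IPsec-AH", False)
    if proto == ICMP:
        return ("ICMP", False)
    if proto in (TCP, UDP) and len(l4) >= 8:
        sport, dport = struct.unpack("!HH", l4[:4])
        if proto == UDP:
            data = l4[8:]
        else:
            data = l4[(l4[12] >> 4) * 4:]
        # TLS record header: content type 0x14-0x17, version 3.x (x <= 4).
        if proto == TCP and len(data) >= 3 and 0x14 <= data[0] <= 0x17 \
                and data[1] == 3 and data[2] <= 4:
            return ("TLS", True)
        label = CLEARTEXT_PORTS.get(dport) or CLEARTEXT_PORTS.get(sport)
        if label:
            return (label, False)
        if data.startswith(SIP_TOKENS):
            return ("SIP", False)   # SIP on a non-standard port
        return ("other-%s" % ("TCP" if proto == TCP else "UDP"), None)
    return ("proto-%d" % proto, None)


def summarize(packets):
    """Tally labels and compute the share of classifiable packets in cleartext."""
    counts, cleartext, encrypted = {}, 0, 0
    for pkt in packets:
        label, enc = classify(pkt)
        counts[label] = counts.get(label, 0) + 1
        if enc is True:
            encrypted += 1
        elif enc is False:
            cleartext += 1
    total = cleartext + encrypted
    return {"counts": counts, "cleartext": cleartext, "encrypted": encrypted,
            "cleartext_share": cleartext / total if total else 0.0}


# Constructed sample link: four cleartext packets, one ESP, one TLS.
SAMPLE_LINK = [
    build_ipv4(UDP, "10.1.1.10", "10.1.1.1", udp(5060, 5060, b"INVITE sip:bob@example.net SIP/2.0\r\n")),
    build_ipv4(UDP, "10.1.1.10", "10.1.1.1", udp(40000, 53, b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00")),
    build_ipv4(UDP, "10.1.1.10", "10.1.1.1", udp(40001, 161, b"\x30\x0b\x02\x01\x00\x04\x06public")),
    build_ipv4(ICMP, "10.1.1.10", "10.1.1.1", b"\x08\x00\xf7\xff\x00\x00\x00\x00"),
    build_ipv4(ESP, "10.1.1.10", "10.1.1.1", b"\x00\x00\x10\x01\x00\x00\x00\x05" + b"\xaa" * 16),
    build_ipv4(TCP, "10.1.1.10", "10.1.1.1", tcp(51000, 443, b"\x17\x03\x03\x00\x20" + b"\x55" * 32)),
]

if __name__ == "__main__":
    print(summarize(SAMPLE_LINK))
```

The summary treats packets it cannot classify as neither, so the cleartext share is a lower bound on exposure rather than an exact figure; the paper’s headline number is per link, which you get by grouping packets by source and destination before calling summarize.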

They detailed a 10-month disclosure process alerting organizations ranging from major cellular carriers and the U.S. military to financial companies, with more to come. “Pending ongoing disclosure, a future version of this document will contain further details on other unencrypted infrastructure and industrial data we observed, including utilities, maritime vessels, and offshore oil and gas platforms,” they said.

“There is a clear mismatch between how satellite customers expect data to be secured and how it is secured in practice; the severity of the vulnerabilities we discovered has certainly revised our own threat models for communications,” the researchers said. “Cell phone traffic is carefully encrypted at the radio layer between phone and tower to protect it against local eavesdroppers; it is shocking to discover that these private conversations were then broadcast to large portions of the continent, and that these security issues were not limited to isolated mistakes.

“Similarly, there has been a concerted effort over the past decade or two to encrypt web traffic because of widespread concern about government eavesdropping through tapping fiber-optic cables or placing equipment in Internet exchange points; it is also shocking to discover that this traffic may simply be broadcast to a continent-sized satellite footprint.”
