Satellites can bring a digital signal to places where the Internet
seems like a miracle: off-the-grid desert solar farms, the Arctic or an
aircraft carrier at sea. But in beaming data to and from the world’s
most remote places, satellite Internet may also offer its signal to a
less benign recipient: any digital miscreant within thousands of miles.
In a presentation at the Black Hat security conference in Arlington,
Va., Tuesday, Spanish cybersecurity researcher Leonardo Nve presented a
variety of tricks for gaining access to and exploiting satellite
Internet connections. Using less than $75 in tools, Nve, a researcher
with security firm S21Sec, says that he can intercept Digital Video
Broadcast (DVB) signals to get free high-speed Internet. And while
that’s not a particularly new trick–hackers have long been able to
intercept satellite TV or other sky-borne signals–Nve also went a step
further, describing how he was able to use satellite signals to
anonymize his Internet connection, gain access to private networks and
even intercept satellite Internet users’ requests for Web pages and
replace them with spoofed sites.
“What’s interesting about this is that it’s very, very easy,” says
Nve. “Anyone can do it: phishers or Chinese hackers–it’s like a very
big Wi-Fi network that’s easy to access.”
In a penetration test on a client’s network, Nve used a Skystar 2 PCI
satellite receiver card, a piece of hardware that can be bought on
eBay for $30 or less, along with open source Linux DVB software
applications and the network data analysis or “sniffing” tool Wireshark.
Exploiting that signal, Nve says he was able to impersonate any user
connecting to the Internet via satellite, effectively creating a
high-speed, untraceable anonymous Internet connection that can be
used for nefarious online activities.
Nve also reversed the trick, impersonating Web sites that a satellite
user is attempting to visit by intercepting a Domain Name System (DNS)
request–a request for an Internet service provider (ISP) to convert a
spelled-out Web site name into the numerical IP address where it’s
stored–and sending back an answer faster than the ISP. That allows him
to replace a Web site that a user navigates to directly with a site of
his choosing, creating the potential for undetectable cybercrime sites
that steal passwords or install malicious software.
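A race like this leaves a trace when both answers reach the client: the same DNS query is answered twice, with different addresses. The sketch below is an added example for defenders, not code from Nve's talk; it parses raw DNS responses and flags such conflicts. The function names, the 2-second window and the sample packets (documentation-range addresses) are assumptions constructed for illustration.

```python
import struct

def read_name(pkt, off):  # returns (name, offset just past the name)
    labels = []
    while True:
        n = pkt[off]
        if n == 0 or n & 0xC0 == 0xC0:  # root label or compression pointer
            return ".".join(labels), off + (1 if n == 0 else 2)
        labels.append(pkt[off + 1:off + 1 + n].decode("ascii").lower())
        off += 1 + n

def parse_response(pkt):
    """Return (txid, qname, sorted tuple of A-record IPs) from raw DNS bytes."""
    txid, _flags, _qd, ancount, _ns, _ar = struct.unpack("!6H", pkt[:12])
    qname, off = read_name(pkt, 12)
    off += 4                              # skip QTYPE and QCLASS
    ips = []
    for _ in range(ancount):
        _, off = read_name(pkt, off)      # owner name of this answer
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        if rtype == 1 and rdlen == 4:     # A record: 4-byte IPv4 address
            ips.append(".".join(map(str, pkt[off + 10:off + 14])))
        off += 10 + rdlen
    return txid, qname, tuple(sorted(ips))

def find_conflicts(events, window=2.0):
    """Flag a query answered twice within `window` seconds with different IPs."""
    seen, alerts = {}, []
    for ts, client, pkt in sorted(events, key=lambda e: e[0]):
        txid, qname, ips = parse_response(pkt)
        key = (client, txid, qname)
        first = seen.get(key)
        if first is None or ts - first[0] > window:
            seen[key] = (ts, ips)         # first answer seen for this query
        elif first[1] != ips:             # second answer disagrees with first
            alerts.append((qname, client, first[1], ips))
    return alerts

def build(txid, name, ip):  # constructs a one-answer response (sample data only)
    q = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\0"
    ans = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes(map(int, ip.split(".")))
    return struct.pack("!6H", txid, 0x8180, 1, 1, 0, 0) + q + struct.pack("!HH", 1, 1) + ans

SAMPLE = [  # constructed capture: (seconds, client, response bytes)
    (0.010, "198.51.100.7", build(0x1A2B, "www.example.com", "203.0.113.66")),
    (0.310, "198.51.100.7", build(0x1A2B, "www.example.com", "192.0.2.10")),
    (0.400, "198.51.100.7", build(0x2222, "mail.example.com", "192.0.2.25")),
    (0.401, "198.51.100.7", build(0x2222, "mail.example.com", "192.0.2.25")),
]
```

An identical retransmitted answer (the mail.example.com pair) is not flagged; only a second answer that disagrees with the first is. The check depends on the sensor seeing both responses, and it does not replace authenticating the answers themselves.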
In his tests on the client’s network, Nve says he was also able to
hijack signals using GRE or TCP protocols that enterprises use to
communicate between PCs and servers or between offices, using the
connections to gain access to a corporation or government agency’s local
area network.
The Barcelona-based researcher tested his methods on geosynchronous
satellites aimed at Europe, Africa and South America. But he says
there’s little doubt that the same tricks would work on satellites
facing North America or anywhere else.
What makes his attacks possible, Nve says, is that DVB signals are
usually left unencrypted. That lack of simple security, he says, stems
from the logistical and legal complications of scrambling the signal,
which might make it harder to share data among companies or agencies
and–given that a satellite signal covers many countries–could run into
red tape surrounding international use of cryptography. “Each [country]
can have its own law for crypto,” says Nve. “It’s easier not to have
encryption at the DVB layer.”
Nve isn’t the first to show the vulnerability of supposedly secure
satellite connections. John Walker, a British satellite enthusiast, told
the BBC in 2002 that he could watch unencrypted NATO video feeds from
surveillance sorties in the Balkans. And the same lack of encryption
allowed insurgents to hack into the video feed of unmanned U.S. drone
planes scouting Afghanistan, the Wall Street Journal reported in December.
In fact, the techniques that Nve demonstrated are probably known to
other satellite hackers but never publicized, says Jim Geovedi, a
satellite security researcher and consultant with the firm Bellua in
Indonesia. He compares satellite hacking to early phone hacking or
“phreaking,” a practice that’s not well protected against but performed
by only a small number of people worldwide. “This satellite hacking
thing is still considered blackbox knowledge,” he wrote in an e-mail to
Forbes. “I believe there are many people out there who conduct similar
research. They may have some cool tricks but have kept them secret for
ages.”
At last year’s Black Hat D.C. conference, British cybersecurity
researcher Adam Laurie demonstrated how he intercepts satellite signals
with techniques similar to Nve’s, using a DreamBox satellite receiver and
Wireshark. But Nve argues that his method is far cheaper–Laurie’s
DreamBox setup cost around $750–and that he’s the first to demonstrate
satellite signal hijacking rather than mere interception.
“I’m not just talking about watching TV,” says Nve. “I’m talking about doing some very scary things.”