
Exploring Radio Frequency Attacks in Outer Space


Formal Metadata

Title
Exploring Radio Frequency Attacks in Outer Space
Series title
Number of parts
85
Author
Contributors
License
CC Attribution 3.0 Unported:
You may use, modify, and copy, distribute and make publicly available the work or content, in unchanged or modified form, for any legal purpose, provided that you credit the author/rights holder in the manner they have specified.
Identifiers
Publisher
Year of publication
Language

Content Metadata

Subject area
Genre
Abstract
Satellite designs are myriad as stars in the sky, but one common denominator across all modern missions is their dependency on long-distance radio links. In this briefing, we will turn a hacker’s eye towards the signals that are the lifeblood of space missions. We’ll learn how both state and non-state actors can, and have, executed physical-layer attacks on satellite communications systems and what their motivations have been for causing such disruption. Building on this foundation, we’ll present modern evolutions of these attack strategies which can threaten next-generation space missions. From jamming, to spoofing, to signal hijacking, we’ll see how radio links represent a key attack surface for space platforms and how technological developments make these attacks ever more accessible and affordable. We’ll simulate strategies attackers may use to cause disruption in key space communications links and even model attacks which may undermine critical safety controls involved in rocket launches. The presentation will conclude with a discussion of strategies which can defend against many of these attacks. While this talk includes technical components, it is intended to be accessible to all audiences and does not assume any prior background in radio communications, astrodynamics, or aerospace engineering. The hope is to provide a launchpad for researchers across the security community to contribute to protecting critical infrastructure in space and beyond.
Transcript: English (automatically generated)
James Pavur is here to talk about satellite hacking. Thanks for coming. Hi everyone, I'm James Pavur. I work with the Directorate for Digital Services, which is part of the Pentagon's new Chief Digital and AI Office.
I do all kinds of weird things there, from like rapid response software engineering to cybersecurity stuff to policy stuff, depending on what matters to the country on any given day. But today, what I want to talk about has been an interest of mine for a long time, and that is satellite cybersecurity, and in particular, how we protect the radio links
we use to talk to satellites. In this talk, we'll kind of go over why satellite cybersecurity is becoming so important. We'll look at the history of satellite radio exploitation, which has been going on for decades. We'll develop two new threat models, one that looks at using radio attacks against rocket launches, and one that looks at using radio attacks to hijack other people's satellites
and transmit your own messages. And then we'll conclude by talking about how people like you in the audience might contribute to future research in this area. So satellite cybersecurity has been in the limelight lately. Many of you have probably heard of KA-SAT, which is a satellite over Europe operated by the company Viasat.
And in February, more or less concurrent with Russia's invasion of Ukraine, there was a cyber attack on Viasat's network. It caused a disruption first in modems located within Ukraine, but it quickly spread to thousands of modems across the continent of Europe and affected not just those modems,
but the systems which rely on those modems. Most notably, about 5,000 wind turbines in Germany were disrupted and lost access to critical weather and operational data for a pretty long time. Now, the Viasat attack was not a radio jamming attack like we'll be talking about today, but it does tell us some interesting stuff for kind of positioning this talk
and why space security is important. Viasat is a commercial space company. They sell internet services to governments, but also to many civilians, many wind turbines, many people who just need to browse the internet. And we see how satellites with this inherently dual use nature are becoming increasingly popular targets for adversaries,
both at wartime and in peace, and we see why that can be bad. It can affect people who are unrelated to a conflict as kind of spillover collateral damage. And space security is a domain where that spillover risk is very, very high, and so securing these systems is very important. When you're in geostationary Earth orbit,
you can't see the silly lines that people draw on maps. You see a third of the Earth's surface at any given time. And so when we think about how we protect satellites, simply passing a law in your country that is like you're not allowed to hack satellites is meaningless because that satellite radio signal is accessible from just across the border. A satellite in the Earth orbit will cross over dozens of countries every single day,
and so technical controls to make it harder to attack these systems are really important to develop. One way to think about how to protect the future of space missions is to take a look at the past. It turns out satellite hacking has been going on for a very long time. I recently published a paper
that looks at about 100 different satellite cybersecurity incidents, and everyone from big nation-state players like the Soviet Union and the United States to individuals who just wanted fame and notoriety have played the satellite hacking game. And one trend I picked out is that overwhelmingly, people target the radio link for satellites.
This makes a lot of intuitive sense, right, because satellites are often very custom, very bespoke pieces of hardware. They work in kind of weird ways, and as an attacker, you may not know how the space platform works, but radio waves follow some very basic physical principles. There are only so many communication protocols used to transmit radio signals,
and so it's a very common target for attackers to hit satellites. In recent years, we've seen an increase in attacks like the one with Viasat, targeting satellite ground stations. Also makes a lot of sense. Satellite ground stations are becoming more like commercial IT systems that are just plugged into antennas that talk to satellites, and so they're more exploitable. My guess is that middle line, the satellite payload, so the thing in orbit,
will end up getting many more attacks this decade than in previous decades, as those also become more commodity IT. But regardless, the bread and butter of space hacking has been, and I think will continue to be, radio-based attacks. The first radio-based attack I found was in the 1970s. There was a dispute between the Soviet Union
and the United States over, the Soviet Union asserted that the US was transmitting what's basically propaganda into Soviet territory from US satellites, and they said that they had a sovereign right to jam these illegal radio signals on someone else's satellite. They weren't the first country to assert or execute this right. There are many countries who view satellite jamming
as an acceptable form of information control, and it's a big policy debate that's still happening today in terms of when is it appropriate to interfere with radio signals from satellites, because they are those inherently internationally visible objects. I think one of the biggest space security developments, though, wasn't in the sphere of big nation states. It was actually an individual,
a guy going by the pseudonym Captain Midnight, transmitted this image to thousands of viewers of HBO satellite television one night. He was protesting recent changes in HBO's subscriber model, and what's interesting about this attack is that it was just a guy. He was a satellite radio enthusiast, but he certainly wasn't a nation state,
and he didn't just jam the radio signal. He actually hijacked it and transmitted his own message. Within a matter of months, Congress had passed specific legislation making this activity, interfering with satellite radio signals, a felony punishable by up to 25 years in prison. So one, don't try this at home, kids,
but two, I think it's really important to see how big of a move this was in terms of threat modeling. From Captain Midnight to today, there are too many incidents to list, but there are a couple ones that I think are worth highlighting. We see increased activity from non-state actor groups. So for example, Falun Gong, which is kind of a religious and protest movement in China,
heavily persecuted by the Chinese Communist Party, hijacked a satellite TV signal to broadcast a message out during prime viewing hours about their movement. This is something that lots of non-state actor groups do, whether they be terrorists sending threats or activist movements trying to get a message out to an audience they otherwise can't reach. We're seeing more non-state activity in the space radio interference game.
On kind of the smaller scale of things, there was also a really interesting incident in 2009 where a number of Brazilian truckers were arrested for hijacking a US military satellite transponder and using it as basically a long-range cell service. So FleetSat 8 was a military-operated satellite, and these ham radio enthusiasts were basically using it
to transmit messages to each other across the Amazon. What's interesting here is that these individuals were not incredibly well-resourced hackers. They weren't like space people. Their primary job was trucker. Their secondary enthusiasm was for ham radio, and they were still able to engage in these attacks.
One final incident I think is worth mentioning is in 2018, Norway and Finland accused Russia of interfering with GPS signals during some NATO war exercises from a base in the Arctic. And we'll talk about GPS interference today. It's actually not that technically hard of an attack to pull off. But I think what's interesting is that this was not
a precursor to an invasion of Norway by Russia. This was something done during a time of un-peace or relative peace just as a form of harassment. And as we think about securing space assets, this idea that countries may mess with each other's space assets during times of peace I think is particularly concerning and a good motivator for why we need space cybersecurity now.
So how do these kinds of jamming attacks happen? What's the basic principle of interfering with satellite radio signals? We start with an antenna. This is a piece of metal. It's of a certain size and a certain shape. And you apply electrical pulses to the antenna and it generates an electromagnetic wave, which is basically a thing in the universe
that emanates out from the antenna. And that wave has a particular shape, a particular pattern in which it modulates. And that pattern is dictated by how you apply those electrical pulses to the stick of metal that is your antenna. Now, when you look at this electromagnetic wave on a receiving antenna, you can apply some math to this shape
and you can basically convert the information that's encoded in the stream back to the pulses that were used to generate it. And you can say all of the pulses that fall into this quadrant of the graph are the number one, all the ones that fall into this quadrant of the graph are the number zero. And that's the core idea of digital signal processing.
It's taking something physical in the world and converting it into kind of a symbol space that can be used to communicate information between computers. Now, when a jammer gets involved, what ends up happening is this math operates not just on the legitimate wave that's being sent, but kind of a summation of both the legitimate wave plus an illegitimate wave on a very similar frequency.
And so when you sum these waves together and they're carrying different messages, you no longer have that nice, neat constellation of symbols that map to specific sections on a graph. So now you don't know what's a zero and what's a one, your information is corrupted and can no longer be received. And this is just a physical fact of the way radios work, so it's very hard to get around.
Even more interestingly, if our attacker has a lot of power, if their jammer is really, really strong, they can actually engage in a hijacking attack. When you add their malicious signal to the very weak legitimate signal, the legitimate signal is basically background noise and you end up with a nice, neat constellation again, but with the wrong information.
So this is how something like the Captain Midnight attack is possible. So what's special about satellites in the context of radio jamming? What makes it a particularly interesting area to think about jamming attacks? I think one of the most important numbers in satellite radio communications is something called free space path loss.
And it's expressed by this formula here. It's basically how much weaker a radio signal gets the further away from a transmitter you are. And you don't have to worry about the numbers, but it's a square of the distance is the important thing. So every step further from the antenna you go, the signal gets much, much weaker. This makes sense if you kind of think of a radio wave
as a sphere that emanates out from an antenna and the surface area of that sphere will have the same amount of energy on it. But as the sphere gets further and further away, it inflates like a balloon and eventually dissipates into the universe. And so as the balloon inflates, you get less and less energy hitting your antenna and that drops off really dramatically.
So this concept of free space path loss is why attacks like this are possible. So this is a news article from 2016 when Pokémon Go was really popular about people who were using software-defined radios to spoof their GPS signals and cheat at the game and basically appear in different continents and stuff. And if you aren't super familiar with radio jamming,
this might not make any sense to you, right? Like a GPS satellite is a billion dollar government project. It's gotta have a great, powerful, really high-end transmitter. Software-defined radio is like 200 bucks off the shelf. So how can you win out? And if we plug in the numbers to that free space path loss equation, we can start to see why. So the signal that comes from a GPS satellite is really weak
by the time it travels all 20,000 kilometers from MEO to the Earth's surface to the antenna on your cell phone. Meanwhile, the signal that comes from a relatively weak transmitter on your lab bench is still much stronger because it doesn't have that massive amount of time to be losing power to free space path loss.
And that's the crux of a GPS interference attack. You take advantage of physical proximity in order to be able to override GPS signals. If you have the right protocols, you can even spoof them. But fundamentally, it's just about shouting the loudest. So we've talked a little bit about GPS interference, but let's spice it up a little and think about GPS interference attacks
in a different domain. So specifically, GPS interference attacks in space and looking at kind of specifically rocket launches and what happens if a rocket doesn't know where it is because of GPS interference. So this image here is from the European Space Agency's Vega mission,
which is a fairly typical rocket launch, but it does have one interesting thing, which is that it's not launching just one satellite. There are dozens of satellites that are sharing the cost of this ride to space. And they come from entities who don't necessarily know each other or trust each other. They don't have any relationship prior to the launch. This particular mission carried everything
from an asset belonging to a Russian Nuclear Physics Institute to Israeli tech startup to the Air Force of Thailand on a shared journey towards the stars. And in our threat model today, we're going to imagine that one of these entities is malicious. They put a CubeSat, a small satellite onto this rocket that is designed to try to disrupt the mission
by causing GPS interference that makes the rocket not know where it is. Turns out, you can't just walk up to Elon Musk with a block of C4 and say, please attach this to your rocket. I promise I won't blow it up. There are safety controls on rocket launches that try to make CubeSats and secondary payloads
not threaten the overall mission. In the US, the dominating documents for this are something called the CubeSat Design Specification, which dictates how CubeSats and small satellites should look and behave, and the Air Force Space Manual, which dictates kind of how rocket launches should behave and how secondary payloads should keep them safe. And if we dig into these documents,
the situation looks quite grim for our attacker, our radio jammer. There are all kinds of very sensible rules that get in the way of radio jamming. Stuff like CubeSats aren't allowed to turn on while they're attached to the launch vehicle. They have to have these little switches that are pressed down and keep them turned off. Or when you separate from the launch vehicle, you have to wait 45 minutes in low Earth orbit
before you can start transmitting radio signals. But what's interesting about these rules, if we delve into them, is that the way they're enforced is often just a matter of paperwork. Nobody's checking each other's CubeSats to be sure they comply. The person who built the CubeSat either contracts out or conducts themselves a day-in-the-life test
where they kind of pretend the launch is happening and record what occurred, and they sign a form saying that the CubeSat behaves like it's supposed to. This works great when everyone shares the same goals of having a safe rocket launch, but it doesn't necessarily hold up quite so well when someone is either deceptive or deceived in how their CubeSat behaves, if it behaves differently on orbit.
What we're gonna do today is try to break some of these rules and then see how far a notional CubeSat, a very small, inexpensive satellite, can get in terms of GPS interference in low Earth orbit, so after the rocket has launched. During the launch period, our CubeSat is gonna behave just like it's supposed to.
It's gonna be turned off. It's gonna look like a fairly regular CubeSat. It's not gonna do anything while we're attached to the rocket, but the moment we separate from the launch vehicle, so when we're in orbit, we're gonna start misbehaving. We're gonna start to transmit radio signals 45 minutes before we're supposed to, and these radio signals are going to be designed to overlap with GPS signals,
so they're gonna target the specific frequency that comes from GPS satellites. Now, why would someone want to do this sort of thing? It turns out rockets are super dangerous, and if they stray from their flight path, you can either hurt a lot of people on the ground or accidentally start World War III, and so there are very low tolerances
for rockets that misbehave. Traditionally, there's actually a guy on the ground called a range safety officer who has a big red button, and if the rocket's telemetry says that it's going off of its path, they can press that button and trigger what's called a flight termination sequence. The rocket will self-destruct, the goal being to burn up before it hits the ground. Now, what's changing these days is we're starting
to move towards these devices called AFTSs, autonomous flight termination systems, and they use sensor data from the launch vehicle, specifically GPS inputs and accelerometer data, in order to make that fly/no-fly decision in real time, and they can trigger a flight termination without a human in the loop.
This is really, really great if you lose communications with your rocket and still need to terminate the mission, but it means that if you can't trust the sensor data coming into your AFTS because it might be vulnerable to an attack, then there are all kinds of risks to the overall safety of the mission. So, in order to understand if a CubeSat could mess with this sensor data, we have to model a couple of things.
First, we have to model the motion of the CubeSat, so I did this using an astrodynamics tool called FreeFlyer, and it turns out it's a very low-tech process. You basically have these tubes called P-PODs, which are attached to the launch vehicle. They have a spring on one end and a door on the other, and at some point in the mission, the door opens, and the spring just kind of gently yeets the CubeSat out into space, and it just drifts away
from the rocket at a fairly low speed, which means that you've got this really long window of time when you've got a proximity advantage. You've got that free space path loss advantage, and you're kind of hanging out close to the rocket. If we take those numbers and then plug them in to some basic models, like free space path loss,
how strong we'd expect a radio signal to be from an antenna on the CubeSat, we can get a sense of what a jammer might theoretically be able to get into an antenna on the rocket that it's separated from, and so that's what I did here. You've got this dotted line at the top, which is what the GPS signal would be if there was no interference going on, and then the curved lines,
the further down the graph they are, the more disruption there is to GPS communications. If we map these models from the simulation to the characteristics of high-end GPS receivers today, we can get a sense of what this means. The green zone is where the GPS reception would be basically perfect.
You wouldn't have any dilution of precision. You'd know where the rocket was. The yellow zone is where you start to have issues, and then the red zone is where you have serious degradation in GPS performance and may not be able to determine the location of the rocket. Now, this isn't to say that it's easy to launch a CubeSat and blow up a rocket. I think there's a lot of operational challenges in actually doing that, but I think it is worth highlighting
that the radio environment, even when you're thinking about assets that are in space, is not necessarily a safe or trusted environment. Radio waves are inherently public physical phenomena, and so when you design your space missions or when you think about space hardware or rocket design, you need to keep in mind that you can't necessarily
trust radio data at face value or trust that it will be there for you when you need it. So this is an example of an attack where we mess with a signal that is coming from space to something close to the ground, but there's a different way to look at space jamming, which is to flip things around and look at signal hijacking attacks, so attacks like the Captain Midnight incident.
These are scenarios where you want to get a broadcast satellite in orbit to transmit your message instead of the message that it's supposed to be transmitting for its owner. To understand these kinds of signal hijacking attacks, it's good to have a basic understanding of how broadcast satellites work, and this applies to most broadcast satellites.
There's a bit of a shift towards more complicated devices, but most of them work like this still. You've got a ground station, which could be something that's physically constructed, a big antenna on a rooftop, or it could be like a van, like the sort of van you see following a news crew, and you point the dish on that ground station up at a satellite in orbit and transmit a message
on a specific radio frequency towards a device on the satellite, which is called a transponder, and transponders are basically these analog antenna setups, and they'll receive a frequency on one signal, or they'll receive a signal on a specific frequency, and then they'll take that signal and they'll send it out again on a different frequency
down to the customer, so it'll be over a really wide area underneath that satellite and picking up the message that's being sent. Now, the important thing to know about these transponders is that they are very, very dumb. Satellites are expensive, you don't want them to break, and many of these are basically analog devices.
If you send a message on the right frequency to a transponder in the right spot in orbit, it will dutifully relay that like a bent pipe. It just takes whatever comes in and sends whatever comes out. Now, many of you have probably figured out where this is going, right? If you are an attacker and you can send a sufficiently strong signal into that pipe,
what comes out the other side will be a combination of your very, very strong signal, and the legitimate transmitter's relatively weak signal, and you will be able to take over the message and send the broadcast that you want. So, what does enough power look like in this kind of situation?
I've gone ahead and put together a little web tool that you all can actually play with after the conference. There'll be a link at the end of the slides to model these sorts of scenarios and see kind of how power interacts with geography in space. So, we've gotten our model here. We have an attacker antenna and a defender antenna. We can control the power levels of both antennas
and their position, and then we can set up our simulation. So, we can pick a specific satellite and see how much power the two antennas could get up to that device. So, I'm gonna look at Viasat-2 first. This is a satellite in geostationary Earth orbit, so it's 30,000 kilometers away and doesn't move relative to the Earth's surface. From way up here, the attacker and defender ground station
are basically the same distance away from the satellite. So, the attacker will need a jammer that is basically as strong as a legitimate transmitter in order to overwhelm that signal and take over. And that makes sense, right? When you're really far away, the distances on the Earth's surface don't matter quite as much as just the raw power that you can pump into a signal.
If we take a look at closer satellites, though, those in low Earth orbit, things start to get a little bit more interesting. So, I'm gonna pull up a low Earth orbiting satellite here called Aqua. This is an Earth observation satellite, so it loops around the Earth every day, taking pictures for like scientific research and stuff. And we'll go ahead and look at how geography can affect jamming potential
in the context of low Earth orbit. So, I've set Aqua to kind of crest over the horizon here into the Northern Hemisphere. We're gonna take our attacker and we'll go ahead and move them up to Michigan. So, they're in a very different spot from the defender. And then we'll wait a few seconds as Aqua starts to kind of go over the horizon and make contact with the defender ground station.
And at some point, it'll come in range of the defender and the defender will be able to start transmitting legitimate radio signals to Aqua. So, I've got the attacker jammers very low now. We've got regular communications right now. And then as we turn up the jammer, we can see that at a relatively low level of jamming power,
the attacker is able to take advantage of this geographic positioning to overwhelm the legitimate signal. This is true for every satellite in low Earth orbit. The very nature of low Earth orbit means there will always be a point in time and a point in space where an attacker can have a very fundamental geographic advantage for jamming. The attacker can always build a cheaper jammer
than a defender. Now, as the satellite crests the horizon and moves away from the attacker's line of sight, they will get weaker and weaker and the defender will regain their communications advantage. But I think it's at least interesting to note how the geography of low Earth orbit in particular creates these interesting opportunities for jamming attacks. This tool is open source.
You all can play around with it. It's built on some really neat JavaScript libraries. You can model all kinds of different satellites and time periods. So you can look at orbits over multiple weeks or you can pick other objects like the space station, for example, or a Starlink satellite and just get an intuitive feel for how geography interacts with when jammers
can talk to satellites and how strong they need to be. And that's part of the equation is the power side, but there's also the protocol side, right? You need to be sure the message that you're sending over this bent pipe is meaningful to the receivers on the other side. So I've also put together a model in GNU Radio using flow graphs that can actually let you walk through the process of generating these signals.
And this is in the same Git repository that'll be at the end of the slide deck. And these are two flow graphs here. They're using an awesome out-of-tree module for DVB-S2, digital video broadcasting for satellite, which is a common protocol for satellite radio communications. The top flow graph is the legitimate transmitter. The bottom flow graph is the illegitimate one.
They're both basically the same except the message inside is different. They're transmitting different content. And then I've got this receiver model here. So we basically combine the signal from the two transmitters. We add them together in order to simulate that interference environment. And then we pass it to a DVB-S2 demodulator and receiver
and convert that back into a video feed. You could take these flow graphs and apply them to real world hardware. But for simulations, it's really nice to just be able to do it all on a computer. So in that model here, we can have the jammer at no jamming. And then we can look at the constellation diagram that we've got, and we'll see those four nice neat dots
that we would expect from this particular encoding scheme. So this means there's no jamming, there's no disruption. The signal's coming through as we want it to. If we turn on the jammer just a little bit, make it like roughly equal to the legitimate signal, we'll see that constellation has degraded. We no longer have those four symbols. We can't tell what's a one, what's a zero. And the information we're transmitting
has been broken at a physical level. If we ramp the jammer all the way up, and then we look again at the constellation diagram, we'll see those four nice neat dots again. But the idea here is that it's probably transmitting the wrong content. It's transmitting the attacker's content. So we can actually take a look at what this looks like on the receiver side, someone who has their satellite dish
pointed at this jammed environment. So I'm gonna run three simulations. The first one is with no jamming, so we'll kick that off. We'll set the jammer to zero, and we'll look at the constellation here. And it's gonna be that nice, neat, orderly constellation that we would expect from an undisturbed satellite signal.
Next, we'll go ahead and kick off a medium jamming scenario. So this is where the jammer and the transmitter will have equal levels of power. And if we look at the constellation, it will be that degraded kind of meaningless constellation. And we would assume that the receiver's going to get no useful data out of it. And then finally, I'll kick off a third scenario here
with a hijacking attempt. So we're gonna transmit the strongest signal we can. And all three of these scenarios are saving the output to some files on my machine that we'll be able to look at and actually parse out the signal that's coming through them. So this last one here, we're gonna ramp that jammer way up and then take a look at the constellation.
And we'll see the constellation is nice and neat like we'd expect, but hopefully it's carrying the wrong message. So now I'm gonna pop open a tool called TSDuck, which is a really awesome open source tool for working with MPEG transport streams, which are commonly used by satellite TV and data providers. And we'll go ahead and look at these signals and we'll try to pipe them to a video player
and see what's going on. So I'll first take a look at the scenario with no jamming and pipe the output of that process to VLC. And we'll see the legitimate video play here. So after a few seconds, we'll see this is like some public domain footage from the International Space Station. It's undisturbed. This is the video that we would expect to be sending.
Going through that whole simulated radio pipeline and coming out like this. The next scenario we're gonna look at is where the jammer has equal power to the transmitter. So I'm gonna go ahead and run that now. And what we'll see is before we turn on the jammer, we'll actually get a little bit of our legitimate video. And then once the jammer comes on, we'll start to see a bunch of error messages as it's no longer able to decode that video feed
and eventually gives up. So this is where we've canceled the signal. Finally, we'll look at the hijacking scenario. And again, we should expect to see a little bit of the legitimate feed when it comes up. But then pretty much instantaneously, the attacker signal is going to take over
and it's gonna transmit a malicious message. And the attacker has now hijacked it and they're able to transmit their own video to the people who are listening to this satellite feed. And that's the crux of satellite signal hijacking. If you shout loud enough and in the right way, people will have no choice but to hear you. And it's a very fundamental attack that's based off of kind of the physical way
these satellites operate and the way radio waves work. So where do we go from here? What's kind of the next thing to think about in terms of satellite jamming attacks? The attacks that we talked about today are very fundamental, right? They're just a matter of screaming really, really loud. They're the most basic ideas of jamming
applied maybe to a novel environment, space, but there's nothing too weird going on here. That said, there's a lot of research to be done in how you can effectively mess with satellites or other radio signals with less power. So there are sophisticated jamming techniques that involve sending pulses at specific intervals
or using a weaker transmitter that sends very specifically crafted messages in order to mess with the receiving end. And I think people here are like really interested in RF jamming attacks, spending some time thinking about what sort of sophisticated attacks can be conducted against these DVB-S satellite broadcasts could be a really fruitful area for research
and finding exploits against some space systems. On the defending side, on the side of protecting these assets, there are all kinds of unsolved questions. So there are ways we can deal with jamming. One of the most common techniques is basically frequency hopping. You shift frequencies according to some pre-agreed pattern and the jammer doesn't know which frequency to jam next. So they're always one step behind you
and you can transmit your message. There are all kinds of problems with like setting up that pre-agreed pattern that makes it difficult. And also frequency hopping maybe doesn't work in cases where the satellite is already in orbit and doesn't support that kind of behavior. So there are some questions to think about how we can upgrade our existing satellites
to maybe make those bent pipes more reliable. Is there something we can install on ground stations like the customer terminals to detect pirated broadcasts using cryptography? Is there some way we can upgrade our in-orbit satellites with these very dumb mechanical transponders in order to make them more capable of detecting and preventing these attacks? So if you're really interested in like hardware design
type stuff around radios, I think this is a fruitful area to dive into. There's also the detection and forensics side. And this matters quite a lot because satellite dishes are super directional. When you point a dish at the sky, the beam doesn't spread very far. The side lobes from your antenna don't go very far from your transmitter.
And so if a satellite is being jammed, it can be really hard to figure out who's jamming it and where they are so that you can arrest them or disrupt the jamming. And so thinking about how we might forensically detect satellite jammers and locate them and how we might increase the attribution to satellite jamming attacks. I think there's like a really high risk
that people will think they can get away with satellite radio interference without being detected. And I think there's a good chance those people are right in the status quo. And coming up with ways to make nation states face like diplomatic costs for engaging in jamming attacks or make individuals face criminal risk when they do it can be one way to really protect these systems by just deterring attackers before they even get
to the stage of messing with the satellites. And that kind of ties into the last theme here, which is talking about the policy and norms that we wanna have for space cybersecurity and space jamming. I started this talk by talking about how the Soviet Union and the United States got into a fight in the United Nations about what kind of jamming
countries are allowed to do. And these discussions are happening all the time. Questions about what acceptable behavior looks like when we're talking about treating the space environment and the radio environment and what the red lines are, what countries and individuals and businesses are allowed to do in this space. So if you have policy chops, legal chops, lobbying chops,
it's a place to apply that to and kind of think about how we set the norms for the next generation of space missions. So if I were to pick three key takeaways from this talk, I think the first is the physicality of space. Satellites are dictated by their environment
in a way that very few other information systems are designed. Satellites are constantly under attack from the sun, from temperatures, from radiation. And so when you build satellites, you make adaptations to deal with this incredibly hostile environment of outer space. And those adaptations like having very, very dumb
transponders that are super reliable in that hostile environment can lead to cybersecurity risks. And so as security researchers who are trying to find like new and weird exploits in space assets, I think starting with the physics and the kind of the physicality of space assets is a really great way to mine out interesting ideas for space exploitation.
It's also worth noting that there's nothing new about space cybersecurity. People have been doing it for decades and looking at some of these hacker heroes of the past and learning from the discoveries they made can be a really great way to think about how we can protect systems in the future. The space world is changing a lot right now.
We are launching orders of magnitude more satellites every year than we ever have before. Thousands of satellites will go up in orbit this year and next year and the year after. And the design decisions we make in building these satellites today will end up shaping what security looks like in space for decades to come.
So people like you all in the audience who care about cybersecurity, who already know that it's something that matters for space assets can have a really important voice in shaping this next generation of space missions, whether that's coming to conferences like DEF CON, going to things like the Aerospace Village, or working in the space industry, or committing to open source projects, or doing your own security research.
The next five years are probably some of the most important times for space cybersecurity, maybe ever. It's a really big moment for what space looks like for people and being someone to jump on that now is I think a really important thing to do. There's a need for people. There's someone in this audience who's better at radios than me, who's better at astrodynamics than me
and getting your voices in this discussion can go a long way towards making everyone who depends on space a bit safer. So that's basically it for me. There's a little bit of time for questions. I think if you want to shoot me an email afterwards, you can also do that. All of the resources from this talk,
so like that little web demo, the GNU Radio flow graphs, all of that are available at this Git repository, so you can check that out. If you're interested in jobs, I can think of few places that need an injection of DEF CON as badly as the Department of Defense. We work on really cool and weird systems at DDS. Hit me up if that excites you. Be happy to connect you with people.
And then check out the other space stuff. There's a really cool talk on Saturday on hijacking an old retired satellite that will take some of these principles I've done through simulations and actually make them real. And then there's tons of cool content at the Aerospace Village all weekend on space exploitation. I'm gonna stop talking now. Happy to hear any questions and hopefully you all enjoyed the brief.
Thank you.