Don’t Look Up: Sensitive internal links in the clear on GEO satellites [pdf]
Not even WPA or WEP. Just clear across the sky. And this is terrestrial.
My bet is that in space there would be a noticeable increase in heat/energy if they did encryption by default. But it's still incredible to see them pretend like space is impossible to get to, ultimate obscurity.
The reason security is so bad everywhere is that nobody gets fired when there's a breach. It's just blamed on the hackers and everyone just goes on with life singing "We take security very seriously--this happened because of someone else!"
nobody gets fired when there's a breach
this must mean the consequences of such a breach has either not produced any visible damage, or the entity being damaged is uncaring (or have no power to care).
Imagine jailing doctors for every patient that died you would be out of doctors quite soon.
Eg. doctors do get sued and fired for malpractice, if they did something no other skilled doctor would reasonably do ("let's just use the instruments from the previous surgery").
- Oops! Mistakenly left some instrument inside and sewed up the patient
- Junior begging to do a certain step of the surgery while the anesthesiologist is asking them to just get a move on.
- Administered a drug to a newborn baby which was supposed to be given to the mother. (My sister's colleague did this with no consequences)
Instead we're constantly asked to sign one-sided contracts ("EULAs") which forbid us from suing. If a company's incompetence results in my data being leaked on the internet, there's no consequences. And not a thing any of us can do about it.
The disadvantage of this is that the local data protection agencies haven't been handing out very big fines. Sometimes that's due to company law. In my country you'd fine the owning company, which in many cases will be a holding company. Since fine sizes are linked to revenue and a holding company typically has no revenue, this means fines are often ridiculously small.
this must mean the consequences of such a breach has either not produced any visible damage
Yeah, let's say you were carrying unencrypted frames for Bill's Burger Hut.
The largest extent of the damage might be sniffing some SMTP credentials or something. Bill sends some spam messages, never figures out how it was done, but their IP reputation is always in the toilet.
Let's then say instead of Bill's Burger Hut, you are carrying traffic for critical mineral and food industries. The attacker isn't a scammer, but a hostile nation state. The customer never realises, but there's a large, long-term financial cost because (TOTALLY NOT CHINA) is sharing this data with competitors of yours overseas, or preparing to drop your pants in a huge way for foreign policy reasons.
No one gets fired until after the worst case long term damage, and even then probably not.
In fact, the likely outcome is that the burden gets moved to the customer for L2 encryption and the cowboy never changes.
At least here in the EU we're moving toward personal responsibility for C-levels who don't take IT and OT security seriously in critical sectors, but in my anecdotal experience that is the first time anything regarding security has actually made decision makers take it seriously. A lot of it is still just bureaucracy though. We have a DORA and NIS2 compliant piece of OT that is technically completely insecure but is compliant because we've written a detailed plan on how to make it secure.
I won't pretend that accountability in the physical engineering world is all smiles and rainbows, but at least there are actual laws dictating responsibilities, certification and other real consequences for civil engineers. When a Professional Engineer in Canada signs off (seals) on work they are legally assuming responsibility, which means the practitioner could be held accountable in the event of professional misconduct or incompetence regarding the engineering work. There is no reason but corporate greed and corruption why there isn't similar legislation in North America for cybersecurity or software engineering where you have professional bodies certify people to be legally obligated to sign off on work (and refuse work that isn't up to standards).
But this would require introducing actual legislation which god-forbid how could we do such a thing to the poor market! It would stifle their innovation at leaking everyone's data.
There's no reason we couldn't extend the same existing system of licensure[1] that professional engineers require.
Sure, maybe it's overkill for someone stringing together a Python app, but if you're engineering the handling of any actual personal information then this work ought to be overseen by qualified, licensed and accountable professionals who are backed by actual laws.
[1]https://en.wikipedia.org/w/index.php?title=Regulation_and_li...
My bet is that in space there would be a noticable increase in heat/energy if they did encryption by default.
Why would it? The data originates from earth, and should be encrypted during the uplink leg too, so the crypto should all happen in the ground segment (or even well before it reached anything that could be considered part of the satellite setup, honestly).
Practically, you'll also want to be able to reconfigure spot beam to backhaul mappings or even cross-connect some spot beams to cut satphone-to-satphone voice latency in half etc.
That's not even considering constellations like Iridium that do actual packet switching in space.
I believe that’s one of the few things that even amateur radio operators are allowed to encrypt for that reason.
However, the software performance [of wireguard] is far below the speed of wire.
Panasonic told us that enabling encryption could incur a 20–30% capacity loss. In addition, when using IPsec, ESP and IP headers can introduce 20–30 bytes of overhead, which is nontrivial for small-packet applications like VoIP and video calls
Now, management, control, etc? Yeah those you need to decode in orbit.
Flow can be just as brick not-smart as fiber optic cables under the sea
Wouldn't this still leak metadata for routing?
Anything else could be masked by metadata encryption, rotating lower layer identifiers, and cover traffic. Not sure if any actual protocols do that though.
Encryption imposes additional overhead to an already limited bandwidth, decryption hardware may exceed the power budget of remote, off-grid receivers, and satellite terminal vendors can charge additional license fees for enabling link-layer encryption. In addition, encryption makes it harder to troubleshoot network issues and can degrade the reliability of emergency services.
So, the only suggestion that there would be greater heat/energy if they did encryption by default is the part about decryption (receiver) hardware having limited power budgets in some cases. There's more than what I copy-and-pasted above, but the overall message is that lots of organizations haven't wanted to pay the direct costs of enabling encryption... although they should.
EDIT: Link to Q&A https://satcom.sysnet.ucsd.edu/#qanda
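To put the "small-packet applications like VoIP" remark in numbers, here is an added example (not code from the thread or from the paper) that computes the full per-packet cost of IPsec ESP encapsulation from the RFC 4303 layout, including IV, padding and ICV, not only the headers. The inner packet sizes (a 20-byte G.729 voice frame and a 1400-byte bulk payload) are constructed sample values.

```python
# Added example: estimate ESP (RFC 4303) encapsulation overhead per packet.
# Header and trailer sizes follow the ESP wire format; cipher parameters
# follow RFC 4106 (AES-GCM) and RFC 3602 + HMAC-SHA1-96 (AES-CBC).
# Sample packet sizes are constructed, not taken from the paper.

IPV4_HEADER = 20
UDP_HEADER = 8
RTP_HEADER = 12
ESP_SPI_SEQ = 8      # SPI (4 bytes) + sequence number (4 bytes)
ESP_TRAILER = 2      # pad length (1 byte) + next header (1 byte)

# cipher name -> (IV length, ICV length, required plaintext alignment)
CIPHERS = {
    "aes-gcm-128": (8, 16, 4),     # 8-byte IV, 16-byte tag, 4-byte alignment
    "aes-cbc-sha1": (16, 12, 16),  # 16-byte IV, 12-byte HMAC, block-aligned
}


def esp_padding(protected_len: int, align: int) -> int:
    """Padding needed so protected data + trailer hits the cipher alignment."""
    return (-(protected_len + ESP_TRAILER)) % align


def esp_packet_size(inner_len: int, cipher: str, tunnel: bool = True) -> int:
    """On-the-wire size of an inner IPv4 packet of inner_len bytes after ESP."""
    iv, icv, align = CIPHERS[cipher]
    # Tunnel mode protects the whole inner IP packet behind a new outer
    # IP header; transport mode reuses the inner IP header as the outer one
    # and only protects the transport payload (UDP/RTP/voice here).
    protected = inner_len if tunnel else inner_len - IPV4_HEADER
    pad = esp_padding(protected, align)
    return IPV4_HEADER + ESP_SPI_SEQ + iv + protected + pad + ESP_TRAILER + icv


def overhead_ratio(inner_len: int, cipher: str, tunnel: bool = True) -> float:
    """Fractional bandwidth increase caused by ESP for this packet size."""
    return esp_packet_size(inner_len, cipher, tunnel) / inner_len - 1


def voip_vs_bulk(cipher: str = "aes-gcm-128") -> dict:
    """Compare a 20 ms G.729 voice packet with a 1400-byte bulk payload."""
    voice_inner = IPV4_HEADER + UDP_HEADER + RTP_HEADER + 20   # 60 bytes
    bulk_inner = IPV4_HEADER + UDP_HEADER + 1400               # 1428 bytes
    return {
        "voip_tunnel": overhead_ratio(voice_inner, cipher),
        "voip_transport": overhead_ratio(voice_inner, cipher, tunnel=False),
        "bulk_tunnel": overhead_ratio(bulk_inner, cipher),
    }


if __name__ == "__main__":
    for name, ratio in voip_vs_bulk().items():
        print(f"{name:15s} +{ratio:6.1%}")
```

The same 56-byte tunnel-mode fixed cost is under 4% on the bulk packet but nearly doubles the 60-byte voice packet, which is the asymmetry the paper's VoIP remark is pointing at.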
The same could have easily been mandated for satellite links - no encryption, your packet won't get forwarded to the internet at the ground station, and any packets sent to you from the internet will be sent to you encrypted. And all this can be implemented without needing to touch the satellite itself, which will continue to forward what it sees as unencrypted traffic without any design changes. It could even have been implemented incrementally on existing running services, with old and new equipment working side-by-side, but all new ground stations required to support encryption, and with a sunset date for old equipment, and a rolling upgrade program.
DOCSIS got this right in 1999; the satellite industry has had 25 years to catch up.
- T-Mobile backhaul: Users' SMS, voice call contents and internet traffic content in plain text.
- AT&T Mexico cellular backhaul: Raw user internet traffic
- TelMex VOIP on satellite backhaul: Plaintext voice calls
- U.S. military: SIP traffic exposing ship names
- Mexico government and military: Unencrypted intra-government traffic
- Walmart Mexico: Unencrypted corporate emails, plaintext credentials to inventory management systems, inventory records transferred and updated using FTP
This is insane!
While it is important to work on futuristic threats such as Quantum cryptanalysis, backdoors in standardized cryptographic protocols, etc. - the unfortunate reality is that the vast majority of real-world attacks happen because basic protection is not enabled. Good reminder not take our eyes off the basics.
URIs leak company secrets. I'm sure there's some people at Google using Edge who are leaking company data to Microsoft. I'm sure there's some people at Microsoft using Chrome who are leaking data to Google.
Edge and Chrome both send back every URI you visit to "improve search results" or to "sync history across devices". It's not clear if this includes private mode traffic or not (they don't say).
Huge privacy hole to allow this, and nobody seems to be aware or care.
there's some people at Google using Edge
I'd be surprised if it's more than a handful of people with explicit exceptions for work-related tasks. Chrome is the norm.
For that to be in any way useful for those companies (as a means to spy on their competitors), they'd have to be actively looking into the information to derive intelligence. Not really practical without some serious engineering, which would leave tons of evidence. It's not worth it. That's just not how these companies operate.
Was thinking about this as well. What evidence would it realistically leave? I mean - they are sending the URIs by default so no client side reverse engineering is needed. They say plainly they are doing this.
Yes, it's a lot of traffic.
IP spaces are well known. Easy to filter for corporate traffic. From there, it's a smorgasbord of internal URIs to dig through - anything with no domain name, or host.(companyname).com traffic. Also easy.
Maybe this ends up in a big data lake queryable by certain groups, but not anyone likely to spill the beans. NDA covers you there. This is not New York Times level corporate subterfuge. It's almost certainly not legal - and this is the important thing - the regulators haven't had the gumption to prosecute anti-competitive behavior in earnest since the 70's or earlier. What Microsoft went through in the 90's in retrospect was antitrust litigation with kid gloves on.
This armchair analyst sees no downside to such practices. Risk, but so little it doesn't matter.
Sure, insiders could spill the beans and violate their NDA's, but who the fuck is going to do more than levy a slap on the wrist for something too difficult to explain to Congress in a way that gets them to care?
Now, I think if you actually put your hands on the browsing history of congressmen harvested in this way, and put it into the public domain, you're going to get a bunch of regulators to all of a sudden care about antitrust enforcement again.
They do have privacy policies which say they won't sell that data, or use it for advertising or anything other than delivering the service. But - who knows if that is true? There's no oversight. And if they get caught breaking that privacy policy, who has the appetite these days to do anything meaningful in terms of penalties? Nobody.
who knows if that is true? There's no oversight
The oversight is that those companies rely heavily on being trustworthy, and proving untrustworthy would be disastrous for their business models. Companies don't have to care right now because they have reason to believe Google, MS, et al. aren't sniffing that data. If they came to believe they were?
Google alone is making $43 billion on Cloud and would prefer not to jeopardize that revenue stream.
The reason why this does not result in a significant loss of usage is because trustworthiness-usage is not a linear function or even a continuous function -- it is a step function. To cause less usage, the loss-of-trust force has to be higher than the networking effect force. Otherwise, behavior does not change.
This is insane!
Not as insane as it was in the early 2000s…
while link-layer encryption has been standard practice in satellite TV for decades
Before Snowden, I would say 99% of ALL TCP traffic I saw on satellites was in unadulterated plain-text. Web and email mostly.
… the pipe was so fast, you could only pcap if you had a SCSI hard drive!
This is why NSA asked for (and got from SGI) a guaranteed rate I/O API - to make sure that whatever the signals intelligence platform sensors captured could be written to storage.
SMS was also a bit like this in its early days and you could read them coming off the local cell (also true of calls at a certain time, but I didn't see much of this).
I just did a quick search and apparently many pagers in the UK are still running cleartext POCSAG! https://www.reddit.com/r/RTLSDR/comments/1asnchu/are_uk_page...
Also a fun fact: For a long time it was only semi-officially known that the BND owned and operated the site. Officially it was called "Long distance telecommunications station of the Bundeswehr" and operated by the "Federal Office for Telecommunications Statistics"
Officially it has been transferred to the BND; experience suggests all data from there still goes straight back to Fort Meade… (And in exchange the BND gets some morsels back on people _they_ are not allowed to spy on publicly.)
we re-scanned with their permission and were able to verify a remedy had been deployed: T-Mobile, WalMart, and KPU.
The fact that critical infrastructure (e.g. utility companies using satellite links for remote-operated SCADA) was exposed is really scary too.
The fact that critical infrastructure (e.g. utility companies using satellite links for remote-operated SCADA) was exposed is really scary too.
Really serious security risks in critical/industrial infrastructure are ... numerous. And these aren't complex vulnerabilities, these are leaving the door open with default passwords, unencrypted traffic, and that sort of thing.
The new German ecard patient system is also trivial to hack, as shown multiple times on CCC. As long as no one goes to jail, they will continue like this.
Real-time military object telemetry with precise geolocation, identifiers, and live telemetry
Oops
Another round of OpSec training
His base satellite signal was unencrypted and a main reason he used it for this purpose. Our channel was scrambled, and only verifiable after our receiver with the decoder was connected. It was impressive seeing someone that good at their job make it look so easy, but after he explained the layman's version of orbital slots it became less magical. This is why magicians are meant to not tell you how the trick is done.
Penn and Teller play a lot with that idea, for example.
The best magic tricks tend to be the ones where knowing the secret doesn't ruin the trick, but instead changes it to a show about the skill of the performer. Nobody complains about "spoilers" at a virtuoso's concert, the joy of the performance & the skill of the performer are not ruined by knowing the music beforehand. I think the same can apply to magic, to books, to movies, etc. You can re-read a really good book, or re-watch a really good movie, and the experience won't be ruined by knowing the ending. It'll be different, but not worse. With magic the awe shifts from "how is that possible?" to "how did that person manage to put in the effort to do that so well‽".
I also liked watching The Masked Magician share some behind the scenes of tricks, and even knowing how it's done doesn't make the trick any less impressive.
remarkably, nearly all the end-user consumer Internet browsing and app traffic we observed used TLS or QUIC
There was a surprising amount of resistance to the push to enable TLS everywhere on the public Internet. I'm glad it was ultimately successful.
It is to protect commercial interests, I don't think that Google cares about the NSA looking at your personal data.
Google cares a lot about protecting the personal data they get from you, so that they and no one else can get it, at least not for free.
Because let's get real, 99% of the time, why do you need encryption? The reason is commercial activity. It is really important to protect your credit card number, otherwise no one would trust e-commerce. For paid service to work, you need to authenticate, and it means encryption, no paywall means no authentication and much less need for encryption. And even with "free" services, you need encryption to protect the account that shouldn't even be required in the first place. As for general communication, my guess is that hackers and governments alike are more interested in financial data than in casual conversation.
So by pushing TLS everywhere, Google is actually pushing for a more commercial, less open web. That it helps with general privacy (except against Google itself) is just a happy accident.
I'm glad it was ultimately successful.
What are you talking about? It was an absolute failure.
As soon as we got widespread TLS adoption, Cloudflare magically came along and wooed all the nerds into handing over all the plaintext traffic to a single company.
Can someone help me understand the use of "diameter" in this sentence? I am guessing it refers to the satellite's signal coverage of the Earth's surface. If that's the case, wouldn't something like arc degrees be a better measure? I just can't figure out how "diameter" can be used to describe a coverage arc or area.
I'm going to dust off the TBS DVB-S2X card and try to find a data transponder to test the DontLookup app. https://github.com/ucsdsysnet/dontlookup
Where I live, it's almost impossible to find any interest in FTA or pirated SAT TV.
att: ham radio operator interested in satellite radio :D
My understanding is that elsewhere, there's a lot more interesting stuff FTA so a lot more people have the hardware, and the hardware itself is more generic. So there's just more opportunity for someone to get bored and discover a new hobby a few degrees to the side of their usual watering hole.
Obviously the specific examples of end-users failing to encrypt are bad, but that's not really a problem with the satellites.
I'd blame the airline or their ISP provider for sending unencrypted traffic through the air like this. Not the satellite, but its top level customer. There's a big difference, IMHO, between your ISP being able to sniff your fiber traffic, and your traffic being observable from ~30% of the globe.