You Only Need $750 to Pilfer Unencrypted Data From Satellites, Researchers Say (gizmodo.com)
"A new study published on Monday found that communications from cellphone carriers, retailers, banks, and even militaries are being broadcast unencrypted through geostationary satellites..." reports Gizmodo. "The team obtained unencrypted internet communications from U.S. military sea vessels and even communications regarding narcotics trafficking from Mexican military and law enforcement."
Researchers from the University of California, San Diego (UCSD) and the University of Maryland scanned 39 of these satellites from a rooftop in Southern California over three years. They found that roughly half of the signals they analyzed were transmitting unencrypted data, potentially exposing everything from phone calls and military logistics to a retail chain's inventory. "There is a clear mismatch between how satellite customers expect data to be secured and how it is secured in practice," the researchers wrote in their paper titled "Don't Look Up: There Are Sensitive Internal Links in the Clear on GEO Satellites...." "They assumed that no one was ever going to check and scan all these satellites and see what was out there. That was their method of security," Aaron Schulman, a UCSD professor and co-lead of the study, told Wired....
Even more surprisingly, the researchers didn't need any fancy spy gear to collect this data. Their setup used only off-the-shelf hardware, including a $185 satellite dish, a $140 roof mount with a $195 motor, and a $230 tuner card. Altogether, the system cost roughly $750 and was installed on a university building in La Jolla, San Diego.
With their simple setup, the researchers were able to collect a wide range of communication data, including phone calls, texts, in-flight Wi-Fi data from airline passengers, and signals from electric utilities. They even obtained U.S. and Mexican military and law enforcement communications, as well as ATM transactions and corporate communications... When it came to telecoms, specifically, the team collected phone numbers, calls, and texts from customers of T-Mobile, AT&T Mexico, and Telmex... It only took the team nine hours to collect the phone numbers of over 2,700 T-Mobile users, along with some of their calls and text messages.
T-Mobile told Gizmodo the lack of encryption was "a vendor's technical misconfiguration" affecting "a limited number of cell sites" and was "not network-wide... [W]e implemented nationwide Session Initiation Protocol (SIP) encryption for all customers to further protect signaling traffic as it travels between mobile handsets and the network core, including call set up, numbers dialed and text message content. We appreciate our collaboration with the security research community, whose work helps reinforce our ongoing commitment to protecting customer data and enhances security across the industry."
Indeed, the researchers write that "Each time we discovered sensitive information in our data, we went through considerable effort to determine the responsible party, establish contact, and disclose the vulnerability. In several cases, the responsible party told us that they had deployed a remedy. For the following parties, we re-scanned with their permission and were able to verify a remedy had been deployed: T-Mobile, WalMart, and KPU."
The researchers acknowledge that exposure "was limited to a relatively small number of cell towers in specific remote areas."
Small number (Score:5, Informative)
was limited to a relatively small number of cell towers in specific remote areas
Probably Stingrays. Cell tower emulators. Since these are typically operated by third parties (TLA law enforcement), they don't have the encryption keys installed to secure the data. No problem. It appears that many telecoms fall back to unencrypted mode* rather than dropping the calls.
*Years ago, I had a nice Motorola StarTac that included an unencrypted warning icon. When it broke, I was unable to acquire a replacement with this feature. Rumor has it that the TLAs were very unhappy with this feature and strongly recommended that it be dropped.
Re: (Score:3)
There are as many criminals operating stingrays as law enforcement. You don't hear about it because police departments don't look for it, and users can't detect it.
I never heard of the lock icon, but I do remember a year or two ago hearing that iOS and Android were now offering a feature that warned when your phone received excessive tower handoff requests that typically happen with stingray activity. Not sure if that's still there or not.
Re: (Score:2)
A year or two ago. Yeah. I heard the same thing. And I haven't seen the product release yet. I suspect that the devs probably got a call from some TLA suggesting that their lives would be a lot more comfy if they spent them developing Candy Crush or some other garbage.
Re:Small number (Score:4, Insightful)
Why $750? Why not an RTL-SDR, with good timing, with a good dish and LNB, and just do everything else in software?
Re: (Score:2)
Why $750? Why not an RTL-SDR, with good timing, with a good dish and LNB, and just do everything else in software?
Because physics still matters. I think you missed a chapter in your RF engineering text. RTL-SDR gear is a fun toy, but it’s built around an 8-bit tuner with a 2.4 MHz bandwidth ceiling. The GEO Ku-band transponders in this study are running symbol rates up to 70 MS/s — two orders of magnitude higher. To capture that cleanly, you need a tuner and demodulator that can lock onto and maintain DVB-S2X carriers, apply proper forward-error correction, and handle multi-megabit baseband I/Q streams wi
Re: (Score:2)
Old Nokia GSM phones would display an icon if the regular GSM encryption was disabled as well.
yea bull shit (Score:2)
Encryption costs money, CPU power and bandwidth; they just turned it on in the ones found.
Careful, you'll break a tooth (Score:3)
Maybe look at other points in the system? (Score:2)
It should be assumed that all Internet traffic is sniffed and logged by some hostile force. This is why VPNs are so common, even Apple and iCloud Relay (which is browser based) is becoming the de facto standard, especially once Firefox "bakes in" similar functionality. This is also why traffic should go either over TLS, or some UDP protocol with end to end encryption on a different layer.
Ideally, if two sites "know" each other, it is always good to go with certificates on both sides (SSH, for example). T
Lots of data is unencrypted (Score:4, Insightful)
Police radio? CB radio?
If you don't want data to be read, encrypt it. Don't rely on the links to protect you. As soon as your WiFi data gets to the AP, it's no longer encrypted.
Re: (Score:3)
Police radios these days are often trunked which is about the best you can do - many places require unencrypted radios because it's your right to be able to audit law enforcement - the same set of rights that let you record the police (audio, video). Many have switched to trunked radio systems which helps get better frequency utilizat
Re: (Score:2)
Police radio? CB radio?
If you don't want data to be read, encrypt it. Don't rely on the links to protect you. As soon as your WiFi data gets to the AP, it's no longer encrypted.
That’s security Darwinism, and it’s nonsense. This is modern civilization, not Hobbes’ state of nature -- red in tooth and claw, where life is nasty, brutish, and short. Civilization exists precisely so people don’t have to live like prey animals, constantly scanning for predators before they drink at the watering hole. We built laws, standards, and infrastructure so that ordinary citizens can draw a bath without worrying about contamination, flip a light switch without checking the
Re: (Score:2)
The link doesn't need encryption if the application layer is encrypted.
Relying on link encryption is an illusion. As soon as the packets hit the internet, it's open.
Re: (Score:2)
It would be nice... (Score:1)
It would be nice if certain websites wouldn't refuse to work if you're using a vpn.
They try to hide that fact too, with messages like, "we're sorry, something went wrong" and similar. Turns out all you have to do is turn off your VPN and suddenly it works. Companies should at least be honest and use messages like, "Hey, asshole, turn off your VPN and we'll let you use our site."
Re: It would be nice... (Score:3)
The generic "something went wrong" errors, or the even better "access denied" errors, are a pretty clear message to me that the business in question wants me to go to a competitor with a working site.
Yeah, I *could* turn off my VPN and pihole and ublock, or spend 10 minutes figuring out which pieces of JavaSpam I have to allow to make it work. Or I could just find what I want at Advance Auto instead of O'Reilly, thanks.
this is about infrastructure, not hacking (Score:2)
This is just the latest in a long line of network-security papers I’ve read through the years that are more than a little disturbing. Using less than $750 in consumer hardware — a motorized Ku-band dish, a tuner card, and open-source software — they intercepted real, unencrypted IP traffic from 39 geosynchronous satellites and 411 transponders. What they found was pretty damning: plaintext phone calls, SMS messages, ATM authentication traffic, power-grid control data, and corporate invento