Cybersecurity for Satellites by Jaden Furtado

Transcript

1. Cybersecurity for Satellites Securing the last frontier

2. None

3. Who am I? • Researcher @R.U.D.R.A. Cybersecurity Pvt. Ltd. •

   Part time artist and musician • Work with Web, IT, OT, AI/ML, SDRs, etc • Helped secure Government and Private Orgs Trying my best to make the world a safer place :)

4. Disclaimers

5. You do some research! The objective is to serve as

   an introduction, to get you curious, and not an end-to-end guide!

6. Respect the allocated frequencies when working with radios!

7. None

8. When there aren’t enough cat pictures in a presentation

9. Let’s get started!

10. A Road Trip in Jan

11. Power plants, roads, desert, computers, and food!!!

12. Hosting the radio hacking village at SINCON 24

13. None

14. How do Satellites work?

15. How do Satellites work?

16. A look at Satellite Subsystems (LEO)

17. Telemetry, Tracking, Commands, and Monitoring systems(TTC&M)

18. None

19. From a business perspective • 3rd party Hardware components •

    3rd party Software components • The Hardware+Software = Operating System, in this case are satellites

20. Do Satellites matter?

21. Where are satellite systems in play? • In ships and

    maritime vessels • In planes • In trains • In Finance • In power-plants, factories, hospitals, etc

22. Attack Vectors for Satellites? https://medium.com/the-aerospace-corporation/protecting-space-systems-from-cyber-attack-3db773aff368

23. Initial Access

24. The User Segment • Very vulnerable!!!! • Easy to access

    and exploit • Hard-coded and Default credentials • High Impact Vulnerabilities are present • Usually results in a complete compromise • Possibility of pivoting to the Control segment
25. None
26. None
27. None

28. It’s a wireless world: Space and Control Segments

29. Steps? Step 1: Work out the position of your satellite

    Step 2: Start listening to communications(uplink and downlink) Step 3: Reverse engineer the signal Step 4: Craft your own signal

30. Step 1: Working out the orbit of a satellite Eccentricity

    (e) — shape of the ellipse, describing how much it is elongated compared to a circle (not marked in diagram). Semi-major axis (a) — half the distance between the apoapsis and periapsis. Inclination (i) — vertical tilt of the ellipse with respect to the reference plane, measured at the ascending node (where the orbit passes upward through the reference plane, the green angle i in the diagram). Longitude of the ascending node (Ω) — horizontally orients the ascending node of the ellipse (where the orbit passes from south to north through the reference plane, symbolized by ☊) Argument of periapsis (ω) : angle measured from the ascending node to the periapsis (the closest point the satellite body comes to the primary body around which it orbits)

31. So you’ve worked out the position. Now what? Step 2

32. None

33. Listening into Radio Streams • A directional Yagi Uda Antenna

    • SDRs(HackRF, RTL-SDR)

34. Simulating Communications (use GRC)

35. Step 3: Get the uplink working!

36. How to Download Weather Satellite Images from Space

37. None

38. Vulnerabilities in Satellite Communication Protocols? SDL protocol https://public.ccsds.org/Pubs/132x0b3.pdf

39. Satellite Radio Frequencies

40. Satellite Communication is supposed to be encrypted

41. But is it?

42. I DO NOT KNOW

43. Why did I not dive into this section?

44. Are these isolated incidents? NO!

45. Space Odyssey: An Experimental Software Security Analysis of Satellites Johannes

    Willbold (et al)

46. A history of vulnerabilities

47. Why do these issues occur? • Lack of knowledge •

    Pressure from management • Mistakes • Lack of oversight and regulations
48. None

49. https://youtu.be/OoJsPvmFixU?si=tJA09Zf_N-As92WK

50. What can we do about it?

51. For the engineers Say YES to: • Safety • Testing

    your systems • Sound design and engineering solutions Say NO to: • Hiding functionality/safety issues using software! • “Hacky” solutions • Cutting corners • Unneeded complexity

52. For the System Integrators • People make mistakes! Ensure redundancy!

    • Understand everything going into your end product! • Audit the software/hardware before using it • Test the end system exhaustively

53. For the executives • Would you use your own satellites?

    • Work WITH, and NOT AGAINST your engineers • Do NOT Pressurize your engineers to cut corners • Understand risk! • Good for Business != Good Engineering

54. Regulators Do you have a complete oversight of what is

    truly going on?

55. What is the worst thing that could happen?

56. None

57. How to get into this domain?

58. Your options… • Partner with academia (IIT Kanpur C3i Labs,

    Trust Labs IIT Bombay, IIT Madras, Confluence Labs BITS Pilani) • Partner with a cybersecurity research company • Partner with government agencies (ISRO, NCIIPC, CERT-India, MeiTY, RAW, etc) • Do it independently

59. Recommended Reading https://users.dimi.uniud.it/~antonio.dangelo/MMS/materials/Guide_to_Digital_Signal_Process.pdf

60. None

61. Main takeaway from this talk… • OWASP Top 10 •

    Lack of encryption • Hardcoded passwords

62. Thank you :)

63. References • Satellite-Based Communications Security: A Survey of Threats, Solutions,

    and Research Challenges • https://act-on.ioactive.com/acton/attachment/34793/f-42451503-f44b-45a6-b5 e2-2ec8603db3c1/1/-/-/-/-/IOActive%20-%20Last%20Call%20For%20Satcom %20Security%20-%20Santamarta.pdf • GNU Radio Wiki • Contact of Containership Dali with the Francis Scott Key Bridge and Subsequent Bridge Collapse

64. Appendix

65. The Wave Equation

66. What is an IQ data file? • Signal data is

    stored in the form of IQIQIQIQIQIQ where I+jQ • “In-phase" and "Quadrature" • Raw signal data • Equivalent to A*sin(wt+alpha) • Sufficient to plot the current position of a wave in time

67. What inference can we draw from this? A wave is

    a function of • Frequency • Amplitude • Phase * • Time Wave = W(f,A,p,t) + c, where c is a damping factor We cannot control time!!!!!!!!!!!!

68. Fourier Transforms

69. What is sampling? Process of converting a continuous-time signal into

    a discrete time signal

70. Sampling theorem If a continuous time signal contains no frequency

    components higher than W hz, then it can be completely determined by uniform samples taken at a rate f samples per second where f≥2W or, in term of the sampling period T≤1/2W

71. Aliasing • Caused due to inadequate sampling • An incorrect

    interpretation of signal data

72. Decimation Given a series of M samples, discard M-1 samples

73. Interpolation • Given a sample, add M-1 samples between this

    and the next • Increase wave resolution

74. Filters? Filters out signals(either in the higher or lower or

    both)

75. Modulation Superimposing a low-frequency signal on a high-frequency carrier signal.

76. Amplitude Modulation

77. Control the amplitude to send signals

78. AM Transmitter Circuit

79. Frequency Modulation

80. Control frequency to send data

81. FM Transmitter Circuit https://www.circuits-diy.com/simple-fm-transmitter-circuit-using-transistor/

82. Phase Modulation

83. Control phase to send data

84. Phase modulator circuit

85. Can you see why we need SDRs?

86. Demodulation? Do the opposite of Modulation!

87. Threats faced by Satellites https://publications.cispa.saarland/3934/1/SatSec-Oakland22.pdf

88. http://orbitalmechanics.info/

89. TLE format