Satellite, Aerospace and Military ecosystem security at the K-band and above


Page 1: Satellite, Aerospace and Military ecosystem security at the K-band and above

Satellite, Aerospace and Military ecosystem security at the K-band and above

Author: Nicholas Lemonias

Information Security Expert

M.Sc Information Security, University of Derby

Keeping Things Simple!

Date: 28/5/2015

Advanced Information Security

Page 2: Satellite, Aerospace and Military ecosystem security at the K-band and above

Part I Objectives - Presentation

Chapter 1: Introduction

Chapter 2: Overview and Synopsis

Chapter 3: Pen-Testing & Exploits

Chapter 4: Attacks and Mitigations

Page 3: Satellite, Aerospace and Military ecosystem security at the K-band and above

Part I Objectives - Presentation

Chapter 5: Maritime System Security

Chapter 6: Unmanned Aerial Vehicles

Chapter 7: Acknowledgements

Chapter 8: Conclusion

Page 4: Satellite, Aerospace and Military ecosystem security at the K-band and above

Introduction - Switching your Landscape

The Past

Sputnik 1 in 1957 - The first satellite in Space.

Vanguard TV3 in Space, 1958. Yuri Gagarin was the first human to set foot in Space, with the Vostok spacecraft completing an orbit of Earth in April, 1961.

2014 - Launch of first 4k Spacecraft in space - by DirecTV covering US and Latin America.

The Future

2015, Advanced Information Security presenting cutting edge satellite security research on these eco-systems. The first presentation of its kind!

Picture Perfect!

Page 5: Satellite, Aerospace and Military ecosystem security at the K-band and above

Satellite Classification

Satellites are divergent in scope and function. Satellites can be classified in the most common categories, according to their orbit and altitude:

I. Lower Earth Orbit (LEO) is defined as any orbit up to approximately 2000km

II. Medium Earth Orbit (MEO) is defined as any orbit up to 2000km

III. Geostationary Earth Orbit (GEO) is defined as any orbit up to 2000km

IV. Higher Earth Orbit (HEO) defines anything higher than the previous altitudes.

Page 6: Satellite, Aerospace and Military ecosystem security at the K-band and above

Satellite Modes and Frequencies

Page 7: Satellite, Aerospace and Military ecosystem security at the K-band and above

Satellite Modes and Frequencies II

Frequencies in MHz could be further distinguished in frequency bands such as: “VHF”, “UHF”, “SHF” and “EHF” depending on their range.

VHF distinguishes frequencies between 145.200 to 145.800 MHz in FM used by crewed spacecraft in space.

UHF commonly at 435.000 to 438.000 for satellite communications (all modes), and “SHF” in 126.000 to 127.000.

EHF frequency band would be distinguished by frequencies of 400.000 to 700.200 MHz.

Page 8: Satellite, Aerospace and Military ecosystem security at the K-band and above

Multiplexing/Demultiplexing Signals at Transponder Level

• Time Division Multiplexing - TDM
• Frequency Division Multiplexing - FDM

FDM - Used predominantly in communication systems (such as TV broadcasting). FDM offers the advantage of latency efficiency. The frequency is broken down into multiple channels, providing each client with the ability to occupy a frequency channel band on the ecosystem.

TDM - Transponder channels derived in single time slots per frame. The disadvantage is that it is single carrier and used ephemerally.

How does it work?

• A multiplexer generates an FDM signal from many channels. An FDM signal itself is a modulated frequency (approximately 70 MHz for FDM), and the signal is processed at an uplink station prior to its final propagation to the satellite.

Example: A telephone channel is assigned a certain frequency of FDM signals, which are then modulated (MUX'ed) before being sent to the satellite ecosystem in Space.

Page 9: Satellite, Aerospace and Military ecosystem security at the K-band and above

Transponder Sample design and Frequencies

Page 10: Satellite, Aerospace and Military ecosystem security at the K-band and above

Categories of Satellite Systems

i. Meteorological Satellites – Observe atmospheric changes.
ii. Communication Satellites – Provide communication facilities.
iii. Broadcasting Satellites – Signal Repeaters.
iv. Scientific – Utilizing technologies for scientific observations.
v. Navigation Satellites – Global Positioning System transmitters.
vi. Rescue Satellites – For Rescue operations; they utilize Radio Signals.
vii. Earth Observatory Systems – Landsat Satellites equipped with temperature observatory technology.
viii. Military Satellites (A-SAT Killer Satellites) – Equipped with high-tech electronics, Weapons, GPS, photographic equipment, Radar Imaging, Telescopes, Infrared Sensors and Anti-Weapon interceptors.
ix. Tether Satellites – Interconnected satellites.
x. Miniaturised – Lightweight Micro satellites. (see Space Dev Ltd)
xi. Geostationary Spacecrafts – Some crafts operate and provide the same functionalities as other types of satellites.

Page 11: Satellite, Aerospace and Military ecosystem security at the K-band and above

Hacking in the Space Sector

• Hackers hit the NOAA Satellite Operations network.

"Hackers from China breached the US federal weather network (NOAA). NOAA satellites provide the bulk of information for general weather models, advisories, warnings."

from Washington Post, November, 2014.

Page 12: Satellite, Aerospace and Military ecosystem security at the K-band and above

Notable Headlines from past years

• Chinese hackers suspected of interfering with US Satellites.

" Two US government satellites fell victim to cyber attacks in 2007 and 2008, claims report highlighting control systems vulnerabilities.

According to Bloomberg, the draft of a new annual report by the US-China Economic and Security Commission includes the claim that in October '07 and July, '08 hackers used the connection from a ground station to affect the operation of LandSat 7 and Terra (EOS AM-1) satellites, which are used for earth observation.”

from TheGuardian

October, 2011.

Sample Satellite Architecture for advanced users, please also see https://directory.eoportal.org/web/eoportal/satellite-missions/f/flying-laptop

Page 13: Satellite, Aerospace and Military ecosystem security at the K-band and above

Unmanned Aerial Vehicle - CNN News

" Insurgents were able to use a mass-market software program to view live feeds from U.S. military Predator drones monitoring targets in Iraq, a U.S. official indicated to CNN Thursday.”

from CNN NEWS

March, 2014.

Page 14: Satellite, Aerospace and Military ecosystem security at the K-band and above

Standards Protocols and Security

Standards of the European Telecommunications Standards Institute (ETSI)

• DVB-S - The DVB-S (Digital Video Broadcasting for Satellite) is one of the most commonly used standards for the transmission of video, audio and data via satellite. The Digital Video Broadcasting standard is a de-facto standard that supports the efficient operation of satellite infrastructures and ecosystems. The Digital Video Broadcasting system forms the basis for satellite communications. The DVB-S standard serves as a functional block for satellite broadcasting and interactive communication such as Broadband Internet services, military and corporate services for live feed emission and satellite broadcasting news.

• DVB-S2 - Digital Video Broadcasting for Satellite Version 2. The new standard brings additional enhancements in FEC Error Correction, ACM Modulation and Flexibility.

• DVB-RCS - Digital Video Broadcasting - via Return channel. This specifies an older air-interface for satellite architectures that support interactive communications, without the need for a local terrestrial infrastructure. Such models are two-way interactive communications where data is exchanged through a forward link and a return carrier link. In DVB-RCS2 architectures, the terminals are connected to a hub that provides access control and acts as a gateway between user nodes and the Internet. The forward link is broadcast to a specific part of the world, and interoperates with DVB-S2. Additionally, the DVB-RCS2 architecture is considered to be commonly used in a mesh satellite architecture.

Page 15: Satellite, Aerospace and Military ecosystem security at the K-band and above

Satellite Architecture via RCS

Page 16: Satellite, Aerospace and Military ecosystem security at the K-band and above

Architectural Objectives of DVB-S2

• The DVB-S v.2 was developed based on the following architectural objectives:

(i) Best transmission

(ii) Optimal performance

(iii) Overall flexibility

(iv) Reasonable receiver complexity

Page 17: Satellite, Aerospace and Military ecosystem security at the K-band and above

DVB/S2 Characteristics

• The DVB-S v.2 supports the following enhancements:

(i) Forward Error Correction algorithm which forms its basis on the powerful LDPC - "Low Density Parity Check" coding methods.

(ii) Adaptive Coding and Modulation support

(iii) Overall flexibility and reasonable receiver complexity.

Page 18: Satellite, Aerospace and Military ecosystem security at the K-band and above

DVB-S2 Architectural Fundamentals

Data transmissions in DVB-S2 compatible ecosystems are attributed to its design, which processes data in functional blocks of input and output signals.

Signal generation is therefore based on two levels of framing structures, the BBFRAMES at base-band (BB) level, which sets up the receiver’s flexibility as per the application design, and furthermore, the PLFRAME (PL) Physical layer frame, which can offer robust synchronisation.

Page 19: Satellite, Aerospace and Military ecosystem security at the K-band and above

Diagrammatical Architecture of DVB-S2

Page 20: Satellite, Aerospace and Military ecosystem security at the K-band and above

Architectural Objectives of DVB-S2

• The architecture of DVB-S2 forms its basis on the properties of the powerful LDPC coding, in conjunction with various additional modulation methods for optimum bandwidth and optimum utilisation provision.

Page 21: Satellite, Aerospace and Military ecosystem security at the K-band and above

Modulation Techniques

1. Amplitude Shift Keying

2. Frequency Shift Keying

3. Quaternary Phase Shift Keying

4. Phase Shift Keying (BPSK)

Page 22: Satellite, Aerospace and Military ecosystem security at the K-band and above

Modulation Techniques

Amplitude Shift Keying (ASK)

Used for low bitrates, predominantly in Fiber Optic.
Pros: Simplicity
Cons: Noise interference

Frequency Shift Keying

Pros: Flexibility, easy to implement, fewer errors
Cons: High bandwidth requirements such as radio transmissions or voice communication.
Used for low bit rate applications.

Quaternary Phase Shift Keying

Pros: Encodes two bits per symbol, for a lower BER. It uses Differential QPSK.
Cons: Noise interference

Phase Shift Keying (BPSK)

Pros: More bandwidth
Cons: Noise interference, complex detection (coherent detection) - more complex than ASK, ambiguity in signal output

Page 23: Satellite, Aerospace and Military ecosystem security at the K-band and above

DVB-S2 Channel Encoding and PSK Modulation

• DVB S/S2 define methods for channel encoding and ACM modulation modes. Modulation is a stream of 1's and 0's.

• Modulation techniques for broadcasting applications could be further categorised:

Quaternary Phase Shift Keying
8-ary Phase Shift Keying

The above are two common modulation methods for satellite broadcasting.

• 6QAM modulation, 16-ary Amplitude & Phase Shift Keying and 32-ary Amplitude Phase Shift Keying are modes defining high level deployments used predominantly for "SNG News Gathering" applications, which are ephemeral transmissions.

Page 24: Satellite, Aerospace and Military ecosystem security at the K-band and above

Low Density Parity Check (LDPC)

• The LDPC coding is a feature part of the Forward Error Correction algorithm.

Equation Formula:

$i = (i_0, i_1, \ldots, i_{K_{ldpc}-1})$

Page 25: Satellite, Aerospace and Military ecosystem security at the K-band and above

Interplanetary Issue and "Ping Delay"

A distinctive problem with satellite architectures is the interplanetary distance of geosynchronous satellites above the equator of earth, which is approximately 44,600 mile segments.

The response time of a geosynchronous satellite is approximately 550 million seconds delay, while latencies can vary depending on altitude characteristics.

Page 26: Satellite, Aerospace and Military ecosystem security at the K-band and above

Frequency Multiplexing Techniques

Frequency multiplexing is a technique that provides spectral efficacy. The following are common frequency multiplexing techniques used in satellite communications.

The representation is in binary format, namely 0's and 1's.

• FDMA (Frequency Division Multiple Access) - Divides one single channel into multiple bands.
• CDMA (Spread Spectrum) - Converts the analog signal, which is then spread out over a wider bandwidth.
• OFDMA (Orthogonal Frequency Division) - A modulation method that divides a channel into multiple narrow segments that are propagated orthogonally, so that each channel does not interfere with the other.
• SDMA (Frequency Reuse Technique) - A single channel can be used simultaneously, if the users are far from each other.
• Single Carrier FDMA (SC-FDMA) - Hybrid modulation with OFDMA characteristics, used predominantly with 3GPP Long Term Evolution; it provides multiple access features.
• CSMA-CD (Carrier Sense Multiple Access with Collision Detection) - An older multiple access modulation technique with signal interference collision detection.

Page 27: Satellite, Aerospace and Military ecosystem security at the K-band and above

Transport Stream Encapsulation

Page 28: Satellite, Aerospace and Military ecosystem security at the K-band and above

Interplanetary Issue and TCP/IP

• The Transmission Control Protocol perceives long response times as network congestion. Consequently, this causes the network to send and receive data at a slower rate.

(McKinney et al., 2007) and (Pacheco et al., 2011).

Page 29: Satellite, Aerospace and Military ecosystem security at the K-band and above

TCP/IP interoperability for DVB-S/S2 satellite ecosystems

i. The DVB-S provides high levels of interoperability with other useful protocols, such as the Internet Protocol.

ii. The DVB-S2 is the newer version of the Digital Video Broadcasting Standard, and it comes with additional features.

iii. The Digital Video Broadcasting for Satellite standard entails support for the MPEG-2 Transport Stream (TS) system, which has gained recognition as an "interoperable network modality" , for utilisation in Internet compatible networks.

iv. The second generation of DVB standards supports the Generic Stream method, which allows the direct transmission of IP-based content using the Generic Stream Encapsulation (GSE) protocol, and this in addition to the Transport Stream (TS) protocol.

Page 30: Satellite, Aerospace and Military ecosystem security at the K-band and above

Shortcomings of TCP/IP Inter-operability in DVB-S2 networks

• Satellite communications face some specific challenges. Round Trip Time (RTT) is greatly increased by long propagation delays due to the interplanetary problem. As a result, traditional TCP/IP over satellite networks shows significantly poorer performance, with trade-offs in Quality of Service.

• However, special techniques can be used to accelerate TCP performance. Performance Enhancing Proxies (PEPs) are one method; their objective is to hack the conventional TCP/IP functionality by enhancing certain parameters, in order to solve the interplanetary delay from Space to Earth.

• Thus satellite communications are subject to propagation delays, low bandwidth and high BER error rates.

• It is also evident that atmospheric and interstellar disruptions and cosmic radiation, as well as colliding signals from electronic devices, impede network performance and information throughput, with great impact on signal attenuation and Quality of Service. (Littman, 2002).

Page 31: Satellite, Aerospace and Military ecosystem security at the K-band and above

TCP Congestion control algorithms

• TCP TAHOE
• RENO
• NEW RENO
• VEGAS
• SACK
• FACK
• TCP Peach
• TCP Peach Nuts
• Window Scaling
• Byte Counting
• T/TCP
• XCP Protocol

Page 32: Satellite, Aerospace and Military ecosystem security at the K-band and above

TCP/IP OSI 7 Layer Model - Satellite Security

Page 33: Satellite, Aerospace and Military ecosystem security at the K-band and above

Exploitation techniques and Tools

Active attacks against satellite ecosystems:

• Fabricate a message from an L2 source to the satellite end.

• Delete a message from an L2 source to the satellite end.

• Falsify a message from an L2 source to the satellite end.

• Fabricate the origin of the source of a message from an L2 host to the satellite end.

Page 34: Satellite, Aerospace and Military ecosystem security at the K-band and above

Transmission Protocols and Methods

i. Furthermore the DVB Broadcast networks could be regarded as part of a larger class of 'networks', which are referred to as " MPEG-2 transmission networks".

ii. Such networks make use of the MPEG-2 Transport Stream, a mechanism for combining elementary video, audio, and television program information in the “Transport Streams”. This mechanism provides delivery effectiveness in networks with propagation delay issues.

iii. The MPEG-2 protocol was designed for efficiency and ease of implementation in high-bandwidth broadcast applications, in "delay prone" networks.

Page 35: Satellite, Aerospace and Military ecosystem security at the K-band and above

MPEG 2 Transport Stream architecture

Page 36: Satellite, Aerospace and Military ecosystem security at the K-band and above

Security Testing Methodology

Page 37: Satellite, Aerospace and Military ecosystem security at the K-band and above

Hardware Configuration: Transceivers

Page 38: Satellite, Aerospace and Military ecosystem security at the K-band and above

Hardware Setup / Terminology

• Rx Power - Received Signal strength in dBm
• Rx Snr - Received Signal to Noise ratio
• ODU Telemetry - Outdoor Unit Status
• Satellite Band - Satellite Frequency comes in a variety of Bands.
• Elevation - Sat Elevation for dish pointing to the right angle
• Azimuth - Calculates angle in the Spherical Coordinates system
• LNB In/Out: Satellite signal connectors for i/o (Low Noise Block) conversion on the transceiver.
• Coaxial Cabling - A communication cable (RG-6) is one example

Upper Layer information / Terminology

• PMT - Program Map Tables - PAT information that contain audio, video elementary streams.
• Preprocessing - Processing of video signal before its final presentation and encoding.
• Null Packets - Empty packets for synchronizing bit rate sequence.
• Transport Stream - entails the program streams in the multiplexing. Demultiplexing and analysis of streams will reveal the packet identifiers (PIDs).
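The PID, null-packet and Transport Stream terms above map directly onto the 4-byte MPEG-2 TS packet header. The following is an added example, not code from the presentation: a small audit an operator could run over a capture of their own multiplex to list which PIDs carry payload in the clear and where continuity counters jump. The function names and the sample stream are constructed for illustration.

```python
from collections import defaultdict

TS_PACKET_SIZE = 188        # fixed MPEG-2 TS packet length in bytes
SYNC_BYTE = 0x47            # first byte of every TS packet
NULL_PID = 0x1FFF           # stuffing ("null") packets
RESERVED_PID_MAX = 0x001F   # PIDs 0x0000-0x001F carry signalling tables (PAT, CAT, NIT, ...)


def make_packet(pid, cc, scrambling=0, pusi=False):
    """Build one constructed TS packet: 4-byte header plus 0xFF payload."""
    header = bytes([
        SYNC_BYTE,
        (0x40 if pusi else 0x00) | ((pid >> 8) & 0x1F),
        pid & 0xFF,
        ((scrambling & 0x03) << 6) | 0x10 | (cc & 0x0F),  # 0x10 = payload only
    ])
    return header + b"\xff" * (TS_PACKET_SIZE - len(header))


def iter_packets(data):
    """Yield aligned packets; skip bytes until a sync byte is confirmed
    by another sync byte exactly one packet later (or end of data)."""
    pos = 0
    while pos + TS_PACKET_SIZE <= len(data):
        nxt = pos + TS_PACKET_SIZE
        if data[pos] == SYNC_BYTE and (nxt == len(data) or data[nxt] == SYNC_BYTE):
            yield data[pos:nxt]
            pos = nxt
        else:
            pos += 1


def parse_header(packet):
    """Decode the fields of the 4-byte TS header."""
    b1, b2, b3 = packet[1], packet[2], packet[3]
    return {
        "pid": ((b1 & 0x1F) << 8) | b2,          # 13-bit packet identifier
        "payload_unit_start": bool(b1 & 0x40),
        "scrambling": (b3 >> 6) & 0x03,          # 0 = payload not scrambled
        "has_payload": bool(b3 & 0x10),
        "cc": b3 & 0x0F,                         # 4-bit continuity counter
    }


def audit_stream(data):
    """Per-PID counts of clear/scrambled payload packets and continuity jumps."""
    report = defaultdict(lambda: {"packets": 0, "clear": 0, "scrambled": 0, "cc_errors": 0})
    last_cc = {}
    for packet in iter_packets(data):
        h = parse_header(packet)
        entry = report[h["pid"]]
        entry["packets"] += 1
        if h["pid"] == NULL_PID or not h["has_payload"]:
            continue
        entry["scrambled" if h["scrambling"] else "clear"] += 1
        prev = last_cc.get(h["pid"])
        # The counter increments modulo 16 per PID; the one legal duplicate
        # packet allowed by the standard is not special-cased here.
        if prev is not None and h["cc"] != (prev + 1) & 0x0F:
            entry["cc_errors"] += 1
        last_cc[h["pid"]] = h["cc"]
    return dict(report)


def clear_payload_pids(report):
    """PIDs outside the reserved signalling range that carried unscrambled payload.
    PMT PIDs are also sent in the clear by design; a fuller audit would read
    them from the PAT and exclude them."""
    return sorted(pid for pid, e in report.items()
                  if RESERVED_PID_MAX < pid != NULL_PID and e["clear"] > 0)


# Constructed sample: 3 junk bytes, then PAT, a scrambled PID, a clear PID,
# one null packet, and a continuity jump (1 -> 3) on PID 0x0100.
SAMPLE = b"\x00\x01\x02" + b"".join([
    make_packet(0x0000, 0, pusi=True),
    make_packet(0x0100, 0, scrambling=2),
    make_packet(0x0100, 1, scrambling=2),
    make_packet(0x0200, 0),
    make_packet(NULL_PID, 0),
    make_packet(0x0200, 1),
    make_packet(0x0100, 3, scrambling=2),
])
REPORT = audit_stream(SAMPLE)

if __name__ == "__main__":
    for pid in sorted(REPORT):
        print(f"PID 0x{pid:04X}: {REPORT[pid]}")
    print("clear payload PIDs:", [hex(p) for p in clear_payload_pids(REPORT)])
```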

Page 39: Satellite, Aerospace and Military ecosystem security at the K-band and above

Ground Station Setup

Page 40: Satellite, Aerospace and Military ecosystem security at the K-band and above

Reconnaissance Phase

• We identify the satellite ecosystem at www.lyngsat.com, in real time. There are many websites that can help with this. Another one is NASA's Interactive Satellite tracker, which can be found at http://science.nasa.gov/iSat/

Page 41: Satellite, Aerospace and Military ecosystem security at the K-band and above

Satellite Tracking - Orbitron

Satellite software can also be used for tracking the satellite ecosystem. In this example we have used Orbitron.

Page 42: Satellite, Aerospace and Military ecosystem security at the K-band and above

Mass Frequency Scanning / Blind Scanning Tools Crazyscan & EasyBlindScan

Page 43: Satellite, Aerospace and Military ecosystem security at the K-band and above

Mil & Gov Satellites - The "X" Band

• The X-Band is a satellite frequency band at higher altitudes. It is also referred to as the Super High Frequency Band.

• SHF ecosystems use military level encryption.

• To identify such systems a satellite motor can be used, in conjunction with blind scanning software such as CrazyScan or DVBSnoop on Linux (manual configuration would be needed).

• The signals, and the streams can then be recorded and analyzed. A malicious attacker can then try to decrypt data.

• A malicious attacker would look for misconfigured ecosystems, on frequencies that may lead to unencrypted data. Even the frequencies on LyngSat with dedicated scanning may lead to something interesting. We can use EasyBlindScan to scan them.

Page 44: Satellite, Aerospace and Military ecosystem security at the K-band and above

Frequency Scanning Tools

Page 45: Satellite, Aerospace and Military ecosystem security at the K-band and above

Scanning Phase

Page 46: Satellite, Aerospace and Military ecosystem security at the K-band and above

Data Extraction - Wireshark

Hotbird 13 East. - From our live testing of a satellite system.

Page 47: Satellite, Aerospace and Military ecosystem security at the K-band and above

Reverse Engineering, Patching and Cryptanalysis

• Signal Analysis using tools such as SDR / RTL-SDR (initially)
• Stream decoding and reverse engineering using specialized tools such as DVBAnalyzer, DTC-320 Stream Xpert, TSPE, TSReader, MPEG 2TS by Tektronix.
• Transport Streams tools that fuzz and record encrypted streams for analysis.
• Patching tools in the wild with cracked / reverse engineered encipherment systems (The Last Drakkar, Fast CAS Editor to cite some basic example tools).
• Hardware level reversing of satellite transceivers or cards.

Page 48: Satellite, Aerospace and Military ecosystem security at the K-band and above

DVB-S Conditional Access

Encryption Process

[Equation: $S^0 = P$; $S^r$ computed from $S^{r-1}$ and key bits for $1 \le r \le 56$; $C = S^{56}$]

Decryption Process

[Equation: $S^0 = C$; $S^r$ computed from $S^{r-1}$ and key bits $K^E$ for $1 \le r \le 56$; $P = S^{56}$]

The stream cipher is composed of two shift registers and a combiner with memory. Registers p, q, c are the bit registers. The first operational mode of the cipher is the initialization mode, where the cipher prepares the initial state. The second mode is for PRNG generation, where two pseudorandom bits per clock cycle are created.

In the Key Scheduling phase the cipher uses the shared key K, and the first encrypted block of the transport stream SB0 is an initialization nonce for the initial cipher state. All assumed bit registers are assigned a value of 0. A shared key is loaded to the bit registers.

K = k0, . . . , k63

Page 49: Satellite, Aerospace and Military ecosystem security at the K-band and above

Exploitation of the actual Satellite system in Space (While in Orbit...)

(CWE 400) - Resource Exhaustion Issue / Denial of Service attack from various spoofed sources.

• In this technique, an attacker sends information, to the satellite, directly with the uplink of thousands of "spoofed" hosts from different geo-locations.

• When the satellite moves to a new location (while in orbit), it will have to broadcast the data to each end host, and thus consequently creating great computational overhead to the ecosystem.

Other Attacks:

i. An attacker can cause the system to run out of bandwidth and impede the availability of services.

ii. Denial of Service attack (SYN Flood) at the Transport Layer. However, SYN packet cookies contained in messages sent by a client are used for securing against Transport layer attacks. Packet Authentication and Anti-replay are techniques that can be used for mitigation of attacks.

iii. Recent satellite deployments try to prevent resource exhaustion issues by identifying if bandwidth is over a predefined threshold. The use of this technique is not efficient because a user can instrument a DoS attack without exceeding the limit, and that means no other protection measures from the ecosystem. A satellite communication that uses a two step verification to protect from DoS attacks uses the sequence number in the packet. The Anti-DoS mechanism will then compute the MAC address value against its private key, trying to match this with the MAC value in the packet headers. The Network Control Center would then check data integrity. For the NCC to check the data integrity it uses a sequence number for each packet. An attacker could simply launch a Denial of Service by intercepting traffic and capturing messages of participating nodes, and create spoofed deassociation requests to the NCC, to disrupt service to important participating entities in the communication. (T. Ma et al., 2012).

Page 50: Satellite, Aerospace and Military ecosystem security at the K-band and above

Passive Attacks & Satellite Security

i. Passive attacks may easily be derived in DVB Networks using standard hardware equipment.

ii. For instance a transceiver could be configured into promiscuous mode, thus to enable total filtering and packet-forwarding of all incoming data over a device’s local interface (piping the output stream to the local interface for analysis).

Page 51: Satellite, Aerospace and Military ecosystem security at the K-band and above

MITM against Satellite communications

• In a Man-in-The-Middle attack , a malicious attacker is able to intercept traffic, to read plain-text information, and replay information back and forth, between end-points.

• Therefore a "Man-in-The-Middle" attack can persist due to the lack of fundamental security services. Confidentiality, Integrity, and Non-Repudiation are paramount for the protection of information throughout the encapsulation, and data transmission in the communication.

Page 52: Satellite, Aerospace and Military ecosystem security at the K-band and above

Man In the Middle attack scenario

Page 53: Satellite, Aerospace and Military ecosystem security at the K-band and above

Replaying and Reordering attacks - Equations

Replay attack 1 example by equation
1. M(A) → B: ‘Hi Bob, This is Alice’
2. B → M(A): R (The challenge)
3. M(A) → B: ???

Replay attack 2 example by equation
1. A → (M)B: ‘Hi Bob, This is Alice’
2. M(B) → A: R (M predicts which R will be used later by B)
3. A → (M)B: {R || B}K

1. M(A) → B: ‘Hi Bob, This is Alice’
2. B → M(A): R (M predicted which R is used by B)
3. M(A) → B: {R || B}K

Page 54: Satellite, Aerospace and Military ecosystem security at the K-band and above

Sniffing, Fuzzing and Extracting

• A malicious adversary gains access to data structures through interception of communication. An attacker can then extract useful information about the infrastructure and participating entities. This is a critical security issue due to the fact that satellite communications operate by broadcasting bits of information. Such information could be sensitive addresses of L2 destinations, such as a Telecommand & Control earth station.

• This method enables attackers to monitor real-time information about who is communicating to which nodes, and the precise timing of transmissions. This information can be used for replicating legitimate users, gaining access to legitimate services, or even using the bandwidth of those users to conduct DoS attacks on third-party networks.

Page 55: Satellite, Aerospace and Military ecosystem security at the K-band and above

Sniffing, Fuzzing and Extracting data from Satellites

How could fuzzing help an intruder to take control of informational assets?

• Satellite systems operate on different frequencies. A determined attacker could "blind-scan" a range of frequencies in the hope of finding a frequency channel of interest.

• Often banks, financial institutions and even governments rent space on satellite systems for a variety of purposes.

• An intruder could enumerate different frequencies in the hope of acquiring and extracting bits of information. Private satellites often accommodate the needs of the Public Sector. It wouldn't be uncommon for a satellite eco-system to accommodate the needs of different clients on the same satellite ecosystem. As explained on Slide 7, a single frequency can furthermore accommodate the needs of multiple channels.

Mitigation

To mitigate against fuzzing attacks in satellite communications, a pedantic layered approach to security is necessary.

Often times encryption is a problem, due to the lightweight architecture of encapsulation protocols in Satellite Communication, that may be prone to overhead and slow response times, with the addition of any heavyweight security.

Page 56: Satellite, Aerospace and Military ecosystem security at the K-band and above

Replaying & Reordering Attacks against Satellite systems

A replay attack is one in which an attacker captures a vector, and replays the fabricated packets to an end-point destination. The end-point destination thinks that the data originated from a trusted source. In a satellite communication, Transport Streams and encapsulated information can be recorded, analyzed and replayed to the participating entities. MAC Layer packet replay attacks are also a prominent issue.

Mitigation of replay attacks is possible using a message freshness mechanism and origin authentication. A common freshness mechanism is the utilisation of logical timestamps, e.g.: the use of existent logical timestamps in the Transmission Control Packet. As per (ISO/IEC 9798-1), there are three main types of freshness mechanisms:

1. Random Challenges (Nonce)
2. Logical Timestamps
3. Sequence Numbers
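The following added example (not part of the original slides) contrasts the predictable challenge from "Replay attack 2" on Page 53 with two of the freshness mechanisms listed above, a random nonce and a sequence number, both combined with origin authentication. HMAC-SHA256 stands in for the slides' {R || B}K, and the class names, function names and key are hypothetical values constructed for the demonstration.

```python
import hashlib
import hmac
import secrets

KEY = b"constructed-demo-key"   # constructed shared key K between A and B


def respond(key, challenge, verifier_id):
    """Step 3 of the exchange: authenticate R bound to the verifier's identity.
    HMAC-SHA256 is used here in place of the slides' {R || B}K."""
    return hmac.new(key, challenge + b"|" + verifier_id, hashlib.sha256).digest()


class CounterVerifier:
    """B issuing a predictable challenge: R is a simple counter."""

    def __init__(self, key, my_id):
        self.key, self.my_id = key, my_id
        self.counter = 0
        self.pending = None

    def challenge(self):
        self.counter += 1
        self.pending = self.counter.to_bytes(8, "big")
        return self.pending

    def verify(self, response):
        if self.pending is None:
            return False
        expected = respond(self.key, self.pending, self.my_id)
        self.pending = None                      # each challenge is single-use
        return hmac.compare_digest(expected, response)


class NonceVerifier(CounterVerifier):
    """B issuing a random challenge (freshness mechanism 1)."""

    def challenge(self):
        self.pending = secrets.token_bytes(16)
        return self.pending


def replay_of_predicted_challenge(verifier):
    """Replay attack 2: a reply A gave earlier to a predicted R is presented
    to B in a later run. Returns True if B accepts it."""
    predicted = (verifier.counter + 1).to_bytes(8, "big")
    recorded = respond(KEY, predicted, verifier.my_id)   # A's honest reply, run 1
    verifier.challenge()                                 # run 2: B issues its R
    return verifier.verify(recorded)


def seal(key, seq, payload):
    """Authenticate a one-way message together with its sequence number."""
    return hmac.new(key, seq.to_bytes(8, "big") + payload, hashlib.sha256).digest()


class SequenceReceiver:
    """Receiver for one-way messages (freshness mechanism 3): the tag proves
    origin, the strictly increasing sequence number proves freshness."""

    def __init__(self, key):
        self.key = key
        self.last_seq = -1

    def accept(self, seq, payload, tag):
        if seq < 0 or not hmac.compare_digest(seal(self.key, seq, payload), tag):
            return False          # origin authentication failed
        if seq <= self.last_seq:
            return False          # stale sequence number: replayed message
        self.last_seq = seq
        return True


if __name__ == "__main__":
    print("counter challenge accepts replay:",
          replay_of_predicted_challenge(CounterVerifier(KEY, b"B")))
    print("random nonce accepts replay:",
          replay_of_predicted_challenge(NonceVerifier(KEY, b"B")))
    rx = SequenceReceiver(KEY)
    msg = b"constructed control message"
    tag = seal(KEY, 1, msg)
    print("first delivery:", rx.accept(1, msg, tag))
    print("replayed copy:", rx.accept(1, msg, tag))
```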

Page 57: Satellite, Aerospace and Military ecosystem security at the K-band and above

Denial of Service against the satellite system, while in orbit.

Page 58: Satellite, Aerospace and Military ecosystem security at the K-band and above

Physical Layer (L1) Security

DVB compatible systems are particularly weak in the context of physical-layer security. Broadcasting systems enable anyone with a suitable hardware transceiver to gain access to an unencrypted channel.

However, in the absence of physical-layer security (which most often is based on DVB-RCS encryption), there are no other adequate measures to protect against either passive or active attacks in commercial satellite systems. It is pertinent to note that proprietary encryption algorithms are also used by Pay TV providers as an alternative to the deprecated DVB-RCS, but that is just one layer that protects only certain pieces of information on that layer. Historically, Denial of Service attacks at L1 were common, but those were addressed with CDMA.

This is a core problem in present designs. The adoption of Standard Internet Security Protocols may solve the problem ephemerally, but it doesn't solve the inherent issues at the core of the problem.

Page 59: Satellite, Aerospace and Military ecosystem security at the K-band and above

Encapsulation Protocols & Methods

• The Generic Stream Encapsulation (GSE) protocol was architected, as an extensible encapsulation mechanism for Generic Stream (GS) transmission, for DVB-S2 broadcasting. The GSE Protocol is based on the ULE protocol and utilises the same extension header mechanisms.

Page 60: Satellite, Aerospace and Military ecosystem security at the K-band and above

GSE - Generic Stream Encapsulation

Page 61: Satellite, Aerospace and Military ecosystem security at the K-band and above

Encapsulation Protocols & Methods

• Multi-Protocol Encapsulation (MPE) is a dominant method for encapsulating Internet Protocol (IP) packets into MPEG-2 Transport Streams that are conveyed for DVB-compatible ecosystems.

• The MPE protocol is specified by the DVB Project as a standard protocol for IP transmissions over MPEG-2 networks. The MPE network-layer datagrams are referred to as PDUs and are framed within blocks called datagram sections ("SNDUs").

Page 62: Satellite, Aerospace and Military ecosystem security at the K-band and above

Encapsulation Protocols & Methods

• The Unidirectional Lightweight Encapsulation (ULE) method is an alternative to the MPE method, with the objective of providing simplicity, efficiency and configurability.

• In comparison to MPE, ULE offers simplicity, efficacy enhancements, IPv6/MPLS (Multi-Protocol Label Switching) support, and greater flexibility through support for, and interoperability with, a number of other protocols.

• The ULE protocol has been adopted by the IETF as a standard protocol.

Page 63: Satellite, Aerospace and Military ecosystem security at the K-band and above

Network Security (L3) Satellite Infrastructures

• IPSec in Tunnel mode is susceptible to various attacks, such as eavesdropping, information leakage attacks, and replay attacks.

• IPsec in Transport mode is inadequate to provision total security for satellite communication.

• Unfortunately, the addition of any other heavyweight encryption can impact network performance and QoS in satellite communications, because the subtle and lightweight characteristics of the protocols would lead to high BER and attenuated performance.

Page 64: Satellite, Aerospace and Military ecosystem security at the K-band and above

IPSec, ML-IPSec and PEP Acceleration

• Performance Enhancement Proxies can accelerate network performance. However, the use of TCP header information is essential to their function.

• It follows that the use of IPsec in Tunnel Mode prevents the use of Performance Enhancement Proxies and acceleration. The reason is that TCP headers need to be intact during the layered encapsulation/decapsulation.

• IPSec can lead to overhead for the lightweight specifications of MPEG-2 networks.

• Multicasting services are important in service provision over ULE. However, IPSec can support tunnelling only between two IPSec devices, with manual key derivation, which creates other problems in terms of efficacy in multicasting applications.

• Multi-Layer IPsec comes with capabilities that favor Performance Enhancement Proxies. ML-IPSec permits access to a limited portion of the IP datagram, adequate for the operation of network accelerators, and this technology solves the issue of security interoperability with IPsec.

Page 65: Satellite, Aerospace and Military ecosystem security at the K-band and above

ML-IPSec Function

• Similarly to IPSec, the Composite Security Association (CSA) supplements information, with the addition of trusted zones.

• Data are broken down into smaller blocks called zones. There can be a distinction between zones: for example, some information (i.e. TCP headers) can be in Zone-1 whilst the rest of the packet is in Zone-2. The CSA is composed of a mapping table (a map with all zones) and a relevant list that contains all Security Associations (SAs) within a secure datagram.

• A sub-zone is a non-contiguous block of datagrams.
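The zone split described above, and the reason it lets a PEP work where Tunnel Mode IPsec does not, as an added example (not code from the presentation or from any ML-IPsec implementation). The zone boundaries, key names and the SHA-256 keystream that stands in for the ESP cipher are assumptions made for illustration.

```python
import hashlib, hmac, struct

def xor_stream(key, data):
    # Toy keystream (SHA-256 in counter mode, no nonce) standing in for the ESP cipher.
    ks = b"".join(hashlib.sha256(key + struct.pack(">I", i)).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

# Composite SA (assumed layout): a zone map plus one SA (enc key, auth key) per zone.
ZONE_MAP = {1: (0, 20), 2: (20, None)}   # zone 1 = TCP header, zone 2 = rest of packet
CSA = {1: (b"zone1-enc-key", b"zone1-auth-key"),
       2: (b"zone2-enc-key", b"zone2-auth-key")}

def protect(segment, csa):
    """Sender: encrypt and authenticate each zone under its own SA."""
    out = {}
    for zone, (start, end) in ZONE_MAP.items():
        enc_key, auth_key = csa[zone]
        ct = xor_stream(enc_key, segment[start:end])
        out[zone] = (ct, hmac.new(auth_key, ct, hashlib.sha256).digest())
    return out

def open_zones(protected, held_sas):
    """Endpoint or PEP: recover only the zones whose SA this node holds."""
    plain = {}
    for zone, (ct, tag) in protected.items():
        if zone not in held_sas:
            continue                      # no SA for this zone: it stays opaque
        enc_key, auth_key = held_sas[zone]
        expected = hmac.new(auth_key, ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError(f"zone {zone} failed authentication")
        plain[zone] = xor_stream(enc_key, ct)
    return plain

def tcp_seq(header):
    return struct.unpack(">I", header[4:8])[0]

# Constructed TCP segment: 20-byte header (ports, seq, ack, offset, flags, window) + payload.
HEADER = struct.pack(">HHIIBBHHH", 40000, 443, 1000, 2000, 5 << 4, 0x18, 65535, 0, 0)
SEGMENT = HEADER + b"confidential application data"

if __name__ == "__main__":
    wire = protect(SEGMENT, CSA)
    pep_view = open_zones(wire, {1: CSA[1]})   # the PEP is trusted with zone 1 only
    print("PEP reads seq", tcp_seq(pep_view[1]), "from zones", sorted(pep_view))
    print("endpoint payload:", open_zones(wire, CSA)[2])
```

With a single Tunnel Mode SA the whole segment would sit under one key, so the proxy would either see nothing or see everything.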

Page 66: Satellite, Aerospace and Military ecosystem security at the K-band and above

ML-IPSec Datagram

Page 67: Satellite, Aerospace and Military ecosystem security at the K-band and above

ML-IPSec Diagram- Inbound Processing

Page 68: Satellite, Aerospace and Military ecosystem security at the K-band and above

ML-IPSec Summary

• Multi-Layer IPsec (ML-IPsec) is an extension to IPsec that resolves the issue between end-to-end security in standard IPsec and the function of TCP acceleration through Performance Enhancing Proxies (Bhutta et al., 2011).

• Furthermore, according to Bhutta et al. (2011), ML-IPsec provides enhancement in the functionality of standard IPsec, as a solution to the conflict currently present between IPsec and intermediate performance enhancement agents, such as TCP and application PEP agents. Bhutta et al. (2011) allege that the concept of Multi-Layer IPsec has been previously researched, as outlined by current subject literature (Annoni et al., 2002), (Zhang et al., 2004) and (Sing et al., 2005), in this chronological order.

• Multi-Layer IPsec provides the capabilities required by Performance Enhancement Proxies to access a limited portion of the IP datagram, adequate for the correct function of network accelerators, while still interoperating with security (Bhutta et al., 2011). Furthermore, (Haitham et al., 2011) clarifies that the operation of ML-IPsec is based on the recommendations that ML-IPsec should be compatible with IPsec in format and computational processing, and also suitable for integration into the data structures of an IPsec implementation.

Page 69: Satellite, Aerospace and Military ecosystem security at the K-band and above

ML-IPSec Vs Security Barriers

• However, while ML-IPsec (an extension of IPsec) solves a pragmatic problem of interoperation and interworking of IPsec and Performance Enhancement Proxies over a satellite, the barrier to adequate security in this case is the problem of mobility, which often creates a plethora of other problems, such as those of flexibility, portability and usability. This can be a serious problem for users and service providers alike.

Page 70: Satellite, Aerospace and Military ecosystem security at the K-band and above

Maritime SATCOM Security

Page 71: Satellite, Aerospace and Military ecosystem security at the K-band and above

VSAT Sailor 900 for MARITIME - Sample Acquisition

" Sailor 900 VSAT is an easy and quick-to-deploy three-axis stabilized VSAT antenna with the highest RF performance in the 1m antenna class. Verified by extensive Eutelsat tests the Sailor 900 works with all leading Ku-band VSAT platforms. "

From Cobham Defense Website

Page 72: Satellite, Aerospace and Military ecosystem security at the K-band and above

Maritime Systems and SATCOMS

Page 73: Satellite, Aerospace and Military ecosystem security at the K-band and above
Page 74: Satellite, Aerospace and Military ecosystem security at the K-band and above

V-SAT Sailor 900 in Oil and Gas mining Platforms

Page 75: Satellite, Aerospace and Military ecosystem security at the K-band and above

V-SAT Sailor 900 Example

Page 76: Satellite, Aerospace and Military ecosystem security at the K-band and above

SATCOM Security - VSAT Sailor 900

VSAT 900 Sailor Authentication Bypass PoC exploit by Advanced Information Security Corp

Source : https://github.com/offensive-security/exploit-database/blob/master/platforms/hardware/remote/35932.c

Page 77: Satellite, Aerospace and Military ecosystem security at the K-band and above

UAV Security - Attacks & Mitigations

Page 78: Satellite, Aerospace and Military ecosystem security at the K-band and above

Unmanned Aerial Vehicles

• UAV technology can be used for remote surveillance.

• Governments and militaries have invested billions in UAV technology and products.

• UAV programming software: ArduPilot Mega / NodeCopter, MultiWii, OpenPilot, Navio+ (an open source autopilot platform capable of flying helicopters and UAV vehicles). You can even use xbox-parrot from nodecopter.com to control them with your Xbox controller.

Page 79: Satellite, Aerospace and Military ecosystem security at the K-band and above

UAV Synopsis

• Base System - The backbone of the infrastructure for linking up the components

• Sensors (Infrared, GPS, Optical Flow, Cameras)

• Wireless Communication Links - for providing information to earth stations and vice versa (LOS and SATCOM).

• Avionics (Command Conversion)

• Ground Control Station

• Weapons

• Fail-Safe operations (Self-Destruction or Return)

Page 80: Satellite, Aerospace and Military ecosystem security at the K-band and above

Threats against UAV Systems (L1 and L2 attacks)

• Standard GPS Jamming

• Wi-Fi Jamming / Deauthentication attacks

• Replay Attacks / Man-in-the-Middle

• Drone Spoofing

Page 81: Satellite, Aerospace and Military ecosystem security at the K-band and above

Unmanned Aerial Vehicle Security

• Exploitation Toolset

SkyJack

SkyGrabber

aircrack-ng

node-ar-drone

Raspberry Pi (ARM-based computer)

Page 82: Satellite, Aerospace and Military ecosystem security at the K-band and above

Unmanned Aerial Vehicle Security

Page 83: Satellite, Aerospace and Military ecosystem security at the K-band and above

Conclusion

• Any user located within coverage of a spot beam channel can receive and access transmitted satellite communications, and this justifies and deepens the assertion that inherent mechanisms fail to provide adequate security.

• The flaws behind the lack of adequate security arise as a result of not adhering to the principles of Information Security as outlined by (Saltzer et al., 1975).

Page 84: Satellite, Aerospace and Military ecosystem security at the K-band and above

Conclusion

• The force behind the lack of adequate security in DVB-S2 is the set of bandwidth limitations that impede security in MPEG-2 networks. Therefore this insecurity is inherent to the architecture of Digital Video Broadcasting for Satellite Broadcasting. Current protocol designs limit any credible options for heavyweight security.

Page 85: Satellite, Aerospace and Military ecosystem security at the K-band and above

Conclusion

• The lack of data integrity and data origin authentication in Transport-Stream acts as a barrier towards adequate security.

• An attempt to cover the holes that result from inherent flaws in the design of DVB-S/S2 is the use of Standard Security protocols to bridge the issues.
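What the missing data origin authentication means at the encapsulation layer, as an added example that is not from the presentation: a ULE SNDU (RFC 4326 layout, D=1 form) ends in a keyless CRC-32, so a receiver can detect bit errors but cannot tell who framed the PDU. The HMAC trailer, the key and the PDU bytes are constructed assumptions, not part of ULE.

```python
import hashlib, hmac, struct

def crc32_mpeg2(data):
    # CRC-32/MPEG-2, the SNDU trailer: poly 0x04C11DB7, init 0xFFFFFFFF, MSB first, no final XOR
    crc = 0xFFFFFFFF
    for byte in data:
        crc ^= byte << 24
        for _ in range(8):
            crc = ((crc << 1) ^ 0x04C11DB7 if crc & 0x80000000 else crc << 1) & 0xFFFFFFFF
    return crc

def build_sndu(pdu, ptype=0x0800):
    # D=1 (no destination address) | 15-bit Length, 16-bit Type, PDU, CRC-32
    header = struct.pack(">HH", 0x8000 | (len(pdu) + 4), ptype)
    return header + pdu + struct.pack(">I", crc32_mpeg2(header + pdu))

def parse_sndu(sndu):
    if len(sndu) < 8:
        raise ValueError("truncated SNDU")
    first, ptype = struct.unpack(">HH", sndu[:4])
    if not first & 0x8000:
        raise ValueError("destination address form not handled in this sketch")
    if (first & 0x7FFF) != len(sndu) - 4:
        raise ValueError("length field does not match SNDU size")
    if struct.unpack(">I", sndu[-4:])[0] != crc32_mpeg2(sndu[:-4]):
        raise ValueError("CRC-32 mismatch")
    return ptype, sndu[4:-4]

def seal(pdu, key):
    # Assumed mitigation (not part of ULE): truncated HMAC-SHA256 tag appended to the PDU
    return pdu + hmac.new(key, pdu, hashlib.sha256).digest()[:16]

def unseal(sealed, key):
    pdu, tag = sealed[:-16], sealed[-16:]
    if not hmac.compare_digest(tag, seal(pdu, key)[-16:]):
        raise ValueError("authentication tag mismatch")
    return pdu

def accepted(sndu, key=None):
    try:
        pdu = parse_sndu(sndu)[1]
        return key is None or unseal(pdu, key) is not None
    except ValueError:
        return False

KEY, PDU = b"constructed-shared-key", b"constructed IPv4 datagram bytes"

if __name__ == "__main__":
    print("re-framed altered PDU, CRC only:", accepted(build_sndu(b"altered " + PDU)))
    print("same with HMAC trailer:", accepted(build_sndu(b"X" + seal(PDU, KEY)[1:]), KEY))
```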

Page 86: Satellite, Aerospace and Military ecosystem security at the K-band and above

Conclusion

• The non-interoperation of network accelerators such as Performance Enhancement Proxies is a major barrier towards the application of Standard Security protocols. Although Standard Security Protocols can offer some security and bridge the gaps, they do not address the issues at the core. The lightweight architecture of the protocols and the unavoidable interplanetary delays prohibit the use of any heavyweight security.

Page 87: Satellite, Aerospace and Military ecosystem security at the K-band and above

Conclusion

• The non-interoperation of network accelerators such as Performance Enhancement Proxies is a major barrier towards integration with Internet Protocol Security (IPsec) and other standard security methods.

• A main issue is the lack of inherent security in MPEG-2 protocols over DVB-S2. Their interoperation with the Internet Protocol renders them susceptible to attacks over the Internet. The lack of inherent encryption throughout the different encapsulation layers does not prevent attacks on confidentiality, integrity, availability and non-repudiation.

• The lack of security metrics to provide Data Origin Authentication in standard MPEG-2 and DVB-S2 protocols opens the communications to masquerading and forging attacks on the participating entities.

• The lack of a pedantic end-to-end layered approach is a pragmatic issue.

Page 88: Satellite, Aerospace and Military ecosystem security at the K-band and above

Acknowledgements

[REFERENCES]

Digital Video Broadcasting (DVB) User guidelines for the second generation system for Broadcasting, Interactive Services, News Gathering and other broadband satellite applications (DVB-S2), ETSI TR 102 376, V1.1.1, February 2005. http://www.etsi.org/deliver/etsi_tr/102300_102399/102376/01.01.01_60/tr_102376v010101p.pdf

Thai, Tuan Tran, Dino Martin Lopez Pacheco, Emmanuel Lochin, and Fabrice Arnal. "SatERN: a PEP-less solution for satellite communications." In Communications (ICC), 2011 IEEE International Conference on, pp. 1-5. IEEE, 2011.

Cruickshank, C., Bhutta, M.N.M, Ashworth, J.,Moseley, M. (2011). Redesigning of IPSec for interworking with satellite Performance Enhancing Proxies . In 6th International ICST Conference on Communications and Networking in China. Harbin , 17-19 Aug. 2011 .China: CHINACOM.. ISBN: 978-1-4577-0100-9, p1104-1109, China

Annoni, M., G. Boiero, N. Salis, H. S. Cruickshank, M. P. Howarth, and Z. Sun. "Interworking between multi-layer IPSEC and secure multicast services over GEO satellites." (2002).

Yin, R. K. (2003). Case Study Research: Design and Methods, 3rd edn. Vol. 5, Thousand Oaks,

Zhang, Y. S., 2004. A Multi-Layer IP Security Protocol for TCP. IEEE JOURNAL ON SELECTED AREAS

Zhang, Yongguang, and Bikramjit Singh. "A Multi-Layer IPSEC Protocol." In USENIX Security Symposium, vol. 9. 2000.

[Electronic Media]

http://www.etsi.org/deliver/etsi_tr/102300_102399/102376/01.01.01_60/tr_102376v010101p.pdf

http://upload.wikimedia.org/wikipedia/commons/7/74/X-37_spacecraft,_artist's_rendition.jpeg

https://www.youtube.com/watch?v=6F1xJM6neoo

http://si.wsj.net/public/resources/images/P1-AS938_Drone_D_20091216205401.jpg

http://www.etsi.org/deliver/etsi_en/302300_302399/30230701/01.04.01_60/en_30230701v010401p.pdf

http://upload.wikimedia.org/wikipedia/commons/thumb/d/d8/GSE_diagram.png/400px-GSE_diagram.png

http://www.ebay.co.uk/itm/DVBSky-S980CI-DVB-S2-USB-HD-Satellite-PC-Receiver-With-Common-Interface-Slot-/311314128181?pt=LH_DefaultDomain_3&hash=item487bc49d35

https://image-store.slidesharecdn.com/40e2e96b-80a6-43f4-b0e0-f97fc7d345bb-medium.jpeg

https://erg.abdn.ac.uk/future-net/digital-video/mpeg2-trans.html

http://www.milsatmagazine.com/cgi-bin/display_image.cgi?1391330950

https://lh4.ggpht.com/3jfcMq0FKu4D6FK9YdBqQbrwlb65uBRLMAoflxYv9VpC7C5RiYJUGlqJDFc7P13WCg=h900

http://www.acutec.com.au

http://upload.wikimedia.org/wikipedia/commons/f/f1/Shadow_200_UAV_(2).jpg

http://img.thesun.co.uk/aidemitlum/archive/01156/UFO-main_1156567a.jpg

http://upload.wikimedia.org/wikipedia/commons/8/88/Astronaut-EVA.jpg

http://www.nasa.gov

Greets to www.l33tsecurity.com and Eyeonsecurity.org for their legendary mark on security.