VSAsTer: Uncovering Inherent Security Issues in Current VSAT System Practices

Johannes Willbold, Ruhr University Bochum, Bochum, Germany
Moritz Schloegel, CISPA Helmholtz Center for Information Security, Saarbrücken, Germany
Robin Bisping, ETH Zürich, Zurich, Switzerland
Martin Strohmeier, Cyber-Defence Campus, armasuisse Science and Technology, Thun, Switzerland
Thorsten Holz, CISPA Helmholtz Center for Information Security, Saarbrücken, Germany
Vincent Lenders, Cyber-Defence Campus, armasuisse Science and Technology, Thun, Switzerland

ABSTRACT

Recent geopolitical events have exposed our critical dependence on the wireless infrastructure used to facilitate worldwide communication. State-sponsored groups are actively attacking and exploiting space-based communication networks, causing outages and serious economic damage. Despite initial research findings pointing out a lack of security, such networks enjoy growing adoption and are still placed at the heart of today’s communication infrastructure, ranging from the transportation sector over oil rigs to consumer internet. Worryingly, the command and control networks that support this satellite-based communication have received little attention from the security community so far.

This paper addresses this research gap and conducts a systematic security assessment of the Very Small Aperture Terminal (VSAT) ecosystem. More specifically, we investigate the attack surface of the underlying command and control networks and analyze the systems currently used by industry-leading vendors. Through systematic reverse engineering, we uncover a number of wide-reaching vulnerabilities that illustrate the perilous position of the satellite industry. We then systematically formulate a phase-based threat model to categorize these issues and uncover several inherently insecure design practices.

CCS CONCEPTS

• Security and privacy → Systems security; Domain-specific security and privacy architectures.

KEYWORDS

vsat, satellites, service networks, security analysis, vulnerabilities

ACM Reference Format:
Johannes Willbold, Moritz Schloegel, Robin Bisping, Martin Strohmeier, Thorsten Holz, and Vincent Lenders. 2024. VSAsTer: Uncovering Inherent Security Issues in Current VSAT System Practices. In Proceedings of the 17th ACM Conference on Security and Privacy in Wireless and Mobile Networks (WiSec ’24), May 27–30, 2024, Seoul, Republic of Korea. ACM, New York, NY, USA, 12 pages. [Link]

Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for third-party components of this work must be honored. For all other uses, contact the owner/author(s).
WiSec ’24, May 27–30, 2024, Seoul, Republic of Korea
© 2024 Copyright held by the owner/author(s).
ACM ISBN 979-8-4007-0582-3/24/05.
[Link]

WiSec ’24, May 27–30, 2024, Seoul, Republic of Korea Johannes Willbold et al.

1 INTRODUCTION

Today’s world is hard to imagine without satellites. They provide a number of crucial functions, ranging from global navigation and positioning systems to phone connections, imaging data, and general-purpose data links. Recent conflicts, such as the Russian invasion of Ukraine, have further substantiated the value of satellite images for military purposes [47], and space-based communication complemented or replaced terrestrial systems [29]. One crucial part of this critical satellite infrastructure is Very Small Aperture Terminal (VSAT) systems, which are two-way communication systems whose ground stations use dishes smaller than 3.8 meters. VSAT systems transmit voice, data, and video over satellites in geostationary orbit. As a single satellite can cover large areas of the Earth, VSAT systems are mainly used in long-distance transportation, i. e., shipping and aviation, as well as very remote places. This makes them attractive targets for attackers, in particular nation-state actors targeting critical infrastructure.

Recently, two high-profile cases of such attacks have illustrated the impact in practice: The KA-SAT incident [49], also referred to as the ViaSat incident, and the Dozor-Teleport incident. Both have taken place in the context of Russia’s war against Ukraine. On the eve of the Russian invasion, 45,000 endpoints connected to Viasat’s KA-SAT network were rendered inoperable by the AcidRain malware, not only in Ukraine but across Europe [27, 42, 49]. In June 2023, the Russian satellite communication provider Dozor-Teleport, which provides services to the Russian state and military, was knocked off the grid for 15 hours. While details are sparse, the provider blamed a breach of their cloud infrastructure, which enabled the unknown attackers to exfiltrate data and take control of the network [25, 50].

While these high-profile attacks show the criticality of VSAT networks, few technical details of the vulnerabilities exploited are publicly known. This fact is aggravated by a general lack of security research on VSAT networks. Existing research focuses on the easy-to-analyze payload traffic, i. e., the internet traffic passed through the VSAT network. This type of traffic is publicly documented and comparably easy to capture and analyze, allowing one to study the confidentiality and integrity of user data [35, 36]. However, the security of this payload has little to do with the security of the actual VSAT network itself. In particular, payload traffic and command and control traffic are separated. The latter is crucial to maintaining the VSAT network’s security properties; undermining its integrity potentially risks the entire network and, thus, critical infrastructure. The ViaSat and Dozor-Teleport incidents have shown that malicious actors have an interest in these systems and have successfully identified critical vulnerabilities that can be exploited. What remains unknown is how difficult or easy it was to penetrate these systems or how many other security vulnerabilities exist. Without a public security analysis or documentation, it is challenging to assess the state of security of VSAT systems. While existing security frameworks, such as SPARTA [46] or ESA’s SpaceShield [15], allow for retroactively modeling specific incidents once details are known, their generic nature makes the reverse process challenging: It is difficult to derive threats specific to one particular system from their universal overview. In particular, these frameworks fail to capture the intrinsic internals of VSAT networks, such as their emphasis on recoverability due to the geographical remoteness and varying volatility and persistence of configurations.

In this work, we address this research gap by systematically studying VSAT networks, in particular their command and control traffic, and the security properties of these systems. Based on our study, we derive a VSAT-specific threat taxonomy that enables a systematic security assessment of potential threats. In addition, we underpin our results by an experimental security analysis of two VSAT terminals, including one that has been targeted in a recent real-world attack. Our analysis shows that VSAT networks suffer from inherent critical security flaws that enable attackers to fully compromise them. Studying whether the attack vectors in our threat taxonomy translate into actual vulnerabilities, we find critical flaws in both analyzed VSAT terminals, demonstrating the dire state of VSAT network security. Based on the lessons learned, we discuss three inherently insecure VSAT network design practices and sketch how they could be addressed.

Contributions. In summary, our contributions are:

• We are the first to systematically analyze VSAT networks; in particular, we include the command and control traffic in our security assessment, which previous work has not considered.
• We derive a VSAT-specific threat taxonomy that allows us to systematically assess VSAT-internal threats, taking into account recoverability and varying configurations of such networks.
• We experimentally validate our taxonomy through an experimental security analysis of two VSAT systems and uncover critical vulnerabilities in both.

2 BACKGROUND

Before presenting our threat taxonomy, we provide a brief technical background on VSAT networks in general and discuss recent VSAT security incidents.

[Figure 1: VSAT Network: The VSAT hub routes the user plane traffic from the individual remote networks to the internet.]

2.1 VSAT Networks

VSAT networks are wireless networks using satellites to distribute network traffic over long distances into (potentially remote) areas. In these networks, an antenna sends the network signal to a satellite, which acts as a bent pipe and redirects the traffic to a different destination on Earth [19] (see Figure 1). Arriving at the destination, the signal is picked up by another antenna, facilitating communication between the two (or more) antennas via the satellite [8]. In a common VSAT network, a central hub acts as a gateway to the internet for the entire network. Each VSAT endpoint in the network communicates with the gateway via a satellite (or a larger constellation) using uplink (ground-to-satellite) and downlink (satellite-to-ground) traffic streams. The data stream from the hub to the endpoint is thereby called forward link and includes an uplink to the satellite followed by a downlink to the endpoint. In contrast, the return link is the traffic flow from the endpoint via an up- and downlink to the VSAT hub. We now describe VSAT network components in more detail.

VSAT Endpoint. A VSAT endpoint connects a Local Area Network (LAN) to the VSAT network. The endpoint uses an antenna with a radio transmitter and receiver. The receiver is connected via a cable to a modem device, which handles the signal processing through (de)modulation, DVB-S de/encoding, and error correction. After the signal processing, the traffic is passed on to the network management, which performs the protocol handling as usually seen in network modems and routers. As such, this part of the VSAT endpoint is also referred to as the VSAT modem, which handles the network and endpoint management protocols and often acts as a router for the local network.

VSAT Hub. The VSAT hub connects all VSAT endpoints in the VSAT network to the internet. Like endpoints, hubs consist of an antenna and network management equipment. The dimensions are several magnitudes larger than in an endpoint, as the signal strength and traffic amount of the entire network have to be processed. Due to the scale and complexity of the radio and network equipment, there is usually dedicated staff with specialized domain knowledge to operate the hub. Additionally, the hub deploys all services required to manage and configure the network and its endpoints.

[Figure 2: VSAT Endpoint Software: The network interface separates internet and C2 traffic. Components shown: Remote Site LAN, Router, PEP, Internet, Network Interface, Web Intf., C2 Traffic, Config. Updates, Telemetry.]

2.1.1 Network Traffic. VSAT network traffic is divided into user plane traffic, e.g., internet traffic, and control plane traffic, i.e., command-and-control (C2) traffic. Figure 2 highlights a VSAT endpoint’s common software components, which are split into an internet forwarding part (upper half) and a command-and-control network part (lower half). All network traffic is physically handled by the same hardware and interacts with the same VSAT network. Thus, a network interface separates internet and C2 traffic from the same physical link.

User Plane Traffic. The user plane traffic is the network’s main payload and is forwarded at the hub, e. g., to the internet. Due to the substantial latency of Geostationary Orbit (GEO) satellites, hubs provide a Performance Enhancing Proxy (PEP), which pre-acknowledges Transmission Control Protocol (TCP) connections to prevent timeout errors in user applications on the endpoint’s LAN [18, 37]. The internet traffic is often transmitted using DVB-S2, a digital broadcasting standard.

Control Plane Traffic. The hub uses the control plane, which forms the C2 network, to maintain, monitor, and configure the endpoints remotely. This network is separated from the user plane, which can either be implemented as a logical separation using, e.g., a Virtual Private Network (VPN), or as an OSI layer 2 separation that utilizes separate DVB message structures. Additionally, satellite telemetry, tracking, and command (TT&C) also utilizes a control plane, which is again entirely separate from the VSAT control plane and not the subject of this paper. The control plane is used to deploy (persistent) changes, such as software updates, key exchanges, and configurations. Finally, each endpoint provides a telemetry service that supplies the hub with Quality of Service (QoS) and status information.

2.2 VSAT Security Incidents

Recently, three security incidents have illustrated grave security issues within VSAT systems. We briefly review these incidents to motivate the need for a threat taxonomy.

KA-SAT Incident. The most high-profile VSAT incident was allegedly conducted to support the Russian invasion of Ukraine on February 24, 2022. The attackers targeted the US satellite ISP ViaSat, concretely their KA-SAT network, which supports critical infrastructures and military applications [27].

The attack left the affected endpoints incapable of accessing the network. Although the exact number of affected devices was not disclosed, ViaSat reported that around 30,000 replacement endpoints had been shipped to distributors, and the European Union Agency for Cybersecurity (ENISA) estimated that the attack impacted at least 27,000 devices. Collateral damage included the outage of remote monitoring and control for over 5,800 wind turbines in Germany, which remained offline for several weeks [10].

ViaSat’s own incident report only confirmed the attack and that the attackers executed “legitimate, targeted management commands on numerous residential modems simultaneously”, enabling them to download the AcidRain wiper malware [49]. Further open-source investigations argued that a known Fortinet vulnerability played a decisive role, as VPN appliances by the company were used by Gateway Earth Stations, control centers, and the affected endpoints [6, 42]. From here, the attackers could move laterally via the satellite network to target the vulnerable endpoints and use the built-in update mechanism to deploy the malware.

Dozor-Teleport Incident. The second attack on satellite systems to receive global attention in the context of the war against Ukraine was an attack on the Russian satellite ISP Dozor-Teleport [28]. The details remain vague even several months later. However, it is established that the website and the Dozor-Teleport network went down around 02:00 on June 29, 2023, for about 15 hours. Full normal operations were only established over a week later, on July 7, 2023. The ISP has significant upstream connections and serves power lines, oil fields, Russian military units, Northern Fleet ships, a nuclear power plant, and the Russian Federal Security Service, making a targeted attack likely [50]. Dozor-Teleport cited cloud infrastructure as a potential attack vector, which caused the ISP’s satellite terminals to fail and enabled the attackers to exfiltrate internal data [25].

Starlink DoS Attacks. As reported widely, the communication capabilities of the Starlink constellation have been playing a crucial role during the Ukraine war, enabling the Ukrainian army to communicate flexibly and effectively during front-line operations [13, 22]. This makes Starlink an obvious target, and Russia has reportedly been trying to disable it or at least reduce its reliability by jamming the Ukrainian Starlink terminals. The signal structure of the Starlink downlink has been reverse-engineered publicly [20]. Starlink has several properties that help defend against jamming and denial of service compared to legacy constellations. Besides a more effective software update capability, inherent system and hardware features such as the large number of satellites, the highly directional, comparatively small spot beams, and the ability to choose between the available satellites provide significant resilience and redundancy [13, 22, 39].

While the alleged jamming attacks fall on the side of traditional electronic warfare and are a practical cat-and-mouse game, they illustrate the exposed position of VSAT systems for both GEO and LEO constellations today.

3 VSAT THREAT TAXONOMY

Our goal is to systematically capture all software security threats, both those observed in recent incidents and potential ones relevant to VSAT systems, and enumerate them in a taxonomy. To this end, we first discuss the goals an attacker may have w.r.t. VSAT systems, introduce the security goals, and then present a threat model that accounts for the unique lifecycle phases of these systems and their attack surface.

3.1 Attacker Goals

In the first step, we identify three realistic attacker goals based on previous incidents and related work.

3.1.1 Denial of Service. Many recent real-world VSAT security incidents, all with geopolitical significance, had the goal of Denial of Service (DoS).

Endpoint. The ViaSat incident targeted the endpoints in the network: After compromising the VSAT hub, the attackers deployed malware to the endpoints that overwrote the flash memories and made it a persistent DoS. The overwritten flashes and broken recovery prompted on-site intervention, making the DoS so costly.

Hub. The service outage during the Dozor-Teleport incident indicates that attackers compromised at least parts of the VSAT hub. This shows that the VSAT hub, like in the endpoint DoS vector, is a potential target. Unlike the endpoint vector, hub services can generally be restored from a centralized place with technical experts already present. Since such attacks are usually only temporary, we classify hub DoS attacks as temporary DoS.

Link. As seen in the Starlink DoS attempts in Ukraine, attackers target the physical link of VSAT networks to disrupt operations.

3.1.2 Attacker-in-the-Middle. Pavur et al.’s research on maritime VSAT internet traffic [36] has proposed an attack where malicious actors would complete a pending TCP handshake before the legitimate hub could do so, hijacking a VSAT-established TCP connection as Attacker-in-the-Middle (AitM). In Section 4.2.3, we experimentally verify a similar VSAT link hijack.

3.1.3 Eavesdropping. Given that eavesdropping attacks can be purely passive, it is nearly impossible to verify that one has occurred. Regardless, research by Pavur et al. showed that large portions of VSAT internet traffic are unencrypted [35], making eavesdropping relatively simple from a technical standpoint. In addition, documents leaked by Snowden indicated that intelligence agencies have identified VSAT traffic as an interesting target and carry out related operations [30].

3.2 Security Goals

Based on the attacker goals and previous incidents, we formulate four primary security goals.

Recoverability. So far, whenever attackers achieve persistence on endpoints, the incident prompts intervention from maintainers to recover the assets. However, we argue that there must be a path to recover the compromised parts. For hubs, the available specialized personnel can carry out this task, but this is not the case for endpoints. Due to their (potentially very) remote location, endpoints should be able to recover from every software fault fully autonomously. Even if an endpoint’s software is entirely wiped, there must be a procedure to re-establish the broken image and reconnect to the network without the physical intervention of a human (operator). Hence, we consider recoverability as a security goal, primarily with endpoints in mind. This represents a strong requirement; however, we think it is crucial due to the nature of a VSAT network and the remote location of endpoints.

Availability. Since the VSAT network is usually the only point of connection for remote installations, it is paramount that the network service is available at all times.

Integrity. In cases where attackers establish themselves as AitM on the link, e. g., as shown by Pavur et al. [35] and our experimental security analysis (cf. Section 4), it is crucial to mitigate network traffic tampering.

Confidentiality. Confidentiality is of special relevance for VSAT networks since VSAT traffic is often broadcast over large geographical areas, which allows attackers to intercept traffic without being located close to the target.

3.3 VSAT Lifecycle Phases

We now introduce a model to describe the different lifecycle phases of VSAT systems with a strong focus on recoverability to account for the system’s remoteness and inaccessibility. The model allows us to describe different types of data persistence and volatility and how each data type can be restored after an incident. Therefore, we divide the operational time frames into five phases, where phase refers to a time frame from an endpoint’s point of view. Initially, the endpoint is (i) commissioned. Then, its regular operation cycle begins: Upon every restart, the endpoint is first (ii) initialized before entering the (iii) operational state. At times, it may be subject to (iv) maintenance. During an incident, the endpoint may be compromised and require (v) recovery.

3.3.1 Commissioning Phase. Endpoints are first introduced into a VSAT network using a commissioning process to generate information required for a first connection. There, so-called beamtables are generated, which contain information on the satellite beam, frequency, and pointing. The endpoint also receives a certificate that uniquely identifies it. For example, this certificate is used in commercial networks to verify paying customers. The commissioning phase introduces configuration that usually never changes.

3.3.2 Initialization Phase. The initialization phase supplies the endpoint with volatile and temporary configurations that change somewhat frequently and can be re-requested by the endpoint, e. g., after a restart. This information includes shared keys, which can be re-exchanged, network addresses, and layout information supplied through a protocol such as Dynamic Host Configuration Protocol (DHCP). The hub also checks if an endpoint is still eligible, e. g., if a customer is still a valid client. The phase is mostly characterized by supplying information needed for regular operation.

3.3.3 Operational Phase. An endpoint spends the overwhelming majority of its lifecycle in the operational phase, where it carries out its designed duties. This phase features two different types of traffic belonging to service operations and service control.

Service Operations. Ultimately, endpoints operate to receive network traffic, such as internet traffic transmitted using DVB-S2. This network traffic is part of the network’s service offered to the customers of the VSAT endpoint and what most research papers so far exclusively focused on [5, 35, 36, 45].

Initialization Initialization Incident Initialization

Service Operations Service Operations + Control Service Operations

Service Control Mainatenance Service Control

Comissioning Operational Operational Recovery Operational

Figure 3: Exemplary VSAT Phases Timeline: The endpoint phases can be imagined on a timeline.

Service Control. To continuously provide service operations, the 3.4 Phase-based Threat Model
hub periodically sends service control information to the endpoints. With knowledge of the different phases, we can now systematically
Such information includes QoS monitoring, Adaptive Coding and capture and categorize phase-specific threats that undermine one of
Modulation (ACM), which adapts coding and modulation (e. g., to the four security goals. Figure 5 shows all threats identified during
account for weather conditions), highly precise time synchroniza- the following discussion, as well as the interfaces we later use to
tion, and multistream control information, used to divide service model attackers and phase transitions that describe which endpoint
traffic into multiple traffic streams for different applications. This lifecycle phase can transition into which other.
information is sent every few seconds or even several times per
second often times in multi-casts.
3.4.1 Commissioning. The commissioning service adds new end-
3.3.4 Maintenance Phase. Software and firmware updates, critical points to the VSAT network. Since, at this point, the endpoint is
service signaling, and persistent configuration are managed during non-connectable, there can also be no transition to the recovery
maintenance. The phase usually performs lasting and persistent ac- phase, making recoverability not applicable. The commissioning
tions on the endpoint that can fundamentally change the operation phase’s availability can be crucial, e. g., during an ongoing incident
of the endpoint and can only be changed by another maintenance to bring a backup endpoint device online, or, considering a longer
phase or recovery phase. timescale, to replace broken endpoints. If attackers compromise
recoverability, then new terminal commissioning is the only path
3.3.5 Recovery Phase. The recovery phase is triggered automat- to reconnect remote sites to the network again. Therefore, denying
ically if an endpoint enters an invalid or non-connectable state, commissioning is referred to as endpoint installation suppression.
as shown in Figure 4. The phase should restore an endpoint to Maliciously tampering with connection-related information in-
a connectable state without requiring physical intervention. This tegrity, such as beamtables, serves the purpose of establishing a
assumes that (1) the faulty phase identifies it is currently in a non- link AitM attacker. Another attack vector targets the endpoint’s
connectable state, (2) the faulty phase successfully transitions into identity information, such as a certificate, to replace a network
the recovery phase, and (3) the recovery phase successfully recov- identity. We refer to them as network parameter replacement and
ers the endpoint. The recovery phase should be able to recover an endpoint impersonification, respectively. Attackers may compromise
endpoint from an attack, even if it has corrupted the software image confidentiality by identifying the new network user and their per-
used for regular operations or has affected the endpoint’s ability sonal information that is required to issue an identifying certificate,
to connect. During our analysis, we found that current endpoint resulting in a network user identification threat.
implementations fail to recover from security incidents targeting
the endpoint’s recoverability (cf. Section 4). 3.4.2 Initialization. This phase retrieves volatile and temporary
network information that can be recovered by re-executing this
phase. The availability of the initialization phase is critical to
supply endpoints after a restart with volatile configuration, such
Provisoning Decomission as keys, and network addresses, i. e., through DHCP. This is criti-
cal, as during incident response, an updated software image might
Non-Connectable prompt a terminal restart. The Threat against this phase’s availabil-
ity impacts the re-attachment of an endpoint, resulting in endpoint
Initialization Operations Maintenance attachment denial. Endpoint must identify faults and transition into
Connectable the recovery [Link] refer to threats that inhibit this process
and thus prevent the recoverability process as recovery denial. This
threat is not specific to the initialization phase, but applies to the
Recovery operations and maintenance phases as well. Threats against this
Non-Connectable phase’s integrity attempt to interfere with a key exchange, network
address signalling, or the endpoint authorization process. Since the
integrity (but not availability) is threatened, an attacker might at-
Figure 4: VSAT Endpoint Phases: Certain phases can move tempt to establish themselves as AitM by hijacking the mentioned
to specific other phases key exchanges or by maliciously influencing the network addresses

292
WiSec ’24, May 27–30, 2024, Seoul, Republic of Korea Johannes Willbold et al.

Non-Connectable Connectable Non-Connectable


Recovery

Decomission
Operations

Commission Initialization Service Operations Service Control Maintenance Recovery


- EP Replacement Suppression - VSAT Service Denial - Incident Response Suppression
- Endpoint Attachment Denial - Endpoint Desynchronization - Recovery Data Purging
- Endpoint Impersonification - Recovery Denial - Recovery Denial
- Recovery Denial - QoS Degradation - Recovery Denial
- Network Param. Replacement - User Plane Traffic Tampering - Endpoint Intrusion
- Network User Identification - AitM Establishment - Recovery Denial - Recovery Poisoning
- User Plane Traffic Eavesdrop. - Network Configuration Leak

Comission Interface Initialization Interface Traffic Interface Control Interface Management Interface Recovery Interface

Legend: Connection Phase Regular Phase Interface

Figure 5: VSAT Phase Threats: Each phase has associated threats and an interface to model attackers

communicated. We refer to this category as AitM establishment. Information retrieved in this phase, such as the endpoint's IP address, is usually not confidential. Exchanged keys must be confidential; however, we omit these considerations since all commonly used key exchanges assume an eavesdropping attacker.

3.4.3 Service Operations. In the service operation phase, internet traffic is routed to the endpoint, usually using DVB-S2. The availability of the network service is paramount and the core goal of all surrounding security implications, which almost all aim to ensure the uninterrupted availability of transferring network payload traffic. We summarize these availability threats as VSAT service denial. Attackers that aim to inject malicious information into legitimate user plane traffic manipulate integrity, resulting in user plane traffic tampering. Confidentiality of network traffic is paramount due to the ease of eavesdropping. User plane traffic eavesdropping deserves special attention due to the difficulties in securing TCP-based traffic for GEO VSAT systems described by Pavur et al. [37]. In essence, the long distance for GEO-based systems imposes prolonged round-trip times of 600 ms. This long delay in connection with TCP's three-way handshake results in slow and sluggish connections. Vendors compensate for this with PEPs that pre-acknowledge TCP connections to shorten round-trip times for the initial handshake to the local endpoint device. However, this requires introspection of TCP connections, making many VPN solutions, e.g., IPSec-based solutions, incompatible as they do not expose the necessary TCP headers. Instead, SATCOM vendors rely on custom TCP-header-exposing solutions, which are often proprietary with few, if any, public insights into their security.

3.4.4 Service Control. The service control manages information that is required for service operations, such as time synchronization, adaptive coding updates, and channel declarations, which are typically updated every few seconds if not multiple times a second. Service control information ensures the QoS of the service operations and keeps it operational. An attacker breaks this phase's integrity by either crafting slightly wrong messages to degrade the QoS or crafting entirely wrong packets to desynchronize the hub and endpoint, thus resulting in degraded availability through QoS degradation or endpoint desynchronization. Since information for QoS, time synchronization, and similar services does not reveal meaningful insights, we omit confidentiality considerations.

3.4.5 Maintenance Phase. The maintenance phase aims to make persisting changes on the endpoint, such as software updates or configuration changes that alter the general operations of the network. The availability of the maintenance phase is especially critical during an ongoing security incident to patch vulnerabilities or change endpoint configurations. Since all maintenance during an active incident would be related to incident response, we consider threats to the maintenance phase's availability as incident response suppression. Link AitM attackers (cf. Section 3.1.2) might compromise integrity to tamper with software updates or configuration, either to achieve persistent DoS or to escalate the attack to an endpoint-side AitM, both of which require endpoint-side software or configuration changes. As such, we refer to them as endpoint intrusion. Attackers may compromise confidentiality by leveraging a network configuration leak if they are not part of the VSAT network or if the distributed configuration differs between endpoints, to gain network insights.

3.4.6 Recovery Phase. The recovery phase aims to restore information that allows an endpoint to return to a state where it is connectable to the VSAT network. Considering that the majority of recent incidents aimed to perform a persistent DoS (cf. Section 3.1.1), the security of this phase is crucial. In our model, this phase represents the recovery plan, such that we do not discuss recoverability here. The availability of the recovery phase can either be impeded by removing the data used as a recovery source or by denying the routine that recovers this data. Hence, we refer to recovery data purging and recovery denial, respectively. Tampering with the recovery data aims to break recovery data integrity and to restore malicious instead of intended data to the device, resulting in recovery poisoning. The recovery phase can only restore data from one of the other phases. Hence, we omit specific confidentiality considerations, as each phase's confidentiality considerations apply respectively.

3.5 Phase Interfaces
To model an attacker's access to individual phases, we introduce interfaces, shown in Figure 5 as orange boxes. Each phase has one corresponding interface, either in a protected or open state. An interface is considered open if traffic from the phase is not integrity protected, constituting a trusted downlink vulnerability. Interfaces with trusted downlink can be accessed by any attacker. In contrast,

VSAsTer: Uncovering Inherent Security Issues in Current VSAT System Practices WiSec ’24, May 27–30, 2024, Seoul, Republic of Korea

Figure 6: Our attacker models vary in their ability to interact with the network and increase in strength from (a) to (c): (a) an Injection Attacker can inject traffic into antennas; (b) a Rogue VSAT Hub can inject and receive traffic from the VSAT network; (c) a (Semi-)Privileged Attacker compromises a hub service (figure not reproduced)

the protected interface requires a specific attacker model; for example, the initialization interface requires a semi-privileged attacker with access to the services emitting initialization traffic. Further, our model accounts for multi-stage attacks, where an attacker first compromises a phase, which opens access to another phase. For example, a vulnerability compromising the initialization phase might open the management interface for attackers, since an attacker-controlled maintenance service location has been specified. To illustrate this, an arrow leading from a phase block to an interface means that whatever vulnerability was identified in that phase opens an interface to an attacker. We will later demonstrate this in our experimental analysis.

3.6 Attacker Models
The previously described interfaces allow us to model attackers with varying levels of privileged access. Based on the point of attack (i.e., the link or the hub), we identify four different attackers. Notably, we disregard attackers from the endpoint's LAN.

3.6.1 Link Attacker. A link attacker injects arbitrary traffic either directly to an endpoint's antenna or via a satellite that relays the signal (cf. Figures 6a and 6b). We distinguish the link attackers based on their capability to receive both the endpoint's return link and forward link, or only the latter. Link attackers can only interfere with interfaces vulnerable to trusted downlink.

One-Way Traffic Injector. A one-way traffic injector, as shown in Figure 6a, might stand next to the victim endpoints or utilize a drone. In any case, the attacker can use a Software-Defined Radio (SDR) to emit arbitrary malicious signals and network packets into the antenna as if they were coming from the real VSAT network.

Rogue VSAT Hub. Extending the one-way traffic injector, an attacker could impersonate a VSAT hub (cf. Figure 6b), resembling a rogue base station known from mobile network security topics [3, 9]. This is significantly more complex, as an attacker must either intercept and inject traffic in the beam between endpoint and satellite or place a full ground station near the real VSAT hub.

3.6.2 Hub Attacker. We consider attackers that have compromised parts or all of the VSAT hub, letting us model incidents such as the ViaSat attacker. To avoid always assuming an omnipotent attacker, we also consider a semi-privileged attacker.

Semi-Privileged Attacker. We consider a semi-privileged attacker that compromised parts of a hub, e.g., from the internet, through a conventional cyberattack. During this process, the attacker gained control over a hub's services (cf. Figure 6c) that do not distribute persistent configuration. Hence, this semi-privileged attacker can influence traffic of the initialization and service control phase, as the configuration for these phases is by definition non-persistent and restored through a reboot. However, such an attacker may escalate privileges by exploiting vulnerabilities in other phases, as we will show in Section 4.3.

Privileged Attacker. A privileged attacker has access to all hub services, all cryptographic material, and all technical details available about the network. In our model, such an attacker may interact with all phases but the recovery phase. Hence, even though this attacker has every ability to push configuration and software updates, a well-implemented recovery phase should protect even against such powerful attackers.

The introduction of attacker models completes our threat taxonomy: We have systematically studied attackers, derived security goals suited to thwart these attacks, and surveyed how these relate to the individual lifecycle phases of a VSAT system. This way, we systematically identified all relevant threats to VSAT networks.

4 EXPERIMENTAL ANALYSIS
We now conduct an experimental security analysis of two VSAT systems based on the taxonomy previously defined.

Responsible Disclosure. Following best practices, we have responsibly disclosed our findings to the affected providers. We contacted iDirect as Newtec merged with iDirect in 2020. Following the merger, Newtec no longer appears to have an independent operational presence. We disclosed the vulnerabilities to iDirect ourselves and with the help of the Swiss National Cyber Security Centre (NCSC). iDirect recently confirmed that they received the report, and we are collaborating to provide all necessary technical details. ViaSat confirmed having received the report, but—as far as we know—has not taken any further action.

4.1 Analysis Method
We perform an experimental security assessment of two VSAT systems to explore the attack surface. We work bottom up: First,


we dump and extract the endpoint's software. Then, we start by manually reverse engineering applications related to VSAT's network handling. After reverse engineering the applications related to wireless protocol handling, we verify our understanding using an experimental test setup and injecting traffic. To avoid radio transmission of traffic, we patch the endpoint to directly receive the traffic via the LAN port. With a solid understanding of how the application communicates, we focus on the higher level and study how the application interfaces with the network to initially register to the network, receive updates, or receive configurations. Finally, we reverse engineer communication protocols (where needed) and uncover vulnerabilities in the protocol parsing logic.

Figure 7: MDM2200 Vulnerabilities: Overview of all vulnerabilities per phase and their interactions (figure not reproduced; it shows the Initialization, Control and Management Interfaces, each marked Trusted Downlink; Initialization: AitM Establishment; Operations: Endpoint Desync.; Maintenance: Endpoint Intrusion, Incident Resp. Supp., Network Conf. Leak; Recovery: Recovery Data Purging, Recovery Denial)

4.2 iDirect MDM-Series
In our first analysis, we study the MDM-series from iDirect, which deploys the Newtec Dialog VSAT network [31]. iDirect operates through resellers that buy an iDirect VSAT hub and iDirect endpoints, which are distributed to customers. iDirect's systems hold a 56% market share in commercial planes and private jets [21] as well as over 50% market share in maritime applications [11]. This dominant market position makes iDirect an interesting target, with any found issues potentially impacting a significant portion of the worldwide VSAT installations. However, it should be mentioned that the underlying Sat3Play technology in our case study certainly has a far lower market share, as iDirect is also offering other solutions such as their iDirect Velocity and Evolution.

In the following, we describe our experimental setup, followed by a brief technical analysis, a security analysis, and two proof-of-concept attacks we tested on a real device.

Experimental Setup. We conducted our experiments on a standard live setup with the iDirect MDM 2200 (NTC 22.99) endpoint connected to a commercial satellite antenna. The endpoint runs the software version [Link] from October 2014 — we ensured that the most current updates provide the same version. The endpoint had been replaced by the ISP and freshly installed in March 2021 to replace our older terminal, showing the longevity of VSAT endpoints. In total, our setup costs $500 upfront for endpoint and installation, as well as $70 monthly for active internet service over the endpoint. We further validated our analysis on a previous endpoint version (iDirect NTC 22.18), which runs the exact same software version but compiled for PowerPC, including all the same vulnerabilities. We extracted the endpoint's software by gaining initial remote code execution via a web interface command injection vulnerability. Notably, we only used this vulnerability to extract the software, not for further exploitation.

4.2.1 Technical Description. The endpoint uses a private RSA key generated during commissioning to connect to the network as part of the initialization phase. With this key, it can decrypt two session keys, one used for internet traffic and the other for C2 traffic. Interestingly, the endpoint works even without a private RSA key and uses the airmac address (equivalent to a MAC address) as the key for the internet traffic, while the C2 key is not set.

The endpoint deploys the Enhanced TCP (ETCP) protocol during the service operations phase, which relies on a Performance Enhancing Proxy (PEP) that pre-acknowledges TCP traffic. PEP was analyzed by Pavur et al. [37]. This internet traffic is encrypted using the respective key.

The service operations encompass timing packets to synchronize an exact time between hub and endpoints, packets to adapt coding and modulation, and multi-input stream identifiers that determine how an endpoint should distribute traffic across multiple channels. All of this information has to be provided continuously for uninterrupted operations.

The endpoint's maintenance phase consists of software updates and persistent endpoint configuration. To this end, the hub continuously sends update signalization packets that specify a port and multicast address on which endpoints must listen to receive the currently up-to-date software image. All software images are permanently and repeatedly broadcast, which is also referred to internally as lifeline. It provides a last chance to receive a non-corrupted software image and is therefore categorized as part of the recovery phase. Persistent endpoint configuration is performed over a custom protocol using Google's protobuf serialization format. There is a total of 15 configuration messages, including a session key message, an endpoint certification message, and a network configuration message, which sets the network addresses for the endpoint, a name server, and the internet gateway. The custom configuration messages have a field determining if a message is encrypted.

The endpoint's recovery phase internally detects a corrupted software image by calculating a checksum at boot time and switching to a redundant flash chip. From there, it then attempts to retrieve a fresh image via the lifeline. However, all aspects, including the internal boot arguments, can be modified with root access.

4.2.2 Security Analysis. We conducted a security analysis and identified five issues.

Trusted Downlink & Configuration Leak. Even when the endpoint receives a valid key for C2 traffic, it generally does not encrypt or authenticate C2 traffic. Consequently, any application sending or receiving C2 traffic must implement cryptographic protection individually. Yet, only the application responsible for configuration messages implements encryption and uses the encryption indication field in the custom protobuf-based protocol. On the contrary, software update packets are not protected, allowing attackers to broadcast arbitrary software updates through the trusted downlink


on the maintenance interface, leading to an endpoint intrusion vulnerability. Additionally, all messages from the service control phase are unprotected, allowing attackers to send arbitrary information to the control interface. Further, since many messages related to ACM and input stream identifiers are not protected through encryption, this leads to a network configuration leak.

Encryption Bypass. While the configuration message protocol is encrypted, this encryption can be bypassed. The modem handles each packet in plain text if a specific header field is set to zero. Subsequent processing steps process this packet the same as other packets that arrive encrypted. From our reverse engineering efforts, we determined this header field to be a packet counter, where the first packet (with counter zero) is unencrypted. While this poses no inherent problem on its own (and may even be required for scenarios where the first packet of a key exchange cannot be encrypted), the subsequent program logic contains a bug that allows misuse of this behavior. More precisely, the packet counter field is not validated but taken as specified in the packet (i.e., it is attacker-controlled), allowing the sending of arbitrary unencrypted packets. This causes an AitM establishment vulnerability.

Weak Cryptography. Configuration messages use Blowfish [43] in Electronic Codebook (ECB) mode, allowing attackers to re-order, add, remove, and replay blocks arbitrarily. Attackers can be reasonably assumed to have plain-text knowledge of such messages as they receive similar messages. This allows attackers to replay old configurations, leading to an incident response suppression, even if encryption was enforced.

Memory Corruption. We noticed a lack of modern software defenses, such as Address Space Layout Randomization (ASLR) or stack cookies, which mitigate consequences of memory corruption vulnerabilities. Further, discouraged C functions (e.g., strcpy or sprintf) are widely used throughout the software. After an initial analysis, we found two memory corruption vulnerabilities in the update signalization process and a tool that writes software images to the flash memory. These vulnerabilities provide attackers with root privileges. Recall that the recovery code is not separated and can be modified by a privileged user, rendering the MDM-series vulnerable to recovery data purging.

4.2.3 Proof-of-Concept Attacks. We experimentally verify the feasibility of two proof-of-concept attacks using vulnerabilities shown in Figure 7 to ensure that our previous analysis did not miss any countermeasures. For both PoCs, we use our weakest attacker possible, a one-way traffic injector (cf. Section 3.6). We tested both attacks with a full wireless setup, for which we implemented Newtec's S3P implementation of the DVB-RCS protocol. The protocol utilizes multiple forward carrier channels manually configured at each endpoint. We transmit our exploit signal on each carrier channel to target endpoints regardless of their configuration. Finally, the antenna expects signals to be transmitted on the Ku-band, which are then down-converted to L-band using a low-noise block (LNB). Since regular SDRs are usually limited to around 6 GHz, we utilize a block upconverter (BUC), specifically a UMT-TV BUC-Ku002-10.6 v2.0. The total cost of our setup is about $1000.

Privileged RCE via Signal Injection. The endpoint accepts maintenance traffic at any time, without protection, via a trusted downlink on the management interface. There, we can use a single malicious packet and leverage a memory corruption vulnerability in the software update mechanism that allows attackers to gain remote code execution on any endpoint using a single update signalization packet, thereby exploiting the endpoint intrusion. The application parses a string of an arbitrary length into a stack buffer of limited size using the sscanf function. The exploitation process is only hindered through a non-executable stack. As the program runs with root privileges, we are able to write to both redundant flash images, allowing us to wipe the recovery routine, successfully exploiting the recovery data purging vulnerability.

Moreover, a Rogue VSAT Hub attacker can send this malicious packet to all endpoints via the broadcast address over the satellite, since they are continuously listening on the lifeline. We note that an injection attacker with a sufficiently strong antenna could also break all endpoints by relaying traffic via the satellite to all endpoints. Due to ethical and legal reasons, we can obviously not test the vulnerability on the entire VSAT network. However, we verified this attack in a lab environment, targeting only our endpoint by using the broadcast address instead of the individual address.

VSAT Session Takeover. An endpoint requires a continuous stream of time synchronization packets as part of the service control phase. Sending broken packets or jamming these packets for five seconds causes the endpoint to lose synchronization with the hub, resulting in an endpoint desynchronization. The endpoint then attempts to restore the network connection by returning to the initialization phase, which accepts the following traffic without protection, resulting in a trusted downlink on the initialization interface. From there, the attacker can answer the renewed synchronization attempt before the legitimate hub can (e.g., through physical proximity), allowing the attacker to set parameters that send the traffic to the attacker. The attacker can answer the initial request from the hub and thus perform an AitM establishment from malicious parameters sent to the endpoint. Again, we experimentally verified this attack using our wireless test setup.

In summary, even the weakest attacker can take over an endpoint; a rogue hub can even take over the entire network.

4.3 ViaSat Surfbeam
We evaluate the Surfbeam 2 system from ViaSat, which was attacked in Ukraine during the ViaSat incident (cf. Section 2.2). ViaSat, a significant player in the industry, delivers satellite systems to governments, including tactical products to the US and other militaries [48]. In addition, ViaSat offers its service in many categories, such as maritime applications, in-flight connectivity (1,500 aircraft in 2021), and consumer applications, with around 600,000 subscribers in the US [48].

Experimental Setup. We conducted our analysis by purchasing a Surfbeam 2 (RM4100) on eBay for $60 after the ViaSat incident. The system used software version [Link].9 from 2017 (according to timestamps of files and information included in license files), which is the firmware version involved in the incident [42]. We obtained root access via a UART port and dumped the software [24].
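The Encryption Bypass finding of Section 4.2.2 comes down to one missing check: the receiver lets the packet decide whether it is the unencrypted first packet. The following is an added example, not code from the paper or from iDirect's protocol; the 4-byte counter header, the SHA-256-based toy keystream and all names are assumptions made only so the two receivers can be run side by side. It shows the flawed receiver accepting a forged plaintext packet mid-session and a receiver that tracks its own expected counter rejecting it.

```python
"""Added example: packet-counter handling for a configuration channel,
in the flawed form (counter trusted from the packet) and a hardened form
(receiver-side expected counter). Header layout and keystream are assumptions."""
import hashlib
import struct
from typing import Dict, Optional

HEADER = struct.Struct("!I")   # assumed header: a single 32-bit packet counter


def _keystream(key: bytes, counter: int, length: int) -> bytes:
    """Toy keystream for the example: SHA-256(key || counter || block), repeated.
    It stands in for whatever the real endpoint uses; the bypass does not depend on it."""
    out = b""
    block = 0
    while len(out) < length:
        out += hashlib.sha256(key + struct.pack("!II", counter, block)).digest()
        block += 1
    return out[:length]


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


def build_packet(counter: int, body: bytes, key: Optional[bytes]) -> bytes:
    """Counter 0 is the one packet allowed to travel in the clear; every
    later packet is encrypted under the session key."""
    if counter == 0:
        return HEADER.pack(0) + body
    assert key is not None, "encrypted packets need a session key"
    return HEADER.pack(counter) + _xor(body, _keystream(key, counter, len(body)))


class VulnerableReceiver:
    """Mirrors the flawed logic: the counter is taken from the packet, so the
    plaintext path stays reachable for the whole session."""

    def __init__(self, key: bytes) -> None:
        self.key = key

    def handle(self, packet: bytes) -> bytes:
        (counter,) = HEADER.unpack_from(packet)
        body = packet[HEADER.size:]
        if counter == 0:
            return body                          # sender-selectable branch
        return _xor(body, _keystream(self.key, counter, len(body)))


class HardenedReceiver:
    """Keeps its own expected counter. Plaintext is accepted only as the very
    first packet, and every packet must carry exactly the expected counter,
    which also rejects replays and re-ordering. (Authentication of the
    packets is still needed on top of this; the counter check alone only
    closes the bypass.)"""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.expected = 0

    def handle(self, packet: bytes) -> bytes:
        (counter,) = HEADER.unpack_from(packet)
        body = packet[HEADER.size:]
        if counter != self.expected:
            raise ValueError(f"counter {counter} but expected {self.expected}")
        plain = body if counter == 0 else _xor(body, _keystream(self.key, counter, len(body)))
        self.expected += 1
        return plain


def demo() -> Dict[str, object]:
    """Runs a constructed session through both receivers and reports whether
    a forged plaintext packet injected mid-session gets through."""
    key = b"constructed-session-key"
    bodies = [b"HELLO", b"GW=10.0.0.1"]
    session = [build_packet(0, bodies[0], None), build_packet(1, bodies[1], key)]
    forged = build_packet(0, b"GW=192.0.2.99", None)   # injected with counter forced to 0
    vuln, hard = VulnerableReceiver(key), HardenedReceiver(key)
    legit_ok = all(vuln.handle(p) == hard.handle(p) == b for p, b in zip(session, bodies))
    vuln_accepts = vuln.handle(forged) == b"GW=192.0.2.99"
    try:
        hard.handle(forged)
        hard_accepts = True
    except ValueError:
        hard_accepts = False
    return {"legit_ok": legit_ok, "vulnerable_accepts_forged": vuln_accepts,
            "hardened_accepts_forged": hard_accepts}
```

`demo()` returns `legit_ok` True for both receivers, `vulnerable_accepts_forged` True and `hardened_accepts_forged` False. The design point is that the only state which decides "encrypted or not" must live on the receiver, never in the attacker-readable header.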
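The Weak Cryptography finding (Blowfish in ECB mode) is worth seeing concretely: in ECB every block is encrypted independently, so swapping two ciphertext blocks swaps two configuration fields and nothing in the decryption notices. Below is an added example, not from the paper or the vendor: the block cipher is a toy 8-byte Feistel network built on HMAC-SHA256 that stands in for Blowfish only so the example runs offline (it is not a cipher to use), the three 8-byte fields are constructed, and the authenticated envelope (encrypt-then-MAC with a sequence number) is the kind of protection that would reject the re-ordering and the replay the paper describes.

```python
"""Added example: ECB malleability on a constructed configuration message,
and an encrypt-then-MAC envelope with sequence numbers that rejects
re-ordered and replayed messages. The block cipher is a toy stand-in."""
import hashlib
import hmac
import struct
from typing import Dict, List

BLOCK = 8
ROUNDS = 4


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    """Round function of the toy Feistel cipher (HMAC-SHA256 truncated to 4 bytes)."""
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:4]


def _encrypt_block(key: bytes, block: bytes) -> bytes:
    left, right = block[:4], block[4:]
    for rnd in range(ROUNDS):
        left, right = right, _xor(left, _f(key, rnd, right))
    return left + right


def _decrypt_block(key: bytes, block: bytes) -> bytes:
    left, right = block[:4], block[4:]
    for rnd in reversed(range(ROUNDS)):
        left, right = _xor(right, _f(key, rnd, left)), left
    return left + right


def ecb_encrypt(key: bytes, data: bytes) -> bytes:
    """ECB: each 8-byte block is encrypted on its own, so blocks can be cut and
    pasted between positions (or between messages) and still decrypt cleanly."""
    assert len(data) % BLOCK == 0
    return b"".join(_encrypt_block(key, data[i:i + BLOCK]) for i in range(0, len(data), BLOCK))


def ecb_decrypt(key: bytes, data: bytes) -> bytes:
    return b"".join(_decrypt_block(key, data[i:i + BLOCK]) for i in range(0, len(data), BLOCK))


def fields(data: bytes) -> List[bytes]:
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


class AuthenticatedChannel:
    """Encrypt-then-MAC: the tag covers seq || ciphertext, and the receiver
    insists on a strictly increasing seq, so re-ordered blocks and replayed
    messages are rejected before anything is decrypted."""

    def __init__(self, enc_key: bytes, mac_key: bytes) -> None:
        self.enc_key, self.mac_key, self.last_seq = enc_key, mac_key, -1

    def seal(self, seq: int, plain: bytes) -> bytes:
        hdr = struct.pack("!I", seq)
        ct = ecb_encrypt(self.enc_key, plain)
        return hdr + ct + hmac.new(self.mac_key, hdr + ct, hashlib.sha256).digest()

    def open(self, msg: bytes) -> bytes:
        hdr, ct, tag = msg[:4], msg[4:-32], msg[-32:]
        if not hmac.compare_digest(tag, hmac.new(self.mac_key, hdr + ct, hashlib.sha256).digest()):
            raise ValueError("bad tag")
        (seq,) = struct.unpack("!I", hdr)
        if seq <= self.last_seq:
            raise ValueError("replayed or out-of-order message")
        self.last_seq = seq
        return ecb_decrypt(self.enc_key, ct)


def demo() -> Dict[str, object]:
    key, mac_key = b"constructed-config-key", b"constructed-mac-key"
    msg = b"GW=1.1.1" + b"DN=2.2.2" + b"NM=ep-07"      # constructed 3 x 8-byte fields
    ct = ecb_encrypt(key, msg)
    c = fields(ct)
    ecb_swapped = fields(ecb_decrypt(key, c[2] + c[1] + c[0]))   # decrypts, fields swapped

    tx, rx = AuthenticatedChannel(key, mac_key), AuthenticatedChannel(key, mac_key)
    sealed = tx.seal(7, msg)
    out: Dict[str, object] = {"roundtrip_ok": ecb_decrypt(key, ct) == msg and rx.open(sealed) == msg,
                              "ecb_swapped_fields": ecb_swapped}
    b = fields(sealed[4:-32])
    tampered = sealed[:4] + b[2] + b[1] + b[0] + sealed[-32:]
    try:
        rx.open(tampered)
        out["auth_rejects_reorder"] = False
    except ValueError:
        out["auth_rejects_reorder"] = True
    try:
        rx.open(sealed)                              # same message a second time
        out["auth_rejects_replay"] = False
    except ValueError:
        out["auth_rejects_replay"] = True
    return out
```

`demo()` shows the swapped ECB ciphertext decrypting to the fields in reverse order with no error, while the authenticated channel rejects both the re-ordered message and the replayed one. The sequence number is what turns "old but valid configuration" into a detectable replay, which is the property the incident-response-suppression scenario lacks.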


Figure 8: Surfbeam Vulnerabilities: Overview of all vulnerabilities per phase and their interactions (figure not reproduced; it shows the Initialization Interface, path (1), and the Management Interface, path (2), both marked Trusted Downlink; Initialization: AitM Establishment; Maintenance: Endpoint Intrusion, Network Configuration Leak; Recovery: Recovery Data Purging, Recovery Denial)

4.3.1 Technical Analysis. The system uses DVB-S2 for the physical layer forward link and DOCSIS Media Access Control (MAC) layers for the data link layer. The MAC layer thereby consists of sublayers, including a security layer that provides an encrypted and authenticated link. The initialization phase of the endpoint includes the necessary DOCSIS messages that register the endpoint for the current session with the network, set up the public key management, receive DHCP messages, and conduct further setup. Importantly, these DHCP messages use vendor-specific options (cf. RFC 2132 [12]) to hold unconventional configuration values that can modify the URL of configuration servers. The service operations phase exchanges internet traffic with the hub and is secured by encryption and authentication via the DOCSIS MAC security layer. The service control layer exchanges messages for synchronizing timing, adjusting frequency offsets and the power level, amongst other things. The maintenance phase uses CPE WAN Management Protocol (CWMP) configuration messages and performs software updates. The updates can be downloaded via at least four different methods: through File Transfer Protocol (FTP), a script using wget, and two approaches through the CWMP client. The downloaded image is then unwrapped and decrypted using a secret key stored on the endpoint before it is installed. The recovery phase consists of a separate image download mechanism, the lifeline. The lifeline works akin to the process described for iDirect via multicast.

4.3.2 Security Analysis. Figure 8 details all the vulnerabilities we found via our threat model and the potential exploitation path.

Service Location Tampering. During the initialization phase, a semi-privileged attacker can send DHCP messages used for temporary configuration and during the endpoint's boot-up phase. Figure 8 (left) models this attacker, taking the path through the Initialization Interface (1). Notably, DHCP allows for the specification of service addresses through vendor-specific options, such as the URL of the CWMP or FTP server. Thus, an attacker can use a single DHCP message to set the URL of the FTP/CWMP server to one they control, which is an AitM establishment vulnerability.

Missing Service Authentication. Neither FTP nor CWMP clients verify that the target URL is in the VSAT hub or network range. Further, there is no server authentication towards the client, which allows an attacker to set up a rogue FTP or CWMP server and point any endpoint to it. As the URL's traffic is trusted, this is a trusted downlink into the maintenance phase, see path (2) in Figure 8. Hence, the attacker can send arbitrary packets during the maintenance phase, making them fully privileged. Further, through the CWMP client, an attacker can extract the configuration stored on the endpoint, resulting in a network configuration leak.

Update Decryption Bypass. By default, decryption of updates is only attempted for a single system vendor; even then, it can be overruled by uploading an empty, specifically named file. For other vendors, the endpoint checks for another file to enforce update decryption, overruling the default non-encryption. Removing that file essentially disables encryption. Crucially, the CWMP client on the endpoint allows the CWMP server to add and remove these files, thus bypassing all update decryption and signature requirements.

Shared Recovery Resources. Since the recovery phase relies on the same binary on the same operating system that an attacker would compromise as part of the endpoint intrusion, an attacker can arbitrarily break the lifeline recovery procedure, resulting in recovery data purging and recovery denial.

4.3.3 Proof-of-Concept Attack. We verify the exploitability of our findings. For simplicity, we tweaked the device's traffic application to accept traffic from the LAN as if it were coming from the antenna. Note that this change has no effect on exploitability but simplifies implementation.

For our PoC exploit, we assume a semi-privileged attacker that sends a malicious DHCP packet to the endpoint after putting it into the DHCP accepting mode using the respective DOCSIS dynamic service addition flow. The DHCP packet sets the address of the CWMP server using the vendor-specific DHCP options. The endpoint then restarts the CWMP client with the new address. Since the new address is not restricted, the client sends a request to the new server address, and due to missing service authentication, the client accepts the malicious CWMP server address and starts the CWMP communication. After connecting, the server instructs the client to download a new software image by providing a download URL, which is again not restricted or authenticated. Hence, the client starts downloading the image and then attempts to decrypt it if necessary, which was not the case. However, we verified that the vendor-based decryption enforcement could be bypassed by uploading the corresponding configuration file before the update. Further, since software updates are not signed, the client cannot verify if the update is legitimate. Hence, the endpoint installs the attacker-controlled image and reboots. We verified this until the step of rebooting, which we omitted to avoid any chance of breaking our terminal; however, we verified that the tampered software image was stored in the correct boot location.

Our experimental analysis of two endpoints reveals a dire state of security, allowing an attacker to take control of an endpoint and even break the recovery method in both cases.

5 INSECURE VSAT DESIGN PRACTICES
We discuss three inherently insecure VSAT network design practices we discovered during the development of our threat taxonomy and the experimental analyses.
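Before turning to the design practices, here is the endpoint-side check that the Service Location Tampering and Missing Service Authentication findings of Section 4.3.2 call for, as an added example that is not code from the paper or from ViaSat. It parses the DHCP options field and the encapsulated vendor-specific information (option 43, RFC 2132), pulls out the management-server URLs and refuses any that point outside the hub's address range. The sub-option codes 1 and 2, the hub range 10.64.0.0/16 and both sample packets are constructed for the example; the paper's recommended fix is server certificates, and this range check is a complementary, cheaper layer.

```python
"""Added example: DHCP option 43 parsing with an allow-list check on the
CWMP/FTP server URLs an endpoint would otherwise trust blindly.
Sub-option codes and the hub range are constructed, not any vendor's."""
import ipaddress
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

OPT_MSG_TYPE = 53
OPT_VENDOR_SPECIFIC = 43          # RFC 2132 vendor-specific information
SUBOPT_CWMP_URL = 1               # assumed sub-option code for the CWMP server URL
SUBOPT_FTP_URL = 2                # assumed sub-option code for the FTP update server
SUBOPT_NAMES = {SUBOPT_CWMP_URL: "cwmp_url", SUBOPT_FTP_URL: "ftp_url"}
HUB_NETWORKS = [ipaddress.ip_network("10.64.0.0/16")]   # constructed hub range


def parse_options(blob: bytes) -> Dict[int, bytes]:
    """Parse a DHCP options field (after the magic cookie) into {code: value}.
    Stops at END (255), skips PAD (0) and refuses truncated TLVs. Option 43's
    value uses the same encapsulated TLV encoding, so it is parsed with this too."""
    opts: Dict[int, bytes] = {}
    i = 0
    while i < len(blob):
        code = blob[i]
        if code == 255:
            break
        if code == 0:
            i += 1
            continue
        if i + 1 >= len(blob):
            raise ValueError("truncated option header")
        length = blob[i + 1]
        value = blob[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"truncated option {code}")
        opts[code] = value
        i += 2 + length
    return opts


def validate_server_url(url: str) -> Tuple[bool, str]:
    """Accept only http/https/ftp URLs whose host is an IP literal inside the
    hub range. Hostnames are refused on purpose: before the link is up the
    endpoint has no trusted resolver, and a name could resolve anywhere."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https", "ftp"):
        return False, f"scheme {parts.scheme!r} not allowed"
    if parts.hostname is None:
        return False, "no host in URL"
    try:
        addr = ipaddress.ip_address(parts.hostname)
    except ValueError:
        return False, "host must be an IP literal"
    if not any(addr in net for net in HUB_NETWORKS):
        return False, f"{addr} is outside the hub range"
    return True, "ok"


def management_urls(options_blob: bytes) -> Dict[str, Tuple[str, bool, str]]:
    """Extract management-server URLs from option 43 and validate each one."""
    opts = parse_options(options_blob)
    found: Dict[str, Tuple[str, bool, str]] = {}
    if OPT_VENDOR_SPECIFIC not in opts:
        return found
    for code, value in parse_options(opts[OPT_VENDOR_SPECIFIC]).items():
        if code in SUBOPT_NAMES:
            url = value.decode("ascii", "replace")
            ok, reason = validate_server_url(url)
            found[SUBOPT_NAMES[code]] = (url, ok, reason)
    return found


def build_options(items: List[Tuple[int, bytes]]) -> bytes:
    """Construct an options blob for the example (TLV list plus END)."""
    return b"".join(bytes([code, len(value)]) + value for code, value in items) + b"\xff"


# Constructed sample packets: a legitimate ACK, and one whose CWMP URL points
# at a documentation address outside the hub range.
LEGIT_OPTIONS = build_options([
    (OPT_MSG_TYPE, b"\x05"),
    (OPT_VENDOR_SPECIFIC, build_options([(SUBOPT_CWMP_URL, b"http://10.64.1.5:7547/acs"),
                                         (SUBOPT_FTP_URL, b"ftp://10.64.1.6/fw")])),
])
ROGUE_OPTIONS = build_options([
    (OPT_MSG_TYPE, b"\x05"),
    (OPT_VENDOR_SPECIFIC, build_options([(SUBOPT_CWMP_URL, b"http://192.0.2.10:7547/acs")])),
])
```

`management_urls(LEGIT_OPTIONS)` marks both URLs `ok`; `management_urls(ROGUE_OPTIONS)` flags the CWMP URL as outside the hub range, which is exactly the single DHCP message that the PoC above relies on. A client that only restarts its CWMP session after this check returns `True` closes path (1) of Figure 8 without touching the DHCP exchange itself.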
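The Shared Recovery Resources finding, and the iDirect recovery description in Section 4.2.1, both show recovery logic that the compromised image itself can disable. The following added example (not from the paper or either vendor) simulates the selector logic of an A/B boot scheme with a boot counter and a connectivity commit: a freshly installed image gets a fixed number of trial boots, and if it never reports a working hub connection the bootloader falls back to the previous image. Slot names, the retry budget of three and the health probe are constructed; the state is modelled as plain fields, whereas on a device it has to live where the running OS cannot rewrite it.

```python
"""Added example: A/B boot selector with trial-boot counting and rollback.
The selector state and the connectivity probe are simulated."""
from dataclasses import dataclass, field
from typing import Dict, List

MAX_TRIES = 3   # constructed: boots a pending image may attempt before rollback


@dataclass
class Slot:
    name: str
    version: str
    reaches_hub: bool   # simulates whether this image can re-join the network


@dataclass
class BootSelector:
    """Selector state. On a real device this must live where the running OS
    cannot rewrite it (a bootloader-owned environment or a second controller);
    otherwise a compromised image simply marks itself committed."""
    active: Slot
    standby: Slot
    pending: bool = False
    tries: int = 0
    history: List[str] = field(default_factory=list)

    def stage_update(self, version: str, reaches_hub: bool) -> None:
        """Install a new image into the standby slot and make it the trial image."""
        self.standby = Slot(self.standby.name, version, reaches_hub)
        self.active, self.standby = self.standby, self.active
        self.pending, self.tries = True, 0

    def boot(self) -> str:
        """Bootloader step: count trial boots; once the budget is spent without
        a commit, fall back to the previous image for good."""
        if self.pending:
            if self.tries >= MAX_TRIES:
                self.active, self.standby = self.standby, self.active
                self.pending, self.tries = False, 0
                self.history.append(f"rollback->{self.active.version}")
            else:
                self.tries += 1
        self.history.append(f"boot:{self.active.version}")
        return self.active.name

    def run_os(self) -> None:
        """OS step: only a successful hub connection commits a trial image."""
        if self.pending and self.active.reaches_hub:
            self.pending, self.tries = False, 0
            self.history.append(f"commit:{self.active.version}")


def simulate(update_reaches_hub: bool, cycles: int = 5) -> Dict[str, object]:
    """Stage version 2.0 over a working 1.0 and run a few boot cycles."""
    sel = BootSelector(Slot("A", "1.0", True), Slot("B", "0.9", True))
    sel.stage_update("2.0", update_reaches_hub)
    for _ in range(cycles):
        sel.boot()
        sel.run_os()
    return {"running": sel.active.version, "pending": sel.pending, "history": sel.history}
```

`simulate(False)` ends on version 1.0 after three failed trial boots and a rollback; `simulate(True)` commits 2.0 on the first successful connection. Note the limit of this mechanism: it defends against the bricking DoS that dominates the incidents in Section 3, but a malicious image that still reaches the hub passes the probe and commits itself, which is why the recovery routine also needs a root of trust separate from the image it is checking.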


Problematic Trust Hierarchies. The ViaSat experiment reveals a problem that is inherently difficult to address. While the clients on the endpoint trust the service address to be valid, this issue can be solved through certificates. More worryingly, even if such server authentication is enforced, an attacker who compromises the maintenance service can still break all endpoints in the network by distributing malicious updates, requiring on-site personnel. This aspect is captured in our taxonomy, as management interface access immediately leads to an endpoint intrusion. This shows a trust hierarchy where all endpoints must fully trust the hub. We believe this to be an inherent weakness. A solution could be decentralized approaches [16] such as witnessing [32, 44], where several endpoints would have to find software and configuration updates to be valid before co-signing them.

Inherently Broken Recovery. Our threat taxonomy underlines the importance of the recovery phase, even under adversarial circumstances. Ideally, a mechanism would test if a given software update or configuration allows for network connection and otherwise rolls back a software image or piece of configuration. This should be feasible in general, assuming that, during a DoS attack, hubs are only compromised for a limited time before dedicated staff recovers them from the incident. Such a system would require non-shared resources that an attacker cannot access with a compromised update. This would require a dedicated routine to recover from a malicious software image. Crucially, this routine must have a different root of trust on the endpoint. While existing research explores techniques to identify faulty software updates, they do not account for malicious updates [7, 38].

Unintuitive Network Designs. Our threat taxonomy reveals another problem: In our ViaSat experiment, an attacker could use a single DHCP packet to gain the ability to distribute malicious software updates. This issue arises because the packet mixes temporary configuration with typically persistent configuration, such as the URL of the FTP and CWMP server. This mix of configuration types leads to AitM establishment. While it appears trivial that an attacker who can distribute such configurations may set these URLs, this might not be obvious to someone configuring the network. A network administrator setting VPN and firewall rules knows DHCP but might be unaware of this obscure and unintuitive extension. At first glance, this problem is not VSAT-specific. However, in the VSAT industry, it is common practice that one company builds the endpoints and hubs and sells them to another company hosting the network. Due to this practice, such counterintuitive information is easily lost or buried in manuals.

Based on our results, we believe that in order to secure VSAT

have discussed attacks on LEO-based internet communication [17]. Pavur et al. have revisited the topic of VSAT and DVB-S security, proving that the same issues concerning integrity and confidentiality still exist but that impact (e.g., on maritime and aviation customers) and ease of exploitation have grown [4, 35, 36]. This is also evidenced by recent surveys in the sector: Pavur and Martinovic have outlined the history of space incidents and the need for renewed space security research efforts [34]. Tedeschi et al. investigate link-layer security in satellite communications beyond navigation satellites [45]. Finally, Yue et al. survey the literature with a focus on LEO satellite security and reliability [51].

Increased concerns over the wireless spoofing of non-authenticated satellites to unsuspecting ground users have been analyzed recently by Salkied et al. [40, 41]. Countermeasures to such threats have also been addressed recently. Oligeri et al. [33] and Jedermann et al. [23] propose transparent defense mechanisms based on physical-layer properties. Abdelsalam et al. [1] survey open problems in transparent physical layer security for satellites.

7 CONCLUSION
In this paper, we introduced a threat taxonomy that enables accurate and multi-stage modeling of attacks against VSAT systems while accounting for network-intrinsic details. We derive attacker goals from recent VSAT incidents and distill them into security goals. We emphasize the recoverability security goal, which is required to secure remote sites without possible physical intervention. Next, we divide VSAT network operations into six phases and formulate threats against each phase based on the security goals. We evaluate the practicality of our threat model using two real-world VSAT systems, one of which was involved in a recent large-scale incident. Finally, we discuss the vulnerabilities inherent in current VSAT system designs.

ACKNOWLEDGMENTS
We thank Knut Eckstein from the European Space Agency for his helpful feedback. The work was partially supported by the MKW-NRW research training group SecHuman.

REFERENCES
[1] Nora Abdelsalam, Saif Al-Kuwari, and Aiman Erbad. 2023. Physical Layer Security in Satellite Communication: State-of-the-art and Open Problems. arXiv preprint arXiv:2301.03672 (2023).
[2] André Adelsbach and Ulrich Greveler. 2005. Satellite Communication without Privacy–Attacker's Paradise. In Sicherheit 2005, Schutz und Zuverlässigkeit. Gesellschaft für Informatik e.V., 257–268.
[3] Michel Barbeau and Jean-Marc Robert. 2006. Rogue-base Station Detection in WiMax/802.16 Wireless Access Networks. Annales des Télécommunications 61 (2006), 1300–1313.
[4] Georg Baselt, Martin Strohmeier, James Pavur, Vincent Lenders, and Ivan Mar-
networks, it is at least necessary to break the aforementioned trust tinovic. 2022. Security and Privacy Issues of Satellite Communication in the
Aviation Domain. In International Conference on Cyber Conflict.
hierarchy and to enable endpoints to reliably perform recovery. [5] Przemysław Bibik, Stanisław Gradolewski, Wojciech Zawiślak, Jacek Zbudniewek,
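The configuration mix described under "Unintuitive Network Designs" can be handled on the endpoint by treating lease-scoped DHCP options and persistent provisioning endpoints differently. The following is an added example, not code from the paper or from any VSAT vendor: it decodes the RFC 2132 code/length/value option layout, applies lease data as it arrives, and accepts an FTP/TFTP server name or a CWMP ACS URL only when it matches an allow-list pinned at deployment, reporting anything else. The sample offers, the allow-list values and the sub-option number assumed to carry the ACS URL inside option 43 are constructed.

```python
"""DHCP option handling that keeps lease-scoped values apart from persistent
provisioning endpoints.

Constructed illustration: options are decoded from the RFC 2132
code/length/value layout, lease-scoped ones (mask, router, DNS, lease time)
are applied as they arrive, while provisioning endpoints (TFTP/FTP server
name, CWMP ACS URL carried in vendor-specific option 43) are accepted only
when they match an allow-list pinned at deployment. Packet bytes, the
option-43 sub-option number and the allow-list values are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

LEASE_SCOPED = {1: "subnet_mask", 3: "router", 6: "dns", 51: "lease_time", 54: "server_id"}
OPT_TFTP_SERVER, OPT_BOOTFILE, OPT_VENDOR_SPECIFIC = 66, 67, 43
ACS_URL_SUBOPTION = 1  # assumed: sub-option inside option 43 that carries the ACS URL


def parse_options(buf: bytes) -> Dict[int, bytes]:
    """Decode code/length/value triples; code 0 is padding, 255 ends the list."""
    opts: Dict[int, bytes] = {}
    i = 0
    while i < len(buf):
        code = buf[i]
        if code == 0:
            i += 1
            continue
        if code == 255:
            break
        if i + 1 >= len(buf):
            raise ValueError("truncated option header")
        length = buf[i + 1]
        value = buf[i + 2 : i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} truncated")
        opts[code] = opts.get(code, b"") + value  # repeated codes concatenate (RFC 3396)
        i += 2 + length
    return opts


def build_option(code: int, value: bytes) -> bytes:
    """Encode one option; used only to construct the sample offers below."""
    return bytes([code, len(value)]) + value


@dataclass
class ProvisioningPolicy:
    """Pinned provisioning endpoints; anything else arriving via DHCP is refused and logged."""
    allowed_tftp: set
    allowed_acs_urls: set
    alerts: List[str] = field(default_factory=list)

    def evaluate(self, opts: Dict[int, bytes]) -> Tuple[dict, dict]:
        ephemeral: dict = {}   # applied for the lifetime of the lease only
        persistent: dict = {}  # written to the modem's stored provisioning
        for code, value in opts.items():
            if code in LEASE_SCOPED:
                ephemeral[LEASE_SCOPED[code]] = value
            elif code == OPT_TFTP_SERVER:
                name = value.decode("ascii", errors="replace")
                if name in self.allowed_tftp:
                    persistent["tftp_server"] = name
                else:
                    self.alerts.append(f"refused unpinned TFTP/FTP server {name!r} from DHCP")
            elif code == OPT_VENDOR_SPECIFIC:
                for sub, sval in parse_options(value).items():
                    if sub != ACS_URL_SUBOPTION:
                        continue
                    url = sval.decode("ascii", errors="replace")
                    if url in self.allowed_acs_urls:
                        persistent["acs_url"] = url
                    else:
                        self.alerts.append(f"refused unpinned ACS URL {url!r} from DHCP option 43")
            elif code == OPT_BOOTFILE:
                self.alerts.append("ignored boot file name from DHCP; image source is fixed")
            else:
                ephemeral[f"option_{code}"] = value
        return ephemeral, persistent


def make_offer(tftp: bytes, acs_url: bytes) -> bytes:
    """Constructed DHCPOFFER option block mixing lease data with provisioning endpoints."""
    return (
        build_option(1, bytes([255, 255, 255, 0]))
        + build_option(3, bytes([10, 0, 0, 1]))
        + build_option(51, (3600).to_bytes(4, "big"))
        + build_option(OPT_TFTP_SERVER, tftp)
        + build_option(OPT_VENDOR_SPECIFIC, build_option(ACS_URL_SUBOPTION, acs_url))
        + b"\xff"
    )


def demo() -> Tuple[dict, dict]:
    """Evaluate a rogue and a legitimate offer against the same pinned policy."""
    results = []
    for tftp, acs in [(b"ftp.rogue.example", b"http://acs.rogue.example/cwmp"),
                      (b"ftp.operator.example", b"https://acs.operator.example/cwmp")]:
        policy = ProvisioningPolicy({"ftp.operator.example"}, {"https://acs.operator.example/cwmp"})
        ephemeral, persistent = policy.evaluate(parse_options(make_offer(tftp, acs)))
        results.append({"ephemeral": ephemeral, "persistent": persistent, "alerts": policy.alerts})
    return results[0], results[1]


if __name__ == "__main__":
    rogue, legit = demo()
    print("rogue offer:", rogue["persistent"], rogue["alerts"])
    print("legit offer:", legit["persistent"], legit["alerts"])
```

The `alerts` list is what an operator would forward to monitoring: a single offer that tries to move the FTP server or ACS URL is exactly the event the ViaSat experiment relied on, and with the pinned policy it is visible rather than silently persisted.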
Radoslav Darakchiev, Jerzy Krçżel, Mateusz Michalski, and Krzysztof Strzelczyk.
6 RELATED WORK 2012. Problems of Detecting Unauthorized Satellite Transmissions from the VSAT
Terminals. In 2012 Military Communications and Information Systems Conference
Adelsbach and Greveler first pointed out the significant attack sur- (MCC).
[6] Nicolò Boschetti, Nathaniel G Gordon, and Gregory Falco. 2022. Space Cyberse-
face of the unencrypted DVB-S ecosystem [2]. Later, presentations curity Lessons Learned from The ViaSat Cyberattack. In AIAA ASCEND.
at hacker conferences picked up the threat with further proof-of- [7] Stephen Brown and Cormac J Sreenan. 2009. Software Update Recovery for
concept attacks [14, 26]. In recent years, there has been renewed Wireless Sensor Networks. In International Conference on Sensor Applications,
Experimentation and Logistics.
interest in the topic, fuelled by the explosive growth of satellite [8] D.M. Chitre and J.S. McCoskey. 1988. VSAT Networks: Architectures, Protocols,
infrastructure. In the wake of these developments, Giuliari et al. and Management. IEEE Communications Magazine 26 (1988), 28–38.

WiSec ’24, May 27–30, 2024, Seoul, Republic of Korea Johannes Willbold et al.

[9] Merlin Chlosta, David Rupprecht, Thorsten Holz, and Christina Pöpper. 2019. LTE Security Disabled: Misconfiguration in Commercial Networks. In ACM Conference on Security and Privacy in Wireless and Mobile Networks (WiSec).
[10] International cyber law: interactive toolkit. 2022. Viasat KA-SAT Attack (2022) — International Cyber Law: Interactive Toolkit. [Link] [Link]?title=Viasat_KA-SAT_attack_(2022)&oldid=3408.
[11] Digital Ship. 2020. Marlink Remains Largest Retail VSAT Service Provider in 2019. [Link] item/6826-marlink-remains-largest-retail-vsat-service-provider-in-2019.
[12] Ralph Droms and Steve Alexander. 1997. DHCP Options and BOOTP Vendor Extensions. RFC 2132. [Link] [Link] [Link]/info/rfc2132.
[13] Kate Duffy. 2022. Elon Musk says Russia has stepped up efforts to jam SpaceX's Starlink in Ukraine. [Link] ramps-up-efforts-jam-starlink-ukraine-2022-5.
[14] Leonardo Egea. 2010. Playing in a Satellite Environment 1.2. http://[Link]/presentations/bh-dc-10/Nve_Leonardo/BlackHat-DC-[Link].
[15] European Space Agency. 2023. Space Attacks and Countermeasures Engineering Shield (SPACE-SHIELD). [Link]
[16] Tiago M Fernández-Caramés and Paula Fraga-Lamas. 2018. A Review on the Use of Blockchain for the Internet of Things. IEEE Access 6 (2018), 32979–33001.
[17] Giacomo Giuliari, Tommaso Ciussani, Adrian Perrig, and Ankit Singla. 2021. ICARUS: Attacking Low Earth Orbit Satellite Networks. In USENIX Annual Technical Conference (ATC).
[18] Se Gi Hong and Chi-Jiun Su. 2015. ASAP: Fast, Controllable, and Deployable Multiple Networking System for Satellite Networks. In IEEE Global Communications Conference (GLOBECOM).
[19] Yurong Hu and V.O.K. Li. 2001. Satellite-based Internet: A Tutorial. IEEE Communications Magazine 39 (2001), 154–162.
[20] Todd E Humphreys, Peter A Iannucci, Zacharias M Komodromos, and Andrew M Graff. 2023. Signal Structure of the Starlink Ku-Band Downlink. IEEE Trans. Aerospace Electron. Systems PP (2023), 1–16.
[21] iDirect. 2020. iDirect-Corporate-Fact-Sheet. [Link] uploads/2020/01/[Link].
[22] Valerie Insinna. 2022. SpaceX Beating Russian Jamming Attack was 'Eyewatering': DoD Official. Breaking Defense (2022). [Link] spacex-beating-russian-jamming-attack-was-eyewatering-dod-official/.
[23] Eric Jedermann, Martin Strohmeier, Matthias Schäfer, Jens Schmitt, and Vincent Lenders. 2021. Orbit-based Authentication using TDOA Signatures in Satellite Networks. In ACM Conference on Security and Privacy in Wireless and Mobile Networks (WiSec).
[24] Eric Johnston. 2022. KA-SAT Technical System: My Guess as to How it Works. [Link]
[25] Kratos. 2023. Threat Briefing: Russian Satellite Service Provider Dozor-Teleport Targeted by Cyberattack. [Link] russian-satellite-service-provider-dozor-teleport-targeted-by-cyberattack.
[26] Adam Laurie. 2009. $atellite Hacking for Fun & Pr0fit! Blackhat.
[27] Katrina Manson. 2023. The Satellite Hack Everyone is Finally Talking About. Bloomberg (2023). [Link] hack-ukraine/#xj4y7vzkg.
[28] Joseph Menn. 2023. Cyberattack Knocks out Satellite Communications for Russian Military. Washington Post (2023). [Link] technology/2023/06/30/satellite-hacked-russian-military/.
[29] Christopher Miller, Mark Scott, and Bryan Bender. 2022. UkraineX: How Elon Musk's Space Satellites Changed the War on the Ground. [Link] eu/article/elon-musk-ukraine-starlink/.
[30] Glyn Mood. 2016. New Snowden Leaks Reveal "Collect it All" Surveillance was Born in the UK. [Link] collect-all-signals-surveillance-born-in-uk/.
[31] newtec. 2016. MDM2200 IP Satellite Modem. [Link] uploads/2016/11/[Link].
[32] Kirill Nikitin, Eleftherios Kokoris-Kogias, Philipp Jovanovic, Nicolas Gailly, Linus Gasser, Ismail Khoffi, Justin Cappos, and Bryan Ford. 2017. CHAINIAC: Proactive Software-Update Transparency via Collectively Signed Skipchains and Verified Builds. In USENIX Security Symposium.
[33] Gabriele Oligeri, Savio Sciancalepore, and Roberto Di Pietro. 2020. GNSS Spoofing Detection via Opportunistic IRIDIUM Signals. In ACM Conference on Security and Privacy in Wireless and Mobile Networks (WiSec).
[34] James Pavur and Ivan Martinovic. 2022. Building a Launchpad for Satellite Cybersecurity Research: Lessons from 60 Years of Spaceflight. Journal of Cybersecurity (2022), tyac008.
[35] James Pavur, Daniel Moser, Vincent Lenders, and Ivan Martinovic. 2019. Secrets in the Sky: On Privacy and Infrastructure Security in DVB-S Satellite Broadband. In ACM Conference on Security and Privacy in Wireless and Mobile Networks (WiSec).
[36] James Pavur, Daniel Moser, Martin Strohmeier, Vincent Lenders, and Ivan Martinovic. 2020. A Tale of Sea and Sky: On the Security of Maritime VSAT Communications. In IEEE Symposium on Security and Privacy (S&P).
[37] JC Pavur, Martin Strohmeier, Vincent Lenders, and Ivan Martinovic. 2021. QPEP: An Actionable Approach to Secure and Performant Broadband from Geostationary Orbit. In Symposium on Network and Distributed System Security (NDSS).
[38] Alexandru Radovici, Ioana Culic, Daniel Rosner, and Flavia Oprea. 2020. A Model for the Remote Deployment, Update, and Safe Recovery for Commercial Sensor-based IoT Systems. Sensors 20 (2020), 4393.
[39] Bingyin Ren, Hailong Ge, Guangfei Xu, and Yongxin Zhang. 2023. Anti-Jamming Analysis and Application of Starlink System. In International Conference on Networking, Informatics and Computing (ICNETIC).
[40] Edd Salkield, Simon Birnbach, Sebastian Kohler, Richard Baker, Martin Strohmeier, and Ivan Martinovic. 2023. Firefly: Spoofing Earth Observation Satellite Data through Radio Overshadowing. In Workshop on the Security of Space and Satellite Systems (SpaceSec).
[41] Edd Salkield, Marcell Szakály, Joshua Smailes, Sebastian Köhler, Simon Birnbach, Martin Strohmeier, and Ivan Martinovic. 2023. Satellite Spoofing from A to Z: On the Requirements of Satellite Downlink Overshadowing Attacks. In ACM Conference on Security and Privacy in Wireless and Mobile Networks (WiSec).
[42] Ruben Santamarta. 2022. VIASAT Incident: From Speculation to Technical Details. [Link] [Link].
[43] Bruce Schneier. 1993. Description of a new variable-length key, 64-bit block cipher (Blowfish). In International Workshop on Fast Software Encryption.
[44] Ewa Syta, Iulia Tamas, Dylan Visher, David Isaac Wolinsky, Philipp Jovanovic, Linus Gasser, Nicolas Gailly, Ismail Khoffi, and Bryan Ford. 2016. Keeping Authorities "Honest or Bust" with Decentralized Witness Cosigning. In IEEE Symposium on Security and Privacy (S&P).
[45] Pietro Tedeschi, Savio Sciancalepore, and Roberto Di Pietro. 2022. Satellite-based Communications Security: A Survey of Threats, Solutions, and Research Challenges. Computer Networks 216 (2022), 109246.
[46] The Aerospace Corporation. 2023. Space Attack Research & Tactic Analysis (SPARTA). [Link]
[47] Patrick Tucker. 2022. As Satellite Images Reshape Conflict, Worries Mount About Keeping Them Safe. [Link] images-reshape-conflict-worries-mount-about-keeping-them-safe/366265/.
[48] ViaSat. 2021. Q4 FY21, Shareholder Letter. [Link] files/393791ed-ba16-4116-a556-cebf19ae5eb1.
[49] Viasat Corporate. 2022. KA-SAT Network Cyber Attack Overview. [Link] [Link]/about/newsroom/blog/ka-sat-network-cyber-attack-overview/.
[50] AJ Vicens. 2023. Russian Telecom Confirms Hack after Group Backing Wagner Boasted about an Attack. Cyberscoop (2023). [Link] satellite-hack-wagner/.
[51] Pingyue Yue, Jianping An, Jiankang Zhang, Jia Ye, Gaofeng Pan, Shuai Wang, Pei Xiao, and Lajos Hanzo. 2023. Low Earth Orbit Satellite Security and Reliability: Issues, Solutions, and the Road Ahead. IEEE Communications Surveys & Tutorials 25 (2023).
