Geostationary (GEO) satellites have been around for quite a while; they are commonly used for TV, mobile backhaul, defense and other purposes. A GEO satellite is usually broadcasting to a large geographical area. While an exact number cannot be given, the approximate broadcasting range of one satellite can cover up to a third of the Earth’s surface i.e. one GEO satellite can cover North America or Europe.
Major mobile operators like T‑Mobile, Vodafone, Rogers, Telmex and Orange utilize satellites for their backhaul to cover remote areas and provide a better service.
Mobile Satellite Backhaul between Base Station and Backend Server
Mobile operators typically buy satellite communication as a service and do not operate themselves. Despite the large coverage area, many satellites still to this day continue to utilize downlinks links with no encryption or extra protection for non-TV traffic. For backhaul, encryption levels vary from 10% observed scrambling on link layer to only 6% observed IPSec tunnels on network layers.
Recently, at the 39th Chaos Computer Club Conference, researchers Annie Dai, Nadia Heninger and Keegan Ryan showed in their presentation “Don’t look up: There are sensitive internal links in the clear on GEO satellites” that intercepting information from downlink GEO satellite traffic can be done using consumer-grade, off the shelf equipment and basic technical knowledge. This scanning hardware setup in total only cost the researchers less than $1000.
In a terrestrial mobile network, the backhaul between the cell tower and the telecommunication core network utilizes fiber or microwave links. Fiber interceptions usually cause network outages due to power interruption. Microwave links between high buildings are also not that easy to intercept. The backhaul consists of a control plane for setting up calls and sessions and a user plane which carries the actual data like application data, browsing etc. The network has to carry quite a huge amount of user plane data compared to the amount of control plane data. The user plane data is nowadays encrypted on application layer and the backhaul is generally considered “trusted”. For those reasons few operators encrypt the user plane on the backhaul. The control plane is considered more sensitive as it can reach deeply into the core network and “steer” actions. It is also technically much easier to protect it, as the volume is much lower compared to the user plane. Therefore, many operators chose only to encrypt the control plane with IPSec. But some operators regard the backhaul as fully trusted and apply no protection at all.
This approach of a “trusted backhaul” becomes dangerous when applied to satellite communication. The main difference is that a satellite communication is broadcasted to a whole continent and a “normal” backhaul is a dedicated cable or microwave link.
The data that the researchers intercepted and readable were from government, critical infrastructure providers, payment providers and mobile operators. From mobile operators (Telmex and T‑Mobile) they were able to extract typical backhaul data like: unencrypted SIP messaging, phone numbers and other metadata, unencrypted RTP packets with voice data. T‑Mobile took swift action and corrected their configuration error, but Telmex did not react before the 39C3 conference.
A slide about Telmex from the “Don’t Look Up” presentation at Chaos Computer Club
Many operators are using or consider using LEO (Low Earth Orbit) satellites like Starlink for resilience and coverage extension purposes. The attack presented was performed on GEO. But the reasons for focusing on GEO were pragmatic, the researchers had no experience with satellites and did not want to invest in more expensive equipment that is required for LEO, as one needs to track the movements of several satellites. While it is more technically challenging and expensive compared to stationary GEO satellites, the threshold is not that high, therefore it should be assumed that similar risks are possible for LEO. An attack is more complicated and requires more knowledge, but we don´t consider it impossible.
The recommendation is not to consider satellite backhaul to be trusted. Due to the wide area of broadcast, control and user plane traffic should be encrypted, even if there is a performance and price tag attached to it.
