The Air Has Ears

Modern SIGINT and how insecurities with commercial satellite internet allow the west to spy on the Islamic State

The aftermath of a US coalition air strike on a Daesh military facility. Intelligence for precision attacks against ISIS as well as early warning for terror plots organized by the rogue state is likely being gathered by eavesdropping on IS’ telecom infrastructure

Recently Der Spiegel published a story on how Daesh / ISIS has been able to maintain an international communications network its territory despite the concerted military and intelligence efforts of both a US-led coalition and a Syrian/Russian task force. Daesh’s connection to the outside world has been maintained thanks to their use of commercial satellite internet.

Through straw purchases and other shady dealings with large commercial SATCOM (satellite communications) vendors, Daesh has been able to build a surprisingly robust telecom infrastructure within their rogue state. In addition to providing internet to loyal subjects of their regime, Daesh has also been able to communicate with remote agents as well as conduct black market operations to sell oil from their captured oil fields and refineries — a critical area of revenue for the regime.

Daesh has been under siege by coalition air strikes and military activity for over six months now. Der Spiegel’s article is quick to question why then the murderous regime’s satellite internet infrastructure continues to operate — seemingly with impunity. After all the first targets hit in war tend to be Command and Control (or C2) targets: mechanisms for the command infrastructure of an enemy to communicate and organize.

Given that Daesh’s connection to the outside world (and in many cases their entire telecom infrastructure) relies on dubious links to commercial satellite internet providers, why doesn’t the US and Russia just kick them offline or bomb their SATCOM equipment into oblivion?

Simple. We want them to use their satellite internet, because we’re listening to everything that they say.

An US Air Force signals intelligence officer operating a combat radio

Signals Intelligence (or “SIGINT”) is the practice of eavesdropping or even tampering with an enemy’s telecommunications infrastructure. Ever since the dawn of radio, SIGINT organizations that eavesdrop on sensitive enemy communication have been a critical part of warfare.

Effective SIGINT led to the interception and decryption of the Zimmerman Telegraph, which was a major provocation for the United States to enter into World War 1 on the side of the British Empire. The victory of the Allies in World War 2 was largely a result of effective SIGINT: both from the interception and decryption of Nazi messages by British Army SIGINT and similar eavesdropping and cryptanalysis of Imperial Japanese radio communication by US Navy forces (the latter of which was critical to the US’ victory at Midway).

It has been almost a century since British forces intercepted the Zimmerman Telegram. But modern SIGINT has remained surprisingly true to its roots.

Satellite communication, like telegraph messages of old, is comprised of radio communication transmitted over open airwaves. Anti-Daesh intelligence organizations intercept this communication and use a variety of cryptoanalytical and technological techniques to access the sensitive information held within those messages.

Satellite internet allows remote users communicate wirelessly with constellations of geostationary satellites, which mediate communications between them and ground-based gateway facilities connecting those users to the web

Accessing the internet through a satellite modem is very similar to watching satellite TV. Users have a satellite modem, which is pointed at a constellation of communication satellites held high above the earth in geostationary (or GEO) orbit. GEO satellites relay communications between remote modems and ground-based gateway facilities. These gateways connect physically to the internet, and push relayed messages from the web back to users via the same satellite constellation.

During this process, information about the user’s browsing activity (as well as any other non-HTML based internet traffic) is transmitted over open airwaves. Anyone with a radio that can interpret K-band traffic — the IEEE-defined spectrum of 18Ghz to 40Ghz reserved for satellite communication — and a powerful enough receiver can listen in on satellite communication: whether it’s mobile phone conversations, 4G LTE wireless data traffic, or satellite internet.

Because of this relative ease of intercepting satellite communication, one would think that robust cryptography or other means of hiding/scrambling data in plain sight would be used to secure satellite communication. This is however not the case with most commercial satellite internet protocols, and most satellite internet is transmitted unencrypted in the user’s uplink to the GEO constellation and the downlink of internet data from the ISP’s ground-based gateway.

A screenshot from Nve Leonardo’s BlackHat 2012 talk on hacking DVB satellite internet. With only $75, Nve was able to eavesdrop on any European satellite internet connection and even attack users via a Man in the Middle (MitM) attack

A great example of what hackers can do with commercial satellite internet can be seen in infosec researcher Nve Leonardo’s 2012 BlackHat talk on compromising DVB. DVB (or Digital Video Broadcasting) is a a family of satellite communication protocols frequently used by commercial SATCOM providers for high fidelity video and internet. DVB is ubiquitous as the means that most remote TV news correspondents are able to report “in the field” on current events, and in Europe, where many of Daesh’s ISPs originate, it is the primary protocol for satellite internet.

While DVB is great at providing HD video and internet, it contains minimal security mechanisms and no encryption. As a result, Nve was able to write a software tool that used a readily-available $75 satellite modem to eavesdrop on satellite internet traffic and interpret what data users were sending and receiving. Even more glaring, Nve showed how he could inject traffic into a user’s communication with a satellite, allowing him to tamper with webpages that a user saw or even insert malware if he so wished.

Given that all it took Nve Leonardo to compromise the most commonly used satellite internet protocol in Europe (and arguably in the world) was a modem he bought at the Spanish equivalent of Macy’s and some “1337 hax0r skillz,” one can imagine what squadrons of naval electronic warfare planes and the full intellectual horsepower of US National Security Agency can do. If ISIS is using DVB to supply their regime with internet — and they likely are — we are likely having a field day with every bit of communication they send and receive from the outside world.

The AGM-88 HARM missile: a RADAR and radio transmitter-seeking missile that serves as a particularly violent way to kick someone off their internet connection. If the US and other Western powers really wanted to knock out ISIL’s telcom infrastructure all they would need to do is fire a few of these over Syria and Northern Iraq

The insecurity of DVB and other satellite communication protocols is very convenient in this case. Daesh is a very difficult group to spy on. Having their only means of communicating with the outside world being a porous, easily hacked protocol allows us to gather critical information on their internal command structure, their military, and any terror plots they may hatch against targets abroad. And barring the use of physical “runners” to shuttle messages across ISIS’ boarders (note: these are easily tracked and neutralized thanks to drones like the Predator and the Reaper), commercial satellite internet remains the regime’s only means of communicating.

However insecurity is a double edged sword. DVB is used by many legitimate users such as rural internet users, major media companies, and cruise ships. The insecurity of this protocol allows potentially malicious hackers to intercept and tamper with such legitimate traffic, potentially causing confusion and damage in the process.

DVB is only one of many remarkably insecure satellite data protocols. Most cell phone conversations and data are easily hacked, as their only defense is a “clownshoes” encryption algorithm known as RC4

Satellite internet using DVB is by no means the only problematic commercial SATCOM protocol that’s widely used and surprisingly insecure. GSM, arguably the most common cell phone communication protocol on the planet, is “protected” by a minimal encryption protocol known as RC4.

RC4 is a stream cipher that has serious problems with how it generates shared keys. The cipher presides over many types of radio data protocols (such as WEP-based WiFi and cell conversations) due to its speed. But it also renders those communications dangerously insecure. It’s so easy to crack that breaking RC4 was an extra credit project given in my undergrad cryptography class in college.

The insecurity of satellite and radio communication protocols allows us to gather necessary intelligence on Daesh. It also allows skilled malicious hackers to potentially cause chaos and havoc with mobile data and internet essential to our way of life. This highlights the need for companies and individuals to incorporate robust software-based encryption in order to maintain their privacy, and is also a major reason why such encryption is so contentiously loathed by intelligence organizations and government agencies.

But that’s another blog post…

Like what you read? Give Andy Manoske a round of applause.

From a quick cheer to a standing ovation, clap to show how much you enjoyed this story.