[Paper Review] Wireless Signal Injection Attacks on VSAT Satellite Modems
VSAT Satellite Modem Vulnerability Analysis
Background Knowledge
What is VSAT?
VSAT stands for Very Small Aperture Terminal, referring to a ground station that uses a small antenna. Satellites are placed in geostationary orbit (GEO) and redirect signals to a ground-based hub station, which is connected to the internet and handles responses.
VSAT typically operates at data rates between 4 Kbps and 16 Mbps across C, Ku, and Ka frequency bands.
- C-band frequency: 3.7–4.2 GHz
- Ku-band: 12–18 GHz
- Ka-band: 26.3–39.8 GHz
It can be used for internet access on maritime vessels or in areas where cellular networks are unavailable, such as deserts, mountains, and the Arctic. In many countries outside of Korea, internet infrastructure outside major cities is limited, making satellite internet equipment like VSAT widely used in such regions.\
Three Components of VSAT
https://www.youtube.com/watch?v=NXqLMmGwJm0

Central Hub

Central Hub Located on the ground, the central hub is connected to the internet and serves as a communications hub.
Satellite
Simply relays signals from the central hub to the endpoint, and vice versa.\
Endpoint
The remote endpoint device communicates with the satellite. Data received at the endpoint is delivered to televisions, phones, computers, or other devices capable of decoding and utilizing the information.
Threat Model
1)Attack the Central Hub

The central hub is connected to the internet and processes internet data requested by endpoints. An attacker penetrates the central hub via the internet to disrupt the satellite internet network.
Attack Cases:
February 2022: Russia attacked Viasat, a satellite communications service provider, in an attempt to knock out Ukraine's satellite internet, which resulted in satellite internet outages across Europe. Conclusion: Malicious firmware was distributed from the central hub to satellite modem devices, causing internet disruption. (https://cyberconflicts.cyberpeaceinstitute.org/law-and-policy/cases/viasat) According to the company's official statement, attackers accessed the central hub through a misconfigured VPN. They then issued legitimate-looking commands to remote endpoints and rendered thousands of satellite modems inoperable.\
영상 : https://www.youtube.com/watch?v=EzO8nRVJqeg
June 2023: An attack on the satellite communications system of the Russian company Dozor-Teleport was reported. Dozor-Teleport is a Russian satellite communications provider serving various organizations, including power lines, oil fields, Russian military units, Northern Fleet vessels, nuclear power plants, and the Federal Security Service (FSB). (https://www.kratosdefense.com/constellations/articles/russian-satellite-service-provider-dozor-teleport-targeted-by-cyberattack)
2)Attacking the Satellites

Vulnerabilities existing in the satellite itself can be exploited to adversely affect satellite modems. (Ref. Satellite Cybersecurity Reconnaissance: Strategies and their Real-world Evaluation)
3)Attacking the VSAT Endpoint

A direct attack is attempted on the satellite modem at the VSAT endpoint. This section focuses on explaining attacks of this type.
Attacking the VSAT Endpoint
The VSAT modem (iDirect's Newtec MDM2200) and the protocol stack for central hub ↔ modem communication were reverse-engineered down to the physical layer. This revealed software and protocol vulnerabilities in the satellite modem.
Using SDR (Software Defined Radio), three wireless attacks against the satellite modem were implemented:
- Reset the modem
- Update a malicious firmware
- Obtain a remote admin shell
Case Study

ODU (Outdoor Unit)

IDU (Indoor Unit)

Internal Structure of the Satellite Modem – Signal Processing Flow

Demodulator
Performs demodulation of RF signals into binary data.
Digital-to-Analog Converter (DAC)
Performs modulation of digital signals into analog signals.
FPGA (Field Programmable Gate Array)
Unlike standard IC chips that always perform the same fixed operations, an FPGA allows users to freely reprogram its internal circuitry. It can implement enormous numbers of digital circuits composed of logic gates such as OR, AND, and NOR.\

Attack Vector 1: LAN Domain Vulnerability Analysis
A shell was obtained by exploiting a Command Injection vulnerability in the satellite modem's admin page.
- After gaining the shell, data flow was analyzed, and key processes were identified — including those handling satellite communication protocols and performing firmware updates.
Analysis of the s3p.ko kernel module, which handles data communicated between the satellite (more precisely, the central hub) and the modem, revealed that communications between the satellite and modem are unencrypted.
sw_download Vulnerability Analysis

-
The sw_download process opens UDP port 49152, through which firmware data is received during firmware updates.
The binary and the OS had no memory protection mechanisms such as ASLR or stack canaries.

- Inspection of firmware update packets confirmed the absence of authentication and encryption.


Analysis of the modem driver confirmed an RCE (Remote Code Execution) vulnerability in sw_download, along with the absence of encryption and authentication. Analysis of modem_controller also confirmed that encryption could be bypassed.
Attack Vector 2. RF Domain Analysis

- Physical disassembly and analysis of hardware and datasheets revealed how the hardware operates, including the existence of two separate signal processing pipelines — one for transmission and one for reception — which clarified how RF signals are processed.

- Using the previously obtained shell, the researchers analyzed how protocols are processed — which proved highly useful.
The modem communicates with the central hub using the DVB-RCS (Digital Video Broadcasting – Return Channel via Satellite) protocol, a standard protocol for satellite communications. DVB-RCS was originally widely used in the TV broadcasting domain. Protocol processing is handled by the S3P module. The implementation differs slightly from the standard specification.
DVB-S2 Packet Structure
Supports various modulation schemes including QPSK, 8PSK, and 16APSK, and uses BCH and LDPC error correction codes.
Frame Descriptions:
1. BBFrame (Base-Band Frame)
- Components: Header (frame type, length, CRC, etc.), Payload (actual data), CRC-8 (8-bit checksum for data integrity).
- Features: Fixed length per frame; optional padding data. Supports Generic Stream Mode (suitable for asynchronous data such as IP) and Transport Stream Mode (suitable for MPEG-TS).
2. FECFrame (Forward Error Correction Frame)
- Construction: BCH (Bose-Chaudhuri-Hocquenghem) code is added to BBFrame for integrity, then LDPC (Low-Density Parity-Check) is applied for high error recovery.
- Features: Fixed size — 64,800 bits (Normal Frame) or 16,200 bits (Short Frame). Provides reliable communication over long satellite link distances and high-noise environments.
3. XFECFrame (eXtended Forward Error Correction Frame)
- The final output after LDPC encoding is applied to the FECFrame. The data structure immediately before being passed to the transport layer. Direct mapping between XFECFrame and PLFrame occurs in DVB-S2.
4. PLFrame (Physical Layer Frame)
- Components: PL Header (start signal and frame type), Payload (XFECFrame data), Pilot Symbols (for synchronization).
- Features: Modulation and transmission parameters are applied at the PLFrame level. Supports QPSK, 8PSK, 16APSK, 32APSK. Optimized for satellite channel physical characteristics, supporting signal synchronization, timing recovery, and channel correction.
Summary of Full Transmission Process:
- BBFrame – Packages raw data
- FECFrame – Adds error correction codes
- XFECFrame – Extends FECFrame and finalizes transmission prep
- PLFrame – Adds modulation and synchronization; converts to actual signal
MEPG-TS

MPEG-TS (Moving Picture Experts Group – Transport Stream) is a data format designed for digital video and audio transmission, used in broadcast standards such as DVB and ATSC. It multiplexes multiple data streams into a single, larger stream.
Key Purposes:
- Real-time streaming support: Suitable for live broadcasting, IPTV, and satellite TV where error recovery is critical.
- Multiplexing: Integrates multiple audio, video, and data streams into one transport stream.
- Error recovery and verification: Designed to recover corrupted data during transmission.

- After DVB-S2 and MPEG-TS layers, communication proceeds using IP, TCP/UDP.

- The previously analyzed protocol stack was implemented using SDR and tested.

SDR Equipment
USRP B200 Used to generate and transmit RF signals (also capable of receiving and demodulating). Output frequency is limited to 70 MHz – 6 GHz.

- Block Upconverter UMT-TV BUC-Ku002-10.6 v2.0 Since the USRP B200 outputs up to 6 GHz, this device converts the USRP's IF signal to satellite frequency bands (Ku-band, C-band, Ka-band).

Power Injector UMT-TV DC Injector IDCI with IP Ctrl — Used for power supply.

Antenna UMT-TV Offset Feed Used to transmit Ku-band (12–18 GHz) and C-band (4–8 GHz) satellite signals.
Implementation Transmitter


- GNU Radio was used to implement the forward channel.

- Forward Channel: Central Hub → Satellite → Endpoint
- Return Channel: Endpoint → Satellite → Central Hub
- Downlink: Satellite → Central Hub or Endpoint
- Uplink: Central Hub or Endpoint → Satellite

- A DVB-RCS packet containing "Hello, World!" was sent to the satellite modem via GNU Radio, and the modem successfully processed the packet — confirming that the DVB-RCS signal was correctly implemented.

- This means that SDR-generated DVB-RCS packets can now be used to provide input to each of the modem's daemons. If vulnerabilities exist in those daemons, they can be triggered via the SDR-generated signals.
Attack Scenarios
1. Connection Reset
- Jamming is used to force the modem to reinitialize. If the modem fails to receive a valid signal continuously, it automatically resets the system.
2. Malicious Firmware Update

-
After the modem resets, a malicious firmware update can be mounted.
A firmware update request packet — containing firmware version, size, and port information — is sent to the swdownload daemon. If the version number is higher than the currently installed version, the modem receives firmware data via UDP port 49152 of the swdownload daemon.

Since there is no authentication or encryption for firmware update packets, malicious firmware can be uploaded with ease. In testing, a different CRC value was intentionally used to avoid bricking the device.
3. Remote Code Execution

A buffer overflow vulnerability in the swdownload process (used for firmware updates) is exploited.
The vulnerability is triggered during processing of update signal messages: received messages are copied into a buffer without size validation. The buffer is 80 bytes, so sending a message larger than 80 bytes allows overwriting the return address.
By triggering the BOF vulnerability, a shell was successfully obtained.
Demo Video

(https://www.youtube.com/watch?v=-pxmly8xeas — starting at 31:45)
The demo shows the TX LED lighting up after an RF signal is transmitted. Normally the TX LED should not be illuminated, but the attack caused it to turn on.