Category: Satellite

Using the Don’t Look Up Tool to Eavesdrop on Insecure Private Satellite Communications

Over on YouTube, Rob VK8FOES has uploaded a video showing how to install and use the "dontlookup" open-source Linux Python research tool for evaluating satellite IP link security. Back in October, we posted about a new Wired article that discussed how many geostationary satellites are broadcasting sensitive, unencrypted data in the clear and how a cheap DVB-S2 receiver and satellite dish can be used to eavesdrop on them.

In the video, Rob discusses the new dontlookup tool, which is an excellent one-stop shop open-source tool for parsing IP data from these satellites. He goes on to show the full steps on how to install and use the tool in Linux. The end result is private internet satellite data being visible in Wireshark (blurred in the video for legal reasons). In the video description, Rob writes:

I thought I would make a video showcasing this new open-source Python tool for Linux. 'Don't look up' is the result of a research campaign conducted by a group of cyber security researchers from the USA for decoding DVB-S2 satellite data transponders.

Geostationary communications satellites are somewhat of a 'perfect target' to malicious threat actors, due to their downlink signals covering large portions of earth surface. This gives attackers are large attack surface to intercept IP traffic being transmitted from space. To most peoples surprise, little-to-no security, such as encryption, are being used on these data transponders!

This is all old news to myself, and the fans of my YouTube channel that have been following my TV-satellite hobby for the past couple of years. Most of this was already possible with consumer-grade satellite equipment and a Python application called GSExtract. However, the scope of GSExtract was a lot more narrower than that of DontLookUp, with the developers claiming to have achieved an exponential packet recovery rate compared to GSExtract.

Join me in this video today where I will be showing my users how to patch and build the TBS5927 USB satellite receiver drivers for RAW data capturing. I'll also be showcasing the software application called 'DVBV5-Zap' which interfaces with our satellite receiver to capture RAW data from a satellite. And finally, I will finish-off the video by demonstrating the actual usage of DontLookUp itself. To make the tutorial as accessible as possible, I'm doing the entire process inside a Linux virtual machine!

This tutorial will probably only work in DragonOS FocalX R37 Linux by the wonderful @cemaxecuter. You are welcome to try on other Linux distributions, but your mileage will vary! Also, due to the TBS5927 using something called a 'Isochronous Endpoint', it's only possible to use this satellite receiver via USB Passthrough in VMWare versions 17.5 and above. VirtualBox does not support Isochronous USB Endpoints in any version. It's always best to run Linux on 'bare-metal' by installing it directly to your PC's internal SSD, or running it from a bootable USB thumb drive.

Please understand that if you own an internal PCI-E satellite receiver card from TBS, it is not possible to 'pass it through' to Linux running inside in a Type-2 Hypervisor (VMware, VirtualBox etc.) Installing Linux on bare-metal is the only hope for PCI-E card owners. Thanks very much for watching!

HARDWARE:
TBS5927 USB Satellite Receiver
90cm 'Foxtel' Satellite Dish
Golden Media GM202+ LNB
Hills RG-6 Coaxial Cable (F-Type Connectors, 75 Ohm)

SOFTWARE:
VMWare Workstation 17.6.2
DragonOS FocalX R37 Linux
TBS 'Linux_Media' Drivers
'RAW Data Handling' Patch
DVBV5-Zap
DontLookUp

If you're interested in this topic, Rob's YouTube channel has many videos on this topic that are worth checking out.

Don't Look Up (No, Not The Movie): A New Research Tool To Evaluate Satellite IP Link Security!

Eavesdropping on Sensitive Data via Unencrypted Geostationary Satellites

Recently, Wired.com released an article based on research by researchers at UC San Diego and the University of Maryland, highlighting how much sensitive unencrypted data many geostationary satellites are broadcasting in the clear.

The researchers used a simple off-the-shelf 100cm Ku-band satellite dish and a TBS-5927 DVB-S/S2 USB Tuner Card as the core hardware, noting that the total hardware cost was about $800. 

Simple COTS hardware used to snoop on unencrypted satellite communications.
Simple COTS hardware used to snoop on unencrypted satellite communications.

After receiving data from various satellites, they found that a lot of the data being sent was unencrypted, and they were able to obtain sensitive data such as plaintext SMS and voice call contents from T-Mobile cellular backhaul and user internet traffic. The researchers notified T-Mobile about the vulnerability, and to their credit, turned on encryption quickly.

They were similarly able to observe uncrypted data from various other companies and organizations, too, including the US Military, the Mexican Government and Military, Walmart-Mexico, a Mexican financial institution, a Mexican bank, a Mexican electricity utility, other utilities, maritime vessels, and offshore oil and gas platforms. They were also able to snoop on users' in-flight WiFi data.

Cellular Backhaul
We observed unencrypted cellular backhaul data sent from the core network of multiple telecom providers and destined for specific cell towers in remote areas. This traffic included unencrypted calls, SMS, end user Internet traffic, hardware IDs (e.g. IMSI), and cellular communication encryption keys.

Military and Government
We observed unencrypted VoIP and internet traffic and encrypted internal communications from ships, unencrypted traffic for military systems with detailed tracking data for coastal vessel surveillance, and operations of a police force.

In‑flight Wi‑Fi
We observed unprotected passenger Internet traffic destined for in-flight Wi-Fi users on airplanes. Visible traffic included passenger web browsing (DNS lookups and HTTPS traffic), encrypted pilot flight‑information systems, and in‑flight entertainment.

VoIP
Multiple VoIP providers were using unencrypted satellite backhaul, exposing unencrypted call audio and metadata from end users.

Internal Commercial Networks
Retail, financial, and banking companies all used unencrypted satellite communications for their internal networks. We observed unencrypted login credentials, corporate emails, inventory records, and ATM networking information.

Critical Infrastructure
Power utility companies and oil and gas pipelines used GEO satellite links to support remotely operated SCADA infrastructure and power grid repair tickets.

The technical paper goes in depth into how they set up their hardware, what services and organizations they were able to eavesdrop on, and how they decoded the signals. The team notes that they have notified affected parties, and most have now implemented encryption. However, it seems that several services are still broadcasting in the clear.

A Small 11.2 GHz Motorized Radio Telescope with TV Dish and RTL-SDR

Thank you to Kaustav Bhattacharjee for writing in and submitting to us his project, where he created a small 11.2 GHz motorized radio telescope with a TV dish and an RTL-SDR. A full description of Kaustav's work can be found in a white paper he wrote on behalf of the Department of Physics at the Indian Institute of Technology Roorkee. In summary he writes:

Briefly put, the hardware Setup comprises a 66 cm parabolic dish, a standard Ku-band LNB with bias tee power injection as the frontend, an RTL-SDR V3 tuned to 1.45 GHz (due to downconversion) as the receiver and a Raspberry Pi 5 handling SDR data (via GNU radio) and stepper motor control (using GPIO pins). A heatmap of the southern sky at 0.9° resolution, showing a belt of geostationary satellites, is the primary result of interest!

We also want to point out that his rotor setup involves several 3D printed gears driven by two NEMA17 stepper motors. However, Kaustav notes that the long term resolution is limited due to cumulative backlash errors from the open-loop control scheme.

Kaustav's 11.2 GHz RTL-SDR Radio Telescope
Kaustav's 11.2 GHz RTL-SDR Radio Telescope
Geostationary satellites visualized with the radio telescope
Geostationary satellites visualized with the radio telescope

A Browsable Archive of Historical Weather Satellite Data

Thank you to Meti for writing in and sharing his browsable archive of historical weather satellite data (further information here). The archive is designed to store weather satellite data, whether in baseband IQ format, frames, or images, for scientific, educational, or preservation purposes.

With NOAA POES now fully shut down, the archive could be useful for individuals who didn't have the opportunity to decode a NOAA satellite for real, or perhaps for those who will want to relive their old hobby one day. Meti writes:

I've been working on setting a weather satellite data archive up; a lot of these incredible satellites are lost to time because people didn't save the data or had it deteriorate over the years, as has been proven with the ongoing POES decommissioning!

My goal is to create a browsable archive of historical satellite data that is downloadable and re-decodable by others who didn't and/or don't have the opportunity to catch the satellites in question themselves for scientific, educational, or just preservative purposes.

I've been working hard asking around various people and groups for the possibility of them keeping some data from as many different satellites as possible, but still have large gaps in several satellites. I was wondering if it were possible to try to publish this archival effort on the blog to try to get more outreach than word of mouth?

The archive currently stands at 430 gigabytes of data with about 100 more awaiting processing due to missing pipelines, already spanning more than 4 decades!

The archive currently stores a variety of different satellites and their data products, and some in the archive even have the raw IQ data, which occupies a significant amount of hard drive space.

However, Meti notes that many satellites are still missing from the archive, and he would like to reach out to the community for submissions. If you have any data from the following, please reach out to Meti.

GEO:
- Meteosat wefax
- Meteosat xRIT (Only have very limited data)
- GOES-N LRIT/MDL/GVAR/Sounder SD (Before it became EWS-G! So over the US)
- Elektro-L1 xRIT/RDAS

LEO:
- NOAA APT older than NOAA 12
- NOAA HRPT from any sat besides 15/18/19
- Seastar (OrbView-2) HRPT
- MetOp LRPT !!! (Metop-A transmitted for a few days) - Meteor M1 HRPT
- Meteor 3M APT/HRPT
- Meteor 1/Priroda/2 APT (other than Meteor 2-21. NOT M2!)
- FengYun 2A/B/C/D/E/F (S-)VISSR (Or LRIT)
- Fengyun 1 CHRPT

Catch-all
- Any L-band prior to ~2000
- Any VHF prior to ~1990
- Any anomalies - instrument failures leading to strange receptions (i.e. NOAA 17 failing APT broadcasts). THIS IS EXCLUDING NOAA-15 post 2020 and any user-side issues (weak reception, sample drops etc.)

You can find more information about the project and how to contribute on this linked page.

Satellite Archive. Currently over 430 GB Archived.
Satellite Archive. Currently over 430 GB Archived.

Amateur Weather Satellite Reception Beyond NOAA POES

With the recent decommissioning of NOAA POES (NOAA-15, NOAA-18, NOAA-19), many amateur weather satellite hobbyists might be asking themselves if the hobby is now dead.

While NOAA POES satellites were the easiest stepping stones into amateur weather satellite reception, the hobby has seen massive strides in enabling easier reception of other satellites over the past few years. Furthermore, in the near future, various new satellites are scheduled for launch, which should be receivable by amateurs.

Over on his blog, Jacopo has created a detailed post showing what satellites amateur hobbyists can still receive on the L-band and S-band. Some receivable satellites include Meteor-M,  Metop, Arctic Weather Satellite (AWS), STERNA, Elektro-L, GOES, EWS-G, Jason-3, UVSQSat-NG, DMSP, HINODE, ISS DATV and Proba 2.

While almost all of these satellites (apart from Meteor-M's LRPT 137 MHz signal) require a satellite dish and L-band, S-band, or X-band feed, recent products like our Discovery Dish can make setting up an L-band or S-band system significantly easier.

The Meteor-M series of satellites
The Meteor-M series of satellites

Moving SatDump Towards V2.0.0

Over on the SatDump blog developers Aang23 and Lego11 have recently uploaded a post discussing their plans to move SatDump towards Version 2.0.0. SatDump is currently the most comprehensive and popular software for SDR users wanting to decode images and data from satellites. 

The developers note that their update frequency has slowed down recently due to their focus on V2.0.0. The new version introduces significant under-the-hood changes that will make SatDump easier to manage and develop in the future, and also focuses on improved documentation.  

Users of SatDump will also see an improved GUI, new functionality such as crop, an SSTV decoder, support and improvements for a wide range of satellites, any many other improvements discussed in the post. 

We note that V2.0.0 has not yet been released. The post notes that at some point in the near future they will begin merging the new V2.0.0 branch into master, followed by frequency alpha releases, before finally releasing an official V2.0.0. 

SatDump V2.0.0 ALPHA with new GUI
SatDump V2.0.0 ALPHA with new GUI

Saveitforparts: Receiving NOAA-15 One Last Time

Over on YouTube Gabe from the saveitforparts channel has uploaded a new video discussing the decommissioning of NOAA-15 and NOAA-19. We also previously posted about this topic a few days ago, if you are interested.

NOAA-15 was scheduled to shut down on August 12, 2025, but due to anomalies with NOAA-19, the decommissioning date of NOAA-15 has been extended by a few days until the week of August 18th. NOAA-19 has recently been experiencing transmitter failures, and it may be impossible to receive signals from it at the moment, despite its expected decommissioning date of August 19, 2025.

In the video, Gabe also rushes to try and receive signals from all transmitters on NOAA-15 one last time, setting up VHF, L-Band, and S-Band receivers. He experiences some issues with weak signals, interference, and recording failures, but ultimately succeeds in capturing all three signals during one of the final passes of NOAA-15.

US Government Shutting Down More Weather Satellites

Tech Minds: Testing out Discovery Dish for Inmarsat and Hydrogen Line Radio Astronomy

Over on YouTube Matt from the Tech Minds YouTube channel has recently uploaded a new video where he tests out our Discovery Dish antenna. Discovery Dish is designed to be a low-cost, portable solution for receiving L-band and S-band weather satellites, Inmarsat satellites, conducting amateur hydrogen line radio astronomy, and more.

In the video, Matt unboxes the Discovery Dish and provides an overview of the build process before demonstrating its use in decoding AERO and STD-C messages on Inmarsat. He then shows the dish and Inmarsat feed being used to receive Iridium satellites, and how they can be decoded using iridium-extractor with a HackRF or Airspy R2.

Finally, Matt swaps out the Inmarsat feed for the Hydrogen Line feed. Using SDR#, the IF AVG plugin, and Stellarium, he was able to obtain a clear hydrogen line peak.

This Discovery Dish Is The ONLY Satellite Dish You Will Need!