This is relying on the classical approach of the ground equipment operated by satellite operator or internet provider relying on satellite. The upstream and the downstream are independent from each other. Usually you have two independent channels for encapsulation : a DVB-S/DVB-S2 (with MPE encapsulation) on the downstream and a proprietary DVB-RCS (a strange concept for a standard ;-) on the upstream.
By so, it was somehow difficult to keep track of active terminal as packet encapsulation and decapsulation as this is often independent infrastructure doing so. By so, an attacker could benefit from this lack of state tracking, by injecting packet in one direction to have a functional transmission channel. This allows collateral attacks on the downstream when the traffic is unauthenticated and in clear (like some explained in the slides at BlackHat).
To limit such attacks, an authentication and encryption layer/scheme must be provided on the downstream (and a smaller scale, on the upstream). Some VSAT equipment suppliers implement such scheme (including protocol keys distribution scheme among terminals) but it's not regularly the case due to incompatibilities with existing terminals or other limitations.
I was under the impression that most satellite internet setups used regular phone lines instead of actually using a satellite uplink. Are we not talking about consumer setups here?
That was the case some years ago (and still for some old services). But a lot of new "DVB-RCS"-like services (e.g. , Newtec Sat3Play or Hughes broadband) now use the uplink as a return channel (usually in Ku or Ka band) instead of regular phone lines.
OK... Now, how about control channels and "rooting" a satellite? Because there must be some communication from the ground for things like transponder relocation and attitude control.
Even better, how about enabling the military functions in all US commercial satellites? They all have military override abilities to serve as communication backups if the primaries are taken out during war.
This could be exploited to create small mobile "pirate datacenters." Such equipment could be mounted on a small truck or RV. An entire "pirate cloud" could be established with redundant datacenters going offline to relocate. I wonder if it would be easy to hide such uplinks amongst legitimate signals and avoid detection by police in a country like China.
17-slide version: http://www.blackhat.com/presentations/bh-dc-10/Nve_Leonardo/...
105-slide version: http://www.blackhat.com/presentations/bh-dc-10/Nve_Leonardo/...