
Spread Spectrum Satcom Hacking

Formal metadata

Title
Spread Spectrum Satcom Hacking
Subtitle
Attacking the Globalstar Simplex Data Service
Series title
Number of parts
109
Author
License
CC Attribution 3.0 Unported:
You may use, modify, and reproduce, distribute and make publicly available the work or its content, in unmodified or modified form, for any legal purpose, provided that you credit the author/rights holder in the manner specified by them.
Identifiers
Publisher
Year of publication
Language

Content metadata

Subject area
Genre
Abstract
Recently there have been several highly publicized talks about satellite hacking. However, most only touch on the theoretical rather than demonstrate actual vulnerabilities and real world attack scenarios. This talk will demystify some of the technologies behind satellite communications and do what no one has done before - take the audience step-by-step from reverse engineering to exploitation of the GlobalStar simplex satcom protocol and demonstrate a full blown signals intelligence collection and spoofing capability. I will also demonstrate how an attacker might simulate critical conditions in satellite connected SCADA systems. In recent years, Globalstar has gained popularity with the introduction of its consumer focused SPOT asset-tracking solutions. During the session, I'll deconstruct the transmitters used in these (and commercial) solutions and reveal design and implementation flaws that result in the ability to intercept, spoof, falsify, and intelligently jam communications. Due to design tradeoffs these vulnerabilities are realistically unpatchable and put millions of devices, critical infrastructure, emergency services, and high value assets at risk.

Speaker Bios: Colby Moore is Synack's Manager of Special Activities. He works on the oddball and difficult problems that no one else knows how to tackle and strives to embrace the attacker mindset during all engagements. He is a former employee of VRL and has identified countless 0day vulnerabilities in embedded systems and major applications. In his spare time you will find him focusing on that sweet spot where hardware and software meet, usually resulting in very interesting consequences. Twitter: @colbymoore
Duration
45:07
Transcript: English (automatically generated)
track one. This is the 1 o'clock talk as you well know. We have Colby Moore. He's going to talk about SATCOM hacking. He reportedly found some vulnerabilities in some satellites. So he's going to talk about that. This is a rerun of his talk that he gave at Black Hat. So please help me welcome Colby Moore.

Thanks guys. Good afternoon DEF CON. Thanks for coming out. So today we're going to talk about spread spectrum signals and hacking the Globalstar simplex data service. But first, who am I? I'm a mechanical engineer that loves computer security. I'm currently working at Synack on the R&D team. I got interested in satellites and radios a long time ago when I got my ham radio license. And yes ladies, that's my call sign. So radio me. I'm single. So what is this company Synack that I work for? Basically we're a new spin on security for the enterprise. We have an army of vetted security researchers out there. They hack our clients on a bounty basis for pretty crazy payouts in my opinion. So if you have spare cycles and you want to make some money, come join our red team. If you guys are concerned about security in your enterprise, come talk to us as well.

Anyway, a little introduction here. Why am I doing this? I wanted to try something new and was pretty frustrated with the lack of diversity in the talks lately. Satellites are kind of the ultimate hack. And there seems to be one satellite hacking talk just about every year. But often they're kind of theoretical. So I wanted to try to do something a little bit more concrete. So I've been doing a lot of location based privacy research at Synack and so location monitoring satellites seemed like a good fit. Bottom line, I want to take a stab at something different and hopefully inspire some collaboration on future research in this unexplored area. And I'll be releasing some tools after the talk so hopefully
we can collaborate a little bit. So what are we going to learn? We're going to talk a little bit about RF signals and modulation, about what is spread spectrum. We're going to select a target and reverse engineer it and hopefully exploit it if everything goes well. And the goal of my research here is kind of do it for less than a thousand dollars. It started as kind of a side project. I wanted to
do it on the cheap. So hopefully you guys will be able to do it too. There's quite a bit of material to cover as they mentioned but I'll zip through it. Slides will be online if you guys need to look at it later. You can e-mail me, whatever. So prerequisites. My intent is to keep it pretty high level at first but with enough detail to get you guys started. Really all you're going to need is the high
school mathematical knowledge to start taking a look at this stuff. So for you guys that came to Patrick and my talk last year, you know we like to define some key terms up front. So here we have the term, the Vegas interpretation and then its hacker meaning. So here for a chip it's a pulse of a spread spectrum code, not a poker chip. Coverage, we're not
referring to the size of your bikini. It's the area in which the satellite service is available. Recovery, I'm sure you guys are recovering this morning. But we'll be recovering the unknown PN code, spreading code from the signals. And a bent pipe, it's not a normal pipe. It refers to a
type of satellite system that repeats the data when it's sent up, it comes right back down. And then sampling, I'm sure you guys did a lot of sampling last night. But we're just going to be recording a signal digitally. So targeting, how do we choose our target? And there's a lot of potential targets out there. This doesn't even cover them all.
But picking the right one was key. You know, do we go commercial, do we go military? Bottom line, the technology needed to be consumer accessible and cheap. We're just going to do this as a side project. But I wanted something to be popular and have a really high impact. We want any vulnerabilities we find to be worthwhile. So I was familiar with Globalstar's SPOT line of consumer products, I use them
when I'm out backpacking and personally I think they're pretty great. They make asset trackers for tracking your car or your yacht and personal locator beacons to call for help when you're lost out in the wild or your ship sinking at sea or something like that. So I started looking deeper into the tech and it turns out that the commercial offerings use the same technology as the consumer tech. So basically you
could buy a $50 dirt cheap consumer device for research and the research would translate directly to all the enterprise devices out there. Not to mention anything found was going to be high impact because it's pretty widely deployed. So where is this technology used? Really it's used everywhere. It's designed to be integrated anywhere you need
low bandwidth off the grid communication. Most interestingly it's heavily used in SCADA systems, big gas and oil operations, military and predominantly asset tracking shipping containers, armored cars, expensive things. So all this tech operates on what's called the simplex data service. How does that work? In the case of asset trackers,
devices can also send back arbitrary information as well. The tracker gets its location from GPS satellites and then it beams that data and some other metadata up to the Globalstar satellites and that simply repeats the data back down into the Globalstar ground station which interprets the data packets and forwards the data on over the internet to back-end infrastructure or to the customer infrastructure for
processing. I kind of liken this to think of it as SMS for the satellite world. Just really small, concise messages. So the GlobalStar system is a series of low earth orbit bent pipe satellites. And the way a bent pipe satellite works is that whatever signal goes up, it simply repeats it, shifts it
to a different frequency and sends it right back down to be received by the ground stations. And this keeps the cost of the satellite low and future usability really flexible. But notice the data link is one direction, simplex, the simplex data network. So how the heck is that reliable? Well it turns out that each data packet is sent multiple times to ensure successful transmission. So what's the deal
with these ground stations? Turns out there's hundreds of them all around the globe and they handle the reception of the satellite data. There's also two main control centers. One is in San Jose, California. I forget where the other one is. But they're in charge of operating the actual satellites and positioning them and such. So
here's the coverage map from Globalstar's website. You can see that there's patches with no coverage out in the ocean, down in Antarctica. And that's because there's no ground station there to receive the data from the satellite. Each ground station provides up to a couple thousand mile window radius for reception. So you can see down in South Africa there's this nice blob down there. They actually just added this one maybe a couple months ago to get coverage down there.

So before I start working, I always like to do a little bit of ground work just to get the idea of a client's general security posture. So I had a look at their website and I was having issues signing up for an account and logging in. I tried to log in and it looks to me like potential SQL injection. I'm getting that warm, fuzzy hacker feeling. This is going to be a fun target to hack on. And so as I'm digging a little deeper, it turns out the data from the ground stations is made available to the clients over FTP and HTTP. Yeah, there's no S on there. So maybe it would just be easier to sniff this data over the Internet, but we're going to try to do it over the air just for the hell of it. So things are looking pretty good in general for finding some sort of bug.

So let's dig deeper into the actual satellite system itself. But where do we look for information on Globalstar's hardware? Of course, Google, you know, I think we all do it. But the FCC database turned out to be like the best wealth of information. If you have an RF transmitting device in the U.S., you need to register with the FCC to make sure you're not stepping on anyone's toes. There are a lot of academic papers on Globalstar as well. And I found a lot of integrator spec sheets, company proprietary information that was just kind of left out there. So that helped a lot. But I wanted to make sure someone else hadn't already broken the system. So I looked for some prior research. It turns out Travis Goodspeed looked at the Bluetooth protocol of one of Globalstar's devices a while back, really cool research. And then Natrium42, some guy on the Internet, maybe he's here, looked at the GPS to microcontroller interface on board an old SPOT personal locator beacon. But I wanted to dive deeper. This was all great research, but it didn't really deal with the device to satellite communications.

So again, looking at the FCC database, a chip called the STX3 kept coming up and being referenced. Turns out it's one of the transmitters used by the Simplex data network. And it was designed for integrators to put in their creations. It's low cost, low power and you can see it's wicked tiny. That's the chip itself that talks to the satellite. So there are some nice diagrams that came with this chip. And on the diagrams I kept seeing this DSSS and BPSK coming up. We'll talk about that more in a minute. I really had no idea what it was at the time, but it turns out to be pretty critical to what we're doing. So the FCC databases, they also came up with Globalstar's various frequency ranges as well as the specific range for the Globalstar Simplex data network, which we need to know. In this case, the devices we're looking at operate at around 1.6 gigahertz in frequency. So I kept digging and I found this leaked manufacturer spec sheet from a company called Axon. They used to make transmitter chips for the Globalstar Simplex data network. And it referenced all these parameters that I couldn't help feel like were important, but I had no idea what they were. So of note, let's see what it says here. We see that DSSS again and something called a 255 chip PN sequence at a rate of 1.25 megachips per second and then
reference to a data rate of 100.4 bits per second. After a little reading, it turns out these are parameters for a certain type of spread spectrum modulation, but we'll talk about that more in a minute. So before we talk about spread spectrum, we need to have a basic review of waves and modulation for those that aren't familiar. So remember that radio signals are transmitted on radio waves
and data is encoded on waves by modulating various parameters of that wave. Remember that waves have three main characteristics that we can modify. They have the wavelength, essentially the frequency, how many cycles per second the wave moves. And the phase, the position of the wave relative to a fixed point. As well as the amplitude, essentially the height of the wave. And we
can look at waves in a few different ways. You guys are probably familiar with the time domain representation of a wave, where time is on the X axis and amplitude is on the Y axis. But when we're working with signals, we often look at the frequency domain representation, where frequency is on the X axis and
amplitude is on the Y axis. So essentially, this shows us what frequency components make up a signal. If you looked at the frequency domain representation of, you know, let's say 100 kilohertz sine wave on this representation, it would show a sharp spike at 100 kilohertz on the frequency domain graph. But oftentimes, signals may contain other frequency components. So this graph may take on a very unique look for different types of signals
we're looking at. So let's start and see kind of how analog modulation is done and we'll move on from there. But we're going to look at both AM and FM, both of which you guys probably use on a regular basis in your car radios. So to send an analog AM signal, essentially you have a carrier
wave at the desired frequency you want to transmit on. And then you vary the amplitude of this frequency according to your data, the modulating signal. And the resulting signal is what gets sent out over the air and transmits whatever. Notice how we varied one parameter, in this case the amplitude, to send the data over the air. And instead of modulating the carrier in an analog fashion, we could have simply varied it between two
different amplitudes to encode a digital data signal instead. And then sending a digital data signal over AM is often called OOK for on off keying or ASK for amplitude shift keying. So we can do the same thing to frequency modulate data except we vary the carrier frequency according to
the modulating signal instead of the amplitude. So again, we could have shifted it between two distinct frequencies to encode digital data on this wave. And the method of encoding digital data on a frequency modulated wave is called FSK for frequency shift keying. So as we talked about,
digital AM is ASK or OOK and digital FM is called FSK. But we can also vary the third parameter, the phase, in a manner that's called phase shift keying. And we can do this to encode digital data on a wave. So for this talk we're going to focus on BPSK. Remember we saw that earlier in that tech
doc. It stands for binary phase shift keying. Basically it's alternating a wave 180 degrees in and out of phase in order to encode binary data on this wave. And a 180 degree phase shift is simply achieved by flipping the wave upside down or just multiplying it by negative one. So here, each cycle of the wave corresponds to one symbol, a bit
in this case. Okay, so I know it's kind of brief, but we have the necessary knowledge on how signals are modulated. So let's go one step deeper and talk about what is spread spectrum. Spread spectrum is basically a way to take a narrow band signal, one that doesn't take up too much bandwidth to transmit, and it spreads it out over a much, much, much
wider frequency range. And this gives it the ability to be much more jam resistant and introduces a property called processing gain. Essentially this processing gain, the more you spread the signal, the more gain you get at the receiving end. Essentially you can transmit further. The processing gain actually allows for a spread spectrum signal to be received even if it's below the noise floor at
the receiving point. Spreading a signal also allows for what's called CDMA properties. This stands for code division multiple access. You've probably heard about it in reference to your cell phones. What this means is that multiple devices can transmit on the same frequency at the same time and all the data can still get through. And this is achieved through the use
of each device having a unique what we call spreading code. Remember we saw something earlier in the tech doc called a PN sequence or a PN code. This is the same thing. Now there are two types of spread spectrum, DSSS and FHSS. And the difference is that the DSSS operates around one frequency as shown there on the left, whereas the FHSS hops between multiple frequencies, as you can see on the four peaks on the right. For the sake of this talk we're just going to focus on DSSS as that was referenced in the doc. So to create a DSSS signal, in this case a relatively slow BPSK signal, in the case of these transmitters a 100 bit per
second signal is mixed with a very, very, very fast pseudo-random signal, the PN sequence. And the resulting signal contains all the original information but is spread out over a much larger bandwidth. So here you can see the data BPSK signal is then spread to 1.25 megahertz. That's 12,500 times wider. Notice the shape of the
waveforms are very similar in these two. This is going to be important later. So here's a more concrete example. Our data signal is just zero and one modulated very slowly. Our pseudo-random sequence is a binary signal that changes much, much faster. The higher frequency shown there in green. And we mix those two signals together to get a resulting
signal with a much higher frequency component. You see there in the red. But how do we recover the data? You simply mix the output signal with the pseudo-random signal one more time and the original data falls right back out. So that's how this whole DSSS thing works.

So now we talked about these PN sequences briefly. Basically all they are is periodic binary codes that have strong autocorrelation properties. Meaning that they're a binary sequence that repeats over and over and over. And just as an interesting piece of information, if you guys end up trying something at home, they're commonly generated using linear feedback shift registers. So for this research we're going to look at a specific type of PN sequence called an m-sequence. Again we saw that in the original spec doc. And what's interesting about them is that they correlate strongly with themselves at a phase shift of zero. Very, very, very poorly at any other phase shift. So let's take a look. Up there on the left we're comparing a very short m-sequence. Zero, zero, zero, one. And we're comparing it to
itself. And at a phase shift of zero it has a perfect correlation of four. If we shift it once to the left, the correlation goes to zero and stays at zero until we bring it back into phase. This is nice because it makes searching for this PN sequence and any other signal very easy. We just look for it using correlation. So this spread
spectrum stuff is simple in theory but it's really more difficult in practice. In theory you simply mix the signal being received with the appropriate PN sequence and the signal will emerge. But our transmitter and our receiver are not going to be tuned to the exact same frequency. So we need to accommodate for this frequency differential somehow. Also remember, if the PN is not properly aligned with itself in the incoming data, it won't work. You'll just get a garbage signal out. So we need a way to phase align the PN sequences. So keep thinking about how we might do that, and it uses those autocorrelation properties we talked about just a while ago.

All right. So we've kind of got a little rough idea of the theory but now to put it into practice we need to actually build some hardware and do something. So to do this I use software defined radio along with Python and GNU Radio to write all my code. I also needed an appropriate antenna that I ended up getting off of eBay. So for those that wish to try this at home, just know that Globalstar antennas are left hand circular polarized. So it's a specific type of antenna that you'll need to look up. But that's a little bit out of the scope of this talk. And for those of you who are familiar with RTL-SDR, the really cheap software defined radio dongle, unfortunately you won't be able to use it for this. It doesn't cover enough bandwidth. So I use the USRP B200, a great board, you can get it for about 600 bucks. And I think a lot of the other SDRs on the market work just fine. So we also needed a low noise amplifier for receiving some weak signals and supporting cabling and voltage regulators to supply it. I got this LNA off of a company called Mini-Circuits. It was, what, 150 bucks. So not too bad. So at this point, I packaged it all up into a box because these things are pretty fragile and hackers are clumsy, or I'm clumsy, and I didn't really want to break the hardware. So anyway, I mounted the antenna on the outside of the box so we can take this thing places and aim it at things. I had it up in my Black Hat hotel room and was aiming it over at McCarran and sniffing up data from the airport. So we'll get to try that out. All right, so how
does this hardware work? Essentially, the software-defined radio listens for radio waves, which are analog, coming in and converts them to digital data that our computer can process. And it does this by taking samples of the wave. So this guy named Nyquist back in the day came to the realization that while sampling, you need to sample
at least twice as fast as a signal's highest frequency in order to accurately reproduce the signal. A real-world example of this is that the human ear can't hear frequencies higher than 20 kilohertz. And if you recall, CD audio, if you guys still use CDs, is sampled at 44.1 kilohertz. That's just over twice the human hearing frequency range.
So you should also know that software-defined radio hardware uses what's called IQ sampling, or modulation, to receive and send these signals. This topic is a little too much to get into for now, but know that for each sample of data taken, two values are recorded: the I, the in-phase value, and the Q,
the quadrature value. And using this IQ modulation has benefits for processing signals in software. But if you're interested, I suggest you check out this YouTube video. It does a really, really good job explaining it, much better than I'll be able to do. But bottom line, you don't need to understand this unless you're going to try this research at home. So the first step to decoding satellite transmissions
is to figure out that PN sequence so we can extract the data from the waves. So let's put our hardware to work. So remember that we're looking for a signal, the PN sequence, that is 255 bits in length. It repeats over and over and over again. And it repeats at a rate of 1.25 million chips per second. Here I should mention that a chip is the same thing as
a bit. We just name it differently so we can distinguish it from actual data bits. So now, interestingly enough, we can treat a DSSS spread spectrum BPSK signal the same as we treat BPSK. So check out this graph. It's kind of hard to show. But we can see that the BPSK signal above
shifts the wave at its transition, but only once every several wave cycles. The DSSS BPSK signal shifts the wave much, much, much faster, but in the same way as the BPSK signal. So this means that we can use an ordinary BPSK demodulator to receive the spread data. Now, the downside of receiving the data this way is
that we don't get any of the processing gain benefit we talked about from spreading a signal. So this technique only works over really short distances. But it's perfectly legitimate. So I was able to do this across the room, maybe 100 feet away. So to accurately receive the data, we need to set our hardware to sample the data correctly. And
we have to meet a few different criteria. First, the USRP, the software-defined radio I use, can only sample at multiples of 32 megahertz. We also need to sample twice as fast as the highest frequency component. In this case, that's the PN sequence in the signal, 1.25 megahertz, due to what Nyquist had to say. We also need to
sample at a rate that provides an even number of samples per symbol. In this case, an even number of samples per chip. So we achieve all this by sampling at a rate of 4 megahertz and then resampling the signal, essentially just interpolating data points along it, to get an upsampled signal of 5 megahertz. And what's special about this 5 megahertz signal is that it has a sampling rate that
corresponds to 4 samples per symbol, which is an even number. But now how do we get the actual PN sequence out of this data we're going to see over the air? Well, we know from doing some calculations that the PN sequence repeats 49 times for each bit of data that's sent. And since the PN sequence doesn't cross any bit boundaries, we can simply XOR the PN sequence with a fixed
bit of data, you know, the first bit of data, and the result is the actual PN code. So let's use GNU Radio to decode the signal as BPSK and it will output the appropriate data to disk. So here you can see a GNU Radio flow graph I used to do this, and you can see the PSK
demodulator has a setting of 4 samples per symbol from our calculations. So the PSK demodulator outputs the decoded symbols to a binary file that we'll then examine in a hex editor. So if you look at the data in the hex editor, we can clearly see that there's a repeating sequence of data, 255 bits long. This is starting to sound kind of familiar. Well, it turns out that repeating sequence of data
is the PN code. And it turns out this is pretty much the keys to the kingdom for intercepting all this data. This code is used by all simplex data network devices to encode the data sent over the air. So now that we have the code, let's try de-spreading some data. You may recall that we need to mix the PN code with the incoming signal to receive the
information. And if all goes well, we should expect our output signal to contain a very strong narrowband signal, shown as a sharp peak down in that graph below. So above is what the normal simplex data network signal looks like, kind of that lumpy thing. And the graphic below shows what we
should see after we de-spread the data, just that nice sharp spike in there. So now, before we begin, it's important to know that working with these signals is a very computationally intense procedure. Receiving a signal at 4 MHz with a software-defined radio works out to a data rate of about 30.5 megabytes per second. So for the purposes of this work, we're going to record the data and then post-process it
later. But eventually it will be possible to use more robust custom hardware, you know, think FPGAs, to do this work in real time. But that sounds like a pain in the butt, so we're just going to record and do it later. So big thanks to some of my interns over there for helping me optimize this code. It used to take about a minute to run. Now it takes about like 40 seconds. All right. So how do we de-spread
the data? First we need to lock on to the mixed PN sequence in the signal. And we do this by correlating the received data signal against the recovered PN at every single point in time. So essentially we're sliding the PN against the received data signal and correlating. And if we plot the correlations over time, when the PN is perfectly aligned, we'll see a sharp spike in the correlation. And that's what you're seeing up there. So this is how we know
when to mix the two signals together to de-spread the data. So if we align the PN on the first correlation spike only, then due to some frequency mismatch we'll fall out of correlation over time, as shown there on the left. So we fix this by adjusting the PN forward or backward at each and every correlation peak to ensure its alignment. At this point,
once we're in alignment, we simply mix the data together and the signal should fall out. So let's try that. So after compensating for the frequency differential there, you can see on the left that the correlation over time stays pretty constant, with a slight oscillation. But that's okay. And if we zoom in, or I guess zoom out really far, we can see the correlations over a whole data packet. And you can
see the negative and positive correlations representing actual data bits flying over the air. So if we look at the signal coming out of our software de-spreader, sure enough we see that sharp spike in the center indicative of our signal in question. This means we de-spread our data successfully, theoretically. So zooming way in on that sharp
peak, we can see that the waveform looks like a BPSK signal. It's operating at around 100 hertz, and we know that that's the data rate in question that we're looking for. So things are looking pretty promising. So now that we're maybe receiving data, let's try to decode it, like what's inside. So if we look at the time domain representation of
the signal, you can clearly see there are actual data bits coming over there. So that's satellite data. So now let's clear up the signal and do something with it. Namely, we just low-pass filter it and pipe it into a PSK demodulator. So at that point the data pretty much falls right out. You can see at the top I got this nice binary string out of that data. But we need to validate it. So I found a spec
sheet online that references the data packet format, which is shown right up there. And it starts with a preamble, essentially a constant unique binary sequence that tells the receiver when the packet is starting. And then it's followed by a manufacturer ID, as well as a bunch more data. So if we convert that manufacturer ID set of bits to decimal, sure
enough it lines up with the ESN written on the back of the device. So I'm pretty sure that means we're doing something right. So now the data packets also contain just about any information you want. And this is kind of up to the end integrator. But these devices predominantly are used to send location data in asset trackers. So everyone uses
the same data format, so it can be ingested the same on the back end. So after extensive comparison, again with some help from the interns, we figured out that bits 8 to 32 are latitude and 32 to 56 are longitude. You simply convert those binary bits to decimal and multiply by a degrees-per-count value, and that will give you the actual latitude and longitude. So I've kind of got a snippet of the code
there. It will be online later if you guys want to kind of craft your own packets. We'll talk more about that. So the data packets also contain a checksum. Long story short, we figured out how to calculate the checksum, but this means not only can we validate packets, we should be able to create our own. From what we saw in the comparison and the devices we
looked at, there was no encryption, no signing, or any other protection. So theoretically we can inject our own data back into the satellite network. So now recall that we're doing all this interception here on the data uplink from the device to the satellite. But due to the bent-pipe nature of the Globalstar satellites, the data on the downlink is exactly the same as the data on the uplink,
except we just need to compensate for a few other things like Doppler shift and multipath interference. So this is kind of an avenue for future research if any of you guys are interested in helping out. Essentially with a bigger dish, a little better hardware, we can start receiving a ton more data doing the same method. But all right, so now we've figured out these data packets. Can we
inject them back into the network? So, warning, seriously, don't transmit on Globalstar frequencies. It's probably illegal where you live and it might interfere with critical emergency communications. Fortunately, the simplex frequencies aren't used for satellite control per se. So it's not like you're going to make it fly sideways or anything. But if you wanted to transmit, that's actually the
easy part. So don't try this at home. Wink, wink. So all you do is really you simply mix the data together with the PN sequence and the carrier, all at the appropriate rates,
which are listed here in this talk. I'm not going to be providing my code that I designed, but if you're savvy enough you should be able to do it. But really all you need is about 0.2 watts of power, and you can get an appropriate amplifier on the internet for 200 bucks, and you can write the code in GNU Radio. It's pretty simple. But what if there was an easier way? Well, Globalstar provides an
OS X firmware update utility for one of their SPOT Trace devices, their personal asset trackers. And inside the application package there's a tool, spot 3 firmware tool dot jar, and it contains all sorts of interesting functionality that's never called by the actual consumer firmware updater app. So if you look in the jar there's a
debug console class which references something in the SPOT device class called write ESN, electronic serial number. So what if we wrote a Java app to call that debug console? Sure enough, hidden functionality right there in the software on their website. The debug console essentially lets us
update the ESN of any of these SPOT Trace devices out there. So we can change the serial number of these devices, essentially cloning it. I mean, think cloning cell phones, cloning whatever. So to prove this I cloned one of my SPOT trackers with the other's ESN and told it to transmit, and sure enough I got a tracking email back that confirmed, yeah, we were able to clone the device. So for
$50 you can clone satellite network devices and maybe spoof some coordinates and shenanigans. But besides the obvious of using the network to transmit your own custom data, or expanding the capabilities of your service, maybe sending more packets than you're allowed to per hour, what can
we do with the data transmission capability? Can we get in a little bit more trouble? So first, these devices are used very commonly in emergency response. So one scenario I thought of is, what if an attacker spoofed thousands of false emergencies using these devices and jammed up the emergency response center, preventing aid from getting to an actual emergency? Or what about monitoring for help requests from these devices and then
just canceling the help requests? I mean, it's kind of a dick move, but someone might do it. So I talked to a really, really well-known reporter a couple of days ago, and she used to work out in the Middle East as a correspondent for about ten years, and she said that many of the journalists out there use these SPOT devices to track their whereabouts in case they're kidnapped. So they're relying on these devices so that, you know, people know where
they are. So what if a foreign adversary was sniffing up this data and then, like, arresting our reporters, or people who are using these for their safety? Like, that's not cool. So it turns out these chips are also used in access control systems by law enforcement and even for animal tracking, so I
think it would be hilarious to say that a wild grizzly had relocated itself into suburban California and see what happens. I've also got to mention that they're used heavily in SCADA systems, and I'm going to refrain from naming any specifics because I know you guys are a bunch of hooligans and we'll probably get in some trouble, but they're commonly used in water quality sensors, pipeline
monitoring, and a lot of big oil and gas operations. So I was thinking, what if there's a big rival oil company that wanted to figure out where its competitor was drilling? Well, why not just fire up your own base station and just have a look for yourself? But wait, there's more. Lockheed Martin Flight Services, the contractor that handles flight planning for the FAA, allows these devices, these SPOT devices,
to be used to track any VFR flight. So what if an attacker made an airplane appear to deviate from its original flight plan into tightly controlled airspace? You know, I obviously haven't tried this, but it would be interesting to see what happened. So to demonstrate some of this I built a little capability which I'm going to talk a little bit about, and the way it works is that I sit with the device in
the uplink path of the transmitter and listen. So this is what I was doing in my hotel room a couple of nights ago, and over time I'm able to pick up countless transmissions from asset trackers and map their patterns of life. I did some research a year ago at ShmooCon talking about mapping patterns of life from mobile vulnerability location tracking,
and you know, we were able to monitor users over a fixed period of time and figure out where's home, where's work, just by where they are at different times of the day. So pattern of life is really key to tracking somebody, and this makes it really easy to identify what a target is and where it goes. In this case we're going to monitor an armored car route. Now that I know where the armored car is, I know
where to hijack it, and I can hijack the car, disable its beacon, and begin spoofing their beacon's ID with my transmitter and spoof GPS coordinates that the armored car is en route, when in reality I'm driving it somewhere else and robbing the bank blind. So, you know, think Fast and Furious. So you might ask, does this work?
Short answer is yes, but I needed a high vantage point. So clearly the only solution was to go out and start working on my private pilot's license so I could intercept the data from the air. So I've been flying with this thing and we're going to see where it keeps going, but the results are pretty promising so far. So I'm going to do a little demo, show you guys a little bit up close how this works. I
decided not to tempt the live demo gods today, but I've broken up the video kind of step by step so we can kind of talk about it a little bit. So bear with me here while I fire up the video. Is that up there full screen? I can't. Perfect. So we're going to wait for a data signal from an
attacker or someone to transmit, so the attacker is intercepting the data right there. So it captures the data, it writes the data out to disk, and then we're going to throw that data in our de-spreading Python program here, and I've kind of cropped the video because it takes about
a minute to analyze the data packet. So it locks on to the PN signal, and I'll finish up here, and then we can see that's a pretty constant correlation over time. That's what we're looking for. So that means we locked on to the PN signal successfully. Then we're going to throw that back into some
GNU Radio code to kind of visualize what we got, and you're going to be able to see that really sharp peak in the middle. Then we're going to zoom in up there and you'll be able to see the live data bits flying by. And then meanwhile this is writing those data bits out to disk for us to analyze. And then we're going to go ahead
and analyze those data bits. We should get the binary packet data out if all goes well. So there's the binary of the packet. Now let's throw that into the packet decoder and verifier. It will successfully validate a packet and print out its parameters. So this could all be online, as
well as some more to dive into the actual user-specific data and translate that into a latitude and longitude. So let's go back to the presentation. All right. So a couple of conclusions, a few parting thoughts for you guys. I disclosed to Globalstar's senior engineering staff about
180 days ago. And they were actually really friendly in the response and seemed very concerned. I get the impression they don't deal with a lot of these disclosures. It's not very typical. So I provided an in-depth technical write-up for them in hopes of helping out and never really heard back. After the news broke recently they issued a statement saying that they take privacy very seriously and they have monitoring in
place to detect these sorts of attacks. Unfortunately, half this attack is passive and there's no way that can be detected. And the transmitting portion, if targeted, really has a low probability of being detected. So in some of the recent statements Globalstar seemed quite defensive, and I don't know about you guys, but I tend to get a little bit upset, or find it upsetting, when manufacturers get this way rather than addressing the actual issue at hand. In my
experience these vulnerabilities are always discovered one way or another. And it's better to get them addressed sooner than later. Last year I disclosed a bug to Grindr about being able to track their users through their mobile dating app, and they said it wasn't an issue and didn't patch it. And six months later the Egyptian police got a hold of that bug through other channels and began using it to arrest gay men in Egypt. So, you know, I'd really
hate for these vulnerabilities to be used for bad, and I'd rather see that these get patched and that we're able to make these systems a lot safer for the end users. So I sincerely hope that Globalstar is serious about their statement addressing these issues, and I hope other manufacturers are paying attention as well. But I'm really looking forward to seeing the solutions, or seeing
what solutions come out of the community. Bottom line, there's still a lot of work to be done. I'm releasing my code on GitHub later. Apologies, I don't have it up yet. It's been kind of crazy here at the conference. You know, parties and things. But it will be up soon. And I'd love to collaborate on improving this whole system, maybe intercepting data on the downlink. So if any of you guys are
interested, let's work on this together. I have a feeling we're only at the tip of the iceberg of seeing where this thing is used. So we're going to start seeing a lot of interesting things fall out. So if you're interested, help out. In conclusion, I still believe Globalstar makes a good product. But there are a couple of takeaways. Remember that aerospace products, satellites and airplanes, have a long life cycle, and we're kind of stuck with
them for years to come. And the way the Globalstar system is implemented, it's not really patchable, or easily patchable. You know, a lot of the devices don't support firmware upgrades. Or they're so far out in the boonies that it's not realistic. So the best thing to do going forward is to add a layer of encryption on top of this existing protocol. And remember that obscurity is not security. Spread spectrum alone won't protect your data. And
consumers, just assume someone can snoop on your data and act accordingly. I think we hear this a lot. Hold manufacturers to a higher standard. Demand security. And if not, demand to know how your data is being transmitted. Is it encrypted? If not, how so? So big thanks to the interns over there for
helping out with testing and code optimization. Yeah. Thanks, guys. And then to Synack as well for funding this crazy research. But yeah, the code will be live later. Hit me up if it doesn't come up. Feel free to email me, tweet me. I know this is a lot to cover. I'm always happy to talk. So thanks for coming out. Questions,
comments? We got five minutes. Can we use the bent pipe to tunnel information, or, like, you know, from one location to another, sneak in some information? Are you saying, can
we use the bent pipe to send other information? That's a question. I don't recommend it. But there's nothing... I mean, someone probably is. You'd have to speculate. But yeah, it really repeats anything it hears on that 1.6 gigahertz range and beams it back down on about 7 gigahertz, so you can build your own receiver and use your own personal satellite
network. So, like, does it need to be on a particular protocol, or, like, a packet structure, or, like, does it transmit anything that it receives? I'm sorry, I missed that. Does it need to be encoded in a specific format? So the data can really be in any format. The bent pipe doesn't do any interpretation. It's just simply a repeater. So it would probably need to be
some sort of spread spectrum in order to get it over that distance. But you could use a model very similar to what they're doing here. Thank you. Anyone else? Feel free to come up after. Cool. Thanks, guys. Appreciate it.
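To make the de-spreading steps described in the talk concrete (255-chip sequence, 49 repetitions per bit, sliding correlation to find the PN phase, then mixing and integrating), here is a small simulation added as an illustration; it is not the speaker's code, and the PN is a constructed LFSR m-sequence standing in for the real one. It spreads a few constructed data bits, captures them at an unknown chip phase under heavy per-chip noise, recovers the phase by correlation, and integrates each bit, which shows both the processing gain and the closing point of the talk: once the sequence is known, spreading alone hides nothing.

```python
import random

PN_LEN = 255          # chips per PN period (the talk's 255-bit sequence)
REPS_PER_BIT = 49     # PN repetitions per data bit, as stated in the talk
CHIPS_PER_BIT = PN_LEN * REPS_PER_BIT


def make_pn(taps=(8, 6, 5, 4), seed=1):
    """Constructed 8-stage Fibonacci LFSR m-sequence (x^8+x^6+x^5+x^4+1), 255
    chips as +1/-1. This is NOT Globalstar's PN code; it only shares the length
    and the sharp periodic autocorrelation the sliding-correlation search needs."""
    state, out = seed, []
    for _ in range(PN_LEN):
        out.append(1 if state & 1 else -1)
        fb = 0
        for t in taps:
            fb ^= (state >> (8 - t)) & 1
        state = (state >> 1) | (fb << 7)
    return out


def spread(bits, pn):
    """DSSS spreading: each data bit (0 -> +1, 1 -> -1) multiplies 49 repetitions
    of the PN, which is the XOR of data bit and chip written in bipolar form."""
    chips = []
    for b in bits:
        sym = -1 if b else 1
        for _ in range(REPS_PER_BIT):
            chips.extend(sym * c for c in pn)
    return chips


def channel(chips, delay, sigma, rng):
    """Capture begins `delay` chips late (unknown PN phase) and every chip gets
    Gaussian noise of std `sigma`; sigma=3 is a per-chip SNR of about -9.5 dB."""
    return [c + rng.gauss(0.0, sigma) for c in chips[delay:]]


def acquire(received, pn, window=8 * PN_LEN):
    """Slide the PN over the start of the capture (all 255 phases) and return the
    phase with the largest |correlation| plus the whole correlation profile."""
    profile = [sum(received[i] * pn[(i + ph) % PN_LEN] for i in range(window))
               for ph in range(PN_LEN)]
    best = max(range(PN_LEN), key=lambda ph: abs(profile[ph]))
    return best, profile


def despread(received, pn, phase):
    """Mix the capture with the phase-aligned PN and integrate each bit period.
    Simplifying assumption: the capture began inside the first PN period of the
    packet, so bit boundaries sit at j*CHIPS_PER_BIT - phase."""
    mixed = [r * pn[(i + phase) % PN_LEN] for i, r in enumerate(received)]
    bits, start, end = [], 0, CHIPS_PER_BIT - phase
    while start < len(mixed):
        bits.append(1 if sum(mixed[start:end]) < 0 else 0)
        start, end = end, end + CHIPS_PER_BIT
    return bits


def simulate(tx_bits, delay=77, sigma=3.0, seed=1234):
    """End to end: spread, capture at an unknown phase with noise, acquire, despread.
    Returns (estimated phase, peak / runner-up correlation ratio, recovered bits)."""
    rng = random.Random(seed)
    pn = make_pn()
    received = channel(spread(tx_bits, pn), delay, sigma, rng)
    phase, profile = acquire(received, pn)
    mags = sorted((abs(v) for v in profile), reverse=True)
    return phase, mags[0] / mags[1], despread(received, pn, phase)


if __name__ == "__main__":
    payload = [0, 1, 1, 0, 1, 0, 0, 1]          # constructed sample bits
    phase, ratio, rx = simulate(payload)
    print(f"PN phase {phase}, peak/runner-up {ratio:.1f}, bits {rx}")
```

The correlation profile is the software equivalent of the sharp spike in the talk's plots: one phase stands several times above every other, and the integrated bit values are large and clean even though each individual chip is buried below the noise.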