SPREAD SPECTRUM SATCOM HACKING ATTACKING THE GLOBALSTAR SIMPLEX DATA SERVICE Colby Moore @colbymoore - [email protected]

Black Hat '15: Spread Spectrum Satcom Hacking: Attacking The GlobalStar Simplex Data Service

Aug 18, 2015

Synack
Page 1: Black Hat '15: Spread Spectrum Satcom Hacking: Attacking The GlobalStar Simplex Data Service

SPREAD SPECTRUM SATCOM HACKING

ATTACKING THE GLOBALSTAR SIMPLEX DATA SERVICE

Colby Moore

@colbymoore - [email protected]

Page 2: Black Hat '15: Spread Spectrum Satcom Hacking: Attacking The GlobalStar Simplex Data Service

WHO AM I?

Colby Moore

Synack R&D

KD7SCT

Page 3: Black Hat '15: Spread Spectrum Satcom Hacking: Attacking The GlobalStar Simplex Data Service
Page 4: Black Hat '15: Spread Spectrum Satcom Hacking: Attacking The GlobalStar Simplex Data Service

INTRODUCTION

Page 5: Black Hat '15: Spread Spectrum Satcom Hacking: Attacking The GlobalStar Simplex Data Service

MOTIVATION

• Try something new

• Satellite hacking often too theoretical

• Unexplored frontier

• Systems are hopelessly broken

• Inspire and collaborate

Page 6: Black Hat '15: Spread Spectrum Satcom Hacking: Attacking The GlobalStar Simplex Data Service

WHAT ARE WE GOING TO LEARN?

• RF signals and modulation

• What is spread spectrum?

• Selecting a target and reverse engineering

• Exploiting the target

Page 7: Black Hat '15: Spread Spectrum Satcom Hacking: Attacking The GlobalStar Simplex Data Service

PREREQUISITES

• High school mathematical knowledge

• Let’s keep things relatively “understandable”

• Will provide resources (see github)

Page 8: Black Hat '15: Spread Spectrum Satcom Hacking: Attacking The GlobalStar Simplex Data Service

TARGETING

Page 9: Black Hat '15: Spread Spectrum Satcom Hacking: Attacking The GlobalStar Simplex Data Service

SELECTING A TARGET

Government

Commercial

Page 10: Black Hat '15: Spread Spectrum Satcom Hacking: Attacking The GlobalStar Simplex Data Service

• SPOT - Consumer grade satellite tracking

• Aging satellite network: voice, data, messaging

• But wait… this tech is used everywhere. Jackpot.

Page 11: Black Hat '15: Spread Spectrum Satcom Hacking: Attacking The GlobalStar Simplex Data Service

WHERE IS IT USED?

• Military / Classified

• Trailers / Containers

• Air Quality Monitoring

• Personnel Tracking

• Fire Detection and Prevention

• Water Quality Monitoring

• Tank Level Gauging

• Perimeter / Border monitoring

• Asset / Vehicle Tracking

• Remote Meters

• Buoys

• Ship Movement

• Fishing vessel monitoring

• Power line monitoring

• Dispersed sensors

• and many more…

Page 12: Black Hat '15: Spread Spectrum Satcom Hacking: Attacking The GlobalStar Simplex Data Service

SIMPLEX DATA NETWORK

“Simplex works where infrequent, small packets of data are to be collected”

GPS Satellite

Asset

Globalstar Satellite

Globalstar Ground Station

The Internet

Globalstar Infrastructure

User Infrastructure

Page 13: Black Hat '15: Spread Spectrum Satcom Hacking: Attacking The GlobalStar Simplex Data Service

BENT PIPE

“A bent pipe satellite does not demodulate or decode the signal. A gateway station on the ground is necessary to control the satellite and route traffic to and from the satellite and to the internet.”

Page 14: Black Hat '15: Spread Spectrum Satcom Hacking: Attacking The GlobalStar Simplex Data Service

REDUNDANCY

• Yes, the network only talks in one direction (simplex)

• How is this reliable?

Page 15: Black Hat '15: Spread Spectrum Satcom Hacking: Attacking The GlobalStar Simplex Data Service

GROUND STATIONS AND COMMAND CENTERS

Hundreds of ground stations

Two Operations Centers

Page 16: Black Hat '15: Spread Spectrum Satcom Hacking: Attacking The GlobalStar Simplex Data Service

COVERAGE

48 satellites - 5850 km diameter footprint - 1410 km orbit - In service since 2000

Page 17: Black Hat '15: Spread Spectrum Satcom Hacking: Attacking The GlobalStar Simplex Data Service

SECURITY POSTURE

Page 18: Black Hat '15: Spread Spectrum Satcom Hacking: Attacking The GlobalStar Simplex Data Service

“Error 100: Database query failed - retrieving login information You have an error in your SQL Syntax;…”

NOT SO MUCH…

Page 19: Black Hat '15: Spread Spectrum Satcom Hacking: Attacking The GlobalStar Simplex Data Service

“The received data is then forwarded to a user defined network interface that may be in the form of an FTP host or HTTP host where the user will interpret the data for further processing.”

–Globalstar

Page 20: Black Hat '15: Spread Spectrum Satcom Hacking: Attacking The GlobalStar Simplex Data Service

INTELLIGENCE GATHERING

Page 21: Black Hat '15: Spread Spectrum Satcom Hacking: Attacking The GlobalStar Simplex Data Service

WHERE TO LOOK

Page 22: Black Hat '15: Spread Spectrum Satcom Hacking: Attacking The GlobalStar Simplex Data Service

PRIOR RESEARCH

Travis Goodspeed: https://github.com/travisgoodspeed/pyspot

Natrium42: https://web.archive.org/web/20120202211125/http://natrium42.com/projects/spot/

Page 23: Black Hat '15: Spread Spectrum Satcom Hacking: Attacking The GlobalStar Simplex Data Service

STX-3

“World’s smallest and lowest power consuming industrial-use satellite transmitter”

DSSS? BPSK? What the &^#% is that?…

Page 24: Black Hat '15: Spread Spectrum Satcom Hacking: Attacking The GlobalStar Simplex Data Service

FREQUENCIES

Globalstar L-Band Frequencies

Globalstar Simplex Data Frequencies

Page 25: Black Hat '15: Spread Spectrum Satcom Hacking: Attacking The GlobalStar Simplex Data Service

THE BREAKTHROUGH

Clues!

Page 26: Black Hat '15: Spread Spectrum Satcom Hacking: Attacking The GlobalStar Simplex Data Service

REVIEW OF WAVES AND MODULATION

Page 27: Black Hat '15: Spread Spectrum Satcom Hacking: Attacking The GlobalStar Simplex Data Service

WAVES

Amplitude - A

Phase - φ (radians)

Time (t)

Wavelength

Page 28: Black Hat '15: Spread Spectrum Satcom Hacking: Attacking The GlobalStar Simplex Data Service

TIME DOMAIN VS. FREQUENCY DOMAIN

Time Domain

Frequency Domain

[Figure axes: Amplitude, Time, Frequency]

Page 29: Black Hat '15: Spread Spectrum Satcom Hacking: Attacking The GlobalStar Simplex Data Service

ANALOG MODULATION

• Amplitude Modulation (AM)

• Frequency Modulation (FM)

Page 30: Black Hat '15: Spread Spectrum Satcom Hacking: Attacking The GlobalStar Simplex Data Service

AMPLITUDE MODULATION

Carrier

Modulating Signal (Data)

Modulated Signal

Page 31: Black Hat '15: Spread Spectrum Satcom Hacking: Attacking The GlobalStar Simplex Data Service

FREQUENCY MODULATION

Carrier

Modulating Signal (Data)

Modulated Signal

Page 32: Black Hat '15: Spread Spectrum Satcom Hacking: Attacking The GlobalStar Simplex Data Service

DIGITAL MODULATION

• Amplitude Shift Keying (ASK / OOK)

• Frequency Shift Keying (FSK)

• Phase Shift Keying (PSK)

Page 33: Black Hat '15: Spread Spectrum Satcom Hacking: Attacking The GlobalStar Simplex Data Service

PHASE SHIFT KEYING (PSK)

Modulated Signal

Modulating Signal (Data)

0 0 1 1 0 1 1 1

0˚ 180˚ 0˚ 180˚

BPSK - Two phases (0 and 180 degrees) are used to represent 1 and 0

Page 34: Black Hat '15: Spread Spectrum Satcom Hacking: Attacking The GlobalStar Simplex Data Service

SPREAD SPECTRUM

Page 35: Black Hat '15: Spread Spectrum Satcom Hacking: Attacking The GlobalStar Simplex Data Service

SPREAD SPECTRUM MODULATION

• Why is Spread Spectrum special?

• WiFi, Bluetooth, GPS, and basically all modern RF communications

• Processing Gain

• Jam Resistant

• CDMA

Page 36: Black Hat '15: Spread Spectrum Satcom Hacking: Attacking The GlobalStar Simplex Data Service

SPREAD SPECTRUM MODULATION

• Frequency Hopping Spread Spectrum (FHSS)

• Direct Sequence Spread Spectrum (DSSS)

Page 37: Black Hat '15: Spread Spectrum Satcom Hacking: Attacking The GlobalStar Simplex Data Service

DIRECT SEQUENCE SPREAD SPECTRUM (DSSS)

• Mixes a slow signal with fast pseudo-random signal

• Signal still contains original information but occupies much more bandwidth.

BPSK Signal: occupies ~100 Hz

Spread BPSK Signal: occupies ~1.25 MHz

Page 38: Black Hat '15: Spread Spectrum Satcom Hacking: Attacking The GlobalStar Simplex Data Service

DSSS CONTD.

Data Signal:    000000000000 111111111111
Pseudo Random:  110001111001 010000101000
Result (⊕):     110001000110 010000010111

Page 39: Black Hat '15: Spread Spectrum Satcom Hacking: Attacking The GlobalStar Simplex Data Service

DSSS CONTD.

Data Signal:    000000000000 111111111111
Pseudo Random:  110001111001 010000101000
Result:         110001000110 010000010111

Page 40: Black Hat '15: Spread Spectrum Satcom Hacking: Attacking The GlobalStar Simplex Data Service

M-SEQUENCES AS PN CODES

• Periodic binary codes that have strong autocorrelation properties

• Commonly generated with LFSRs

Page 41: Black Hat '15: Spread Spectrum Satcom Hacking: Attacking The GlobalStar Simplex Data Service

M-SEQUENCES AND CORRELATION

M-Sequence:   0001  0001  0001  0001
Shifted:      0001  0010  0100  1000
Correlation:  4     0     0     0

This makes looking for the m-sequence in a signal easy!

Page 42: Black Hat '15: Spread Spectrum Satcom Hacking: Attacking The GlobalStar Simplex Data Service

DECODING THEORY

• Simple in practice. More difficult in theory

• Mix incoming signal with PN sequence and the original BPSK signal will emerge.

• Compensate for frequency differential between local and remote oscillators

• Signal needs to be phase aligned with PN code

Page 43: Black Hat '15: Spread Spectrum Satcom Hacking: Attacking The GlobalStar Simplex Data Service

HARDWARE

Page 44: Black Hat '15: Spread Spectrum Satcom Hacking: Attacking The GlobalStar Simplex Data Service

TOOLS AND HARDWARE

USRP B200 - $675

GSP-1620 LHCP Antenna - $65

Page 45: Black Hat '15: Spread Spectrum Satcom Hacking: Attacking The GlobalStar Simplex Data Service

MORE HARDWARE

Dimension Engineering AnyVolt 3 - $55

12v AC/DC Adapter - $5

SMA Cables - $20

MiniCircuits ZX60-1614LN-S Low Noise Amplifier - $150

Page 46: Black Hat '15: Spread Spectrum Satcom Hacking: Attacking The GlobalStar Simplex Data Service

ASSEMBLED CAPABILITY

Page 47: Black Hat '15: Spread Spectrum Satcom Hacking: Attacking The GlobalStar Simplex Data Service

SAMPLING

Nyquist: Sample at least twice as fast as the signal’s fastest frequency.

The human ear can’t hear frequencies higher than 20 kHz. CD audio is sampled at 44.1 kHz (twice the human range).

Page 48: Black Hat '15: Spread Spectrum Satcom Hacking: Attacking The GlobalStar Simplex Data Service

IQ MODULATION

• Makes generation of signals easy in software!

Basics of IQ Signals and IQ modulation & demodulation - A tutorial: https://www.youtube.com/watch?v=h_7d-m1ehoY

Page 49: Black Hat '15: Spread Spectrum Satcom Hacking: Attacking The GlobalStar Simplex Data Service

PN RECOVERY

Page 50: Black Hat '15: Spread Spectrum Satcom Hacking: Attacking The GlobalStar Simplex Data Service

WHAT TO EXPECT

• Pseudo random sequence (1s and 0s)

• Repeating

• 255 bits long

• 1.25 million “chips” per second

Much like Bart in detention, the PN will repeat over and over and over…

Page 51: Black Hat '15: Spread Spectrum Satcom Hacking: Attacking The GlobalStar Simplex Data Service

PN RECOVERY

• In order to decode the signal, we need to know the PN sequence

• DSSS BPSK == BPSK

[Figure: BPSK and DSSS BPSK; labels: Low Frequency, High Frequency]

Page 52: Black Hat '15: Spread Spectrum Satcom Hacking: Attacking The GlobalStar Simplex Data Service

SAMPLING REQUIREMENTS

32 MHz / 8 MHz = 4 MHz (> 1.25 x 2)

• > 2x faster than 1.25 MHz (Nyquist)

• Even multiple of 32 MHz (USRP)

4 MHz / 1.25 Mcps = 3.2 samples / 1 symbol (not even)

(4 MHz / 1.25 Mcps) x (5 / 4) = 4 samples / symbol *

• Even samples / symbol (Implementation Specific)

*We can resample the signal from 4 to 5 MHz.

Page 53: Black Hat '15: Spread Spectrum Satcom Hacking: Attacking The GlobalStar Simplex Data Service

PN RECOVERY

• PN Sequence is much shorter than bit length

• PN repeats 49 times for each bit

• PN ⊕ Data == PN (within a bit boundary)

(1,250,000 chips / 1 second) x (1 second / 100.04 bits) x (1 PN seq. / 255 chips) = 49 PN seq. / 1 bit

Page 54: Black Hat '15: Spread Spectrum Satcom Hacking: Attacking The GlobalStar Simplex Data Service

PN RECOVERY

Page 55: Black Hat '15: Spread Spectrum Satcom Hacking: Attacking The GlobalStar Simplex Data Service

PN RECOVERY

111111110010110101101110101010111001001101101001100110100011101101100010001001111010010010000111100010100111000111110101111001110100001010110010100010110000011001000110000110111111011100001000001001010100101111100000011100110001101010000000101110111101100

Page 56: Black Hat '15: Spread Spectrum Satcom Hacking: Attacking The GlobalStar Simplex Data Service

DESPREADING

Page 57: Black Hat '15: Spread Spectrum Satcom Hacking: Attacking The GlobalStar Simplex Data Service

WHAT TO EXPECT

• Mix original signal with PN

• Narrow band signal will emerge

• Shown as sharp spike on FFT

Page 58: Black Hat '15: Spread Spectrum Satcom Hacking: Attacking The GlobalStar Simplex Data Service

REALTIME IS HARD

• Unfortunately, doing this is very computationally intensive

• Lots of room for optimizations

• Record now, process later

sh-3.2# time python sync.py

real 0m58.326s
user 0m48.754s
sys 0m0.909s

1.4 second capture (one packet)

4M samp/sec * 2 floats/samp * 4 bytes/float = 30.5 MB/sec

Page 59: Black Hat '15: Spread Spectrum Satcom Hacking: Attacking The GlobalStar Simplex Data Service

CORRELATION

[Figure: correlation vs. time]

Slide PN against data and correlate at each step.

Page 60: Black Hat '15: Spread Spectrum Satcom Hacking: Attacking The GlobalStar Simplex Data Service

CODE TRACKING

[Figure: correlation vs. time (samples), showing the Correlation Peak and the Early, Late and Aligned positions]

Search for peaks, and track them

Strong Correlation (PN aligned)

No Correlation (PN unaligned)

If we don’t compensate for misalignment, we will drift and lose correlation over time.

Page 61: Black Hat '15: Spread Spectrum Satcom Hacking: Attacking The GlobalStar Simplex Data Service

CODE TRACKING

[Figure: correlation vs. time (samples)]

Early or late detection lets us keep track.

Positive and negative correlations indicate bits!

Consistent Correlation (PN aligned)

Page 62: Black Hat '15: Spread Spectrum Satcom Hacking: Attacking The GlobalStar Simplex Data Service

DESPREAD SIGNAL

It works!

Mix the PN against the signal. Original signal appears.
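
The acquisition and despreading steps from the correlation and code-tracking slides, simulated end to end as an added example (this is not the speaker's sync.py or any Synack code). The LFSR taps, noise level, delay and data bits are assumptions: the PN here is a textbook 255-chip m-sequence, not Globalstar's, and one chip is one sample with no carrier or clock drift.

```python
import random

PN_PER_BIT = 49   # PN periods per data bit, as stated on the slides

def lfsr_msequence(taps=(8, 6, 5, 4), nbits=8):
    """One 255-chip period of an 8-bit Fibonacci LFSR, as +1/-1 chips.
    The taps are an assumed textbook maximal-length set, not Globalstar's PN."""
    state = [1] * nbits
    chips = []
    for _ in range(2 ** nbits - 1):
        chips.append(1 - 2 * state[-1])      # bit 0 -> +1, bit 1 -> -1
        fb = 0
        for t in taps:
            fb ^= state[t - 1]
        state = [fb] + state[:-1]
    return chips

def circular_autocorr(pn, shift):
    """Correlate the PN with a cyclically shifted copy of itself."""
    n = len(pn)
    return sum(pn[i] * pn[(i + shift) % n] for i in range(n))

def spread(bits, pn):
    """DSSS: each data bit multiplies PN_PER_BIT repetitions of the PN
    (on +1/-1 values the product is the XOR from the DSSS slides)."""
    out = []
    for b in bits:
        sym = 1 - 2 * b
        out.extend(sym * c for _ in range(PN_PER_BIT) for c in pn)
    return out

def acquire(rx, pn):
    """Slide the PN across the start of the capture; the offset with the
    largest |correlation| is the code phase."""
    def corr(s):
        return abs(sum(rx[s + i] * pn[i] for i in range(len(pn))))
    return max(range(len(pn)), key=corr)

def despread(rx, pn, phase, nbits):
    """Correlate one bit period at a time; the sign of the sum is the bit."""
    span = PN_PER_BIT * len(pn)
    bits = []
    for k in range(nbits):
        seg = rx[phase + k * span: phase + (k + 1) * span]
        total = sum(x * pn[i % len(pn)] for i, x in enumerate(seg))
        bits.append(0 if total > 0 else 1)
    return bits

def demo(delay=97, sigma=1.0, seed=1):
    """Constructed capture: 8 data bits plus noise, starting at an unknown delay."""
    rng = random.Random(seed)
    pn = lfsr_msequence()
    data = [0, 0, 1, 1, 0, 1, 1, 1]          # constructed sample bits
    clean = [0.0] * delay + spread(data, pn)
    rx = [x + rng.gauss(0, sigma) for x in clean]
    phase = acquire(rx, pn)
    return phase, data, despread(rx, pn, phase, len(data))

if __name__ == "__main__":
    pn = lfsr_msequence()
    print([circular_autocorr(pn, s) for s in range(4)])   # peak, then flat
    print(demo())
```

Nothing in the despreading path needs a secret: the PN code is the only input besides the capture, which is why spreading gives processing gain but no confidentiality or authenticity.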

Page 63: Black Hat '15: Spread Spectrum Satcom Hacking: Attacking The GlobalStar Simplex Data Service

DECODING

Page 64: Black Hat '15: Spread Spectrum Satcom Hacking: Attacking The GlobalStar Simplex Data Service

EXTRACTING DATA

Signal → Low Pass Filter → Rational Resampler → PSK Demodulator → Decoder → 10100 0 0111 ……

[Figure panels: Time Domain, Frequency Domain]

Page 65: Black Hat '15: Spread Spectrum Satcom Hacking: Attacking The GlobalStar Simplex Data Service

PACKET FORMAT

000000101100101001101100011110100000010100000000010011110000000100000010000010000000000000000100000000000000000000000000000011001000001010010011

Manufacturer ID: 001

Unit ID: 01001101100011110100000

Page 66: Black Hat '15: Spread Spectrum Satcom Hacking: Attacking The GlobalStar Simplex Data Service

LOCATION DECODING

Latitude: bits 8:32

Longitude: bits 32:56

• Convert to decimal (signed int MSB to LSB)

• Multiply by degrees per count

            +                      -
Latitude    Northern Hemisphere    Southern Hemisphere
Longitude   Eastern Hemisphere     Western Hemisphere

Page 67: Black Hat '15: Spread Spectrum Satcom Hacking: Attacking The GlobalStar Simplex Data Service

CHECKSUM

Packet (without preamble and CRC): 110 bits

CRC

(Code Provided)

Compare

If we know how to reproduce the checksum, we can create our own packets… no signing, no encryption, let’s spoof!

000000101100101001101100011110100000010100000000010011110000000100000010000010000000000000000100000000000000000000000000000011001000001010010011

24 bits

Page 68: Black Hat '15: Spread Spectrum Satcom Hacking: Attacking The GlobalStar Simplex Data Service

INTERCEPTING ON DOWNLINK

• Bigger antennas and better equipment

• RF downconversion

• Doppler Shift

• Multipath

Worst Case Doppler Shift

Page 69: Black Hat '15: Spread Spectrum Satcom Hacking: Attacking The GlobalStar Simplex Data Service

TRANSMITTING

Page 70: Black Hat '15: Spread Spectrum Satcom Hacking: Attacking The GlobalStar Simplex Data Service

DISCLAIMER

Transmitting on Globalstar’s frequencies may be illegal where you live and could interfere with critical communications.

Do not do this! Seriously, don’t.

No one likes late night visits from the FCC.

Page 71: Black Hat '15: Spread Spectrum Satcom Hacking: Attacking The GlobalStar Simplex Data Service

TRANSMITTING

MGA-2000 0.5W RF Amplifier - $190.00

But if you like late night visits from the FCC…

• This is actually the easy part.

• ~.2 Watts power

• Simply mix data, PN, and carrier and correct rates

Page 72: Black Hat '15: Spread Spectrum Satcom Hacking: Attacking The GlobalStar Simplex Data Service

BUT WAIT… IT’S EASIER

Spot Device Updater SPOT3FirmwareTool.jar

Currently $49.99

Page 73: Black Hat '15: Spread Spectrum Satcom Hacking: Attacking The GlobalStar Simplex Data Service

DOES IT WORK?

Spot Trace 1

Spot Trace 2

Clone

Page 74: Black Hat '15: Spread Spectrum Satcom Hacking: Attacking The GlobalStar Simplex Data Service

IMPACT

Page 75: Black Hat '15: Spread Spectrum Satcom Hacking: Attacking The GlobalStar Simplex Data Service

EMERGENCY RESPONSE

Real Emergency

Fake Emergency

Overwhelm emergency response center anonymously?

Page 76: Black Hat '15: Spread Spectrum Satcom Hacking: Attacking The GlobalStar Simplex Data Service

WHERE ELSE?

Page 77: Black Hat '15: Spread Spectrum Satcom Hacking: Attacking The GlobalStar Simplex Data Service

BUT WAIT, THERE’S MORE

Lockheed Martin Flight Service (LMFS) Integration

Page 78: Black Hat '15: Spread Spectrum Satcom Hacking: Attacking The GlobalStar Simplex Data Service

CAPABILITY

Page 79: Black Hat '15: Spread Spectrum Satcom Hacking: Attacking The GlobalStar Simplex Data Service

Uplink Interception

RF Beam

Globalstar

Attacker

Attacker intercepts and plots pattern of life

Page 80: Black Hat '15: Spread Spectrum Satcom Hacking: Attacking The GlobalStar Simplex Data Service

SPOOFING LOCATION

Planned Route

Hijack Route

Attacker hijacks truck, disables tracker, transmits location as if delivery is on track.

False Location Data

Page 81: Black Hat '15: Spread Spectrum Satcom Hacking: Attacking The GlobalStar Simplex Data Service

TESTING THE CAPABILITY

Reception Window

Page 82: Black Hat '15: Spread Spectrum Satcom Hacking: Attacking The GlobalStar Simplex Data Service

DEMO

Video demo time. It’s better to not tempt the demo gods. ;)

Page 83: Black Hat '15: Spread Spectrum Satcom Hacking: Attacking The GlobalStar Simplex Data Service

CONCLUSIONS

Page 84: Black Hat '15: Spread Spectrum Satcom Hacking: Attacking The GlobalStar Simplex Data Service

DISCLOSURE & RESPONSE

• ~180 days ago

• Friendly and concerned for user privacy, but no further communication

"Like all companies and industries in the 21st century, including those that Wired reported on this week to expose hacking vulnerabilities like Chrysler, GM, Brinks and others, Globalstar monitors the technical landscape and its systems to protect our customers. Our engineers would know quickly if any person or entity was hacking our system in a material way, and this type of situation has never been an issue to date. We are in the business of saving lives daily and will continue to optimize our offerings for security concerns and immediately address any illegal actions taken against our Company."

Page 85: Black Hat '15: Spread Spectrum Satcom Hacking: Attacking The GlobalStar Simplex Data Service

NEXT STEPS

• Collaboration

• Code optimization - realtime

• Downlink interception

• Data aggregation

Page 86: Black Hat '15: Spread Spectrum Satcom Hacking: Attacking The GlobalStar Simplex Data Service

CONCLUSIONS

• Long lifecycle

• Unpatchable

• Security going forward

• DSSS != security

• Assume Insecure

• Act accordingly

• Higher standards

Page 87: Black Hat '15: Spread Spectrum Satcom Hacking: Attacking The GlobalStar Simplex Data Service

SPECIAL THANKS

Alex K., Chris W., Cyberspectrum Meetup, David C., Michael Ossmann, Mom and Dad, Paul David, Tom Rondeau

and

The Interns

Page 88: Black Hat '15: Spread Spectrum Satcom Hacking: Attacking The GlobalStar Simplex Data Service

QUESTIONS / COMMENTS?

code: https://github.com/synack/globalstar

slides: https://syn.ac/bh15satcom

twitter: @colbymoore

email: [email protected]

Page 89: Black Hat '15: Spread Spectrum Satcom Hacking: Attacking The GlobalStar Simplex Data Service

IMAGE CREDITS

• http://images.google.com