Post on 18-Aug-2015
SPREAD SPECTRUM SATCOM HACKING
ATTACKING THE GLOBALSTAR SIMPLEX DATA SERVICE
Colby Moore (@colbymoore) - colby@synack.com
MOTIVATION
• Try something new
• Satellite hacking often too theoretical
• Unexplored frontier
• Systems are hopelessly broken
• Inspire and collaborate
WHAT ARE WE GOING TO LEARN?
• RF signals and modulation
• What is spread spectrum?
• Selecting a target and reverse engineering
• Exploiting the target
PREREQUISITES
• High school mathematical knowledge
• Let's keep things relatively “understandable”
• Will provide resources (see github)
• SPOT - Consumer grade satellite tracking
• Aging satellite network: voice, data, messaging
• But wait… this tech is used everywhere. Jackpot.
WHERE IS IT USED?
• Military / Classified
• Trailers / Containers
• Air Quality Monitoring
• Personnel Tracking
• Fire Detection and Prevention
• Water Quality Monitoring
• Tank Level Gauging
• Perimeter / Border Monitoring
• Asset / Vehicle Tracking
• Remote Meters
• Buoys
• Ship Movement
• Fishing Vessel Monitoring
• Power Line Monitoring
• Dispersed Sensors
• and many more…
SIMPLEX DATA NETWORK
“Simplex works where infrequent, small packets of data are to be collected”
Diagram: GPS Satellite → Asset → Globalstar Satellite → Globalstar Ground Station → The Internet → User Infrastructure (the satellite and ground station are Globalstar infrastructure; everything past the Internet is user infrastructure).
BENT PIPE
“A bent pipe satellite does not demodulate or decode the signal. A gateway station on the ground is necessary to control the satellite and route traffic to and from the satellite and to the internet.”
“Error 100: Database query failed - retrieving login information You have an error in your SQL Syntax;…”
NOT SO MUCH…
“The received data is then forwarded to a user defined network interface that may be in the form of an FTP host or HTTP host where the user will interpret the data for further processing.”
–Globalstar
PRIOR RESEARCH
• Travis Goodspeed: https://github.com/travisgoodspeed/pyspot
• Natrium42: https://web.archive.org/web/20120202211125/http://natrium42.com/projects/spot/
STX-3
“World's smallest and lowest power consuming industrial-use satellite transmitter”
DSSS? BPSK? What the &^#% is that?…
DIGITAL MODULATION
• Amplitude Shift Keying (ASK / OOK)
• Frequency Shift Keying (FSK)
• Phase Shift Keying (PSK)
PHASE SHIFT KEYING (PSK)
Figure: modulating signal (data) 0 0 1 1 0 1 1 1 above the modulated carrier, whose phase switches between 0˚ and 180˚ at each data transition.
BPSK - Two phases (0 and 180 degrees) are used to represent 1 and 0
SPREAD SPECTRUM MODULATION
• Why is Spread Spectrum special?
• WiFi, Bluetooth, GPS, and basically all modern RF communications
• Processing Gain
• Jam Resistant
• CDMA
SPREAD SPECTRUM MODULATION
• Frequency Hopping Spread Spectrum (FHSS)
• Direct Sequence Spread Spectrum (DSSS)
DIRECT SEQUENCE SPREAD SPECTRUM (DSSS)
• Mixes a slow data signal with a fast pseudo-random signal
• The result still contains the original information but occupies much more bandwidth.
BPSK signal: occupies ~100 Hz
Spread BPSK signal: occupies ~1.25 MHz
DSSS CONTD.
Chip-by-chip XOR of the data with the pseudo-random sequence (Result = Data Signal ⊕ Pseudo Random):
Data Signal:   000000000000 111111111111
Pseudo Random: 110001111001 010000101000
Result:        110001000110 010000010111
M-SEQUENCES AS PN CODES
• Periodic binary codes that have strong autocorrelation properties
• Commonly generated with LFSRs
M-SEQUENCES AND CORRELATION
M-Sequence:  0001
Shifted:     0001  0010  0100  1000
Correlation:    4     0     0     0
This makes looking for the m-sequence in a signal easy!
DECODING THEORY
• Simple in practice. More difficult in theory
• Mix incoming signal with PN sequence and the original BPSK signal will emerge.
• Compensate for frequency differential between local and remote oscillators
• Signal needs to be phase aligned with PN code
MORE HARDWARE
• Dimension Engineering AnyVolt 3 - $55
• 12 V AC/DC Adapter - $5
• SMA Cables - $20
• MiniCircuits ZX60-1614LN-S Low Noise Amplifier - $150
SAMPLING
Nyquist: sample at least twice as fast as the signal's fastest frequency.
The human ear can't hear frequencies higher than 20 kHz. CD audio is sampled at 44.1 kHz (twice the human range).
IQ MODULATION
• Makes generation of signals easy in software!
Basics of IQ Signals and IQ modulation & demodulation - A tutorial: https://www.youtube.com/watch?v=h_7d-m1ehoY
WHAT TO EXPECT
• Pseudo random sequence (1s and 0s)
• Repeating
• 255 bits long
• 1.25 million “chips” per second
Much like Bart in detention, the PN will repeat over and over and over…
PN RECOVERY
• In order to decode the signal, we need to know the PN sequence
• DSSS BPSK == BPSK
Figure: spectrum (low frequency to high frequency) of the narrowband BPSK signal next to the wideband DSSS BPSK signal.
SAMPLING REQUIREMENTS
• Nyquist: sample more than 2× faster than 1.25 Mcps, i.e. above 2.5 MHz
• The sample rate must divide the USRP's 32 MHz clock evenly: 32 MHz / 8 = 4 MHz (> 1.25 × 2)
• 4 MHz / 1.25 Mcps = 3.2 samples per chip (not a whole number)
• 4 MHz × 5/4 = 5 MHz, and 5 MHz / 1.25 Mcps = 4 samples per chip
• Needing a whole number of samples per chip is implementation specific, but it simplifies the decoder
• So we resample the signal from 4 to 5 MHz.
PN RECOVERY
• The PN sequence is much shorter than the bit length
• The PN repeats 49 times for each bit
• PN ⊕ Data == PN (within a bit boundary)
1,250,000 chips / 1 second × 1 second / 100.04 bits × 1 PN seq. / 255 chips ≈ 49 PN seq. / bit
Recovered 255-chip PN sequence:
111111110010110101101110101010111001001101101001100110100011101101100010001001111010010010000111100010100111000111110101111001110100001010110010100010110000011001000110000110111111011100001000001001010100101111100000011100110001101010000000101110111101100
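The DSSS, m-sequence and decoding-theory slides above, together with the 49-periods-per-bit arithmetic on this slide, as one worked example. This is added code, not the talk's sync.py or anything from the synack/globalstar repo. It assumes a generic 255-chip m-sequence generated from the primitive polynomial x^8 + x^4 + x^3 + x^2 + 1 (the recovered Globalstar PN shown above is not used), and a constructed capture that starts 100 filler chips before the burst so the receiver has to find the PN phase before it can despread.

```python
# Added example (not from the talk or the synack/globalstar repo): the DSSS building
# blocks the slides describe. The PN is a generic 255-chip m-sequence from the primitive
# polynomial x^8 + x^4 + x^3 + x^2 + 1 (an assumption for the demo, not Globalstar's PN).

def m_sequence(taps=(4, 3, 2, 0), seed=0b00000001):
    """One period of the m-sequence from an 8-stage Fibonacci LFSR.

    Bit i of `state` holds chip a[k+i]; the feedback computes
    a[k+8] = a[k+4] ^ a[k+3] ^ a[k+2] ^ a[k], i.e. x^8 + x^4 + x^3 + x^2 + 1.
    Because the polynomial is primitive the state visits all 255 non-zero
    values before returning to the seed, so one period is 255 chips.
    """
    state = seed
    chips = []
    while True:
        chips.append(state & 1)
        feedback = 0
        for t in taps:
            feedback ^= (state >> t) & 1
        state = (state >> 1) | (feedback << 7)
        if state == seed:
            return chips


def bipolar(bits):
    """BPSK view of a chip stream: 0 -> +1, 1 -> -1."""
    return [1 - 2 * b for b in bits]


def correlate(window, pn):
    """Sum of chip-wise products in bipolar form: +255 aligned, -255 aligned but inverted."""
    return sum(w * p for w, p in zip(bipolar(window), bipolar(pn)))


def circular_autocorrelation(pn, lag):
    """Correlation of the PN with itself rotated by `lag` chips: 255 at lag 0, -1 elsewhere."""
    lag %= len(pn)
    return correlate(pn, pn[lag:] + pn[:lag])


def spread(bits, pn, repeats):
    """XOR each data bit onto `repeats` consecutive PN periods (49 per bit on the slides)."""
    return [b ^ c for b in bits for _ in range(repeats) for c in pn]


def acquire(rx, pn):
    """PN phase search: the lag whose 255-chip window correlates most strongly (either sign)."""
    n = len(pn)
    best_lag, best_mag = 0, -1
    for lag in range(n):
        mag = abs(correlate(rx[lag:lag + n], pn))
        if mag > best_mag:
            best_lag, best_mag = lag, mag
    return best_lag, best_mag


def despread(rx, pn, repeats, lag):
    """Mix the aligned stream with the PN and integrate over each bit; the sign is the bit."""
    n = len(pn)
    bits, pos = [], lag
    while pos + n * repeats <= len(rx):
        total = sum(correlate(rx[pos + i * n:pos + (i + 1) * n], pn) for i in range(repeats))
        bits.append(0 if total > 0 else 1)
        pos += n * repeats
    return bits


def demo(data_bits=(1, 0, 1, 1, 0, 0, 1, 0), repeats=49, start_offset=100):
    """Constructed scenario: 100 filler chips precede the burst, so the receiver must
    first find the PN phase and can then despread 49 periods per bit."""
    pn = m_sequence()
    rx = [0] * start_offset + spread(list(data_bits), pn, repeats)
    lag, peak = acquire(rx, pn)
    return {"period": len(pn), "lag": lag, "peak": peak,
            "bits": despread(rx, pn, repeats, lag)}


if __name__ == "__main__":
    print(demo())
```

The autocorrelation check is the property the M-SEQUENCES slide relies on: the only lag that gives a large value is the true alignment, everything else sits at -1, which is why a peak search finds the PN phase without any other synchronisation information.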
WHAT TO EXPECT
• Mix original signal with PN
• Narrow band signal will emerge
• Shown as sharp spike on FFT
REALTIME IS HARD
• Unfortunately this is very computationally intensive
• Lots of room for optimizations
• Record now, process later
sh-3.2# time python sync.py
real 0m58.326s  user 0m48.754s  sys 0m0.909s
(1.4 second capture, one packet)
4M samp/sec × 2 floats/samp × 4 bytes/float = 30.5 MB/sec
CODE TRACKING
Figure: correlation vs. time (samples). A sharp correlation peak appears where the PN is aligned and there is no correlation where it is unaligned; Early, Aligned and Late positions are marked around the peak.
If we don't compensate for misalignment, we will drift and lose correlation over time.
Search for peaks, and track them.
CODE TRACKING
Figure: correlation vs. time (samples), showing consistent correlation once the PN stays aligned.
Early or late detection lets us keep track.
Positive and negative correlations indicate bits!
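The early/late tracking described on the two CODE TRACKING slides, as an added example (not the talk's code). It constructs a chip stream whose timing slips by one chip every 500 chips, which is what a small chip-rate mismatch between transmitter and receiver looks like after acquisition, and compares a decoder that never re-aligns against one that tests the PN one chip early, on time and one chip late on every period. The 15-chip m-sequence of x^4 + x + 1 is used instead of the 255-chip Globalstar PN so the slip shows up quickly; the bit pattern is constructed.

```python
# Added example (not from the talk or its repo): early/late code tracking under a
# constructed timing drift. PN is the 15-chip m-sequence of x^4 + x + 1, not Globalstar's.

PN = [int(c) for c in "000100110101111"]
REPEATS = 40        # PN periods per data bit in this demo (the real link uses 49)
DRIFT_EVERY = 500   # the receiver's sample grid sees one chip fewer per 500 chips


def correlate(window, pn):
    """+len(pn) aligned / -len(pn) aligned-but-inverted; -1 for a cyclic slip within a bit."""
    return sum((1 - 2 * w) * (1 - 2 * p) for w, p in zip(window, pn))


def spread(bits, pn, repeats):
    return [b ^ c for b in bits for _ in range(repeats) for c in pn]


def apply_drift(chips, every):
    """Drop every `every`-th chip: what a slightly slow sample clock sees (constructed)."""
    return [c for i, c in enumerate(chips) if (i + 1) % every != 0]


def despread_fixed(rx, pn, repeats):
    """Naive decoder: assumes the chip timing found at acquisition never moves."""
    n = len(pn)
    bits, pos = [], 0
    while pos + n * repeats <= len(rx):
        total = sum(correlate(rx[pos + i * n:pos + (i + 1) * n], pn) for i in range(repeats))
        bits.append(0 if total > 0 else 1)
        pos += n * repeats
    return bits


def despread_tracked(rx, pn, repeats):
    """Early/late tracker: for every PN period correlate one chip early, on time and one
    chip late, keep the strongest, re-centre the chip pointer on it and accumulate its
    signed value over the bit. Returns (bits, number of timing corrections made)."""
    n = len(pn)
    bits, pos, corrections = [], 0, 0
    while pos < len(rx):
        total = 0
        for _ in range(repeats):
            best_off, best_mag, best_val = 0, -1, 0
            for off in (-1, 0, 1):          # early, prompt, late
                start = pos + off
                if start < 0:
                    continue
                val = correlate(rx[start:start + n], pn)
                if abs(val) > best_mag:
                    best_off, best_mag, best_val = off, abs(val), val
            corrections += best_off != 0
            total += best_val
            pos += best_off + n
        bits.append(0 if total > 0 else 1)
    return bits, corrections


def demo(bits=tuple(int(b) for b in "101100111000010111010010")):
    """Constructed 24-bit message sent through the drifting channel, decoded both ways."""
    tx = spread(list(bits), PN, REPEATS)
    rx = apply_drift(tx, DRIFT_EVERY)
    tracked, corrections = despread_tracked(rx, PN, REPEATS)
    return {"sent": list(bits), "fixed": despread_fixed(rx, PN, REPEATS),
            "tracked": tracked, "corrections": corrections}


if __name__ == "__main__":
    print(demo())
```

Once the untracked decoder has slipped by one chip, every period correlates at -1 instead of ±15, so its integrated value per bit changes sign and it starts emitting inverted bits; the tracker notices the slip within a period or two because one of its early/late windows is back at full correlation.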
EXTRACTING DATA
Flowgraph: Signal → Low Pass Filter → Rational Resampler → PSK Demodulator → Decoder → bits (10100 0 0111 …), shown in both the time domain and the frequency domain.
PACKET FORMAT
000000101100101001101100011110100000010100000000010011110000000100000010000010000000000000000100000000000000000000000000000011001000001010010011
Manufacturer ID: 001
Unit ID: 01001101100011110100000
LOCATION DECODING
• Latitude: bits 8:32 (+ Northern Hemisphere, − Southern Hemisphere)
• Longitude: bits 32:56 (+ Eastern Hemisphere, − Western Hemisphere)
1. Convert to decimal (signed int, MSB to LSB)
2. Multiply by degrees per count
CHECKSUM
Packet (without preamble and CRC): 110 bits → CRC (code provided) → compare against the 24-bit CRC carried at the end of the packet shown above.
If we know how to reproduce the checksum, we can create our own packets… no signing, no encryption, let's spoof!
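A parser and packet builder for the layout the PACKET FORMAT, LOCATION DECODING and CHECKSUM slides describe (latitude in bits 8:32, longitude in bits 32:56, a 110-bit body followed by a 24-bit CRC), as an added example that is not the talk's code. Everything the slides do not state is a labelled placeholder: the preamble value, the degrees-per-count scale and the CRC polynomial and initial value (the real ones are in the talk's repo, not on this page). The point it makes is the one on the CHECKSUM slide: once the CRC can be reproduced, a packet for any position passes the only integrity check the format has.

```python
# Added example (not from the talk or the synack/globalstar repo). Placeholders are
# marked; the slide-stated facts are the field positions, 110-bit body and 24-bit CRC.

PREAMBLE_BITS = 8               # latitude starts at bit 8; assumed: bits 0:8 are the preamble
BODY_BITS = 110                 # "Packet (without preamble and CRC): 110 bits"
CRC_BITS = 24
DEG_PER_COUNT = 180.0 / 2**23   # placeholder: 24-bit signed counts, full scale +/-180 degrees
CRC_POLY = 0x864CFB             # placeholder: the OpenPGP CRC-24 polynomial, NOT Globalstar's
CRC_INIT = 0x000000             # placeholder initial register value
PREAMBLE = (0, 0, 0, 0, 0, 0, 1, 0)   # placeholder sync pattern


def to_signed(bits):
    """MSB-first two's-complement integer from a list of bits."""
    value = int("".join(str(b) for b in bits), 2)
    return value - (1 << len(bits)) if bits[0] else value


def to_field(value, width):
    """Integer to MSB-first bit list of `width` bits (two's complement for negatives)."""
    return [(value >> (width - 1 - i)) & 1 for i in range(width)]


def crc24(bits, poly=CRC_POLY, init=CRC_INIT):
    """Bit-serial CRC: shift each message bit into a 24-bit register, MSB first."""
    reg = init
    for b in bits:
        reg ^= b << 23
        msb = reg & 0x800000
        reg = (reg << 1) & 0xFFFFFF
        if msb:
            reg ^= poly
    return reg


def parse_packet(bits):
    """Split preamble / body / CRC, decode the location fields and verify the CRC."""
    if len(bits) != PREAMBLE_BITS + BODY_BITS + CRC_BITS:
        raise ValueError("unexpected packet length %d" % len(bits))
    body = bits[PREAMBLE_BITS:PREAMBLE_BITS + BODY_BITS]
    crc_field = int("".join(str(b) for b in bits[-CRC_BITS:]), 2)
    return {
        "lat": to_signed(bits[8:32]) * DEG_PER_COUNT,   # + north, - south
        "lon": to_signed(bits[32:56]) * DEG_PER_COUNT,  # + east, - west
        "crc_ok": crc24(body) == crc_field,
    }


def build_packet(lat, lon, other_fields=None):
    """Assemble preamble + body + CRC for a chosen position. With no key or signature
    anywhere in the format, a correct CRC is all the receiving side can check."""
    other = list(other_fields) if other_fields is not None else [0] * (BODY_BITS - 48)
    body = (to_field(round(lat / DEG_PER_COUNT), 24)
            + to_field(round(lon / DEG_PER_COUNT), 24)
            + other)
    if len(body) != BODY_BITS:
        raise ValueError("body must be %d bits" % BODY_BITS)
    return list(PREAMBLE) + body + to_field(crc24(body), CRC_BITS)


if __name__ == "__main__":
    packet = build_packet(37.7749, -122.4194)
    print("".join(str(b) for b in packet))
    print(parse_packet(packet))
```

Flipping any single bit of the body makes `crc_ok` false, which is exactly what a CRC is for; it says nothing about who built the packet, so a spoofed position with a freshly computed CRC is indistinguishable from a real one.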
INTERCEPTING ON DOWNLINK
• Bigger antennas and better equipment
• RF downconversion
• Doppler Shift
• Multipath
Worst Case Doppler Shift
DISCLAIMER
Transmitting on Globalstar's frequencies may be illegal where you live and could interfere with critical communications.
Do not do this! Seriously, don't.
No one likes late night visits from the FCC.
TRANSMITTING
• MGA-2000 0.5 W RF Amplifier - $190.00
But if you like late night visits from the FCC…
• This is actually the easy part.
• ~0.2 W of transmit power
• Simply mix data, PN, and carrier at the correct rates
SPOOFING LOCATION
Figure: planned route vs. hijacked route, with false location data reported along the planned route.
Attacker hijacks truck, disables tracker, transmits location as if delivery is on track.
"Like all companies and industries in the 21st century, including those that Wired reported on this week to expose hacking vulnerabilities like Chrysler, GM, Brinks and others, Globalstar monitors the technical landscape and its systems to protect our customers. Our engineers would know quickly if any person or entity was hacking our system in a material way, and this type of situation has never been an issue to date. We are in the business of saving lives daily and will continue to optimize our offerings for security concerns and immediately address any illegal actions taken against our Company."
DISCLOSURE & RESPONSE
• ~180 days ago
• Friendly and concerned for user privacy, but no further communication
NEXT STEPS
• Collaboration
• Code optimization - realtime
• Downlink interception
• Data aggregation
CONCLUSIONS
• Long lifecycle
• Unpatchable
• Security going forward
• DSSS != security
• Assume Insecure
• Act accordingly
• Higher standards
SPECIAL THANKS
Alex K., Chris W., Cyberspectrum Meetup, David C., Michael Ossmann, Mom and Dad, Paul David, Tom Rondeau and The Interns
QUESTIONS / COMMENTS?
Code: https://github.com/synack/globalstar
Slides: https://syn.ac/bh15satcom
@colbymoore
colby@synack.com