Satellite Hacking - IndianZ

This document provides an introduction to satellite hacking. It begins with definitions of key satellite terminology. It then discusses the history of satellite technology, how satellites are launched, different types of orbits, satellite applications, dependencies on satellites, space debris, tracking satellites, satellite communication methods, and some basic equipment used in satellite hacking like receivers, antennas, and software-defined radios. The document aims to provide background information and an overview of the topic to get more people interested in investigating satellite technology.

Uploaded by

Nishat
Satellite Hacking

Intro by IndianZ

http://earthobservatory.nasa.gov/Features/Aerosols/page5.php
Whoami

# Datalynx, Basel
# Penetration Testing, IT-Forensic, *Security
# ISECOM OSSTMM
# Certified Tester OPST/Analyst OPSA
# University, Lucerne
# Master of Adv. Studies in Information Security
# Teaching CAS/MAS Information Security
# Security Articles, Demos, Speeches
# Computerworld, Digicomp and Hashdays
# https://www.indianz.ch/
Disclaimer

# FX talked about satellite hacking @ berlinsides 6 months ago (unpublished)
# A wish, more people of the community would join this topic
# So I started investigation into satellite technology, digital video broadcasting and ham amateur radio
# Nights of research, gathered more than 3.6 GB public data
# Just started, not yet fully there where I want(ed) to be
# But for now, please fasten seatbelts for a short trip to space
Agenda

# Introduction
# Equipment
# Satellite Hackers
# Future Outlook

# Annex

http://www.spacenews.com/images/Ariane5_ESA02.jpg
Definitions I/II

# Latin satelles = Companion or bodyguard
# Bodyguard = Etruscan origin (500 BC)
# Bird (in the sky) = Satellite (in orbit)
# Orbit = Path around Earth
# Payload = Module (Imagery, Radio, DVB-S(2), …)
# Downlink = Satellite to Earth
# Uplink = Earth to Satellite
# Beam = Uplink/Downlink Channel
# Footprint = Coverage of Satellite Beam
Example Footprint

http://en.wikipedia.org/wiki/Satellite_footprint
Definitions II/II

# Launch = Bring satellite with transport vehicle into orbit
# VSAT = Very Small Aperture Terminal (dish2dish)
# Doppler effect/shift = Radio RX/TX moving
# Beacon = Modulated Oscillator (telemetry)
# Transponder = Transmitter and responder (relay)
# Transceiver = Transmitter and receiver
# Apogee = Biggest Distance to Earth
# Perigee = Smallest Distance to Earth
# TT&C = Telemetry, Tracking & Command
Example TT&C Leuk CH

http://de.wikipedia.org/wiki/Onyx_%28Abh%C3%B6rsystem%29
History

# First Russian satellite: Sputnik 1957-10-04
# First US satellite: Explorer-1 1958-01-31
# First TV satellite: Telstar-1 AT&T 1962
# First Geostationary: Syncom-2 1963
# First Swiss: Swisscube 2009
# GPS: 24 satellites 1978 (- 1994)
# Hubble Telescope: 1990
# MIR: 1986 – 2001
# ISS: 1998 - ?
http://en.wikipedia.org/wiki/Sputnik_1
Launches

# About 4'000 launches overall (?)
# About 100 launches in 2012
# Multiple payloads possible
# Nowadays approximately 3'000 satellites living (?)
# Operating lifespan between 5 to 20 years
# About 20 countries are “in space”
# About 22 official launch sites worldwide
Countries in space

# USA, Russia, Japan, China, France, India, Israel, Australia, UK, Canada, Germany, Italy, Austria, Indonesia, Brazil, Sweden, Luxembourg, Argentina, Saudi Arabia, South Korea
# ESA (European Space Agency): Austria, Belgium, Czech Republic, Denmark, Finland, France, Germany, Greece, Ireland, Italy, Luxembourg, Netherlands, Norway, Portugal, Romania, Spain, Sweden, UK, Switzerland
# Private Organizations (Space Adventures, Virgin Galactic, RocketShip Tours, …)
# Work in progress: North Korea, Iran, …
Launch sites

http://www.spacetoday.org/Rockets/Spaceports/LaunchSites.html
Orbits I/II

# LEO: Low Earth Orbit (circular orbit: 6.9 to 7.8 km/s), 200 to 1200 km (elliptic orbit: 6.5 to 8.2 km/s)
# GTO: Geostationary Transfer Orbit, 200-800 km perigee / 36.000 km apogee
# MEO: Medium Earth Orbit, 1.000 to 36.000 km
# GSO/IGSO: Geo Synchronous Orbit / Inclined GSO, 23h56min04s around earth (analemma → 8)
# GEO: Geo Stationary Orbit (3.1 km/s), 35.786 km
# HEO: Highly Elliptical Orbit, Molniya (1.5 to 10.0 km/s), 200 to 15.000 km / 50.000 to 400.000 km
# Graveyard: around 335.786 km
# SSO: Sun Synchronous Orbit
Orbits II/II

[Figure: orbit diagram around Earth labelling LEO, MEO, GTO, HEO, GSO, IGSO (figure 8), GEO and Graveyard]
Celestial Coordinates

visual.merriam-webster.com/astronomy/astronomical-observation/celestial-coordinate-system.php
Physics

# Gravitational versus centripetal force
# Perigee = fast movement
# Apogee = slow movement

[Figure: elliptical orbit around Earth; perigee (fast), apogee (slow); gravity versus centripetal force]
Types

# Communication, Navigation, Recovery
# Imagery, Reconnaissance, Earth Observation, Weather
# Anti-Satellite Weapons, Killer Satellites, Kinetic Kill Vehicles
# Spacecraft, Spaceship, Space Station
# Astronomics, Bio
# Tether, Miniaturized

http://en.wikipedia.org/wiki/Tether_satellite
http://www.spacewar.com/images/raytheon-exoatmospheric-kill-vehicle-art-bg.jpg
Example Imagery

www.swisstopo.admin.ch/internet/swisstopo/de/home/products/images/satellite/satellite_CH.html
Layout I/II

http://www.thetech.org/exhibits/online/satellite/5/5.html
Layout II/II

http://commons.wikimedia.org/wiki/File:ISS_configuration_2011-05_en.svg
Dependencies I/II

# Finance: Backup transaction links
# Communication: Backup mobile/internet links, Amateur Radio
# Branch offices: Internet access/VPN/VSAT
# Transport: Navigation, Containers, Search & Rescue
# Military: Espionage, Reconnaissance
# News: Digital video broadcast
# Weather: Forecast
# Video telephony: IP-TV
# Geology: Maps, Resource discovery
# Astronomy: Observation, Reconnaissance
Dependencies II/II

# Navigation: GPS, Galileo, GLONASS, Compass, IRNSS
# Satellite Phones: Iridium, Inmarsat, IsatPhone Pro, BGAN, Fleet Broadband, Globalstar, Thuraya, TerreStar
# Satellite Internet: Businesscom Networks Ltd, CETel GmbH, dsl2u, Filiago, HETAN@Home, STA-Network, Sat Internet Services GmbH, Satlynx, satspeed, SkyGate, StarDSL, Thuraya, getinternet s.a.r.l
# TV: Astra, Hotbird, Sky, UPC
Space debris I/III

~22'000 objects

http://orbitaldebris.jsc.nasa.gov/photogallery/beehives.html
Space debris II/III

~700'000 objects
CCC Camp 2011: http://www.youtube.com/watch?v=MBZFxV66zmc
Space debris III/III

Endeavour's radiator panel   Challenger's front window

http://ntrs.nasa.gov/archive/nasa/casi.ntrs.nasa.gov/20080010742_2008009999.pdf
http://www.orbitaldebris.jsc.nasa.gov/photogallery/gallarypage
Tracking I/II

Tracking II/II

# Tools for Satellite Tracking
# Gpredict (win/linux) ;)
# Orbitron, Sattrack (win)
# Predict (linux)
# Online Databases
# http://www.n2yo.com/database/
# http://heavens-above.com/
# http://www.ucsusa.org/assets/documents/nwgs/UCS_Satellite_Database_1-1-12.xls
Communication I/III

http://www.satcom-services.com/sat_freq.htm
Communication II/III

www.inetdaemon.com/tutorials/satellite/communications/frequency-bands/index.shtml
Communication III/III

# If !geo-stationary, object will move fast
# Time window for communication
# 5-10 minutes or 15-20 minutes
# Antennas need to follow the object (rotors)
# Doppler-Shift correction
# + approaching/- leaving
# Space weather influence
# Solar flares, plasma
# Electromagnetic waves, geomagnetics
http://www.hamqsl.com/solarvhf.gif
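
The orbit speeds, the "perigee fast / apogee slow" rule and the Doppler and time-window bullets above can be reproduced from two-body physics. This is an added example, not part of the original deck; the constants, the function names and the 850 km altitude used for a 137 MHz weather satellite are assumptions of the example, and Earth rotation is ignored.

```python
import math

MU = 398600.4418     # km^3/s^2, Earth's gravitational parameter (assumed constant)
R_EARTH = 6378.137   # km, equatorial radius (assumed constant)
C = 299792.458       # km/s, speed of light

def speed(r_km, a_km):
    """Vis-viva: speed in km/s at radius r on an orbit with semi-major axis a."""
    return math.sqrt(MU * (2.0 / r_km - 1.0 / a_km))

def circular_speed(alt_km):
    r = R_EARTH + alt_km
    return speed(r, r)

def period_s(alt_km):
    """Period in seconds of a circular orbit at the given altitude."""
    r = R_EARTH + alt_km
    return 2 * math.pi * math.sqrt(r ** 3 / MU)

def perigee_apogee_speed(perigee_alt_km, apogee_alt_km):
    """Speeds at both ends of an elliptic orbit (fast at perigee, slow at apogee)."""
    rp, ra = R_EARTH + perigee_alt_km, R_EARTH + apogee_alt_km
    a = (rp + ra) / 2
    return speed(rp, a), speed(ra, a)

def doppler_hz(freq_hz, alt_km, elevation_deg=0.0, approaching=True):
    """Receive-side Doppler offset for a pass through the zenith, circular orbit.
    Range rate = v * (R/r) * cos(elevation): largest at the horizon, zero overhead."""
    r = R_EARTH + alt_km
    rate = circular_speed(alt_km) * (R_EARTH / r) * math.cos(math.radians(elevation_deg))
    shift = freq_hz * rate / C
    return shift if approaching else -shift   # + approaching / - leaving

def overhead_pass_minutes(alt_km):
    """Horizon-to-horizon time for a pass through the zenith."""
    visible_arc = 2 * math.acos(R_EARTH / (R_EARTH + alt_km))
    return visible_arc / (2 * math.pi) * period_s(alt_km) / 60

if __name__ == "__main__":
    print(f"LEO 200 km   : {circular_speed(200):.2f} km/s")
    print(f"GEO 35786 km : {circular_speed(35786):.2f} km/s, period {period_s(35786):.0f} s")
    vp, va = perigee_apogee_speed(200, 36000)
    print(f"GTO          : perigee {vp:.2f} km/s, apogee {va:.2f} km/s")
    print(f"Pass window  : {overhead_pass_minutes(200):.1f} min at 200 km, "
          f"{overhead_pass_minutes(850):.1f} min at 850 km")
    print(f"137 MHz      : {doppler_hz(137e6, 850):+.0f} Hz rising, "
          f"{doppler_hz(137e6, 850, approaching=False):+.0f} Hz setting")
```

A receiver tracking such a pass retunes continuously from the positive offset through zero at closest approach to the negative offset; passes that do not cross the zenith are shorter and shift less.
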
Equipment (Annex!)

# Receiver(s)
# Antenna(s)
# Cables, Converters

Gqrx-sdr I/II

Gqrx-sdr II/II

NOAA Image (IR)

# National Oceanic and Atmospheric Administration
# 137 MHz, analog 40 kHz bandwidth
# 11.025 kHz WAV (-noise)
# PNG image black/white or color
# Atpdec (sourceforge)
http://sourceforge.net/projects/atpdec/
Past publications

# 2012 B.Driessen and R.Hund: Don't Trust Satellite Phones
# 2011 M.Moeckel: Space Debris
# 2011 J.Geovedi, R.Iryandi, R. Chiesa: Hacking a Bird in the Sky 2.0
# 2009 J.Geovedi, R. Iryandi: Hacking Satellite: A New Universe to Discover
# 2009 L.Nve Egea, Ch.Martorella: Playing in a Satellite Environment 1.2
# 2009 A.Laurie: $atellite Hacking for Fun & Pr0fit!
# 2008 J.Geovedi, R.Iryandi, A.Zboralski: Hacking a Bird in the Sky: Exploiting Satellite Trust Relationship
# 2006 J.Geovedi, R.Iryandi: Hacking a Bird in the Sky: Hijacking VSAT Connection
# 2006 A.Adelbach: Broadcasting by Misuse of Satellite ISPs
# 2004 Warezzman: DVB Satellite Hacking
# 1998 D.Veeneman: Future & Existing Satellite Systems
# 1996 D.Veeneman: Low Earth Orbit Satellites
Hackers :p

# Satellite hackers normally come from 2 technology backgrounds:
# 1) DVB-S Scene
# 2) HAM Amateur Radio Scene
Digital Video Broadcasting

# DVB-T
# DVB Terrestrial, ETSI EN 300744 1997
# DVB-S/2
# DVB Satellite, ETSI EN 300421 1997/S2 EN 302307 2005
# DVB-C/2 = Cable
# DVB Cable, ETSI EN 300429 1994/C2 EN 302755 1998

# DVB-H = Handheld
# DVB-SH = Handheld over Satellite
DVB drone pr0n

Predator drone
(Source: Wikipedia)
(Source: Youtube)

(Source: skygrabber.com)
HAM radio

# HAM = Amateur Radio Operator
# Acronym for Hertz, Armstrong, Marconi (3 radio pioneers)
# A poor operator, a plug. (G.M.Dodge's telegraph instructor)
# Amateur radio license by governmental regulatory authority (Bakom in CH), registered call sign
# About 3 million HAM operators worldwide
# USKA: Union Schweizer Kurzwellen-Amateure
# Visit them @ the #center!
HAM frequencies

http://en.wikipedia.org/wiki/Amateur_radio
MilSat frequencies :p

http://www.satellitenwelt.de/
Hacker Projects

# Mur.sat
# Nano satellite with sensors (art)
# Hacker Space Global Grid
# Fallback infrastructure
# Censorship avoidance
# ANGST
# Arduino n’ Gameduino Satellite Tracker

Press citations :p

# Satellites could come under cyber siege...
# Aging fleet has become a prime target ...
# We’re going to fight from space and we’re going to fight into space...
# Malicious cyber activities directed against U.S. satellites...
# Satellite-based networks: at risk from hackers...
# Attacks against satellite systems...
Top 10 threats I/II

# Tracking
# Tracking: over web data and software
# Listening
# Listening: the right equipment, frequencies and location
# Interacting
# Interacting: protocols and authentication used, radio transmissions need official license!
# Using
# Take over a bird (or a TT&C), use payloads, make pictures, transmit something (DVB or radio)
# Scanning/attacking
# Anonymous PoC 2010 by Leonardo Nve Egea
# Scanning, DoS and spoofing possible
Top 10 threats II/II

# Breaking
# Old technologies used: up to 20 (!) years lifespan
# X.25 used (→ x25bru.c and http://www.0xdeadbeef.info/ ;)
# GRE used (→ IRPAS + gre.c from Phenoelit ;)
# Jamming
# Frequencies are known, you are in range and have power ;)
# Mispositioning
# Ranging transponder spoofing, direct commanding, command replay, insertion after confirmation but prior to execution
# Grilling
# Activating all solar panels when exposed to sun (!)
# Overcharging energy system (charge controller?)
# Collisioning?
Collisioning!

scitechgate.com/ensuring-the-space-security-has-become-essential-for-human-advancement/
Collisions

# 1978 Kessler syndrome (aka Kessler effect, collisional cascading or ablation cascade)
# 8 known high speed collisions
# 1985 US antisatellite missile test (P78-1)
# 1996 Cerise satellite collided with space debris
# 2006 Satellite collision (Dart/Mublcom)
# 2007 Chinese anti-satellite missile test (Fengyun)
# 2009 Satellite collision (Iridium 33/Kosmos-2251)
# 3 times space debris collided with Mir station
Known hacking cases
● 2012 Iridium/Inmarsat phones, German researchers
● 2010 Anonymous scan/attack over satellites, L. N. Egea
● 2009 Predator drones (DVB Skygrabber) Afghanistan
● 2009 FLTSAT-8, Brazilian hackers, soccer radio chats
● 2008 Landsat-7/Terra AM-1 over Norway TT&C (.CN?)
● 2007 Intelsat broadcast, Liberation Tigers of Tamil Eelam
● 2002 Sinosat-1 broadcast, Falun Gong banner China TV
● 1990 Pay-TV Decoding (Premiere Europe)
● 1990 Freeloaders, pr0n/ free phone calls over satellites
● 1980 Satellite radio listening, signals decoding
Satellite Future

# NASA stopped shuttle usage (because of costs and accidents) in 2011
# ISS now gets logistics over SpaceX Dragon space capsule (US private organization) or Soyuz (TMA-M) spacecraft (Russia)
# NASA plans to be back in space with Space Launch System (SLS) by 2017 and permanent moon base by 2024
# China plans own space station by 2020
Personal Outlook

# I'm not alone in the community covering this topic
# Highly complex field, merged technologies
# Not many proofs of concept completed yet
# Preparing for HAM radio license (to be able to send)
# Just started investigating, expect more to come
# If somebody wants to join the research, feel free :)
# Especially guys with DVB experience are welcome ;)
Questions?
Comments?
Discussion? 

http://earthobservatory.nasa.gov/Features/Aerosols/page5.php
References I/III

# http://www.satellitenwelt.de/
# http://www.heavens-above.com/
# http://blog.makezine.com/2009/07/22/catching-satellites-on-ham-radio/
# http://www.levinecentral.com/ham/grid_square.php
# http://www.uska.ch/
# http://www.bakom.admin.ch/themen/frequenzen/01576/01578/index.html?lang=de
# http://www.bakom.admin.ch/themen/frequenzen/00652/00653/index.html?lang=de
References II/III

# http://www.n2yo.com/database/
# http://www.ucsusa.org/assets/documents/nwgs/UCS_Satellite_Database_1-1-12.xls
# http://www.hamqsl.com/
# http://gpredict.oz9aec.net/
# http://sourceforge.net/projects/gqrx/
# https://github.com/csete/gqrx
# http://dvbsnoop.sourceforge.net/
# http://www.amsat.org/
# http://atpdec.sourceforge.net/
References III/III

# http://www.oz9aec.net/index.php/gnu-radio/gnu-radio-blog/451-howto-receive-and-decode-noaa-apt-images-with-the-funcube-dongle-and-gqrx
# http://www.oz9aec.net/index.php/gnu-radio/gnu-radio-blog/477-noaa-apt-reception-with-gqrx-and-rtlsdr
# http://www.thiecom.de/
# http://sat.mur.at/
# http://shackspace.de/wiki/doku.php?id=project:hgg
# http://brainwagon.org/the-arduino-n-gameduino-satellite-tracker/
Receiver

# AOR AR8200 Mk3
# Frequency range: 100 kHz to 3000 MHz
# no gaps ;)
# Costs: ~650 CHF (550 €/665 $)
# BNC-Connector
http://www.thiecom.de/ar8200mark3.htm
Antennas I/II

# 2m Groundplane
# Frequency range: 145 MHz
# (Resonance at 290 + 435 MHz ;)
# Costs: ~60 CHF (50 €/60 $)
# HAM Radio
# UHF-/BNC-Connector

http://www.winklerantennenbau.de/gp2.htm
Antennas II/II

# Arrow II Portable Antenna (2m/70cm)
# Frequency range: 144 MHz / 436 MHz
# Costs: ~150 CHF (115 €/140 $)
# HAM Radio
# BNC-Connector

http://www.arrowantennas.com/arrowii/146-437.html
Funcube receiver

# FunCube Radio Dongle
# Frequency range: 64 - 1'700 MHz
# Gap 240MHz / 420MHz
# Costs: ~200 CHF (170 €/200 $)
# Software: qthid, gqrx-sdr
# Audio Recording ;)
# SMA-Connector
http://www.funcubedongle.com/
Hama DVB receiver

# Hama Nano DVB-T Dongle
# Frequency range: 48 - 860 MHz
# Costs: ~70 CHF (60 €/70 $)
# Software: gqrx-sdr, me-tv
# SDR-functionality ;)
# Coax Connector MCX
http://www.hama.de/portal/picType*awd4/action*2599/articleId*179025#picture
TeVii DVB receiver

# TeVii S660 USB-S2 box
# Frequency range: 950 - 2150 MHz
# Costs: ~72 CHF (60 €/78 $)
# DVB-S/S2 (TV and Radio)
# Software: MyTeVii, TeViiData, linux-dvb-apps
# LNB Connector
http://www.tevii.com/products_s660_1.asp
DVB satellite dish

# DVB-S/-S2 Camping Dish (35 cm)
# Frequency range: 10.7 – 12.75 GHz
# Output 950 – 2150 MHz
# Costs: ~72 CHF (60 €/78 $)
# Sharp LNB Single
# Low-noise block downconverter
http://en.buchmann.ch/catalog/product_info.php?products_id=28653
