1
Satellite Hacking
Intro by IndianZ
http://earthobservatory.nasa.gov/Features/Aerosols/page5.php
2
Whoami
# Datalynx, Basel
# Penetration Testing, IT-Forensic, *Security
# ISECOM OSSTMM
# Certified Tester OPST/Analyst OPSA
# University, Lucerne
# Master of Adv. Studies in Information Security
# Teaching CAS/MAS Information Security
# Security Articles, Demos, Speeches
# Computerworld, Digicomp and Hashdays
# https://www.indianz.ch/
3
Disclaimer
# FX talked about satellite hacking @ berlinsides 6 months ago (unpublished)
# A wish, more people of the community would join this topic
# So I started investigation into satellite technology, digital video broadcasting and ham amateur radio
# Nights of research, gathered more than 3.6 GB public data
# Just started, not yet fully there where I want(ed) to be
# But for now, please fasten seatbelts for a short trip to space
4
Agenda
# Introduction
# Equipment
# Satellite Hackers
# Future Outlook
# Annex
http://www.spacenews.com/images/Ariane5_ESA02.jpg
5
Definitions I/II
# Latin satelles = Companion or bodyguard
# Bodyguard = Etruscan origin (500 BC)
# Bird (in the sky) = Satellite (in orbit)
# Orbit = Path around Earth
# Payload = Module (Imagery, Radio, DVB-S(2), …)
# Downlink = Satellite to Earth
# Uplink = Earth to Satellite
# Beam = Uplink/Downlink Channel
# Footprint = Coverage of Satellite Beam
6
Example Footprint
http://en.wikipedia.org/wiki/Satellite_footprint
7
Definitions II/II
# Launch = Bring satellite with transport vehicle into orbit
# VSAT = Very Small Aperture Terminal (dish2dish)
# Doppler effect/shift = Radio RX/TX moving
# Beacon = Modulated Oscillator (telemetry)
# Transponder = Transmitter and responder (relay)
# Transceiver = Transmitter and receiver
# Apogee = Biggest Distance to Earth
# Perigee = Smallest Distance to Earth
# TT&C = Telemetry, Tracking & Command
8
Example TT&C Leuk CH
http://de.wikipedia.org/wiki/Onyx_%28Abh%C3%B6rsystem%29
9
History
# First Russian satellite: Sputnik 1957-10-04
# First US satellite: Explorer 1 1958-01-31
# First TV satellite: Telstar 1 AT&T 1962
# First Geostationary: Syncom 2 1963
# First Swiss: Swisscube 2009
# GPS: 24 satellites 1978 ( 1994)
# Hubble Telescope: 1990
# MIR: 1986 – 2001
# ISS: 1998 – ?
http://en.wikipedia.org/wiki/Sputnik_1
10
Launches
# About 4'000 launches overall (?)
# About 100 launches in 2012
# Multiple payloads possible
# Nowadays approximately 3'000 satellites living (?)
# Operating lifespan between 5 to 20 years
# About 20 countries are “in space”
# About 22 official launch sites worldwide
11
Countries in space
# USA, Russia, Japan, China, France, India, Israel, Australia, UK, Canada, Germany, Italy, Austria, Indonesia, Brazil, Sweden, Luxembourg, Argentina, Saudi Arabia, South Korea
# ESA (European Space Agency): Austria, Belgium, Czech Republic, Denmark, Finland, France, Germany, Greece, Ireland, Italy, Luxembourg, Netherlands, Norway, Portugal, Romania, Spain, Sweden, UK, Switzerland
# Private Organizations (Space Adventures, Virgin Galactic, RocketShip Tours, …)
# Work in progress: North Korea, Iran, …
12
Launch sites
http://www.spacetoday.org/Rockets/Spaceports/LaunchSites.html
13
Orbits I/II
# LEO: Low Earth Orbit (circular orbit: 6.9 to 7.8 km/s), 200 to 1200 km (elliptic orbit: 6.5 to 8.2 km/s)
# GTO: Geostationary Transfer Orbit, 200-800 km perigee / 36.000 km apogee
# MEO: Medium Earth Orbit, 1.000 to 36.000 km
# GSO/IGSO: Geo Synchronous Orbit / Inclined GSO, 23h56min04s around earth (analemma → 8)
# GEO: Geo Stationary Orbit (3.1 km/s), 35.786 km
# HEO: Highly Elliptical Orbit, Molniya (1.5 to 10.0 km/s), 200 to 15.000 km / 50.000 to 400.000 km
# Graveyard: around 335.786 km
# SSO: Sun Synchronous Orbit
14
Orbits II/II
[Figure: Earth with the LEO, MEO, GEO, GTO, HEO, GSO/IGSO (figure 8) and Graveyard orbits]
15
Celestial Coordinates
visual.merriamwebster.com/astronomy/astronomicalobservation/celestialcoordinatesystem.php
16
Physics
# Gravitational versus centripetal force
# Perigee = fast movement
# Apogee = slow movement
[Figure: Earth with gravity and centripetal force on an elliptical orbit; apogee (slow), perigee (fast)]
17
Types
# Communication, Navigation, Recovery
# Imagery, Reconnaissance, Earth Observation, Weather
# Anti-Satellite Weapons, Killer Satellites, Kinetic Kill Vehicles
# Spacecraft, Spaceship, Space Station
# Astronomics, Bio
# Tether, Miniaturized
http://en.wikipedia.org/wiki/Tether_satellite
http://www.spacewar.com/images/raytheonexoatmospherickillvehicleartbg.jpg
18
Example Imagery
www.swisstopo.admin.ch/internet/swisstopo/de/home/products/images/satellite/satellite_CH.html
19
Layout I/II
http://www.thetech.org/exhibits/online/satellite/5/5.html
20
Layout II/II
http://commons.wikimedia.org/wiki/File:ISS_configuration_201105_en.svg
21
Dependencies I/II
# Finance: Backup transaction links
# Communication: Backup mobile/internet links, Amateur Radio
# Branch offices: Internet access/VPN/VSAT
# Transport: Navigation, Containers, Search & Rescue
# Military: Espionage, Reconnaissance
# News: Digital video broadcast
# Weather: Forecast
# Video telephony: IP-TV
# Geology: Maps, Resource discovery
# Astronomy: Observation, Reconnaissance
22
Dependencies II/II
# Navigation: GPS, Galileo, GLONASS, Compass, IRNSS
# Satellite Phones: Iridium, Inmarsat, IsatPhone Pro, BGAN, Fleet Broadband, Globalstar, Thuraya, TerreStar
# Satellite Internet: Businesscom Networks Ltd, CETel GmbH, dsl2u, Filiago, HETAN@Home, STA-Network, Sat Internet Services GmbH, Satlynx, satspeed, SkyGate, StarDSL, Thuraya, getinternet s.a.r.l
# TV: Astra, Hotbird, Sky, UPC
23
Space debris I/III
http://orbitaldebris.jsc.nasa.gov/photogallery/beehives.html
~22'000 objects
24
Space debris II/III
~700'000 objects
CCC Camp 2011: http://www.youtube.com/watch?v=MBZFxV66zmc
25
Space debris III/III
Endeavour's radiator panel / Challenger's front window
http://ntrs.nasa.gov/archive/nasa/casi.ntrs.nasa.gov/20080010742_2008009999.pdf
http://www.orbitaldebris.jsc.nasa.gov/photogallery/gallarypage
26
Tracking I/II
27
Tracking II/II
# Tools for Satellite Tracking
# Gpredict (win/linux) ;)
# Orbitron, Sattrack (win)
# Predict (linux)
# Online Databases
# http://www.n2yo.com/database/
# http://heavens-above.com/
# http://www.ucsusa.org/assets/documents/nwgs/UCS_Satellite_Database_1-1-12.xls
28
Communication I/III
http://www.satcomservices.com/sat_freq.htm
29
Communication II/III
www.inetdaemon.com/tutorials/satellite/communications/frequencybands/index.shtml
30
Communication III/III
# If !geo-stationary, object will move fast
# Time window for communication
# 5-10 minutes or 15-20 minutes
# Antennas need to follow the object (rotors)
# Doppler-Shift correction
# + approaching/- leaving
# Space weather influence
# Solar flares, plasma
# Electromagnetic waves, geomagnetics
http://www.hamqsl.com/solarvhf.gif
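The pass window and Doppler correction from the Communication III/III slide follow from the orbit altitude alone. This is an added example, not part of the original slides; it assumes a circular orbit, an overhead pass, a non-rotating Earth and a 0° horizon. The 850 km NOAA altitude and the 400 km altitude for the 436 MHz case are assumptions; 137 MHz and 436 MHz are taken from the slides.

```python
import math

MU = 398600.4418   # Earth's gravitational parameter, km^3/s^2
R_E = 6371.0       # mean Earth radius, km
C = 299792.458     # speed of light, km/s

def circular_speed(alt_km):
    """Orbital speed (km/s) of a circular orbit at alt_km above the surface."""
    return math.sqrt(MU / (R_E + alt_km))

def period_s(alt_km):
    """Orbital period in seconds (Kepler's third law)."""
    return 2 * math.pi * math.sqrt((R_E + alt_km) ** 3 / MU)

def max_pass_minutes(alt_km):
    """Horizon-to-horizon duration of an overhead pass, in minutes."""
    # Earth-central angle between zenith and the point where the bird sets.
    half_angle = math.acos(R_E / (R_E + alt_km))
    return period_s(alt_km) * half_angle / math.pi / 60

def doppler_hz(alt_km, freq_hz, t_s):
    """Doppler shift t_s seconds after closest approach (negative = before).

    Positive result: approaching, tune higher. Negative: leaving.
    """
    r = R_E + alt_km
    omega = 2 * math.pi / period_s(alt_km)        # angular rate, rad/s
    theta = omega * t_s                           # angle from zenith
    slant = math.sqrt(R_E**2 + r**2 - 2 * R_E * r * math.cos(theta))
    range_rate = R_E * r * math.sin(theta) * omega / slant   # km/s
    return -freq_hz * range_rate / C

def max_doppler_hz(alt_km, freq_hz):
    """Largest shift of the pass, reached as the bird rises over the horizon."""
    return doppler_hz(alt_km, freq_hz, -max_pass_minutes(alt_km) * 30)

if __name__ == "__main__":
    # Constructed sample values: altitudes are assumed, frequencies are from the slides.
    for name, alt, f in [("NOAA APT", 850, 137e6), ("70cm ham bird", 400, 436e6)]:
        print(f"{name}: v={circular_speed(alt):.2f} km/s, "
              f"pass<={max_pass_minutes(alt):.1f} min, "
              f"doppler=+/-{max_doppler_hz(alt, f):.0f} Hz")
    print(f"GEO: v={circular_speed(35786):.2f} km/s")
```

The results land inside the slide's ranges: roughly 10 minutes at 400 km and 16 minutes at 850 km, with the receiver needing to follow about ±3 kHz at 137 MHz and about ±10.5 kHz at 436 MHz.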
32
Equipment (Annex!)
# Receiver(s)
# Antenna(s)
# Cables, Converters
33
Gqrx-sdr I/II
34
Gqrx-sdr II/II
35
NOAA Image (IR)
# National Oceanic and Atmospheric Administration
# 137 MHz, analog 40 kHz bandwidth
# 11.025 kHz WAV (-noise)
# PNG image black/white or color
# Atpdec (sourceforge)
http://sourceforge.net/projects/atpdec/
37
Past publications
# 2012 B.Driessen and R.Hund: Don't Trust Satellite Phones
# 2011 M.Moeckel: Space Debris
# 2011 J.Geovedi, R.Iryandi, R. Chiesa: Hacking a Bird in the Sky 2.0
# 2009 J.Geovedi, R. Iryandi: Hacking Satellite: A New Universe to Discover
# 2009 L.Nve Egea, Ch.Martorella: Playing in a Satellite Environment 1.2
# 2009 A.Laurie: $atellite Hacking for Fun & Pr0fit!
# 2008 J.Geovedi, R.Iryandi, A.Zboralski: Hacking a Bird in the Sky: Exploiting Satellite Trust Relationship
# 2006 J.Geovedi, R.Iryandi: Hacking a Bird in the Sky: Hijacking VSAT Connection
# 2006 A.Adelbach: Broadcasting by Misuse of Satellite ISPs
# 2004 Warezzman: DVB Satellite Hacking
# 1998 D.Veeneman: Future & Existing Satellite Systems
# 1996 D.Veeneman: Low Earth Orbit Satellites
38
Hackers :p
# Satellite hackers come normally from 2 technology backgrounds:
# 1) DVB-S Scene
# 2) HAM Amateur Radio Scene
39
Digital Video Broadcasting
# DVB-T = Terrestrial
# DVB Terrestrial, ETSI EN 300744 1997
# DVB-S/2 = Satellite
# DVB Satellite, ETSI EN 300421 1997/S2 EN 302307 2005
# DVB-C/2 = Cable
# DVB Cable, ETSI EN 300429 1994/C2 EN 302755 1998
# DVB-H = Handheld
# DVB-SH = Handheld over Satellite
40
DVB drone pr0n
Predator drone (Source: Wikipedia)
(Source: Youtube)
(Source: skygrabber.com)
41
HAM radio
# HAM = Amateur Radio Operator
# Acronym for Hertz,Armstrong,Marconi (3 radio pioneers)
# A poor operator, a plug. (G.M.Dodge's telegraph instructor)
# Amateur radio license by governmental regulatory authority (Bakom in CH), registered call sign
# About 3 million HAM operators worldwide
# USKA: Union Schweizer Kurzwellen-Amateure
# Visit them @ the #center!
42
HAM frequencies
http://en.wikipedia.org/wiki/Amateur_radio
43
MilSat frequencies :p
http://www.satellitenwelt.de/
44
Hacker Projects
# Mur.sat
# Nano satellite with sensors (art)
# Hacker Space Global Grid
# Fallback infrastructure
# Censorship avoidance
# ANGST
# Arduino n’ Gameduino Satellite Tracker
45
Press citations :p
# Satellites could come under cyber siege...
# Aging fleet has become a prime target ...
# We’re going to fight from space and we’re going to fight into space...
# Malicious cyber activities directed against U.S. satellites...
# Satellite-based networks: at risk from hackers...
# Attacks against satellite systems...
46
Top 10 threats I/II
# Tracking
# Tracking: over web data and software
# Listening
# Listening: the right equipment, frequencies and location
# Interacting
# Interacting: protocols and authentication used, radio transmissions need official license!
# Using
# Take over a bird (or a TT&C), use payloads, make pictures, transmit something (DVB or radio)
# Scanning/attacking
# Anonymous PoC 2010 by Leonardo Nve Egea
# Scanning, DoS and spoofing possible
47
Top 10 threats II/II
# Breaking
# Old technologies used: up to 20 (!) years lifespan
# X.25 used (→ x25bru.c and http://www.0xdeadbeef.info/ ;)
# GRE used (→ IRPAS + gre.c from Phenoelit ;)
# Jamming
# Frequencies are known, you are in range and have power ;)
# Mispositioning
# Ranging transponder spoofing, direct commanding, command replay, insertion after confirmation but prior to execution
# Grilling
# Activating all solar panels when exposed to sun (!)
# Overcharging energy system (charge controller?)
# Collisioning?
48
Collisioning!
scitechgate.com/ensuringthespacesecurityhasbecomeessentialforhumanadvancement/
49
Collisions
# 1978 Kessler syndrome (aka Kessler effect, collisional cascading or ablation cascade)
# 8 known high speed collisions
# 1985 US antisatellite missile test (P78-1)
# 1996 Cerise satellite collided with space debris
# 2006 Satellite collision (Dart/Mublcom)
# 2007 Chinese anti-satellite missile test (Fengyun)
# 2009 Satellite collision (Iridium 33/Kosmos-2251)
# 3 times space debris collided with Mir station
50
Known hacking cases
# 2012 Iridium/Inmarsat phones, German researchers
# 2010 Anonymous scan/attack over satellites, L. N. Egea
# 2009 Predator drones (DVB Skygrabber) Afghanistan
# 2009 FLTSAT-8, Brazilian hackers, soccer radio chats
# 2008 Landsat-7/Terra AM-1 over Norway TT&C (.CN?)
# 2007 Intelsat broadcast, Liberation Tigers of Tamil Eelam
# 2002 Sinosat-1 broadcast, Falun Gong banner China TV
# 1990 Pay-TV Decoding (Premiere Europe)
# 1990 Freeloaders, pr0n/free phone calls over satellites
# 1980 Satellite radio listening, signals decoding
52
Satellite Future
# NASA stopped shuttle usage (because of costs and accidents) in 2011
# ISS now gets logistics over SpaceX Dragon space capsule (US private organization) or Soyuz (TMA-M) spacecraft (Russia)
# NASA plans to be back in space with Space Launch System (SLS) by 2017 and permanent moon base by 2024
# China plans own space station by 2020
53
Personal Outlook
# I'm not alone in the community covering this topic
# Highly complex field, merged technologies
# Not much proof-of-concepts yet completed
# Preparing for HAM radio license (to be able to send)
# Just started investigating, expect more to come
# If somebody wants to join the research, feel free :)
# Especially guys with DVB experience are welcome ;)
54
Questions? Comments? Discussion?
http://earthobservatory.nasa.gov/Features/Aerosols/page5.php
56
References I/III
# http://www.satellitenwelt.de/
# http://www.heavens-above.com/
# http://blog.makezine.com/2009/07/22/catching-satellites-on-ham-radio/
# http://www.levinecentral.com/ham/grid_square.php
# http://www.uska.ch/
# http://www.bakom.admin.ch/themen/frequenzen/01576/01578/index.html?lang=de
# http://www.bakom.admin.ch/themen/frequenzen/00652/00653/index.html?lang=de
57
References II/III
# http://www.n2yo.com/database/
# http://www.ucsusa.org/assets/documents/nwgs/UCS_Satellite_Database_1-1-12.xls
# http://www.hamqsl.com/
# http://gpredict.oz9aec.net/
# http://sourceforge.net/projects/gqrx/
# https://github.com/csete/gqrx
# http://dvbsnoop.sourceforge.net/
# http://www.amsat.org/
# http://atpdec.sourceforge.net/
58
References III/III
# http://www.oz9aec.net/index.php/gnu-radio/gnu-radio-blog/451-howto-receive-and-decode-noaa-apt-images-with-the-funcube-dongle-and-gqrx
# http://www.oz9aec.net/index.php/gnu-radio/gnu-radio-blog/477-noaa-apt-reception-with-gqrx-and-rtlsdr
# http://www.thiecom.de/
# http://sat.mur.at/
# http://shackspace.de/wiki/doku.php?id=project:hgg
# http://brainwagon.org/the-arduino-n-gameduino-satellite-tracker/
59
Receiver
# AOR AR8200 Mk3
# Frequency range: 100 kHz to 3000 MHz
# no gaps ;)
# Costs: ~650 CHF (550 €/665 $)
# BNC-Connector
http://www.thiecom.de/ar8200mark3.htm
60
Antennas I/II
# 2m Groundplane
# Frequency range: 145 MHz
# (Resonance at 290 + 435 MHz ;)
# Costs: ~60 CHF (50 €/60 $)
# HAM Radio
# UHF-/BNC-Connector
http://www.winklerantennenbau.de/gp2.htm
61
Antennas II/II
# Arrow II Portable Antenna (2m/70cm)
# Frequency range: 144 MHz / 436 MHz
# Costs: ~150 CHF (115 €/140 $)
# HAM Radio
# BNC-Connector
http://www.arrowantennas.com/arrowii/146437.html
62
Funcube receiver
# FunCube Radio Dongle
# Frequency range: 64 - 1'700 MHz
# Gap 240MHz / 420MHz
# Costs: ~200 CHF (170 €/200 $)
# Software: qthid, gqrx-sdr
# Audio Recording ;)
# SMA-Connector
http://www.funcubedongle.com/
63
Hama DVB receiver
# Hama Nano DVB-T Dongle
# Frequency range: 48 - 860 MHz
# Costs: ~70 CHF (60 €/70 $)
# Software: gqrx-sdr, me-tv
# SDR-functionality ;)
# Coax Connector MCX
http://www.hama.de/portal/picType*awd4/action*2599/articleId*179025#picture
64
TeVii DVB receiver
# TeVii S660 USB-S2 box
# Frequency range: 950 - 2150 MHz
# Costs: ~72 CHF (60 €/78 $)
# DVB-S/S2 (TV and Radio)
# Software: MyTeVii, TeViiData, linux-dvb-apps
# LNB Connector
http://www.tevii.com/products_s660_1.asp
65
DVB satellite dish
# DVB-S/-S2 Camping Dish (35 cm)
# Frequency range: 10.7 – 12.75 GHz
# Output 950 – 2150 MHz
# Costs: ~72 CHF (60 €/78 $)
# Sharp LNB Single
# Low-noise block downconverter
http://en.buchmann.ch/catalog/product_info.php?products_id=28653