The document discusses satellite hacking, exploring various technical aspects, historical context, and types of satellites and their uses. It outlines definitions, launches, orbits, communication methods, and the security vulnerabilities associated with satellite technology. The content also highlights notable hacking cases, threats to satellite systems, and future outlooks for space technology.

1. Satellite Hacking
Intro by IndianZ
1
http://earthobservatory.nasa.gov/Features/Aerosols/page5.php

2. Whoami
# Datalynx, Basel
# Penetration Testing, IT-Forensic, *Security
# ISECOM OSSTMM
# Certified Tester OPST/Analyst OPSA
# University, Lucerne
# Master of Adv. Studies in Information Security
# Teaching CAS/MAS Information Security
# Security Articles, Demos, Speeches
# Computerworld, Digicomp and Hashdays
# https://www.indianz.ch/ 2

3. Disclaimer
# FX talked about satellite hacking @ berlinsides 6 months
ago (unpublished)
# A wish, more people of the community would join this topic
# So I started investigation into satellite technology, digital
video broadcasting and ham amateur radio
# Nights of research, gathered more than 3.6 GB public data
# Just started, not yet fully there where I want(ed) to be
# But for now, please fasten seatbelts for a short trip to space
3

4. Agenda
# Introduction
# Equipment
# Satellite Hackers
# Future Outlook
# Annex
4
http://www.spacenews.com/images/Ariane5_ESA02.jpg

5. Definitions I/II
# Latin satelles = Companion or bodyguard
# Bodyguard = Etruskan origin (500 BC)
# Bird (in the sky) = Satellite (in orbit)
# Orbit = Path around Earth
# Payload = Module (Imagery, Radio, DVB-S(2), …)
# Downlink = Satellite to Earth
# Uplink = Earth to Satellite
# Beam = Uplink/Downlink Channel
# Footprint = Coverage of Satellite Beam 5

6. Example Footprint
6
http://en.wikipedia.org/wiki/Satellite_footprint

7. Definitions II/II
# Launch = Bring satellite with transport vehicle into orbit
# VSAT = Very Small Aperture Terminal (dish2dish)
# Doppler effect/shift = Radio RX/TX moving
# Beacon = Modulated Oscillator (telemetry)
# Transponder = Transmitter and responder (relay)
# Transceiver = Transmitter and receiver
# Apogee = Biggest Distance to Earth
# Perigee = Smallest Distance to Earth
# TT&C = Telemetry, Tracking & Command 7

8. Example TT&C Leuk CH
8
http://de.wikipedia.org/wiki/Onyx_%28Abh%C3%B6rsystem%29

9. History
# First Russian satellite: Sputnik 1957-10-04
# First US satellite: Explorer­1 1958­01­31
# First TV satellite: Telstar­1 AT&T 1962
# First Geostationary: Syncom­2 1963
# First Swiss: Swisscube 2009
# GPS: 24 satellites 1978 (­ 1994)
# Hubble Telescope: 1990
# MIR: 1986 – 2001
# ISS: 1998 ­ ? 9
http://en.wikipedia.org/wiki/Sputnik_1

10. Launches
# About 4'000 launches overall (?)
# About 100 launches in 2012
# Multiple payloads possible
# Nowadays approximately 3'000 satellites living (?)
# Operating lifespan between 5 to 20 years
# About 20 countries are “in space”
# About 22 official launch sites worldwide
10

11. Countries in space
# USA, Russia, Japan, China, France, India, Israel,
Australia, UK, Canada, Germany, Italy, Austria, Indonesia,
Brazil, Sweden, Luxembourg, Argentina, Saudi Arabia,
South Korea
# ESA (European Space Agency): Austria, Belgium, Czech
Republic, Denmark, Finland, France, Germany, Greece,
Ireland, Italy, Luxembourg, Netherlands, Norway, Portugal,
Romania, Spain, Sweden, UK, Switzerland
# Private Organizations (Space Adventures, Virgin Galatic,
RocketShip Tours, …)
# Work in progress: North Korea, Iran, …
11

12. Launch sites
12
http://www.spacetoday.org/Rockets/Spaceports/LaunchSites.html

13. Orbits I/II
# LEO: Low Earth Orbit (circular orbit: 6.9 to 7.8 km/s), 200 to 1200 km
(elliptic orbit: 6.5 to 8.2 km/s)
# GTO: Geostationary Transfer Orbit, 200-800 km perigee / 36.000 km
apogee
# MEO: Medium Earth Orbit, 1.000 to 36.000 km
# GSO/IGSO: Geo Synchronous Orbit / Inclined GSO, 23h56min04s
around earth (analemma → 8)
# GEO: Geo Stationary Orbit (3.1 km/s), 35.786 km
# HEO: Highly Elliptical Orbit, Molniya (1.5 to 10.0 km/s), 200 to 15.000
km / 50.000 to 400.000 km
# Graveyard: around 335.786 km
# SSO: Sun Synchronous Orbit 13

14. Orbits II/II
LEO
Earth GSO
8 IGSO
GTO
HEO
MEO 8 GSO
IGSO
GEO
Graveyard 14

15. Celestial Coordinates
15
visual.merriam­webster.com/astronomy/astronomical­observation/celestial­coordinate­system.php

16. Physics
# Gravitational versus centripedal force
# Perigee = fast movement
# Apogee = slow movement
Orbit
Perigee
+ ­ + ­
(fast)
Earth Gravity Centripedal
Apogee
(slow)
16

17. Types
# Communication, Navigation, Recovery
# Imagery, Reconnaissance, Earth
Observation, Weather
# Anti-Satellite Weapons, Killer Satellites,
Kinetic Kill Vehicles
# Spacecraft, Spaceship, Space Station
# Astronomics, Bio
# Tether, Miniaturized
http://en.wikipedia.org/wiki/Tether_satellite 17
http://www.spacewar.com/images/raytheon­exoatmospheric­kill­vehicle­art­bg.jpg

18. Example Imagery
18
www.swisstopo.admin.ch/internet/swisstopo/de/home/products/images/satellite/satellite_CH.html

19. Layout I/II
19
http://www.thetech.org/exhibits/online/satellite/5/5.html

20. Layout II/II
20
http://commons.wikimedia.org/wiki/File:ISS_configuration_2011­05_en.svg

21. Dependencies I/II
# Finance: Backup transaction links
# Communication: Backup mobile/internet links, Amateur Radio
# Branch offices: Internet access/VPN/VSAT
# Transport: Navigation, Containers, Search & Rescue
# Military: Espionage, Reconnaissance
# News: Digital video broadcast
# Weather: Forecast
# Video telephony: IP-TV
# Geology: Maps, Resource discovery
# Astronomy: Observation, Reconnaissance 21

22. Dependencies II/II
# Navigation: GPS, Galileo, GLONASS, Compass,
IRNSS
# Satellite Phones: Iridium, Inmarsat, IsatPhone Pro,
BGAN, Fleet Broadband, Globalstar, Thuraya, TerreStar
# Satellite Internet: Businesscom Networks Ltd, CETel
GmbH, dsl2u, Filiago, HETAN@Home, STA-Network,
Sat Internet Services GmbH, Satlynx, satspeed,
SkyGate, StarDSL, Thuraya, getinternet s.a.r.l
# TV: Astra, Hotbird, Sky, UPC
22

23. Space debris I/III
~22'000 objects
23
http://orbitaldebris.jsc.nasa.gov/photogallery/beehives.html

24. Space debris II/III
~700'000 objects
24
CCC Camp 2011: http://www.youtube.com/watch?v=MBZFxV66zmc

25. Space debris III/III
Endeavour's radiator panel Challenger's front window
http://ntrs.nasa.gov/archive/nasa/casi.ntrs.nasa.gov/20080010742_2008009999.pdf 25
http://www.orbitaldebris.jsc.nasa.gov/photogallery/gallarypage

26. Tracking I/II
26

27. Tracking II/II
# Tools for Satellite Tracking
# Gpredict (win/linux) ;)
# Orbitron, Sattrack (win)
# Predict (linux)
# Online Databases
# http://www.n2yo.com/database/
# http://heavens-above.com/
# http://www.ucsusa.org/assets/documents/nwgs/
UCS_Satellite_Database_1-1-12.xls 27

28. Communication I/III
28
http://www.satcom­services.com/sat_freq.htm

29. Communication II/III
29
www.inetdaemon.com/tutorials/satellite/communications/frequency­bands/index.shtml

30. Communication III/III
# If !geo-stationary, object will move fast
# Time window for communication
# 5-10 minutes or 15-20 minutes
# Antennas need to follow the object (rotors)
# Doppler-Shift correction
# + approaching/- leaving
# Space weather influence
# Solar flares, plasma
# Electromagnetic waves, geomagnetics 30
http://www.hamqsl.com/solarvhf.gif

31. Agenda
# Introduction
# Equipment
# Satellite Hackers
# Future Outlook
# Annex
31
http://www.spacenews.com/images/Ariane5_ESA02.jpg

32. Equipment (Annex!)
# Receiver(s)
# Antenna(s)
# Cables, Converters
32

33. Gqrx-sdr I/II
33

34. Gqrx-sdr II/II
34

35. NOAA Image (IR)
# National Oceanic and
Atmospheric Administration
# 137 MHz, analog 40 kHz
bandwidth
# 11.025 kHz WAV (-noise)
# PNG image black/white or
color
# Atpdec (sourceforge)
35
http://sourceforge.net/projects/atpdec/

36. Agenda
# Introduction
# Equipment
# Satellite Hackers
# Future Outlook
# Annex
36
http://www.spacenews.com/images/Ariane5_ESA02.jpg

37. Past publications
# 2012 B.Driessen and R.Hund: Don‘t Trust Satellite Phones
# 2011 M.Moeckel: Space Debris
# 2011 J.Geovedi, R.Iryandi, R. Chiesa: Hacking a Bird in the Sky 2.0
# 2009 J.Geovedi, R. Iryandi: Hacking Satellite: A New Universe to Discover
# 2009 L.Nve Egea, Ch.Martorella: Playing in a Satellite Environment 1.2
# 2009 A.Laurie: $atellite Hacking for Fun & Pr0fit!
# 2008 J.Geovedi, R.Iryandi, A.Zboralski: Hacking a Bird in the Sky: Exploiting Satellite
Trust Relationship
# 2006 J.Geovedi, R.Iryandi: Hacking a Bird in the Sky: Hijacking VSAT Connection
# 2006 A.Adelbach: Broadcasting by Misuse of Satellite ISPs
# 2004 Warezzman: DVB Satellite Hacking
# 1998 D.Veeneman: Future & Existing Satellite Systems
37
# 1996 D.Veeneman: Low Earth Orbit Satellites

38. Hackers :p
# Satellite hackers come normally from 2
technology backgrounds:
# 1) DVB-S Scene
# 2) HAM Amateur Radio Scene
38

39. Digital Video Broadcasting
# DVB-T
# DVB Terrestrial, ETSI EN 300744 1997
# DVB-S/2
# DVB Satellite, ETSI EN 300421 1997/S2 EN 302307 2005
# DVB-C/2 = Cable
# DVB Cable, ETSI EN 300429 1994/C2 EN 302755 1998
# DVB-H = Handheld
# DVB-SH = Handheld over Satellite 39

40. DVB drone pr0n
Predator drone
(Source: Wikipedia)
(Source: Youtube)
40
(Source: skygrabber.com)

41. HAM radio
# HAM = Amateur Radio Operator
# Acronym for Hertz,Armstrong,Marconi (3 radio pioneers)
# A poor operator, a plug. (G.M.Dodge's telegraph instructor)
# Amateur radio license by governmental regulatory
authority (Bakom in CH), registered call sign
# About 3 million HAM operators worldwide
# USKA: Union Schweizer Kurzwellen-Amateure
# Visit them @ the #center!
41

42. HAM frequencies
42
http://en.wikipedia.org/wiki/Amateur_radio

43. MilSat frequencies :p
43
http://www.satellitenwelt.de/

44. Hacker Projects
# Mur.sat
# Nano satellite with sensors (art)
# Hacker Space Global Grid
# Fallback infrastructure
# Censorship avoidance
# ANGST
# Arduino n’ Gameduino Satellite Tracker
44

45. Press citations :p
# Satellites could come under cyber siege...
# Aging fleet has become a prime target ...
# We’re going to fight from space and we’re going
to fight into space...
# Malicious cyber activities directed against U.S.
satellites...
# Satellite-based networks: at risk from hackers...
# Attacks against satellite systems...
45

46. Top 10 threats I/II
# Tracking
# Tracking: over web data and software
# Listening
# Listening: the right equipment, frequencies and location
# Interacting
# Interacting: protocols and authentication used, radio
transmissions need official license!
# Using
# Take over a bird (or a TT&C), use payloads, make pictures,
transmit something (DVB or radio)
# Scanning/attacking
# Anonymous PoC 2010 by Leonardo Nve Egea
# Scanning, DoS and spoofing possible
46

47. Top 10 threats II/II
# Breaking
# Old technologies used: up to 20 (!) years lifespan
# X.25 used (→ x25bru.c and http://www.0xdeadbeef.info/ ;)
# GRE used (→ IRPAS + gre.c from Phenoelit ;)
# Jamming
# Frequencies are known, you are in range and have power ;)
# Mispositioning
# Raging transponder spoofing, direct commanding, command
replay, insertion after confirmation but prior to execution
# Grilling
# Activating all solar panels when exposed to sun (!)
# Overcharging energy system (charge controller?)
# Collisioning?
47

48. Collisioning!
48
scitechgate.com/ensuring­the­space­security­has­become­essential­for­human­advancement/

49. Collisions
# 1978 Kessler syndrome (aka Kessler effect, collisional
cascading or ablation cascade)
# 8 known high speed collisions
# 1985 US antisatellite missile test (P78-1)
# 1996 Cerise satellite collided with space debris
# 2006 Satellite collision (Dart/Mublcom)
# 2007 Chinese anti-satellite missile test (Fengyun)
# 2009 Satellite collision (Iridium 33/Kosmos-2251)
# 3 times space debris collided with Mir station
49

50. Known hacking cases
● 2012 Iridium/Inmarsat phones, german researchers
● 2010 Anonymous scan/attack over satellites, L. N. Egea
● 2009 Predator drones (DVB Skygrabber) Afghanistan
● 2009 FLTSAT-8, Brasilian hackers, socker radio chats
● 2008 Landsat-7/Terra AM-1 over Norway TT&C (.CN?)
● 2007 Intelsat broadcast, Liberation Tigers of Tamil Eelam
● 2002 Sinosat-1 broadcast, Falun Gong banner China TV
● 1990 Pay-TV Decoding (Premiere Europe)
● 1990 Freeloaders, pr0n/ free phone calls over satellites
● 1980 Satellite radio listening, signals decoding
50

51. Agenda
# Introduction
# Equipment
# Satellite Hackers
# Future Outlook
# Annex
51
http://www.spacenews.com/images/Ariane5_ESA02.jpg

52. Satellite Future
# NASA did stop shuttle usage (because of costs and
accidents) in 2011
# ISS now gets logistics over SpaceX Dragon space
capsule (US private organization) or Sojuz (TMA-M)
spacecrafts (Russia)
# NASA plans to be back in space with Space Launch
System (SLS) by 2017 and permanent moon base by
2024
# China plans own space station by 2020
52

53. Personal Outlook
# I‘m not alone in the community covering this topic
# Highly complex field, merged technologies
# Not much proof-of-concepts yet completed
# Preparing for HAM radio license (to be able to send)
# Just started investigating, expect more to come
# If somebody wants to join the research, feel free :)
# Especially guys with DVB experience are welcome ;)
53

54. Questions?
Comments?
Discussion?
54
http://earthobservatory.nasa.gov/Features/Aerosols/page5.php

55. Agenda
# Introduction
# Equipment
# Satellite Hackers
# Future Outlook
# Annex
55
http://www.spacenews.com/images/Ariane5_ESA02.jpg

56. References I/III
# http://www.satellitenwelt.de/
# http://www.heavens-above.com/
# http://blog.makezine.com/2009/07/22/catching-satellites-on-
ham-radio/
# http://www.levinecentral.com/ham/grid_square.php
# http://www.uska.ch/
# http://www.bakom.admin.ch/themen/frequenzen/01576/01578/i
ndex.html?lang=de
# http://www.bakom.admin.ch/themen/frequenzen/00652/00653/i
ndex.html?lang=de
56

57. References II/III
# http://www.n2yo.com/database/
# http://www.ucsusa.org/assets/documents/nwgs/UCS_Satellite_
Database_1-1-12.xls
# http://www.hamqsl.com/
# http://gpredict.oz9aec.net/
# http://sourceforge.net/projects/gqrx/
# https://github.com/csete/gqrx
# http://dvbsnoop.sourceforge.net/
# http://www.amsat.org/
# http://atpdec.sourceforge.net/ 57

58. References III/III
# http://www.oz9aec.net/index.php/gnu-radio/gnu-radio-blog/451-
howto-receive-and-decode-noaa-apt-images-with-the-funcube-
dongle-and-gqrx
# http://www.oz9aec.net/index.php/gnu-radio/gnu-radio-blog/477-
noaa-apt-reception-with-gqrx-and-rtlsdr
# http://www.thiecom.de/
# http://sat.mur.at/
# http://shackspace.de/wiki/doku.php?id=project:hgg
# http://brainwagon.org/the-arduino-n-gameduino-satellite-
tracker/
58

59. Receiver
# AOR AR8200 Mk3
# Frequency range: 100 kHz bis 3000 MHz
# no gaps ;)
# Costs: ~650 CHF (550 €/665 $)
# BNC-Connector
59
http://www.thiecom.de/ar8200mark3.htm

60. Antennas I/II
# 2m Groundplane
# Frequency range: 145 MHz
# (Resonance at 290 + 435 MHz ;)
# Costs: ~60 CHF (50 €/60 $)
# HAM Radio
# UHF-/BNC-Connector
60
http://www.winklerantennenbau.de/gp2.htm

61. Antennas II/II
# Arrow II Portable Antenna (2m/70cm)
# Frequency range: 144 MHz / 436 MHz
# Costs: ~150 CHF (115 €/140 $)
# HAM Radio
# BNC-Connector
61
http://www.arrowantennas.com/arrowii/146­437.html

62. Funcube receiver
# FunCube Radio Dongle
# Frequency range: 64 ­ 1'700 MHz
# Gap 240MHz / 420MHz
# Costs: ~200 CHF (170 €/200 $)
# Software: qthid, gqrx­sdr
# Audio Recording ;)
# SMA­Connector
62
http://www.funcubedongle.com/

63. Hama DVB receiver
# Hama Nano DVB-T Dongle
# Frequency range: 48 - 860 MHz
# Costs: ~70 CHF (60 €/70 $)
# Software: gqrx-sdr, me-tv
# SDR-functionality ;)
# Coax Connector MCX
63
http://www.hama.de/portal/picType*awd4/action*2599/articleId*179025#picture

64. TeVii DVB receiver
# TeVii S660 USB-S2 box
# Frequency range: 950 - 2150 MHz
# Costs: ~72 CHF (60 €/78 $)
# DVB-S/S2 (TV and Radio)
# Software: MyTeVii, TeViiData, linux-dvb-apps
# LNB Connector
64
http://www.tevii.com/products_s660_1.asp

65. DVB satellite dish
# DVB-S/-S2 Camping Dish (35 cm)
# Frequency range: 10.7 – 12.75 GHz
# Output 950 – 2150 MHz
# Costs: ~72 CHF (60 €/78 $)
# Sharp LNB Single
# Low-noise block downconverter
65
http://en.buchmann.ch/catalog/product_info.php?products_id=28653