Satellite Telephony Security


This talk will provide an in-depth treatment of satellite telephony networks from a security perspective. The overall system seems secure, but in reality, it cannot be expected to be fully reliable.

We will briefly cover the satellite mobile system architecture, then discuss GMR (GEO-Mobile Radio) system elements, e.g. GSS (Gateway Station Subsystem), MES (Mobile Earth Station), AOC (Advanced Operation Center), and TCS (Traffic Control Subsystem) for GMR-1 systems and NCC (Network Control Center), GW (Gateway), SCF (Satellite Control Facility) and CMIS (Customer Management Information System) for GMR-2 systems.

From there, we will discuss the security issues of the GMR system, which shares similar vulnerabilities with GSM (GMR is derived from the terrestrial digital cellular standard GSM and supports access to GSM core networks), along with some interesting demos.

Time permitting, a question and answer session at the end of the presentation will allow participants to cover any additional issues in satellite telephony systems they’d like to discuss.


  1. 1. Satellite Telephony Security
  2. 2. DON’T PANIC
  3. 3. “WHEN TERRESTRIAL COMMUNICATION FAIL, WE PREVAIL!” Arthur C. Clarke, 1917-2008
  4. 4. Satellite Communications (diagram labels: Broadcast Video to Cable Headends; Local ISPs; Direct Broadcast TV; Video Contribution; Last-mile Broadband; Corporate Data Networks (Interactive & Multicast); Teleport; PSTN; Internet; End Users)
  5. 5. Timeline of earlier satellite security talks (axis years: 1996, 1998, 2004, 2006, 2008, 2009, 2011): Dan Veeneman, Low Earth Orbit Satellites; Dan Veeneman, Future & Existing Satellite Systems; Warezzman, DVB Satellite Hacking; Jim Geovedi, Raditya Iryandi, Hacking a Bird in the Sky: Hijacking VSAT Connection; Jim Geovedi, Raditya Iryandi, Anthony Zboralski, Hacking a Bird in the Sky: Exploiting Satellite Trust Relationship; Adam Laurie, $atellite Hacking for Fun & Pr0fit!; Leonardo Nve Egea, Christian Martorella, Playing in a Satellite Environment 1.2; Jim Geovedi, Raditya Iryandi, Hacking Satellite: A New Universe to Discover; Jim Geovedi, Raditya Iryandi, Raoul Chiesa, Hacking a Bird in the Sky: The Revenge of Angry Birds; Jim Geovedi, Satellite Telephony Security: What Is and What Will Never Be
  6. 6. Satellite Phone
  7. 7. Satellite Phone Network
  8. 8. Satellite Orbits: Low Earth Orbit, altitude 500-2,000 km; Medium Earth Orbit, altitude 8,000-20,000 km; Geostationary Orbit, altitude 35,786 km; Highly Elliptical Orbit, altitude >35,786 km; average distance to moon: 384,400 km
  9. 9. GEO (Geostationary Earth Orbit) Satellite Operators: ACeS, ICO, Inmarsat, SkyTerra, TerreStar, Thuraya. LEO (Low Earth Orbit) Satellite Operators: Globalstar, Iridium
  10. 10. LEO Communication Satellite Constellation System (diagram labels: LEO Satellite i; LEO Satellite i+1; Intersatellite Link (ISL); Orbital Altitude; Forward Link; Return Link; Feeder Uplink and Downlink; Terminal Uplink and Downlink; Gateway; End User Terminal; PSTN; Cellular)
  11. 11. Frequency Band Designations
  12. 12. TDMA (Time Division Multiple Access) (diagram: users sharing frequency f1 through the transponder)
  13. 13. Timeframe Structure and Timeslots: 1 hyperframe = 4,896 superframes = 19,584 multiframes = 313,344 TDMA frames (3 h 28 min 53 s 760 ms); 1 superframe = 4 multiframes = 64 TDMA frames (2.56 s); 1 multiframe = 16 TDMA frames (640 ms); 1 TDMA frame = 24 timeslots (40 ms); 1 timeslot = 78 bit durations (5/3 ms); 1 bit duration = 5/234 ms
  14. 14. CDMA (Code Division Multiple Access) (diagram: coded signals sharing frequency f1 through the transponder)
  15. 15. Coverage: Iridium
  16. 16. Coverage: Inmarsat
  17. 17. Coverage: Thuraya
  18. 18. Spotbeams: Regional Coverage (diagram: repeating pattern of spotbeam cells labelled A through L)
  19. 19. GMR (GEO-Mobile Radio Interface)
  20. 20. Evolution Path and Extension to Satellite: GSM, GMR Release 1; GPRS, GMR Release 2; 3GPP, GMR Release 3
  21. 21. GMR-1
  22. 22. GMR-1 System Elements (diagram labels: Space segment; Feeder links; Gateway Station; Spotbeam coverage at L-Band; GS; SOC; PSTN; Mobile Earth Stations; Gateway Stations)
  23. 23. GMR-1 Protocol Architecture (diagram labels: MES; Satellite; GSC + GTS + TCS; GSM MSC; GSM SIM; GPS receiver; GMR-1 Um-Interface; layers CM, MM, RR, DLL, PHYS, BSSMAP, SCCP, MTP; Spotbeams, L-Band; Feeder Link, Ku or C-Band; GSM/A-Interface (CCS7))
  24. 24. GMR-1 Logical Channel Mapping onto Physical Channel (diagram labels: User; Control Entities; Logical Channels; Mapping; Physical Channels; Physical Resource; TCH, Traffic; CCH, Control and Signalling; Timeslot Number; TDMA Frame Sequence; RF Channel; Frequency (RF Channels); Time (Timeslots); Downlink; Uplink; Mobile Earth Station; Satellite)
  25. 25. GMR-1 (GSM-based) Services • Standard GSM-based services (Phase 2) • Roaming • Single number routing • Numbers and addressing • Authentication and privacy
  26. 26. GMR-1 Extended Services • Single-hopped terminal-to-terminal calls • Optimal routing • High penetration alerting • Position based services
  27. 27. GMR-2
  28. 28. GMR-2 System Elements (diagram labels: GEO Satellite; User Terminals; L-Band; C-Band; Gateway 1, Gateway 2, Gateway 3; PSTN; PN; PLMN; Satellite Control Facility; Network Control Centre; Customer Management Information System; legend: Traffic, Signalling)
  29. 29. C-band Regional Coverage for Signalling & Communication (diagram labels: C-Band; Traffic; Signalling)
  30. 30. L-band Spotbeams for MSS Users (diagram: repeating pattern of spotbeam cells labelled A through L; legend: Traffic, Signalling)
  31. 31. GMR-2 Gateway Internal Structure (diagram labels: Databases HLR & VLR; GA; RF/IF; TCE; GSC; MSC; PSTN; PN; GSM. Legend: GA = Gateway Antenna; TCE = Traffic Channel Equipment; GSC = Gateway Station Controller; MSC = Mobile Switching Center)
  32. 32. GMR Satellite Monitoring System Intercepting
  33. 33. Satellite Phone Interception • Law enforcement requires tapping • Test equipment • Limited use of encryption • Modifiable phone equipment
  34. 34. Tactical Interception: receives L-band from satellite and line-of-sight from handset. Strategic Interception: receives L-band from satellite and C-band from satellite
  35. 35. Satellite Interception Operation (diagram labels: MES; Gateway; 1.5 GHz down; 1.6 GHz up; 6 GHz up; 3.5 GHz down)
  36. 36. Tactical Satellite Interception Operation (diagram labels: MES; Gateway; Monitoring Agent; 1.5 GHz down; 1.6 GHz up; 6 GHz up; 3.5 GHz down; 1.5 GHz down; 1.6 GHz radio line-of-sight)
  37. 37. Tactical Satellite Interception Operation (diagram labels: Satellite antenna; Downconverter; IF; Channel 1; Channel 2; Uplink antenna)
  38. 38. Call Analysis • Spotbeam IDs, GPS co-ordinates, operating frequency. • Date, time and duration of call. • MES IMSI. • GPS co-ordinates of MES. • Random Reference Number (CallerID). • TMSI called by MES. • Mobile or Fixed Originated Call (Voice, Fax, Data or SMS). • Terminal type. • Ciphering key sequence number. • RAND and SRES. • Encryption Algorithm
  39. 39. Strategic Satellite Interception Operation (diagram labels: MES; Gateway; Monitoring Centre; 1.5 GHz down; 1.6 GHz up; 6 GHz up; 3.5 GHz down; 1.5 GHz down; 3.5 GHz down)
  40. 40. FAQ
  41. 41. What’s next?
  42. 42. @geovedi http://www.slideshare.net/geovedi/presentations
