
Black Hat '15: Spread Spectrum Satcom Hacking: Attacking The GlobalStar Simplex Data Service

Black Hat 2015

Recently, there have been several highly publicized talks about satellite hacking. However, most only touch on the theoretical rather than demonstrate actual vulnerabilities and real world attack scenarios. This talk will demystify some of the technologies behind satellite communications and do what no one has done before - take the audience step-by-step from reverse engineering to exploitation of the GlobalStar simplex satcom protocol and demonstrate a full blown signals intelligence collection and spoofing capability. I will also demonstrate how an attacker might simulate critical conditions in satellite connected SCADA systems.

In recent years, Globalstar has gained popularity with the introduction of its consumer focused SPOT asset-tracking solutions. During the session, I'll deconstruct the transmitters used in these (and commercial) solutions and reveal design and implementation flaws that result in the ability to intercept, spoof, falsify, and intelligently jam communications. Due to design tradeoffs these vulnerabilities are realistically unpatchable and put millions of devices, critical infrastructure, emergency services, and high value assets at risk.



1. SPREAD SPECTRUM SATCOM HACKING: ATTACKING THE GLOBALSTAR SIMPLEX DATA SERVICE. Colby Moore, @colbymoore, colby@synack.com
2. WHO AM I? Colby Moore, Synack R&D, KD7SCT
3. INTRODUCTION
4. MOTIVATION • Try something new • Satellite hacking is often too theoretical • Unexplored frontier • Systems are hopelessly broken • Inspire and collaborate
5. WHAT ARE WE GOING TO LEARN? • RF signals and modulation • What is spread spectrum? • Selecting a target and reverse engineering • Exploiting the target
6. PREREQUISITES • High-school mathematical knowledge • Let's keep things relatively "understandable" • Will provide resources (see GitHub)
7. TARGETING
8. SELECTING A TARGET: Government / Commercial
9. • SPOT: consumer-grade satellite tracking • Aging satellite network: voice, data, messaging • But wait… this tech is used everywhere. Jackpot.
10. WHERE IS IT USED? Military / classified, trailers / containers, air quality monitoring, personnel tracking, fire detection and prevention, water quality monitoring, tank level gauging, perimeter / border monitoring, asset / vehicle tracking, remote meters, buoys, ship movement, fishing vessel monitoring, power line monitoring, dispersed sensors, and many more…
11. SIMPLEX DATA NETWORK: "Simplex works where infrequent, small packets of data are to be collected." (Diagram: GPS satellite → asset → Globalstar satellite → Globalstar ground station → the Internet; the first hops are Globalstar infrastructure, the last is user infrastructure.)
12. BENT PIPE: "A bent pipe satellite does not demodulate or decode the signal. A gateway station on the ground is necessary to control the satellite and route traffic to and from the satellite and to the internet."
13. REDUNDANCY • Yes, the network only talks in one direction (simplex) • How is this reliable?
14. GROUND STATIONS AND COMMAND CENTERS: hundreds of ground stations, two operations centers
15. COVERAGE: 48 satellites, 5850 km diameter footprint, 1410 km orbit, in service since 2000
16. SECURITY POSTURE
17. "Error 100: Database query failed - retrieving login information. You have an error in your SQL syntax;…" NOT SO MUCH…
18. Globalstar: "The received data is then forwarded to a user defined network interface that may be in the form of an FTP host or HTTP host where the user will interpret the data for further processing."
19. INTELLIGENCE GATHERING
20. WHERE TO LOOK
21. PRIOR RESEARCH: Travis Goodspeed, https://github.com/travisgoodspeed/pyspot; Natrium42, https://web.archive.org/web/20120202211125/http://natrium42.com/projects/spot/
22. STX-3: "World's smallest and lowest power consuming industrial-use satellite transmitter." DSSS? BPSK? What the &^#% is that?…
23. FREQUENCIES (figure: Globalstar L-band frequencies; Globalstar simplex data frequencies)
24. THE BREAKTHROUGH: Clues!
25. REVIEW OF WAVES AND MODULATION
26. WAVES (figure: amplitude A, phase φ in radians, time t, wavelength)
27. TIME DOMAIN VS. FREQUENCY DOMAIN (figure: amplitude against time; amplitude against frequency)
28. ANALOG MODULATION • Amplitude Modulation (AM) • Frequency Modulation (FM)
29. AMPLITUDE MODULATION (figure: carrier, modulating signal (data), modulated signal)
30. FREQUENCY MODULATION (figure: carrier, modulating signal (data), modulated signal)
31. DIGITAL MODULATION • Amplitude Shift Keying (ASK / OOK) • Frequency Shift Keying (FSK) • Phase Shift Keying (PSK)
32. PHASE SHIFT KEYING (PSK) (figure: data bits 0 0 1 1 0 1 1 1 mapped onto carrier phases 0°, 180°, 0°, 180°, …) BPSK: two phases (0 and 180 degrees) are used to represent 1 and 0.
33. SPREAD SPECTRUM
34. SPREAD SPECTRUM MODULATION • Why is spread spectrum special? • WiFi, Bluetooth, GPS, and basically all modern RF communications • Processing gain • Jam resistant • CDMA
35. SPREAD SPECTRUM MODULATION • Frequency Hopping Spread Spectrum (FHSS) • Direct Sequence Spread Spectrum (DSSS)
36. DIRECT SEQUENCE SPREAD SPECTRUM (DSSS) • Mixes a slow signal with a fast pseudo-random signal • The signal still contains the original information but occupies much more bandwidth: the BPSK signal occupies ~100 Hz, the spread BPSK signal occupies ~1.25 MHz
37. DSSS CONTD. Each column is one 0 bit followed by one 1 bit, XORed chip by chip with the pseudo-random code: Data signal 000000111111 ⊕ Pseudo-random 110001111001 = Result 110001000110; Data signal 000000111111 ⊕ Pseudo-random 010000101000 = Result 010000010111. Where the data bit is 0 the result is the code itself; where it is 1 the result is the code inverted.
38. DSSS CONTD. (same example, animated)
39. M-SEQUENCES AS PN CODES • Periodic binary codes that have strong autocorrelation properties • Commonly generated with LFSRs
40. M-SEQUENCES AND CORRELATION: correlating the m-sequence 0001 against its shifts 0001, 0010, 0100, 1000 (agreements minus disagreements) gives 4, 0, 0, 0. Only the aligned shift correlates, which makes looking for the m-sequence in a signal easy!
41. DECODING THEORY • Simple in practice. More difficult in theory • Mix the incoming signal with the PN sequence and the original BPSK signal will emerge • Compensate for the frequency differential between local and remote oscillators • The signal needs to be phase aligned with the PN code
42. HARDWARE
43. TOOLS AND HARDWARE: USRP B200, $675; GSP-1620 LHCP antenna, $65
44. MORE HARDWARE: Dimension Engineering AnyVolt 3, $55; 12 V AC/DC adapter, $5; SMA cables, $20; Mini-Circuits ZX60-1614LN-S low-noise amplifier, $150
45. ASSEMBLED CAPABILITY
46. SAMPLING: Nyquist: sample at least twice as fast as the signal's fastest frequency. The human ear can't hear frequencies higher than 20 kHz, so CD audio is sampled at 44.1 kHz (a little more than twice the human range).
47. IQ MODULATION • Makes generation of signals easy in software! "Basics of IQ Signals and IQ modulation & demodulation - A tutorial", https://www.youtube.com/watch?v=h_7d-m1ehoY
48. PN RECOVERY
49. WHAT TO EXPECT • A pseudo-random sequence (1s and 0s) • Repeating • 255 bits long • 1.25 million "chips" per second. Much like Bart in detention, the PN will repeat over and over and over…
50. PN RECOVERY • In order to decode the signal, we need to know the PN sequence • DSSS BPSK == BPSK (figure: the high-frequency DSSS BPSK chip stream against the low-frequency BPSK data it carries)
51. SAMPLING REQUIREMENTS: the sample rate must be more than twice 1.25 MHz (Nyquist) and an integer divisor of the USRP's 32 MHz master clock, so 32 MHz / 8 = 4 MHz (> 2 × 1.25 MHz). But 4 MHz / 1.25 Mcps = 3.2 samples per symbol, which is not a whole number, so the capture is resampled from 4 MHz to 5 MHz (× 5/4): 5 MHz / 1.25 Mcps = 4 samples per symbol. Needing an even number of samples per symbol is implementation specific.
52. PN RECOVERY • The PN sequence is much shorter than a bit • The PN repeats 49 times for each bit • PN ⊕ Data == PN (within a bit boundary): 1,250,000 chips / 1 s × 1 s / 100.04 bits × 1 PN seq. / 255 chips = 49 PN seq. per bit
53. PN RECOVERY (figure)
54. PN RECOVERY: the recovered 255-chip sequence: 11111111001011010110111010101011 10010011011010011001101000111011 01100010001001111010010010000111 10001010011100011111010111100111 01000010101100101000101100000110 01000110000110111111011100001000 00100101010010111110000001110011 0001101010000000101110111101100
55. DESPREADING
56. WHAT TO EXPECT • Mix the original signal with the PN • A narrowband signal will emerge • Shown as a sharp spike on the FFT
57. REALTIME IS HARD • Unfortunately this is very computationally intensive • Lots of room for optimization • Record now, process later. time python sync.py on a 1.4-second capture (one packet): real 0m58.326s, user 0m48.754s, sys 0m0.909s. 4 M samples/s × 2 floats/sample × 4 bytes/float = 30.5 MB/s.
58. CORRELATION: slide the PN against the data and correlate at each step (figure: correlation against time)
59. CODE TRACKING: if we don't compensate for misalignment, we will drift and lose correlation over time. Search for peaks, and track them. (figure: correlation against time in samples, with a correlation peak; strong correlation where the PN is aligned, no correlation where it is unaligned; early, aligned and late code phases)
60. CODE TRACKING: early or late detection lets us keep track. Positive and negative correlations indicate bits! (figure: consistent correlation while the PN stays aligned)
61. DESPREAD SIGNAL: it works! Mix the PN against the signal and the original signal appears.
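The chain that slides 36 to 41 and 49 to 61 describe (an LFSR m-sequence as the PN code, XOR spreading, a code-phase search by sliding correlation, per-period tracking, and bit recovery from the sign of the correlation) is easier to reason about with a small simulator. The following is an added example, not code from the talk or from the synack/globalstar repository. It keeps the two parameters the slides give (a 255-chip PN, 49 PN periods per bit) and assumes everything else: the LFSR polynomial is a textbook one, not the code recovered on slide 54; the polarity convention (a 0 bit sends the PN unchanged) follows the XOR table on slide 37; the chip errors, capture offset and data bits are constructed. The corruption step flips a quarter of the chips at random and the receiver still recovers the data, which is the processing gain slide 34 refers to.

```python
import random

PN_LENGTH = 255        # chips per PN period (slide 49)
PERIODS_PER_BIT = 49   # 1.25 Mcps / 100.04 bit/s / 255 chips (slide 52)


def lfsr_msequence(length=PN_LENGTH, seed=0x01):
    """One period of an m-sequence from an 8-bit Fibonacci LFSR (slide 39).

    Feedback taps (8, 6, 5, 4) realise the primitive polynomial
    x^8 + x^6 + x^5 + x^4 + 1, so the register walks through all 255
    non-zero states before repeating. Assumption: a generic textbook
    polynomial, not the STX-3's code.
    """
    state = seed & 0xFF
    seq = []
    for _ in range(length):
        seq.append(state & 1)
        fb = ((state >> 0) ^ (state >> 2) ^ (state >> 3) ^ (state >> 4)) & 1
        state = (state >> 1) | (fb << 7)
    return seq


def correlate(window, pn):
    """Chip agreements minus disagreements, the +-1 form of slide 40: +255 when
    the PN is aligned, -255 for its complement, -1 at any other cyclic shift
    because an m-sequence XOR a shift of itself is just another shift."""
    return sum(1 if w == p else -1 for w, p in zip(window, pn))


def autocorrelation(pn, shift):
    """Correlation of the PN with a cyclic shift of itself."""
    return correlate(pn[shift:] + pn[:shift], pn)


def spread(bits, pn, periods_per_bit=PERIODS_PER_BIT):
    """Transmitter (slide 37): data XOR PN. A 0 bit sends the PN unchanged, a 1
    bit sends its complement, and every bit spans periods_per_bit PN periods."""
    chips = []
    for bit in bits:
        chips.extend([c ^ bit for c in pn] * periods_per_bit)
    return chips


def corrupt(chips, flip_prob, seed):
    """Constructed channel impairment: flip each chip with probability
    flip_prob, standing in for noise or a narrowband jammer."""
    rng = random.Random(seed)
    return [c ^ 1 if rng.random() < flip_prob else c for c in chips]


def find_code_phase(capture, pn):
    """Slide 58: slide the PN against the capture one chip at a time and keep
    the offset with the strongest |correlation|. The sign is ignored because a
    data bit of 1 simply inverts the peak."""
    best_shift, best_peak = 0, -1
    for shift in range(len(pn)):
        peak = abs(correlate(capture[shift:shift + len(pn)], pn))
        if peak > best_peak:
            best_shift, best_peak = shift, peak
    return best_shift, best_peak


def despread(capture, pn, phase, periods_per_bit=PERIODS_PER_BIT):
    """Slides 59 to 61: re-correlate every period at the locked phase so the
    code stays aligned, turn each period into a +1/-1 decision, take the first
    sign change as a bit boundary, then fold periods_per_bit decisions into one
    bit by majority vote. Polarity follows slide 37 (0 bit == PN); a real
    receiver would resolve polarity from the known preamble instead."""
    n = len(pn)
    decisions = [1 if correlate(capture[s:s + n], pn) >= 0 else -1
                 for s in range(phase, len(capture) - n + 1, n)]
    boundary = next((i for i in range(1, len(decisions))
                     if decisions[i] != decisions[i - 1]), None)
    if boundary is None:
        return []
    return [0 if sum(decisions[i:i + periods_per_bit]) > 0 else 1
            for i in range(boundary, len(decisions) - periods_per_bit + 1,
                           periods_per_bit)]


def run_link(bits, flip_prob=0.25, capture_offset=700, seed=1):
    """End to end: spread, corrupt, start capturing at an arbitrary chip,
    recover the code phase, despread. The partial bit at the head of the
    capture is dropped, so the result is bits[1:] whenever bits[0] != bits[1].
    Returns (decoded_bits, code_phase_in_chips, correlation_peak)."""
    pn = lfsr_msequence()
    chips = corrupt(spread(bits, pn), flip_prob, seed)
    capture = chips[capture_offset:]
    phase, peak = find_code_phase(capture, pn)
    return despread(capture, pn, phase), phase, peak


if __name__ == "__main__":
    pn = lfsr_msequence()
    print("autocorrelation aligned / shifted:", autocorrelation(pn, 0), autocorrelation(pn, 17))
    decoded, phase, peak = run_link([0, 1, 1, 0, 1, 0, 0, 1])
    print(f"code phase {phase} chips, peak {peak}, bits {decoded}")
```

With a clean channel the phase search returns a peak of exactly 255 at offset 65 (the first chip in the capture at which the 255-chip code starts over, since 700 + 65 = 3 × 255) and the decoded bits are the input minus the truncated leading bit; with a quarter of the chips flipped the peak shrinks to roughly half but still stands far above the -1 floor of every other shift, so phase and bits come out the same. Note what is absent: nothing in this chain is secret. Anyone who recovers the PN as on slide 54 can run the receive side against the uplink, and the transmit side is the same XOR in reverse.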
62. DECODING
63. EXTRACTING DATA: low-pass filter → rational resampler → PSK demodulator → decoder (figure: the signal in the time and frequency domains, and the recovered bits 10100 0 0111 …)
64. PACKET FORMAT: 000000101100101001101100011110100000010100000000010011110000000100000010000010000000000000000100000000000000000000000000000011001000001010010011 (fields annotated on the slide: manufacturer ID, unit ID)
65. LOCATION DECODING: Latitude is bits 8:32, longitude is bits 32:56. A positive latitude is the northern hemisphere and a negative one the southern; a positive longitude is the eastern hemisphere and a negative one the western. 1. Convert to decimal (signed int, MSB to LSB). 2. Multiply by degrees per count.
66. CHECKSUM: take the packet without preamble and CRC (110 bits), run it through the CRC (code provided), and compare with the 24-bit CRC at the end of the packet. If we know how to reproduce the checksum, we can create our own packets… no signing, no encryption, let's spoof!
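Slides 65 and 66 together make the security point of the talk: the location is a pair of plain signed integers, and the only integrity check is a CRC that anyone can recompute. The following added example (not the talk's code; the real CRC lives in the synack/globalstar repository) parses the location fields at the positions the slides give, shows that rewriting the coordinates and recomputing the CRC produces a packet the check accepts, and contrasts that with a keyed tag of the same 24 bits. Assumptions, flagged in the code: an 8-bit preamble in front of the 110-bit body, the CRC-24/OpenPGP polynomial as a stand-in for the real one, a placeholder degrees-per-count scale, all-zero preamble bits, and constructed coordinates, unit ID and key.

```python
import hashlib
import hmac

PREAMBLE_BITS = 8                   # assumption: slide 65 indexes latitude from bit 8
BODY_BITS = 110                     # slide 66: packet without preamble and CRC
CRC_BITS = 24                       # slide 66
CRC_POLY = 0x864CFB                 # assumption: CRC-24/OpenPGP polynomial as a stand-in
DEG_PER_COUNT = 360.0 / (1 << 24)   # assumption: placeholder scale factor


def bits_to_signed(bits):
    """Slide 65 step 1: MSB-first bit field to a two's-complement integer."""
    value = int("".join(map(str, bits)), 2)
    return value - (1 << len(bits)) if bits[0] else value


def int_to_bits(value, width):
    """Two's-complement MSB-first bit list (Python's >> is arithmetic)."""
    return [(value >> (width - 1 - i)) & 1 for i in range(width)]


def crc24(bits, poly=CRC_POLY):
    """Bit-serial CRC, MSB first, zero init, no xor-out. It detects line
    errors; it has no key, so it cannot tell a forger from the device."""
    reg = 0
    for bit in bits:
        msb = (reg >> (CRC_BITS - 1)) & 1
        reg = (reg << 1) & ((1 << CRC_BITS) - 1)
        if msb ^ bit:
            reg ^= poly
    return reg


def bits_to_bytes(bits):
    padded = bits + [0] * (-len(bits) % 8)
    return bytes(int("".join(map(str, padded[i:i + 8])), 2)
                 for i in range(0, len(padded), 8))


def mac24(body, key):
    """Keyed alternative in the same 24 bits: HMAC-SHA256 over the body under
    a per-device key, truncated. Without the key a forger is left guessing
    one tag in 2^24 per transmitted packet."""
    digest = hmac.new(key, bits_to_bytes(body), hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def build_packet(lat_deg, lon_deg, unit_id, key=None):
    """Constructed packet: assumed all-zero preamble, 110-bit body holding the
    latitude at packet bits 8:32 and longitude at 32:56 (slide 65) followed by
    an ID field, then 24 bits of CRC over the body (slide 66), or a MAC if a
    key is supplied."""
    body = (int_to_bits(round(lat_deg / DEG_PER_COUNT), 24)
            + int_to_bits(round(lon_deg / DEG_PER_COUNT), 24)
            + int_to_bits(unit_id, BODY_BITS - 48))
    tag = crc24(body) if key is None else mac24(body, key)
    return [0] * PREAMBLE_BITS + body + int_to_bits(tag, CRC_BITS)


def split(packet):
    body = packet[PREAMBLE_BITS:PREAMBLE_BITS + BODY_BITS]
    tag = int("".join(map(str, packet[PREAMBLE_BITS + BODY_BITS:])), 2)
    return body, tag


def decode_location(packet):
    """Slide 65: signed 24-bit fields times degrees per count; positive is
    north / east, negative is south / west."""
    return (bits_to_signed(packet[8:32]) * DEG_PER_COUNT,
            bits_to_signed(packet[32:56]) * DEG_PER_COUNT)


def crc_check(packet):
    body, tag = split(packet)
    return crc24(body) == tag


def mac_check(packet, key):
    body, tag = split(packet)
    return hmac.compare_digest(mac24(body, key).to_bytes(3, "big"),
                               tag.to_bytes(3, "big"))


def forge_location(packet, lat_deg, lon_deg):
    """What slide 66 enables: rewrite the coordinates, keep the rest of the
    body, recompute the CRC. A CRC-only receiver accepts it; a MAC receiver
    rejects it because the forger cannot recompute the keyed tag."""
    body, _ = split(packet)
    body = (int_to_bits(round(lat_deg / DEG_PER_COUNT), 24)
            + int_to_bits(round(lon_deg / DEG_PER_COUNT), 24)
            + body[48:])
    return packet[:PREAMBLE_BITS] + body + int_to_bits(crc24(body), CRC_BITS)


if __name__ == "__main__":
    key = b"per-device key (constructed)"
    genuine = build_packet(37.7749, -122.4194, 0x1234)
    forged = forge_location(genuine, 48.8566, 2.3522)
    print("CRC: genuine", crc_check(genuine), "forged", crc_check(forged), decode_location(forged))
    keyed = build_packet(37.7749, -122.4194, 0x1234, key=key)
    print("MAC: genuine", mac_check(keyed, key), "forged", mac_check(forge_location(keyed, 48.8566, 2.3522), key))
```

The forged packet decodes to the attacker's coordinates and passes the CRC, which is exactly the route-hijack scenario of slide 79. A keyed tag closes that particular hole without changing the packet length, but it does nothing for interception or replay of a genuine packet, and it needs a key provisioned into each transmitter, which is the "design tradeoff" the abstract says makes the fielded devices realistically unpatchable.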
67. INTERCEPTING ON DOWNLINK • Bigger antennas and better equipment • RF downconversion • Doppler shift • Multipath (figure: worst-case Doppler shift)
68. TRANSMITTING
69. DISCLAIMER: Transmitting on Globalstar's frequencies may be illegal where you live and could interfere with critical communications. Do not do this! Seriously, don't. No one likes late-night visits from the FCC.
70. TRANSMITTING: MGA-2000 0.5 W RF amplifier, $190.00. But if you like late-night visits from the FCC… • This is actually the easy part • ~0.2 W of power • Simply mix data, PN, and carrier and correct the rates
71. BUT WAIT… IT'S EASIER: SPOT Device Updater, SPOT3FirmwareTool.jar, currently $49.99
72. DOES IT WORK? (figure: SPOT Trace 1, SPOT Trace 2, clone)
73. IMPACT
74. EMERGENCY RESPONSE: real emergency versus fake emergency. Overwhelm the emergency response center anonymously?
75. WHERE ELSE?
76. BUT WAIT, THERE'S MORE: Lockheed Martin Flight Service (LMFS) integration
77. CAPABILITY
78. UPLINK INTERCEPTION (figure: the RF beam between the asset and Globalstar, with the attacker inside it): the attacker intercepts and plots a pattern of life.
79. SPOOFING LOCATION (figure: planned route versus hijacked route): the attacker hijacks the truck, disables the tracker, and transmits false location data as if the delivery were on track.
80. TESTING THE CAPABILITY (figure: reception window)
81. DEMO: video demo time. It's better not to tempt the demo gods. ;)
82. CONCLUSIONS
83. DISCLOSURE & RESPONSE • ~180 days ago • Friendly and concerned for user privacy, but no further communication. Globalstar's statement: "Like all companies and industries in the 21st century, including those that Wired reported on this week to expose hacking vulnerabilities like Chrysler, GM, Brinks and others, Globalstar monitors the technical landscape and its systems to protect our customers. Our engineers would know quickly if any person or entity was hacking our system in a material way, and this type of situation has never been an issue to date. We are in the business of saving lives daily and will continue to optimize our offerings for security concerns and immediately address any illegal actions taken against our Company."
84. NEXT STEPS • Collaboration • Code optimization for realtime • Downlink interception • Data aggregation
85. CONCLUSIONS • Long lifecycle • Unpatchable • Security going forward • DSSS != security • Assume insecure • Act accordingly • Higher standards
86. SPECIAL THANKS: Alex K., Chris W., Cyberspectrum Meetup, David C., Michael Ossmann, Mom and Dad, Paul David, Tom Rondeau, and the interns
87. QUESTIONS / COMMENTS? Code: https://github.com/synack/globalstar. Slides: https://syn.ac/bh15satcom. Twitter: @colbymoore. Email: colby@synack.com
88. IMAGE CREDITS • http://images.google.com
