The document discusses the various aspects of satellite telephony security, emphasizing the importance of satellite communications during terrestrial communication failures. It covers different satellite orbits, TDMA and CDMA designations, and operational procedures related to satellite networks. Additionally, it addresses the interception of satellite phone communications, highlighting tactics and methods used for both tactical and strategic interception by law enforcement.

1. Satellite
Telephony
Security

2. DON’T PANIC

3. “ WHEN TERRESTRIAL
COMMUNICATION FAIL,
WE PREVAIL! ”
Arthur C. Clarke
1917-2008

4. Satellite Communications
Broadcast Video to
Cable Headends
Local ISPs
Direct Broadcast TV Video
Last-mile Broadband Contribution
Corporate Data Networks Teleport PSTN
(Interactive & Multicast) End Users
Teleport Internet
End Users

5. Dan Veeneman
Low Earth Orbit Satellites
Dan Veeneman
Future & Existing Satellite Systems
Warezzman
DVB Satellite Hacking
Jim Geovedi, Raditya Iryandi,
Hacking a Bird in the Sky: Hijacking VSAT Connection
Jim Geovedi, Raditya Iryandi, Anthony Zboralski
Hacking a Bird in the Sky: Exploiting Satellite Trust Relationship
Adam Laurie
$atellite Hacking for Fun & Pr0fit!
Leonardo Nve Egea, Christian Martorella
Playing in a Satellite Environment 1.2
Jim Geovedi, Raditya Iryandi
Hacking Satellite: A New Universe to Discover
Jim Geovedi, Raditya Iryandi, Raoul Chiesa
Hacking a Bird in the Sky: The Revenge of Angry Birds
Jim Geovedi
Satellite Telephony Security: What Is and What Will Never Be
1996 1998 2004 2006 2008 2009 2011

6. Satellite Phone

10. Satellite Phone Network

11. Satellite Orbits
average distance to moon:
384,400 km
Medium Earth Orbit
Altitude: 8,000-20,000 km
EARTH Low Earth Orbit
Altitude: 500-2,000 km
Geostationary Orbit
Altitude: 35,786 km
Highly Elliptical Orbit
Altitude: >35,786 km

12. GEO (Geostationary Earth Orbit)
Satellite Operators
ACeS, ICO, Inmarsat, SkyTerra, TerreStar, Thuraya
LEO (Low Earth Orbit)
Satellite Operators
Globalstar, Iridium

13. LEO Communication Satellite Constellation System
Return Link
Forward Link
LEO LEO
Satellite i Satellite i+1
Intersatellite Link
(ISL)
Orbital Altitude
Feeder Feeder Terminal Terminal
Downlink Uplink Downlink Uplink
Gateway
End User
Terminal
PSTN Cellular

14. Frequency Band Designations

15. TDMA (Time Division Multiple Access)
f1
Transponder
f1
f1
f1 f1

16. Timeframe Structure and Timeslots
1 hyperframe = 4,896 superframes = 19,584 multiframes = 313,344 TDMA frames
(3h 28mn 53s 760ms)
0 1 2 3 4892 4893 4894 4895
1 superframe = 4 multiframes = 64 TDMA frames (2.56s)
0 1 2 3
1 multiframe = 16 TDMA frames (640 ms)
0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
1 TDMA frame = 24 timeslots (40ms)
0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23
1 timeslot = 78 bit durations (5/3ms)
1 bit duration = 5/234ms

17. CDMA (Code Division Multiple Access)
++++++++++++++++++++++++++++++++++++++++++
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
oooooooooooooooooooooooooooooooooooooooooo
------------------------------------------
Transponder
f1 f1 f1 f1

18. Coverage: Iridium

19. Coverage: Inmarsat

20. Coverage: Thuraya

21. Spotbeams: Regional Coverage
E
F D
A L
G C
B K
H J
E E E E E I
F D F D F D F D F D
A L A L A L A L A L
G C G C G C G C G C
B K B K B K B K B K
H J H J H J H J H J
E I E I E I E I E I E
F D F D F D F D F D F D
E A L A L A L A L A L A L
D G C G C G C G C G C G C
A L B K B K B K B K B K B K
C H J H J H J H J H H
J J
B K I E I E I E I E I E I
J F D F D F D F D F D
I E A L A L A L A L A L
F D G C G C G C G C G C
A L B K B K B K B K B K
G C H J H J H J H J H J
B K I I E I E I E I
H J E F D F D F D
I F D A L A L A L
A L G C G C G C
G C B K B K B K
B K H J H J H J
H J E I E I E
E I E
I F D F D F D
F D F D
A L A L A L A L A L E
G C G C G C G C G C F D
B K B K B K B K B K A L
H J H J H J H J H J G C
I I I E I E I B K
E E
F D F D F D F D H J
A L A L A L A L I
G C G C G C G C
B K B K B K B K
H J H J H J H J
I I

22. GMR (GEO-Mobile Radio Interface)

23. GSM GMR Release 1
Extension to Satellite
GPRS GMR Release 2
Evolution Path
3GPP GMR Release 3

24. GMR-1

25. GMR-1 System Elements
Space segment
Feeder links
Gateway Station
Spotbeam coverage
at L-Band
GS
SOC
PSTN
Mobile Earth Stations
Gateway Stations

26. GMR-1 Protocol Architecture
Satellite
MES GSC +
GTS + GSM
MSC
TCS
GMR-1 Um-Interface
CM CM
GSM
SIM
MM MM
RR RR BSSMAP BSSMAP
GPS
RECEIVER
DLL DLL SCCP SCCP
PHYS PHYS MTP MTP
PHYS PHYS
Spotbeams Feeder Link GSM/A-Interface
L-Band Ku or C-Band (CCS7)

27. GMR-1 Logical Channel Mapping onto Physical Channel
DOWNLINK
LOGICAL PHYSICAL PHYSICAL
CONTROL ENTITIES
CHANNELS CHANNELS RESOURCE
USER CHANNELS
MAPPING
TCH Timeslot Frequency
Traffic Number (RF Channels)
TDMA Frame
Sequence
CCH
Time
Control and RF Channel
(Timeslots)
Signalling
UPLINK
MOBILE EARTH STATION SATELLITE

28. GMR-1 (GSM-based) Services
• Standard GSM-based services (Phase 2)
• Roaming
• Single number routing
• Numbers and addressing
• Authentication and privacy

29. GMR-1 Extended Services
• Single-hopped terminal-to-terminal calls
• Optimal routing
• High penetration alerting
• Position based services

30. GMR-2

31. GMR-2 System Elements
Traffic GEO Satellite
Signalling
C-Band L-Band
Gateway 1 C-Band
C-Band
C-Band
PSTN User
Terminals
PN
Gateway 2
PLMN Satellite Control
Facility
PSTN
Gateway 3
PN Network Control
Centre
PLMN PSTN
PN Customer Management
Information System
PLMN

32. C-band Regional Coverage for Signalling & Communication
C-Band
Traffic
Signalling

33. L-band Spotbeams for MSS Users
E
F D
A L
G C
B K
H J
E E E E E I
F D F D F D F D F D
A L A L A L A L A L
G C G C G C G C G C
B K B K B K B K B K
H J H J H J H J H J
E I E I E I E I E I E
F D F D F D F D F D F D
E A L A L A L A L A L A L
D G C G C G C G C G C G C
A L B K B K B K B K B K B K
C H J H J H J H J H H
J J
B K I E I E I E I E I E I
J F D F D F D F D F D
I E A L A L A L A L A L
F D G C G C G C G C G C
A L B K B K B K B K B K
G C H J H J H J H J H J
B K I I E I E I E I
H J E F D F D F D
I F D A L A L A L
A L G C G C G C
G C B K B K B K
B K H J H J H J
H J E I E I E
E I E
I F D F D F D
F D F D
A L A L A L A L A L E
G C G C G C G C G C F D
B K B K B K B K B K A L
H J H J H J H J H J G C
I I I E I E I B K
E E
F D F D F D F D H J
Traffic A L A L A L A L I
G C G C G C G C
Signalling B K B K B K B K
H J H J H J H J
I I

34. GMR-2 Gateway Internal Structure
Databases
HLR & VLR
GA
RF/IF TCE GSC MSC
PSTN
GA Gateway Antenna
TCE Traffic Channel Equipment PN
GSC Gateway Station Controller
MSC Mobile Switching Center
GSM

35. GMR Satellite Monitoring System
Intercept
ing

36. Satellite Phone Interception
• Law-enforcements require tapping
• Test equipment
• Limited use of encryption
• Modifiable phone equipment

37. Tactical Interception
Receives L-band from satellite and line-of-
sight from handset
Strategic Interception
Receives L-band from satellite and C-band
from satellite

38. Satellite Interception Operation
1.5 GHz
DOWN
1.6 GHz
UP
6 GHz
UP
3.5 GHz MES
DOWN
Gateway

39. Tactical Satellite Interception Operation
1.5 GHz
DOWN
1.6 GHz
UP
6 GHz 1.5 GHz
UP DOWN
3.5 GHz MES
DOWN
1.6 GHz
RADIO LINE-OF-SIGHT
Gateway Monitoring
Agent

40. Tactical Satellite Interception Operation
Satellite
antenna
Downconverter
IF
Channel 1
Channel 2
Uplink
antenna

41. Call Analysis
• Spotbeam IDs, GPS co- • TMSI called by MES.
ordinates, operating
frequency.
• Mobile or Fixed Originated Call
(Voice, Fax, Data or SMS).
• Date, time and duration of call. • Terminal type.
• MES IMSI. • Ciphering key sequence
• GPS co-ordinates of MES. number.
• Random Reference Number • RAND and SRES.
(CallerID).
• Encryption Algorithm

42. Strategic Satellite Interception Operation
1.5 GHz
DOWN
1.6 GHz
UP
6 GHz 1.5 GHz
UP DOWN
3.5 GHz MES
DOWN 3.5 GHz
DOWN
Gateway
Monitoring
Centre

43. FAQ

44. What’s next?

47. @geovedi
http://www.slideshare.net/geovedi/presentations