This document summarizes a presentation about hacking the Globalstar simplex data service satellite network. It describes how the speaker analyzed the network's spread spectrum modulation and packet structure to intercept and decode signals. Methods are outlined for recovering the pseudo-random number sequence, despreading signals, and extracting location and payload data from packets. Potential impacts of the capabilities are discussed, such as spoofing emergency alerts or hijacking vehicle tracking data. The presentation concludes by calling for further collaboration and optimization of the techniques.

1. SPREAD SPECTRUM SATCOM
HACKING
ATTACKINGTHE GLOBALSTAR SIMPLEX DATA SERVICE
Colby Moore
@colbymoore - colby@synack.com

2. WHO AM I?
Colby Moore
Synack R&D
KD7SCT

4. INTRODUCTION

5. MOTIVATION
• Try something new
• Satellite hacking often too
theoretical
• Unexplored frontier
• Systems are hopelessly
broken
• Inspire and collaborate

6. WHAT ARE WE GOINGTO
LEARN?
• RF signals and modulation
• What is spread spectrum?
• Selecting a target and
reverse engineering
• Exploiting the target

7. PREREQUISITES
• High school mathematical
knowledge
• Lets keep things relatively
“understandable”
• Will provide resources
(see github)

8. TARGETING

9. SELECTING ATARGET
GovernmentCommercial

10. • SPOT - Consumer grade satellite tracking
• Aging satellite network: voice, data, messaging
• But wait… this tech is used everywhere. Jackpot.

11. WHERE IS IT USED?
Military / Classified
Trailers / Containers
Air Quality Monitoring
PersonnelTracking
Fire Detection and Prevention
Water Quality Monitoring
Tank Level Gauging
Perimeter / Border monitoring
Asset / Vehicle Tracking
Remote Meters
Buoys
Ship Movement
Fishing vessel monitoring
Power line monitoring
Dispersed sensors
and many more…

12. SIMPLEX DATA NETWORK
“Simplex works where infrequent, small packets of data are to be collected”
GPS Satellite
Asset
Globalstar Satellite
Globalstar Ground StationThe Internet
Globalstar Infrastructure
User Infrastructure

13. BENT PIPE
“A bent pipe satellite does not demodulate or decode
the signal.A gateway station on the ground is
necessary to control the satellite and route traffic to
and from the satellite and to the internet.”

14. REDUNDANCY
• Yes, the network only talks in one direction (simplex)
• How is this reliable?

15. GROUND STATIONS AND
COMMAND CENTERS
Hundreds of ground stations Two Operations Centers

16. COVERAGE
48 satellites - 5850 km diameter footprint - 1410 km orbit - In service since 2000

17. SECURITY POSTURE

18. “Error 100: Database query failed - retrieving
login information You have an error in your
SQL Syntax;…”
NOT SO MUCH…

19. –Globalstar
“The received data is then forwarded to a user defined
network interface that may be in the form of an FTP
host or HTTP host where the user will interpret the data
for further processing.”

20. INTELLIGENCE GATHERING

21. WHERETO LOOK

22. PRIOR RESEARCH
Travis Goodspeed
https://github.com/travisgoodspeed/pyspot
Natrium42
https://web.archive.org/web/20120202211125/
http://natrium42.com/projects/spot/

23. STX-3
“Worlds’ smallest and lowest power consuming industrial-
use satellite transmitter”
DSSS? BPSK? What the &^#% is that?…

24. FREQUENCIES
Globalstar L-Band Frequencies
Globalstar Simplex Data Frequencies

25. THE BREAKTHROUGH
Clues!

26. REVIEW OF WAVES AND
MODULATION

27. WAVES
Amplitude - A
Phase - φ (radians)
Time (t)
Wavelength

28. TIME DOMAINVS.
FREQUENCY DOMAIN
Frequency DomainTime Domain
Amplitude
Time
Frequency

29. ANALOG MODULATION
• Amplitude Modulation (AM)
• Frequency Modulation (FM)

30. AMPLITUDE MODULATION
Carrier
Modulating Signal (Data)
Modulated Signal

31. FREQUENCY MODULATION
Carrier
Modulating Signal (Data)
Modulated Signal

32. DIGITAL MODULATION
• Amplitude Shift Keying (ASK / OOK)
• Frequency Shift Keying (FSK)
• Phase Shift Keying (PSK)

33. PHASE SHIFT KEYING (PSK)
Modulated Signal
Modulating Signal (Data)
0 0 1 1 0 1 1 1
0˚ 180˚ 0˚ 180˚
BPSK - Two phases (0 and 180 degrees) are used to represent 1 and 0

34. SPREAD SPECTRUM

35. SPREAD SPECTRUM
MODULATION
• Why is Spread Spectrum special?
• WiFi, Bluetooth, GPS, and basically all modern RF
communications
• Processing Gain
• Jam Resistant
• CDMA

36. SPREAD SPECTRUM
MODULATION
• Frequency Hopping Spread Spectrum (FHSS)
• Direct Sequence Spread Spectrum (DSSS)

37. DIRECT SEQUENCE SPREAD
SPECTRUM (DSSS)
• Mixes a slow signal with fast pseudo-random signal
• Signal still contains original information but occupies much
more bandwidth.
BPSK Signal
Occupies ~100Hz
Spread BPSK Signal
Occupies ~1.25Mhz

38. DSSS CONTD.
Data Signal
Pseudo Random
Result
000000000000 111111111111
110001111001 010000101000
110001000110 010000010111
⊕
⊕

39. DSSS CONTD.
Data Signal
Pseudo Random
Result
000000000000 111111111111
110001111001 010000101000
110001000110 010000010111
⊕
⊕

40. M-SEQUENCES AS PN CODES
• Periodic binary codes that have strong
autocorrelation properties
• Commonly generated with LFSRs

41. M-SEQUENCES AND
CORRELATION
0001
0001
0001
0010
0001
0100
0001
1000
4 0 0 0
M-Sequence:
Shifted:
Correlation:
This makes looking for the m-sequence in a signal easy!

42. DECODINGTHEORY
• Simple in practice. More difficult in theory
• Mix incoming signal with PN sequence and the original
BPSK signal will emerge.
• Compensate for frequency differential between local and
remote oscillators
• Signal needs to be phase aligned with PN code

43. HARDWARE

44. TOOLS AND HARDWARE
USRP B200
$675
GSP-1620 LHCP Antenna
$65

45. MORE HARDWARE
Dimension Engineering AnyVolt 3
$55
12v AC/DC Adapter
$5SMA Cables
$20
MiniCircuits ZX60-1614LN-S
Low Noise Amplifier
$150

46. ASSEMBLED CAPABILITY

47. SAMPLING
Nyquist: Sample at least
twice as fast as the signal’s
fastest frequency.
The human ear can’t hear frequencies higher than 20Khz.
CD audio is sampled at 44.1Khz (twice the human range).

48. IQ MODULATION
• Makes generation of signals easy in software!
https://www.youtube.com/watch?v=h_7d-m1ehoY
Basics of IQ Signals and IQ modulation & demodulation - A tutorial

49. PN RECOVERY

50. WHATTO EXPECT
• Pseudo random sequence
(1s and 0s)
• Repeating
• 255 bits long
• 1.25 million “chips” per
second
Much like Bart in detention, the PN will
repeat over and over and over…

51. PN RECOVERY
• In order to decode the signal, we need to know the PN sequence
• DSSS BPSK == BPSK
BPSK DSSS
BPSK
LowFrequencyHighFrequency

52. SAMPLING REQUIREMENTS
32 Mhz
———— = 4 Mhz (> 1.25 x 2)
8 Mhz > 2x faster than 1.25 Mhz (Nyquist)
Even multiple of 32 Mhz (USRP)
4 Mhz 3.2 samples
—————— = —————— (not even)
1.25 Mcps 1 symbol
4 Mhz 5 4 samples
—————— x —— = —————
1.25 Mcps 4 symbol
Even samples / symbol
(Implementation Specific)
*We can resample the
signal from 4 to 5 Mhz.
*

53. PN RECOVERY
• PN Sequence is much shorter than bit length
• PN repeats 49 times for each bit
• PN ⊕ Data == PN (within a bit boundary)
1,250,000 chips 1 second 1 PN seq. 49 PN seq.
———————— x —————— x ————— = —————
1 second 100.04 bits 255 chips 1 bit

54. PN RECOVERY

55. PN RECOVERY
11111111001011010110111010101011
10010011011010011001101000111011
01100010001001111010010010000111
10001010011100011111010111100111
01000010101100101000101100000110
01000110000110111111011100001000
00100101010010111110000001110011
0001101010000000101110111101100

56. DESPREADING

57. WHATTO EXPECT
• Mix original signal with PN
• Narrow band signal will
emerge
• Shown as sharp spike on
FFT

58. REALTIME IS HARD
• Unfortunately doing this is very computational intensive
• Lots of room for optimizations
• Record now, process later
sh-­‐3.2#
time
python
sync.py
real
0m58.326s
user
0m48.754s
sys
0m0.909s
1.4 second capture (one packet)
4M samp/sec * 2 floats/samp * 4 bytes/float = 30.5 MB/sec

59. CORRELATION
Correlation
Time
Slide PN against data and correlate at each step.

60. CODETRACKING
Time (samples)
Correlation
Correlation Peak
If we don’t compensate for misalignment, we will drift and lose
correlation over time.
Search for
peaks, and track
themStrong Correlation (PN aligned)
No Correlation (PN unaligned)
Early
Late
Aligned

61. CODETRACKING
Time (samples)
Correlation
Early or late detection lets us keep track.
Positive and negative correlations
indicate bits!
Consistent Correlation (PN aligned)

62. DESPREAD SIGNAL
It works!
Mix the PN against the signal. Original signal appears.

63. DECODING

64. EXTRACTING DATA
Low Pass Filter
Rational Resampler
PSK Demodulator
Decoder
Signal
Time Domain
Frequency Domain
10100 0 0111 ……

65. PACKET FORMAT
000000101100101001101100011110100000010100000000010011110000000100000010000010000000000000000100000000000000000000000000000011001000001010010011
001 01001101100011110100000Manufacturer ID Unit ID

66. LOCATION DECODING
Latitude: bits 8:32
Longitude: bits 32:56 + -
Latitude
Northern
Hemisphere
Southern
Hemisphere
Longitude
Eastern
Hemisphere
Western
Hemisphere
Convert to decimal
(signed int MSB to LSB)
Multiply by degrees per
count
1.
2.
3.

67. CHECKSUM
Packet (without preamble and CRC)
110 bits
CRC
(Code Provided)
Compare
If we known how to reproduce the checksum, we can create our own
packets… no signing, no encryption, lets spoof!
000000101100101001101100011110100000010100000000010011110000000100000010000010000000000000000100000000000000000000000000000011001000001010010011
24 bits

68. INTERCEPTING ON
DOWNLINK
• Bigger antennas and better equipment
• RF downconversion
• Doppler Shift
• Multipath
Worst Case Doppler Shift

69. TRANSMITTING

70. DISCLAIMER
Transmitting on Globalstar’s frequencies may be illegal where you live and could
interfere with critical communications.
Donotdothis!
Seriously,don’t.
No one likes late night visits from the FCC.

71. TRANSMITTING
MGA-2000 0.5W RF Amplifier
$190.00
But if you like late night visits from the FCC…
• This is actually the easy part.
• ~.2 Watts power
• Simply mix data, PN, and carrier and correct rates

72. BUT WAIT… ITS EASIER
Spot Device Updater SPOT3FirmwareTool.jar
Currently $49.99

73. DOES IT WORK?
SpotTrace1 SpotTrace 2
Clone

74. IMPACT

75. EMERGENCY RESPONSE
Real Emergency
Fake Emergency
Overwhelm emergency
response center
anonymously?

76. WHERE ELSE?

77. BUT WAIT,THERE’S MORE
Lockheed Martin Flight Service (LMFS) Integration

78. CAPABILITY

79. Uplink Interception
RF Beam
Globalstar
Attacker
Attacker intercepts and
plots pattern of life

80. SPOOFING LOCATION
Planned Route
Hijack Route
Attacker hijacks truck, disables tracker,
transmits location as if delivery is on
track.
FalseLocationData

81. TESTINGTHE CAPABILITY
Reception
Window

82. DEMO
Video demo time. It’s better to not tempt the demo gods. ;)

83. CONCLUSIONS

84. "Like all companies and industries in the 21st century, including those that Wired
reported on this week to expose hacking vulnerabilities like Chrysler, GM, Brinks
and others, Globalstar monitors the technical landscape and its systems to protect
our customers. Our engineers would know quickly if any person or entity was
hacking our system in a material way, and this type of situation has never been an
issue to date.We are in the business of saving lives daily and will continue to
optimize our offerings for security concerns and immediately address any illegal
actions taken against our Company."
DISCLOSURE & RESPONSE
• ~180 days ago
• Friendly and concerned for user privacy, but no further
communication

85. NEXT STEPS
• Collaboration
• Code optimization - realtime
• Downlink interception
• Data aggregation

86. CONCLUSIONS
• Long lifecycle
• Unpatchable
• Security going forward
• DSSS != security
• Assume Insecure
• Act accordingly
• Higher standards

87. SPECIALTHANKS
Alex K., Chris W., Cyberspectrum Meetup, David C., Michael Ossmann,
Mom and Dad, Paul David,Tom Rondeau
The Interns
and

88. QUESTIONS / COMMENTS?
https://github.com/synack/globalstar
https://syn.ac/dc15satcom
@colbymoore
colby@synack.com
code
slides
twitter
email

89. IMAGE CREDITS
• http://images.google.com