As I said, welcome to track one. This is the one o'clock talk as you well know. We have Colby Moore. He's going to talk about satcom hacking. He reportedly found some vulnerabilities in some satellites. So he's going to talk about that. This is a rerun of his talk that he gave at Black Hat. So please help me welcome Colby Moore. Thanks, guys. Good afternoon, DEF CON. Thanks for coming out. Today we're going to talk about spread spectrum signals and hacking the Globalstar Simplex Data Service. But first, who am I? I'm a mechanical engineer that loves computer security. I'm currently working at Synack on the R&D team. I got interested in satellites and radios a long time ago when I got my ham radio license. And yes, ladies, that's my call sign. So radio me, I'm single. So what is this company Synack that I work for? Basically we're a new spin on security for the enterprise. We have an army of vetted security researchers out there and they hack our clients on a bounty basis for pretty crazy payouts in my opinion. So if you have spare cycles and you want to make some money, come join our red team. If you guys are concerned about security in your enterprise, come talk to us as well. But anyway, a little introduction here. You know, why am I doing this? I wanted to try something new and I was pretty frustrated with kind of the lack of diversity in the talks lately. Satellites are kind of the ultimate hack and there seems to be one satellite hacking talk just about every year. But often they're kind of theoretical. So I wanted to try to do something a little bit more concrete. So I've been doing a lot of location-based privacy research at Synack and so location monitoring satellites seemed like a good fit. Bottom line, I want to take a stab at something different and hopefully inspire some collaboration on future research in this unexplored area. And I'll be releasing some tools after the talk so hopefully we can collaborate a little bit. So what are we going to learn?
We're going to talk a little bit about RF signals and modulation, about what spread spectrum is. We're going to select a target and reverse engineer it and hopefully exploit it if everything goes well. And the goal of my research here is kind of to do it for less than a thousand dollars. I started it as kind of a side project. I wanted to do it on the cheap. So hopefully you guys will be able to do it too. There's quite a bit of material to cover as they mentioned, but I'll zip through it. Slides will be online if you guys need to look at it later. You can email me or whatever. All right. So prerequisites. My intent is to keep it pretty high level at first but with enough detail to get you guys started. Really all you need is high school mathematical knowledge. So for you guys that came to Patrick's and my talk last year, you know we like to define some key terms up front. So here we have the term, the Vegas interpretation and then its hacker meaning. So here for a chip it's a pulse of a spread spectrum code, not a poker chip. Coverage, you know we're not referring to the size of your bikini. It's the area in which the satellite service is available. Recovery, I'm sure you guys are wondering about this morning, but we'll be recovering the unknown PN code or spreading code from the signals. A bent pipe. It's not a normal pipe. It refers to a type of satellite system that repeats the data when it's sent up. It comes right back down. And then sampling. I'm sure you guys did a lot of sampling last night. But we're just going to be recording a signal digitally. So targeting. How do we choose our target? And there's a lot of potential targets out there. This doesn't even cover them all. But picking the right one was key. Do we go commercial? Do we go military? Bottom line, the technology needed to be consumer accessible and cheap. We're just going to do this as a side project. But I wanted something that would be popular and have a really high impact.
We want any vulnerabilities we find to be worthwhile. So I was familiar with Globalstar's SPOT line of consumer products. I use them when I'm out backpacking and personally I think they're pretty great. They make asset trackers for tracking your car or yacht. And personal locator beacons to call for help when you're lost out in the wild. Or your ship is sinking at sea or something like that. So I started looking deeper into the tech and it turns out that the commercial offerings use the same technology as the consumer tech. So basically you could buy a $50 dirt cheap consumer device for research and the research would translate directly to all the enterprise devices out there. Not to mention anything found is going to be high impact because it's pretty widely deployed. So where is this technology used? Really it's used everywhere. It's designed to be integrated anywhere you need low bandwidth off the grid communication. Most interestingly, it's heavily used in SCADA systems, big gas and oil operations, military, and predominantly asset tracking, things like shipping containers, armored cars, expensive things. So all this tech operates on what's called the Simplex Data Service. And how does that work? In the case of asset trackers, devices can also send back arbitrary information as well. The tracker gets its location from GPS satellites and then it beams that data and some other metadata up to the Globalstar satellites and that simply repeats the data back down to the Globalstar ground station, which interprets the data packets and forwards the data on over the internet to Globalstar's back-end infrastructure or to the customer infrastructure for processing. I kind of liken this to, think of it as SMS for the satellite world, just really small, concise messages. So the Globalstar system is a series of low earth orbit bent pipe satellites.
And the way a bent pipe satellite works is that whatever signal goes up, it simply repeats it, shifts it to a different frequency and sends it right back down to be received by the ground stations. And this keeps the cost of the satellite low and future usability really flexible. But notice the data link is one direction, Simplex, the Simplex Data Network. So how the heck is that reliable? Well it turns out that each data packet is sent multiple times to ensure successful transmission. So what's the deal with these ground stations? Turns out there's hundreds of them all around the globe and they handle the reception of the satellite data. There's also two main control centers, one's in San Jose, California, I forget where the other one is, but they're in charge of operating the actual satellites and positioning them and such. So here's the coverage map from Globalstar's website. And you can see that there's patches with no coverage out in the ocean, down in Antarctica. And that's because there's no ground station there to receive the data from the satellite. Each ground station provides up to a couple thousand mile window radius for reception. So you can see down in South Africa there's this nice blob down there. They actually just added this one maybe a couple months ago to get coverage down there. So before I start working I always like to do a little bit of ground work just to get the idea of a client's general security posture. So I had a look at their website and I was having issues signing up for an account and logging in. And I tried to log in and it looks to me like potential SQL injection. So I'm getting that warm fuzzy hacker feeling that this is going to be a fun target to hack on. And so as I'm digging a little deeper it turns out the data from the ground stations appears to be forwarded to clients over FTP and HTTP. Yeah, there's no S on there. So maybe it would just be easier to sniff this data over the internet, but we're going to try to do it.
Just for the hell of it. So things are looking pretty good in general for finding some sort of bug. So let's dig deeper into the actual satellite system itself. But where do we look for information on Globalstar's hardware? Of course Google, you know, I think we all do it. But the FCC database turned out to be like the best wealth of information. If you have an RF transmitting device in the U.S. you need to register with the FCC to make sure you're not stepping on anyone's toes. There are a lot of academic papers on Globalstar as well and I found a lot of integrator spec sheets, you know, company proprietary information that was just kind of left out there. So that helped a lot. But I wanted to make sure someone else hadn't already broken the system. So I looked for some prior research. It turns out Travis Goodspeed looked at the Bluetooth protocol of one of Globalstar's devices a while back. Really cool research. And then Natrium42, some guy on the internet, maybe he's here, looked at the GPS to microcontroller interface on board an old SPOT personal locator beacon. But I wanted to dive deeper. This was all great research but it didn't really deal with the device to satellite communications. So again, looking at the FCC database, a chip called the STX3 kept coming up and being referenced. Turns out it's one of the transmitters used by the Simplex Data Network. And it was designed for integrators to put in their creations. It's low cost, low power and you can see it's wicked tiny. That's the chip itself that talks to the satellite. So there were some nice diagrams that came with this chip and on the diagrams I kept seeing this DSSS and BPSK coming up. We'll talk about that more in a minute. I really had no idea what it was at the time but it turns out to be pretty critical to what we're doing. So the FCC databases also came up with Globalstar's various frequency ranges as well as the specific range for the Globalstar Simplex Data Network, which we need to know.
In this case the devices we're looking at operated around 1.6 gigahertz in frequency. So I kept digging and I found this leaked manufacturer spec sheet from a company called Axon. They used to make transmitter chips for the Globalstar Simplex Data Network. And it referenced all these parameters that I couldn't help feeling were important, but I had no idea what they were. So of note, let's see what it says here. We see that DSSS again and something called a 255 chip PN sequence at a rate of 1.25 megachips per second and then a reference to a data rate of 100.4 bits per second. After a little reading it turns out these are parameters for a certain type of spread spectrum modulation, but we'll talk about that more in a minute. So before we talk about spread spectrum we need to have a basic review of waves and modulation for those that aren't familiar. So remember that radio signals are transmitted on radio waves and data is encoded on waves by modulating various parameters of that wave. Remember that waves have three main characteristics that we can modify. They have the wavelength, essentially the frequency, how many cycles per second the wave moves, and the phase, the position of the wave relative to its point, as well as the amplitude, essentially the height of the wave. And we can look at waves in a few different ways. You guys are probably familiar with the time domain representation of a wave where time is on the x-axis and amplitude is on the y-axis. But often when we're working with signals we look at the frequency domain representation where frequency is on the x-axis and amplitude is on the y-axis. So essentially this shows us what frequency components make up a signal. The frequency domain representation of, let's say, a 100 kilohertz sine wave would show a sharp spike at 100 kilohertz on the frequency domain graph. But oftentimes signals may contain other frequency components.
So this graph may take on a very unique look for different types of signals we're looking at. So let's start and see kind of how analog modulation is done and we'll move on from there. But we're going to look at both AM and FM, both of which you guys are probably used to. So to send an analog AM signal, essentially you have a carrier wave at the desired frequency you want to transmit on. And then you vary the amplitude of this frequency according to your data, the modulating signal. And the resulting signal is what gets sent out over the air and transmits whatever. Notice how we varied one parameter, in this case the amplitude, to send the data over the air. And instead of modulating the carrier in an analog fashion we could have simply switched it according to the data signal instead. Sending a digital data signal over AM is often called OOK for on off keying or ASK for amplitude shift keying. So we can do the same thing to frequency modulate data, except we vary the carrier frequency according to the modulating signal instead of the amplitude. So again we could have shifted it between two distinct frequencies to encode digital data on this wave. And the method of encoding digital data on a frequency modulated wave is called FSK for frequency shift keying. So as we talked about, digital AM is ASK or OOK and digital FM is called FSK. But we can also vary the third parameter, the phase, in a manner that's called phase shift keying. And so we can do this to encode digital data on a wave. So for this talk we're going to focus on BPSK. Remember we saw that earlier in that tech doc. It stands for binary phase shift keying. Basically it's alternating a wave 180 degrees in and out of phase in order to encode binary data on this wave. A 180 degree phase shift is simply achieved by flipping the wave upside down or just multiplying it by negative one. So here each cycle of the wave corresponds to one symbol, a bit in this case.
Okay so I know it's kind of brief but we have the necessary knowledge on how signals are modulated. So let's go one step ahead and talk about what spread spectrum is. Spread spectrum is basically a way to take a narrow band signal, one that doesn't take up too much bandwidth to transmit, and it spreads it out over a much, much, much wider frequency range. And this gives it the ability to be much more jam resistant and it introduces a property called processing gain. And essentially with this processing gain, the more you spread the signal the more gain you get at the receiving end. Essentially you can transmit further. The processing gain actually allows for a spread spectrum signal to be received even if it's below the noise floor at the receiving point. Spreading the signal also allows for what's called CDMA properties. This stands for code division multiple access. You've probably heard about it in reference to your cell phones. What this means is that multiple devices can transmit on the same frequency at the same time and all the data can still get through. And this is achieved through the use of something called earlier in the tech doc a PN sequence or a PN code. This is the same thing. Now there's two types of spread spectrum. DSSS and FHSS. And the difference is that DSSS operates around one frequency as shown there on the left. Whereas FHSS hops between multiple frequencies, as you can see in the four peaks on the right. But for the sake of this talk we're just going to focus on DSSS as that was what was referenced in the doc. The signal, in this case a relatively slow BPSK signal, in the case of these transmitters a 100 bits per second signal, is mixed with a very very very fast pseudo-random signal, the PN sequence. And the resulting signal contains all the original information but is spread out over a much larger bandwidth. So here you can see the data BPSK signal is then spread to 1.25 megahertz, that's 12,500 times wider.
Notice the shapes of the waveforms are very similar in these two. It's going to be important later. So here's a more concrete example. Our data signal is just 0 and 1 modulated very slowly. Our pseudo-random sequence is a binary signal that changes much much faster, the higher frequency shown there in green. And we mix those two signals together to get a resulting signal with much higher frequency components, as you see there in the red. But how do we recover the data? You simply mix the output signal one more time and the original data falls right back out. And so that's how this whole DSSS thing works. So now we talked about these PN sequences briefly. Basically all they are is periodic binary codes that have strong auto-correlation properties. Meaning that they are a binary sequence that repeats over and over and over. And just as an interesting piece of information, if you guys end up trying something at home, they're commonly generated using linear feedback shift registers. So for this research we're going to look at a specific type of PN sequence called an M sequence. Again we saw that in the original spec doc. And what's interesting about them is that they correlate strongly with themselves at a phase shift of zero and very, very, very poorly at any other phase shift. So let's take a look. Up there on the left we're comparing a very short M sequence, 0, 0, 0, 1, and we're comparing it to itself. And at a phase shift of zero it has a perfect correlation of 4. If we shift it once to the left it stays at zero until we bring it back into phase. This is nice because it makes searching for this PN sequence in any other signal very easy. We just look for it using correlation. So this spread spectrum stuff is simple in theory but it's really more difficult in practice. You know, in theory you simply mix the signal being received with the appropriate PN sequence and the data signal will emerge.
But we're not in a perfect world: our transmitter and our receiver aren't going to be tuned to exactly the same frequency. So we need to accommodate for this frequency differential somehow. Also remember that if the PN is not properly aligned with itself and the incoming data, it won't work. You'll just get a garbage signal out. So we need a way to phase align the PN sequences. So keep thinking about how we might do that, and it uses those auto correlation properties we talked about just a second ago. All right so we've kind of got a little rough idea of the theory but now to put it into practice we're going to do something. So to do this I used a software defined radio along with Python and GNU Radio to write all my code and I also needed an appropriate antenna that I ended up getting off of eBay, and so for those that wish to try this at home just know that Globalstar antennas are left hand circular polarized, so it's a specific type of antenna that you'll need to look up. But that's a little bit out of the scope of this talk, and for those of you who are familiar with RTL-SDR, you know the really cheap software defined radio dongle, unfortunately you won't be able to use it for this, it doesn't cover enough bandwidth. So I used the USRP B200, great board, you can get it for about 600 bucks, and I think a lot of the other SDRs on the market work just fine. So we also needed a low noise amplifier for receiving some weak signals and supporting cabling and voltage regulators to supply it. I got this LNA off of a company called Mini Circuits, it was 150 bucks, so not too bad. I packaged it all up into a box because these things are pretty fragile and hackers are clumsy, or I'm clumsy, and I didn't really want to break the hardware, so anyway I mounted the antenna on the outside of the box so we can take this thing places and aim it at things. I had it up in my Black Hat hotel room, was aiming it over at McCarran and sniffing up data from the airport, so we'll get to try that out.
So how does this hardware work? Essentially the software defined radio listens for radio waves, which are analog, and converts them into digital data that our computer can process, and does this by taking samples of the wave. So this guy named Nyquist back in the day came to the realization that while sampling you need to sample at least twice as fast as a signal's highest frequency in order to accurately reproduce the signal. A real world example of this is that the human ear can't hear frequencies higher than 20 kilohertz and if you recall CD audio, if you guys still use CDs, is sampled at 44.1 kilohertz, that's just over twice the human hearing frequency range. So you should also know that software defined radio hardware uses what's called IQ sampling or modulation to receive and send these signals. This topic's a little too much to get into for now, but I know that for each sample taken two values are recorded, the I, the in phase value, and the Q, the quadrature value, and using this IQ modulation has strong benefits for processing signals in software, but if you're interested I suggest you check out this YouTube video, it does a really really good job explaining it much better than I'll be able to do, but bottom line you don't need to understand this unless you're going to try this research at home. So the first step to decoding satellite transmissions is to figure out that PN sequence so we can extract the data from the waves. So let's put our hardware to work. So remember that we're looking for a signal, the PN sequence, that is 255 bits in length, it repeats over and over and over again at 1.25 million chips per second. Here I should mention that a chip is the same thing as a bit, we just name it differently so we can distinguish it from actual data bits. So now interestingly enough we can treat a DSSS spread spectrum BPSK signal the same as we treat BPSK.
So check out this graph, it's kind of hard to show, but we can see that the BPSK signal above shifts the wave at its transition but only once every several wave cycles. The DSSS BPSK signal shifts the wave much, much, much faster but in the same way as the BPSK signal. So this means that we can use an ordinary BPSK demodulator to receive the spread data. Now the downside of receiving the data this way is that we don't receive any of the processing gain benefit we talked about from spreading a signal. So this technique only works over really short distances, but it's perfectly legitimate. So I was able to do this across the room, maybe 100 feet away. We need to set our hardware to sample the data correctly and we have to meet a few different criteria. First the USRP, the software defined radio I use, can only sample at multiples of 32 megahertz. We also need to sample twice as fast as the highest frequency component, and in this case that's the PN sequence in the signal, 1.25 megahertz, due to what Nyquist had to say. We also need to sample at a rate that provides an even number of samples per symbol. In this case an even number of samples per chip. So we achieve all this by sampling at a rate of 4 megahertz and then re-sampling the signal, essentially just interpolating data points along it, to get an upsampled signal of 5 megahertz. And what's special about this 5 megahertz signal is that it has a sampling rate that corresponds to 4 samples per symbol, which is an even number. But now how do we get the actual PN sequence out of this data we're going to see over there? Well we know from doing some calculations that the PN sequence repeats 29 times for each bit of data that's sent. And since the PN sequence doesn't cross any bit boundaries, we can simply XOR the PN sequence with a fixed bit of data, you know the first bit of data, and the resultant is the actual PN code. So let's use GNU Radio to decode the signal as BPSK and then it'll output the appropriate data to disk.
So here you can see the GNU Radio flow graph I used to do this, and you can see that the BPSK demodulator has the setting of 4 samples per symbol from our calculations. So the BPSK demodulator outputs the decoded symbols to a binary file that we'll then examine in a hex editor. So if you look at the data in the hex editor we can clearly see that there's a repeating sequence of data, 255 bits long. It's starting to sound kind of familiar. Well it turns out that repeating sequence of data is the PN code. And it turns out this is pretty much the keys to the kingdom for intercepting all this data. This code is used by all Simplex Data Network services to encode the data sent over the air. So now that we have the code let's try de-spreading some data. You may recall that we need to mix the PN code with the incoming signal to receive the information. And if all goes well we should expect our output signal to contain a very strong narrow band signal, shown as a sharp peak down in that graph below. So above is what the normal Simplex Data Network signal looks like, kind of that lumpy thing. And the graphic below shows what we should see after we de-spread the data. Just that nice sharp spike in there. So now before we begin, it's important to know that working with these signals is a very computationally intense procedure. Receiving a signal at 4 megahertz with a software defined radio works out to a data rate of about 30.5 megabytes per second. So for the purposes of this work we're going to record the data and then post-process later. But it should eventually be possible to use more robust custom hardware, you know, think FPGAs, to do this work in real time. So we're just going to record and do it later. So big thanks to some of my interns over there for helping me optimize this code. It used to take about a minute to run. Now it takes about like 40 seconds. But all right, so how do we de-spread the data? First we need to lock on to the mixed PN sequence in the signal.
And we do this by correlating the received data signal against the recovered PN at every single point in time. So essentially we're sliding the PN against the received data signal and correlating. And if we plot the correlations over time, when they're specifically aligned we'll see a sharp spike in the correlation. And that's what you're seeing up there. So this is how we know when to mix the two signals together to de-spread the data. So if we align the PN on the first correlation spike only, due to some frequency mismatch we'll fall out of correlation over time as shown there on the left. So we fix this by adjusting the PN forward or backward at each and every correlation peak to ensure its alignment. At this point, once we're in alignment we simply mix the data together and the signal should fall out. So after compensating for the frequency differential, there you can see on the left that the correlation over time stays pretty constant with a slight oscillation, but that's okay. And if we zoom in, or I guess zoom out really far, we can see the correlations over a whole data packet. And you can see the negative and positive correlations representing actual data bits flying over the air. So if we look at the signal coming out of our software de-spreader, sure enough we see that sharp spike in the center indicative of our signal in question. That's the data de-spread successfully, theoretically. So zooming way in on that sharp peak we can see that the waveform looks like a BPSK signal. It's operating at around 100 hertz and we know that that's the data rate in question that we're looking for. So things are looking pretty promising. So now that we're maybe receiving data let's try to decode it, like what's inside. So if you look at the time domain representation of the signal you can clearly see there's actual data bits coming over there. So that's satellite data. So now let's clean up the signal and do something with it.
Namely we just low pass filter it and pipe it into a PSK demodulator. So at that point the data pretty much just falls right out. You can see at the top I got this nice binary string out of that data. But we need to validate it. So I found a spec sheet online that references the data packet format, which is shown right up there. And it starts with a preamble, essentially a constant unique binary sequence that tells the receiver when the packet is starting, as well as a bunch more data. So if we convert that manufacturer ID set of bits to decimal, sure enough it lines up with the ESN written on the back of the device. So I'm pretty sure that means we're doing something right. So now the data packets also contain just about any information you want. And this is kind of up to the end integrator. But these devices predominantly are used to send location data in asset trackers. So everyone uses the same data format to do the same on the back end. So after extensive comparison, again with some help from the interns, we figured out that bits 8 to 32 are latitude and 32 to 56 are longitude. You simply convert those binary bits to decimal and multiply it by a degrees per count value. And that will give you the actual latitude and longitude. So I kind of got a snippet of the code there. It will be online later if you want to kind of craft your own packets. We'll talk more about that. So the data packets also contain a checksum; long story short, we figured out how to calculate the checksum. But this means not only can we validate packets, we should be able to create our own. From what we saw in the comparison and the devices we looked at, there was no encryption, no signing, or any other protection. So theoretically we can inject our own data back into the satellite network. So now recall that we're doing all this interception here on the data uplink from the device to the satellite. But due to the bent pipe nature the data in the downlink is exactly the same as the data on the uplink.
Except we just need to compensate for a few other things like Doppler shift and multi-path interference. So this is a kind of avenue for future research if you guys are interested in helping out. But essentially with a bigger dish, a little better hardware, we can start receiving a ton more data doing the same method. But all right, so now that we've figured out these data packets, can we inject them back into the network? Transmitting on Globalstar's frequencies is probably illegal where you live and it might interfere with critical emergency communications. Fortunately the simplex frequencies aren't used for satellite control per se, so it's not like you're going to make it fly sideways or anything. But if you wanted to transmit, that's actually the easy part. So don't try this at home, wink, wink. So all you do is really you simply mix the data together with the PN sequence and the carrier, at all of the appropriate rates which are listed here in this talk. I'm not going to be providing my code that I designed, but if you're savvy enough you should be able to do it. But really all you need is about .2 watts of power, and you can get an appropriate amplifier on the internet for 200 bucks and you can write the code in GNU Radio, it's pretty simple. But what if there was an easier way? Well, Globalstar provides an OS X firmware update utility for one of their SPOT Trace devices, their personal asset trackers. Inside the application package there's a tool, Spot3FirmwareTool.jar, and it contains all sorts of interesting functionality that's never called by the actual consumer firmware updater app. So if you look in the jar there's a debug console class which references something in the spot device class called write electronic serial number. So what if we wrote a Java app to call that debug console? Sure enough, hidden functionality right there in the software on their website. The debug console essentially lets us update the ESN of any of these SPOT Trace devices out there.
So we can change the serial number of any of these devices, essentially cloning it. I mean think cloning cell phones, cloning whatever. So to prove this I cloned one of my SPOT trackers and confirmed that, yeah, we were able to clone the device. So for 50 bucks you can clone satellite network devices and maybe spoof some coordinates and shenanigans. But besides the obvious of using the network to transmit your own custom data or expanding the capabilities of your service, maybe sending more packets than you're allowed to per hour, what can we do with the data transmission capability? Can we get in a little bit more trouble? These devices are used very commonly in emergency response. So one scenario I thought up is what if an attacker spoofed thousands of false emergencies using these devices and jammed up the emergency response center, preventing aid from getting to an actual emergency? Or what about monitoring for help requests from these devices and then just cancelling the help requests? I mean it's kind of a dick move but someone might do it. So I talked to a really, really well known reporter a couple days ago and she said that many of the journalists out there use these SPOT devices to track their whereabouts in case they're kidnapped. So they're relying on these devices so people know where they are. So what if a foreign adversary was sniffing up this data and then like arresting our reporters or people who are using these for their safety? That's not cool. So it turns out these chips are also used in access control systems by law enforcement and even for animal tracking. So I think it would be hilarious to say that a child grizzly had relocated itself into suburban California and see what all the moms say.
But I also forgot to mention that they're used heavily in SCADA systems, and I'm going to refrain from naming any specifics because I know you guys are a bunch of hooligans and will probably get in some trouble, but they're commonly used in water quality sensors, pipeline monitoring and a lot of big oil and gas operations. So I was thinking, what if there's a big rival oil company that wanted to figure out where its competitor was? Just have a look for yourself. But wait, there's more. Lockheed Martin Flight Services, the contractor that handles flight planning for the FAA, allows these SPOT devices to be used to track any VFR flight. So what if an attacker made an airplane appear to deviate from its original flight plan into tightly controlled airspace? You know, I obviously haven't tried this, but it would be interesting to see what happened. So to demonstrate some of this I built a little vulnerability which I'm going to talk a little bit about, and the way it works is that I sit with the device in the uplink path of the transmitter and listen. So this is what I was doing in my hotel room a couple nights ago, and over time I'm able to pick up countless transmissions from asset trackers and map their patterns of life. I did some research a year ago at ShmooCon talking about mapping patterns of life from mobile vulnerability location tracking, and you know, we were able to use work just by where they are at different times of the day. So pattern of life is really key to tracking somebody. This makes it really easy to identify what a target is and where it goes. In this case we're going to monitor an armored car route. Now that I know where the armored car is, I know where to hijack it, and I can hijack the car, disable its beacon, begin spoofing the beacon's ID with my transmitter, spoof GPS coordinates along the armored car's route, and rob the bank blind. So think Fast and Furious. So you might ask, does this work?
Short answer is yes, but I needed a high vantage point. So clearly the only solution was to go out and start working on my private pilot license so I could intercept the data from the air. So I've been flying with this thing and we're going to see where it keeps going, but the results are pretty promising so far. So I'm going to do a little demo. I'll show you how. But I've broken up the video step by step so we can talk about it a little bit. So bear with me here while I fire up the video. Is that up there full screen? I can't. Perfect. So we're going to wait for a data signal from an attacker or someone to transmit, so the attacker is intercepting the data right there. So we've captured the data, it writes the data out to disk, and we're going to throw that data into the program here. And I've kind of cropped the video because it takes about a minute to analyze the data packet. And, okay, so it locks on to the PN signal in the signal and starts despreading. And it'll finish up here. And then we can see that's a pretty constant correlation over time. That's what we're looking for, so it means we locked on to the PN signal successfully. Then we're going to throw that back into some GNU Radio code to kind of visualize what we got. We're going to zoom in up there and you'll be able to see the live data bits flying by. Meanwhile, this is writing those data bits out to disk for us to analyze. And then we're going to go ahead and analyze those data bits. We should get the binary packet data out if all goes well. So there's the binary of the packet. Now let's throw that into the packet decoder and verify it. We can successfully validate a packet and print out its parameters. We can actually use the specific data and translate that into a latitude and longitude. So let's go back to the presentation. All right. So a couple conclusions. A few parting thoughts for you guys. I disclosed to Globalstar's senior engineering staff about 180 days ago.
They were actually really friendly in the response and seemed very concerned. I get the impression they don't deal with a lot of these disclosures. It's not very typical. I had a technical detail write-up for them in the hopes of helping out and never really heard back. After the news broke recently, they issued a statement saying they take privacy very seriously and they have monitoring in place to detect these sorts of attacks. Unfortunately, half this attack is passive and there's no way that can be detected. And the transmitting portion, if targeted, really has a low probability of being detected. So in some of the recent statements, some of the users get this way rather than addressing the actual issue at hand. In my experience, these vulnerabilities are always discovered one way or another. And it's better to get them addressed sooner than later. Last year, I disclosed a bug to Grindr about being able to track their users through their mobile dating app, and they said it wasn't an issue and didn't patch it. Six months later, the Egyptian police got a hold of that bug through other channels and began using it to arrest gay men in Egypt. You know, we're able to make these systems a lot safer for the end users. So I sincerely hope that Globalstar is serious about their statement addressing these issues, and I hope other manufacturers are paying attention as well. But I'm really looking forward to seeing the solutions, or seeing what solutions come out of the community. Bottom line, there's still a lot of work to be done. I'm releasing my code on GitHub later. Apologies, I don't have it up yet. It's been kind of crazy here at Google. I'd love to collaborate on improving this whole system, maybe intercepting data on the downlink. So if you guys are interested, let's work on this together. I have a feeling we're only at the tip of the iceberg of seeing where this thing is used. So we're going to start seeing a lot of interesting things fall out.
So if you're interested, help out. You know, in conclusion, I still believe Globalstar makes a good product. But there's a couple takeaways. Remember that once the system is implemented, it's not really patchable, or not easily patchable. A lot of the devices don't support firmware upgrades, or they're so far out in the boonies that it's not realistic. So the best thing to do going forward is to add a layer of encryption on top of this existing protocol. And remember that obscurity is not security. Spread spectrum alone won't protect your data. And if consumers just assume someone can snoop on your data and act accordingly, I think it's security. And if not, demand to know how your data is being transmitted and whether it's encrypted. If not, how so? So big thanks to the interns over there for helping out with testing and code optimization. Yeah. Thanks, guys. And then to SINAC as well for funding this different crazy research. But, yeah, the code will be live later. Hit me up if it doesn't come up. Feel free to email me, tweet me. I'm always happy to talk. So thanks for coming out. Questions, comments? We got five minutes.

Audience: Can we use the bent pipe to tunnel information, or like, you know, from one location to another, sneak in some information?

Colby Moore: Are you saying, yeah, can we use the bent pipe to send other information? Yeah. That's a great question and you certainly can. I don't recommend it. But there's nothing, I mean, someone probably is. You have to say, yeah, it really repeats anything it hears on that 1.6 gigahertz range and beams it back down on about 7 gigahertz, so you can build your own receiver and use your own personal satellite network.

Audience: So, like, does it need to be on a particular protocol, or like a packet structure, or does it transmit anything that it receives?

Colby Moore: I'm sorry, I missed that.

Audience: Like, does it need to be encoded in a specific format?

Colby Moore: So the data is a repeater. So it would probably need to be some sort of spread spectrum in order to get it over that distance, but you could use a model very similar to what they're doing here. Thank you. Anyone else? Feel free to come up after. Cool, thanks guys. Appreciate it. Thank you.
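The two points the talk closes on, that anyone holding the PN sequence can despread the simplex data and that a cloned ESN is indistinguishable from the real device unless a cryptographic layer is added on top, can be shown in a small simulation. This is an added example and not the speaker's code or Globalstar's protocol: the 16-chip PN sequence, the 12-byte frame layout (ESN plus fixed-point latitude and longitude), the truncated HMAC-SHA256 tag and the per-device key are all constructed for illustration.

```python
import hashlib
import hmac
import random

# Constructed 16-chip PN sequence for illustration only; a real system uses far longer codes.
PN = [1, -1, 1, 1, -1, -1, 1, -1, -1, 1, 1, -1, 1, -1, -1, 1]
TAG_LEN = 8  # truncated HMAC-SHA256 tag appended to the 12-byte body (constructed layout)

def spread(bits):
    """DSSS spreading: each data bit becomes +1/-1 and multiplies the whole PN sequence."""
    return [(1 if b else -1) * c for b in bits for c in PN]

def despread(chips):
    """Correlate each chip block with PN; the sign of the sum recovers the bit despite noise."""
    n = len(PN)
    return [int(sum(x * c for x, c in zip(chips[i:i + n], PN)) > 0) for i in range(0, len(chips), n)]

def bytes_to_bits(data):
    return [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]
def bits_to_bytes(bits):
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, len(bits), 8))

def build_frame(esn, lat, lon, key):
    """Body: 4-byte ESN + fixed-point lat/lon; tag: truncated HMAC-SHA256 with a per-device key."""
    body = (esn.to_bytes(4, "big") + round(lat * 1e4).to_bytes(4, "big", signed=True)
            + round(lon * 1e4).to_bytes(4, "big", signed=True))
    return body + hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]

def parse_frame(frame, key=None):
    """Decode the body; with a key, reject frames whose tag does not verify (cloned ESN, no key)."""
    body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
    if key and not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN], tag):
        return None
    esn, lat, lon = body[:4], body[4:8], body[8:12]
    return (int.from_bytes(esn, "big"), int.from_bytes(lat, "big", signed=True) / 1e4,
            int.from_bytes(lon, "big", signed=True) / 1e4)

def demo(seed=1, sigma=0.8):
    key = b"per-device-secret-key"  # constructed; in practice provisioned out of band per device
    legit = build_frame(0x0A1B2C3D, 37.2431, -115.7930, key)
    rng = random.Random(seed)  # spread, add Gaussian channel noise, despread with the same PN
    received = bits_to_bytes(despread([c + rng.gauss(0, sigma) for c in spread(bytes_to_bits(legit))]))
    spoofed = build_frame(0x0A1B2C3D, 36.1699, -115.1398, b"wrong-key")  # cloned ESN, unknown key
    return {"despread_ok": received == legit,               # the PN sequence alone recovers every bit
            "readable_without_key": parse_frame(received),  # so anyone holding it reads ESN and position
            "legit_verifies": parse_frame(received, key) is not None,
            "spoof_rejected": parse_frame(spoofed, key) is None}
```

The despread frame is fully readable without any key, which is the "obscurity is not security" point; only the added tag lets a receiver tell the real device from a clone that knows its ESN.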