So, thank you, and thank you all for showing up. My name is Paza Mayiri and I'll speak about trolling the weather.

First, allow me to introduce myself. I'm a system engineer. I have a master's degree in electro-optical engineering. I worked for 14 years in the aerospace industry as a system engineer and team leader. I have six years of experience with communication systems design. I launched two weather balloons with elementary school pupils, which will become relevant in a few slides. I'm a former DEF CON speaker, at DEF CON 29, and I gave a talk at BSides TLV this year. It's been a very good year.

Why trolling the weather, and where did it all start? Well, it all started when I read an article about a country that's been trying to launch a satellite into space and is suffering from a string of failures. And it kind of amused me, because I thought about all the engineers and all the generals who are sure that someone is probably sabotaging their work. Because if you remember the quote from the old James Bond book: once is happenstance, twice is coincidence, but three times is enemy action. And it kind of amused me for a couple of hours, thinking about everyone in that country thinking there's some James Bond character driving around in their country, sabotaging the work repeatedly, and he's doing it all alone and he's a superhero, or whatever James Bond resembles to you. And after being in my James Bond mood for a couple of hours, I started wondering: can I stop a satellite launch? Can I cause it to fail after liftoff? And can I do it on my own? And it quite amazed me when, after a couple of hours, I realized that the answer is yes, and it's not that hard, because all I need to do is just control the weather. And this is a very hard claim, because nobody can control the weather. The weather is the weather and we are who we are, and we cannot do anything to influence the weather; we can hardly do anything to influence the weather. But we have a very good relationship with the weather.
We are sampling the weather in numerous ways. We are gathering the data, we're analyzing the data, and we are building models of the weather, and we call it weather forecasts. And we are using the information to decide: should we operate this airfield? Should we launch this satellite? So if you have the ability to influence the data stream which goes into the databases, you have a powerful tool to influence decisions.

You have to understand why there is a strong relationship between air vehicles and the weather. There is no all-weather air vehicle. All air vehicles are limited by a certain weather envelope that guided their design, and nothing can fly in any terms and at any time. You've probably all seen, at one time or the other, the headline "launch delayed due to weather conditions". In the most simple way you can see it by thinking about, for example, lightning. It can cause electrical damage to an aircraft, it can cause structural damage to an aircraft, and the same with hail. Rain can freeze over control surfaces or the wings and cause the aircraft to stall and fall from the sky.

My work is built around an interesting fact: there are high winds, high turbulences in the air, that you cannot see by any regular means. For example, it is not tied to a dry or rainy day or to thunderstorms; you can have a perfect sky, everything looks great, but you have a very dangerous turbulence out there, and it can cause damage to aircraft that will try to pass through it. And the way to measure these high winds is with a weather balloon. So here you can see a weather balloon in the picture. On the upper side you can see the balloon itself. It's partially filled with helium, and the higher it gets the more it is getting filled with helium, because the external pressure drops. On the lower side, the small box that you see is the instrumentation that does all the measurements, gathers the information, processes part of the information and transmits it to the ground. And in the middle you can
see a parachute, because when the balloon pops, around a hundred thousand feet up in the air, everything starts to fall down, and you don't want to get hit on your head by a radiosonde, which is the name of the instrumentation. Therefore they are attaching a small parachute that will slow it down, so when you get hit on your head, it won't kill you.

I quoted here from an article that was written by Ian Dudley from the Vandenberg Space Force Base. He wrote a very good article describing the relationship between the activity at Vandenberg and the weather balloon operations, and it was very good for me as an attacker to understand how it works and to design my attack. Here you can see a launching station. There are about a thousand like this, scattered all over the world, and if you think about it, one thousand is not that big a number: if you want to really influence, then you can gather a thousand people and do a lot of damage to the world. Each site is launching usually two balloons per day; some of them are launching more. And as you can see, they're checking the radiosonde in the hangar, inflating the balloon inside the hangar, tying them both up together, doing final tests, going out of the hangar, releasing the balloon, and the balloon flies off. The reception station is usually located there and starts receiving the data from the weather balloon.

Here are some more quotes from a senior meteorologist at Vandenberg. He's saying that the data goes directly into the databases and the national weather models, which is great for me as an attacker: if I know that it will go directly into the computers, then it's a big success if I can insert my data there. Another important thing to remember is that, depending on the satellite launch, they are releasing between five and fifteen balloons to get much more accurate and updated data of the high winds. And he's saying that the upper balloon support is
critical to Vandenberg's activity. You've all seen the movies: eventually, before a launch, there are about 30 people sitting next to each other, and everyone has to say that the launch is a go for their system. The weather is one of the considerations, and there's a weather officer there, and he needs to raise his thumb, and he's doing it according to the information that he's getting. So if you can insert falsified data into the system that will show him that the weather is great, but the weather is not great, then he will approve the launch and the launch might fail. Or if you can manipulate the data and cause him to believe that the weather is not okay, even though it is okay, then he will not approve the launch, and the launch will be delayed, and millions of dollars go to waste.

And to make it more interesting, you're probably thinking: okay, Vandenberg is, we hope, a very secured base, and let's see you trying to attack it and not getting caught. But NASA is giving more information, and NASA is demanding that for manned missions you have not only to have good weather above the launch site, but also in the down range. And it means a lot of stations around the down range need to raise their thumb and say, listen, the weather here is great to do the launch. So if you are intimidated by attacking a Space Force base, then you might not be intimidated by attacking such a civil hangar with a simple reception station that nobody guards.

Okay, so I have malicious intentions and I want to inject data into the system, and I want to do it on a radiosonde, so I need to pick the radiosonde that I'm going to emulate or attack. Here you can see a list of the most common radiosondes, and you can see that the Vaisala RS41 holds 30% of the market. So I said to myself, okay, this is my target. The basics of the RS41 transmission frame are presented here.
There are several sub-models of the RS41. The most common are the RS41-SG and the SGP; the SGP has a pressure sensor on it, the SG does not. The basic frame has 320 bytes divided into blocks; I'll go over the blocks in the next slide. They use data whitening to make the data noisier when it is being transmitted to the ground, so the reception equipment will have an easier time decoding the data. The endianness is little-endian, bitwise and bytewise, and there are two layers of error detection and error correction: each block is protected with CRC-16, and the entire frame is protected with the Reed-Solomon algorithm.

Here you can see the bytes of the frame. Inside the frame, the first bytes are the header bytes, then come the forward error correction bytes, then one byte for the frame type, and then come the blocks. The first block is 79, and it is the status block. It holds a lot of general information, such as serial numbers, board temperature, control data and so on, and also subframes, which I will mention in the next slide. The next block is 7a, which holds the measurements that the radiosonde is taking from the air. And then there are three GPS blocks. The first block is GPS information; it holds time and the number of space vehicles and the quality of reception of each space vehicle. Block 7b holds the raw data, the relative velocity and distance of the radiosonde from the GPS space vehicles. And the third block is the positioning: you have there position and velocity and the number of satellites that are being used for the position calculations, and the accuracy of both velocity and position, and so on. The most interesting block is the last block, 76. It's an empty block. All of the bytes are zero except for the two CRC-16 bytes. Why they have it,
I don't know. And as I mentioned, the status block also holds subframes. There are 51 subframes, 16 bytes each, and there's a lot more general information: serial numbers, board type, calibration data and so on.

Here are the RS41 RF properties. It transmits at around 406 megahertz, the output power is 18 dBm, and the modulation is GFSK. It's very easy to receive the transmissions: all you need to have is an RTL-SDR and an antenna, and you can pick up signals from very far away. And it's nice: there are thousands of people all around the world who built such stations in their home, and they are looking at the decoded data and also transmitting the data to public databases, where they are gathering the data and giving the public access to that data. It's a great community. They are tracking the radiosondes, and what they're mostly doing is tracking the radiosonde as it falls down, going with their car, picking it up, and getting a free STM32 evaluation board falling out of the sky.

So I have malicious intentions, and I have my target. The first thing that I can do is a jamming attack. When you want to do a jamming attack, you take a powerful transmitter and you transmit the jamming signals. My weapon of choice was the Heltec Automation LoRa Node 151. I just searched for a transmitter, and then the name Heltec popped up, and I said, oh my god, this is a sign, I have to use this board. And so I used it. It has a very good LoRa chip, it has a very good microcontroller, it transmits 20 dBm, which is great for my work, it carries its own battery, a lithium battery, it costs $20 on eBay and it weighs 25 grams, which is also great, and I will talk about it in the next slide.

Okay, so let's see how it looks. Hope this will work. Yeah. On the right side, you can see the RS41 emulation equipment. It is transmitting log files.
This is the reception equipment on the left, the RTL-SDR and the computer, and in the middle you can see the little board which will be used for jamming. Now I start the radiosonde emulation. It goes to an old log file that I have, gets a message and transmits it, and gets another message and transmits it, in a cyclic manner. Here you can see the transmission on the RF level, and here you can see the decoding software. This is what the operator sees. In the middle you can see the radiosonde position and velocity. On the left you can see some general information, like the radiosonde ID. Here you can see the GPS time and the state of the space vehicles reception, and this is the status of the subframes reception. These are the measurements that the radiosonde is taking, and this is the GPS navigation data. The decoding software is getting the information over the computer audio from the RTL-SDR, so you can record the raw data, as you can see here, and if we zoom in, we'll see these are the preamble bits followed by the data bits inside the message.

Okay, so now that we have a working RF path, let's add some jamming. Here you can see, at the RF level, the old transmission, the radiosonde transmission, versus the jammer, and when you record it and look at the audio, it's a mess. You can see here the jamming signal.
It's a very simple signal, transmitted half of the time. And here you can see it being mixed with the radiosonde, and it's unrecoverable, and of course we have no decoding. Remember that it weighs 25 grams, so you can tie it to a birthday balloon and get it up in the air to follow the radiosonde, and they will both fly together and be so happy, and the poor people on the ground will be so sad, because you are not only attacking the local reception station, but now you are attacking all of the reception stations across the way. The US National Weather Service is supporting 102 sites, each launching two balloons at a precise time, twice a day. What will happen if 50 people decide to jam the signals? It will be very bad, because professionals say that it will really lead to errors in the weather models and forecasts. Okay, so this was one example of how you can harm or troll the weather.

Speaking about the message decoding: I mentioned earlier that there are thousands of people around the world supporting the radiosonde tracking community, and they developed a lot of tools and they studied many models. Most of the models that you've seen in the list can already be decoded by their software, and they wrote a lot of tools to receive, decode and process. When I wrote my work, it was based on their work; I'm standing here on the shoulders of giants, and these are the giants.

What I've developed is a simulation framework. On the right side, you can see the transmission part; on the left side, you can see the reception part. In the middle of the transmission part you can see a Python-coded simulation script.
This is the heart of the RS41 emulation. It can get updated GPS satellite data from a file that it downloads from the internet, it can use RS41 log files, and it can manipulate the data using the simulation framework I wrote, which gives the script writer a lot of operations to manipulate the data, to create frames, to create blocks, and so on. The script can either send the data directly to the decoding software, if it is installed on the same computer, or it can transmit the data with the radio transmitter to an RTL-SDR receiver and from there to the decoding software.

The framework has four libraries: one is for block-level operations, one is for subframe operations, and one is for manipulative functions. For example, if I want to falsify the position and velocity, then I can enter the position and velocity into a function that will create the three GPS blocks, and if I transmit the three GPS blocks, the receiver will believe that the data is updated and is active right now. And the fourth library is general simulation functions, such as reading log files, using log files, and so on.

When generating messages with the framework, you can either synthesize complete frames and subframes, but it's very hard, because it requires you to have a behavior model for each measurement, and you have to remember that most of the measurements are tied together. So it's very hard to build your own weather emulator inside your computer, but it's possible; the framework will not stop you from doing it. A more simple way is to take a log file from an old flight, it could be a year old, two years old or last week, and retransmit the data but manipulate the data, for example replacing all of the serial numbers with a new serial number, or updating the GPS data so that it will not be a year old but looks like it's a present, live GPS reception right now. It's a much easier path, and this is the one I used. So now that I have
malicious intentions, and I have the means, I can do some spoofing. To do some spoofing, all you need is a powerful transmitter, and the technique is this one. You receive all of the subframes from the radiosonde that is flying right now in the air, and then you prepare for spoofing: you set up your transmitter and everything, and then you jam the receiver. This is done because it is very hard to adapt all of the data at the same rates, at the same offsets, from one frame to the other, from the radiosonde frame I just got to the frames that I already have from the log file. So to mitigate it, I'm jamming the receiver for a few seconds, raising the data uncertainty, and then I'm starting to spoof the data. The operator will see that it lost the link for a few seconds and then the link returned and he has good data, everything is great. And I transmit all of the spoofed data, and then I'm doing the same thing again: I'm jamming the signal, raising the data uncertainty. And you have to remember that this is much more difficult, because while I'm spoofing the messages with recorded messages, the radiosonde is doing something, and I usually cannot anticipate what exactly it is doing. So again,
I need to mitigate between my falsified data and the radiosonde data, and the jamming does that very well. And then I stop, and that's it: my data is inserted into the databases.

It works because of the signal-to-noise ratio. You make the receiver believe that the strong, healthy signal that it is picking up is the main signal, while you are transmitting it with the spoofing transmitter, and you want the receiver to experience the low signal from the radiosonde as noise that is interfering with the main signal. And to do so, you have some signal-to-noise rules of thumb, numbers here. For example, if they are both transmitting at the same power, you get jamming and not spoofing, but if you get a 25 dB margin between the two, or more, then the receiver will accept the signal as a good, valid signal and will be fooled by the spoofing transmitter. To get this margin, you need to be familiar with the free-space path loss versus distance. When the radiosonde leaves the station and drifts away, the power at the receiver drops very quickly, and if you are close to the receiver and the radiosonde is far enough from the receiver, then you'll get the margin that you need.

Regarding the signal-to-noise ratio: if you cannot get close enough to the reception station, then you can do several things to get the power up at the reception station. One is to use a directional antenna and concentrate all of the power on the reception antenna. Another way is to use a power amplifier, which is simple, but it works. And if there's something between you and the station, then you can elevate the transmitter, as I showed earlier, with a balloon, a kite, a drone or whatever you have.

Okay, so let's see how spoofing is being done. This is the RS41 log file transmitter, this is the spoofing transmitter, and again the reception equipment. Now I'm starting spoofing.
No, sorry, starting emulating the RS41. Again, you see here the decoding software after a few hours of receiving the RS41 transmissions, and the trigger for the spoofing attack will be when it reaches 20 kilometers. Now you can see the jamming, jamming, and now spoofed data. This data is based on an old log file, and I offset all of the required parameters so it will look very smooth. Now you get jamming, jamming, jamming again, and the spoofing stops, and you can see here a small jump in position. This is what I talked about regarding raising the data uncertainty level: the operator looks at it and says, okay, I lost a few packets, seems to be fine.

In this simulation I added two things. One, I changed the temperature and the pressure while spoofing. And the second thing is that the entire simulation and the decoding are run on the same computer; I'm using the audio link as the transmission medium. You can see here that the temperature and the pressure are changing a bit; it's hard to see, but in a minute you'll see the effect. This is what the weather officer will get: he will get the graph of pressure versus temperature, and I created a circle inside the graph. Now he is looking at the circle, and his superior is asking, can we launch? And he doesn't know what to do.
I wanted to give you a sense of how difficult it is to write such a script, so here are the main bullets to build such a script. This script, for example, takes all the data that was recorded on one site, and it will change all of the serial numbers and IDs in the transmission, and it will also offset the position of the radiosonde, and it will make it look as if there is an active radiosonde flying right now somewhere, even though it's not. To build such a script you need to define the new serial numbers, like these, and so on; define the position offset; read updated GPS satellite data from the internet, because you want to emulate a flight that is flying right now; read the log file, read the data that you want to use for a transmission; set up the RF transmitter and/or the audio stream; and initiate the transmission thread that will transmit the data upon an event. Then the script will initiate a transmission loop. In the transmission loop, it loads a message from a log file, it recovers the data with the forward error correction, it updates the ID, serial numbers and so on, and then it calculates an updated new CRC for the status block, because that's where this data is stored. After that, it extracts the GPS position block data, it offsets the balloon position, and it recalculates the three GPS blocks to make it look as if the flight is occurring right now. Then it prepares the data for transmission, it waits for a time event, and it triggers the transmission thread, and the data is transmitted. This is how it looks: on the upper side, you can see the original flight, done somewhere in the US, and on the lower side, you can see the spoofed flight, emulating a flight of a radiosonde above the Pentagon.
I wonder how they look at it. Okay, mentioning the Pentagon: the RS41 also has a military model, which is called SGM. It is intended for military use; the word "intended" is right there, and we'll speak about it in a minute. It has two features. One is radio silence: it will remain silent until a certain time or a certain height. And the other feature is data encryption. Regarding the radio silence, it's because the manufacturer is claiming that if you use radio silence, the enemy will have a hard time understanding where the balloon was launched from. It's not really military, in the sense that most of the properties were not changed: they're still using the same civil frequency band, they are still using the same properties, modulation, bitrate and so on, and they're still using the same framing method. So each person who is receiving other RS41 models will be able to receive the SGM and understand that an SGM is flying right now over my house. And this is not really military, because usually the military is good at hiding things, not declaring up in the air "I'm here, I'm here, I'm operating", and this is very strange. Only the data, the measurement block and the GPS blocks, are encrypted, and as I said, you're still very aware that the military is operating here. Another thing which is not so military is that the encryption is not always activated. When you are monitoring these flights of the SGM around the world, you can see that in many cases it is not active. I don't know why; it's very strange, because the military usually believes in doing the same thing over and over and over, so the soldier will be prepared for war. And what's funny is that when it is not encrypted, it's the same frame as the RS41-SG, but it identifies itself as the SGM. So you still know that the army is operating here right now. Now, why?
The claim that the radiosonde transmission will not reveal the balloon launch location is very funny, for me at least, because when I launched the two weather balloons with the elementary school pupils, we downloaded software from the internet that can analyze the position of the radiosonde and, according to wind models, predict where it will fall to the ground, and it gave us very good results in both cases. And it's funny, because you can do it the other way around: if you have the wind models and you know the position right now, you can make a very good assessment of where it was launched from and send your troops there. One last thing, which I mentioned earlier: at Vandenberg they are launching a lot of balloons before they are launching a satellite. It means that if you are monitoring the Air Force base next to your house and you see that they are launching twice a day, as they should, and suddenly they are launching a string of radiosondes, then you know that they are up to something, even if the data is encrypted. You still know that the army is probably about to launch.

For those who are looking at coping with spoofing, which is important: I don't think encryption is the way, because key management is a headache. Most of the launching organizations are not military at all, and they are not prepared to start managing keys and hiding information from each other and synchronizing reception sites and so on. Using encryption requires significant upgrades, and it most likely won't be welcomed by most of the customers. And it's bad for the radiosonde community, because they want to get the data, and the data is not secret. The radiosonde launch is publicly funded, so why can't the public get their antennas out of the windows and receive the data? It's not secret.
I think that what should be done is to authenticate the messages. There are so many methods to authenticate messages. You can take the existing messages and add authentication tags; for example, in the case of the RS41, perhaps find a good use for the empty block and add an authentication block instead of the empty block. Customers who are not interested in using authentication will not use the authentication, and the community can keep doing what they're doing. It is most important to understand that the authentication can be done offline; you don't have to do it online. And it's a potential business model: the manufacturer of the radiosonde can offer a service: if you are suspecting that the last flight was perhaps spoofed, then send me the log file, I will check it and I will tell you if it was spoofed or not, and I will charge. So it's a business model.

When I developed the framework, and it was a lot of work, I at first started to use it in investigating and understanding the decoding software, different decoding software and different models, different operating systems and so on. And when I finished it, I realized that it's a very good tool to examine this software, develop the software, test these softwares, and so I decided to upload all of my code to this link; it will be uploaded after the talk. And that's it. Thank you very much. There are some references here, and if you have any questions, I'll be here for the next couple of minutes. Thank you.
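The authentication proposal above, as an added example that is not code from the talk, the speaker's framework or Vaisala: a toy RS41-style frame of CRC-16-protected blocks in which the otherwise empty block carries a truncated HMAC, plus the offline audit over a recorded log that the speaker describes, which flags a frame whose position block was edited and re-CRC'd the way the talk's replay script does. The block layout (type byte, length byte, payload, CRC-16), the CRC parameters, the GPS position block ID 0x7D and the tag length are assumptions of this example.

```python
# Added example, not from the talk or the speaker's framework. Toy RS41-style
# frame: blocks of [type, length, payload, CRC-16], with the otherwise empty
# block 0x76 carrying a truncated HMAC so a recorded flight can be audited offline.
import hashlib
import hmac
import struct

# Block IDs 0x79 (status), 0x7A (measurements) and 0x76 (empty) are from the talk;
# 0x7D for the GPS position block and the 16-byte tag length are assumptions.
BLK_STATUS, BLK_MEAS, BLK_GPSPOS, BLK_AUTH = 0x79, 0x7A, 0x7D, 0x76
TAG_LEN = 16  # truncated HMAC-SHA256, sized to fit a small block

def crc16(data: bytes) -> int:
    """CRC-16 with polynomial 0x1021 and init 0xFFFF (assumed parameters)."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021) if crc & 0x8000 else (crc << 1)
            crc &= 0xFFFF
    return crc

def encode_block(btype: int, payload: bytes) -> bytes:
    """One block: type, length, payload, little-endian CRC-16 over the payload."""
    return bytes([btype, len(payload)]) + payload + struct.pack("<H", crc16(payload))

def decode_blocks(frame: bytes) -> dict:
    """Split a frame into {block type: payload}; a bad block CRC raises ValueError."""
    blocks, pos = {}, 0
    while pos < len(frame):
        btype, blen = frame[pos], frame[pos + 1]
        payload = frame[pos + 2 : pos + 2 + blen]
        (stored,) = struct.unpack("<H", frame[pos + 2 + blen : pos + 4 + blen])
        if crc16(payload) != stored:
            raise ValueError(f"bad CRC in block {btype:#x}")
        blocks[btype] = payload
        pos += 4 + blen
    return blocks

def auth_tag(key: bytes, blocks: dict) -> bytes:
    """Keyed tag over every block except the auth block itself, in type order."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    for btype in sorted(b for b in blocks if b != BLK_AUTH):
        mac.update(bytes([btype, len(blocks[btype])]) + blocks[btype])
    return mac.digest()[:TAG_LEN]

def assemble(blocks: dict) -> bytes:
    return b"".join(encode_block(t, blocks[t]) for t in sorted(blocks))

def build_frame(key: bytes, serial: str, lat: float, lon: float, alt: float, temp: float) -> bytes:
    """Sonde side: fill the blocks and put the tag where the zero block used to be."""
    blocks = {
        BLK_STATUS: serial.encode().ljust(8, b"\0"),
        BLK_MEAS: struct.pack("<f", temp),
        BLK_GPSPOS: struct.pack("<fff", lat, lon, alt),
    }
    blocks[BLK_AUTH] = auth_tag(key, blocks)
    return assemble(blocks)

def verify_frame(key: bytes, frame: bytes) -> bool:
    """Receiver or offline auditor: every block CRC is valid and the tag matches the key."""
    blocks = decode_blocks(frame)
    return hmac.compare_digest(blocks.get(BLK_AUTH, b""), auth_tag(key, blocks))

def shifted_position(frame: bytes, dlat: float, dlon: float) -> bytes:
    """Simulated tampering for the audit: offset the position and re-CRC the block only."""
    blocks = decode_blocks(frame)
    lat, lon, alt = struct.unpack("<fff", blocks[BLK_GPSPOS])
    blocks[BLK_GPSPOS] = struct.pack("<fff", lat + dlat, lon + dlon, alt)
    return assemble(blocks)

def audit_log(key: bytes, frames: list) -> list:
    """Offline check of a recorded flight: indices of frames that fail authentication."""
    return [i for i, frame in enumerate(frames) if not verify_frame(key, frame)]

# Constructed sample flight: four genuine frames, the third one edited in transit.
KEY = b"constructed-demo-key"
GENUINE = [build_frame(KEY, "S1234567", 34.7 + 0.01 * i, -120.6, 1000.0 * i, 15.0 - i)
           for i in range(4)]
RECORDED = GENUINE[:2] + [shifted_position(GENUINE[2], 0.5, 0.0)] + GENUINE[3:]

if __name__ == "__main__":
    print("frames failing authentication:", audit_log(KEY, RECORDED))  # [2]
```

The edited frame still passes every block CRC, which is the point: a CRC only detects channel errors, so an operator or auditor needs a keyed tag to tell a replayed-and-edited log from a genuine flight.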