There will be no live demonstration, so I can relax. Apparently there's no interweb thing here. There's a hacker in town or something that's broken. So I can't give you a live demo, but hopefully that won't matter.

Okay, so who am I? My name's Major Malfunction. As a few of you will know, I'm a goon here. I've been here for a few years. I do a lot of open source research and development and try and publish pretty much everything I do, stuff that won't get me whacked. And stuff that will, but we'll talk about some of that later. Currently obsessed with RFID. I've done a lot of stuff on Bluetooth. I really do strongly believe in full disclosure. I do describe myself as a hacker. It's a great line at parties and things. "What do you do?" "I'm a hacker." "Really? Isn't that illegal?" But yeah, I'm a white hat hacker. Always have been. So I don't know how many gray hats there are in here. But those times are over when we were being, or they were being, oops, when they were being recruited. And yeah, freelance research, training. I'm completely independent, so if you want to help me put my kids through college, come and see me afterwards.

Okay, why am I talking about satellites now? I saw a talk a couple of years ago at Hack in the Box by Jim Geovedi, and I'm not even going to try and pronounce that other name, called Hacking a Bird in the Sky. Did anyone see that? No? Okay, look it up on Google Video or YouTube. Basically, these guys hacked a VSAT and were getting IP over the satellite. And they put together a really cool video with background music and stuff. It was really good. And one of the things he said during the talk was, this is really old technology and it's been around for a long time. People must have been doing stuff in this field. So he encouraged anyone who's been doing work on satellite stuff to come out and talk about it. So I like old school stuff and I talk about old school stuff fairly often. And satellite's pretty damn old school.
So I started playing with satellite stuff in the 90s. So I thought, okay, that was a call to arms. I'll present my stuff. Why did it take so long? It's 10 years I've been doing this. So why has it taken me so long to talk about it? Trouble with satellite: you start off with really good intentions and you're going to spend the whole night looking for interesting data feeds or something, and you start scanning, and then suddenly there's boobies. And you're just like, fuck, that's my night gone now. So 10 years to get a month's worth of work done. So that's basically it. That's why. Anyway, in the last three days before the conference, I crammed it all together and I'm going to present what I found.

So what I'm really talking about, feeding my sat monkey, is looking for feeds. So feed hunting. Anyone here understand what I mean by feed hunting? Okay, quite a few of you have done it. Basically feed hunting is looking for interesting stuff that's coming down from satellite. So I'm not talking about breaking into the satellite and maybe knocking them off trajectory and knocking out a Chinese one or a Russian one or a Georgian one, depending who I'm working for. What I'm looking at is what's coming down off the satellite. And basically, traditional feed hunting was looking for free content. So again, it's not about hacking the encrypted channels. What we're looking for is opportunistic capture of interesting stuff, whether it's video or data or whatever. And the way feed hunting works is like tuning a TV in a hotel room where you're looking for all the interesting channels. Basically, you're doing the same thing but for satellites. So you've not only got all the channels on one feed, you've got multiple satellites. You've got to scan all those satellites and all the frequencies and look for something interesting. And it takes a long time and it's really tedious and you find a lot of uninteresting crap and it's really difficult to keep track of.
And so what people do is they start posting it onto forums and mailing lists and websites and so on. And they get out of date and it's difficult to know who's got interesting content. You get into that whole web link thing where you find something that looks interesting but it takes you to another site that tells you about another site that tells you about another site and so on. So I found it not very useful. And really it's poking in the dark. So you find these sites, and here's a list of various feed sites where these people are all dedicated to this hobby of feed hunting. So from here you can link on to some other places. So here's one where they actually show you where the satellites are positioned in the sky and what their footprints are and stuff like that. So if you're interested in a particular bird you can go and look and see what the coverage might be. And then you get stuff like this where you've actually got someone posting information about a particular feed they found or a particular transponder they found. And so there's some details in here. You've got the name of the channel. You've got which transponder, frequency and so on and so on. So if you think that's interesting you can go and tune in. But typically this stuff goes out of date really quickly. So instead of looking at tuning snow on your screen and tuning your channels, you will have spent all day looking at websites and finding stuff to look at, and you get there and there's nothing there. So that can be pretty dull. And occasionally you find some picture or some image or something interesting. So I thought there must be a better way of doing this. There must be some way of sorting this data and extracting the goodness out of all of this crap. And again, those of you who have seen my talks previously know I quite often bang on about visualization.
So I really like to visualize my problems and try and use the visual processing power of the human brain to extract useful information. We do it really quickly without even thinking about it. So you know, you recognize food and danger and friends and enemies and boobies and, yeah. And it just happens without you having to think about it. So I thought, okay, how can I tap into that and get some useful information out of all of this data?

So this is actually something my brother and I did ten years ago, and we came up with this representation scheme. So this is a scan of the sky. I don't know how well it shows. Can you see that well at the back there? Is the contrast okay? See some red blobs on the black? Okay, so basically what this is is a map of the sky. And what we have along the bottom is the angle that I'm pointing my dish at. Actually these are just stop numbers on the steerable dish. So basically here I'm pointing to the east, as far as my dish will steer to the east, and over here I'm pointing to the west. And then this axis is frequency. So I'm scanning from 10.7 gigahertz up to 13 gigahertz. And basically what I do is I just step the motor, scan all the frequencies, draw a dot. And the dot represents the signal that I've just seen. If there's no data at all it's a black dot. If there's some data but there's no discernible image coming off it, so I can't discern what it is, if it's PAL or NTSC or whatever, then it's a white dot. And if I get a good signal that I can lock onto then it's a red dot. So you just do that. You scan the frequencies, step, scan, step, scan, step, scan. And eventually you've built up this nice picture of the sky. And to me when I looked at that it's like, fantastic. I instantly get a huge amount of information from that. It just jumps out of the screen at you, exactly what I'm trying to do, which is find interesting stuff.
So for example, this big blob here: what you've got here is a lot of frequencies that are active on a single satellite. So it's stationary, we've got a whole load of frequencies that are big and blobby and easy to tune into. So that's a consumer satellite with a whole bunch of channels on it. And this is actually Astra. So in the UK our main satellite feed is Astra. And then we've got another commercial one here and that's probably Hotbird. And then over here we've got some others with fewer channels on but still quite densely populated. But over here we've got a really tight little signal all on its own. I've got to zoom in for those that can't see it. So I'm talking about that dot. So if you've got a really tight little signal on a satellite all on its own and there's no other frequencies, that might be interesting, don't you think? Yeah? So immediately I hit pay dirt. Okay, I can get really useful stuff out of this.

So the other thing I found I could do was time travel. I've always wanted to time travel. I don't know about you, probably a lot of you have too. But yeah, time travel is really useful. So with time traveling what we're doing is we're doing the scan and then we do it again and then we compare the two. So again, I hope you can see this. Maybe not. If you look really closely at this little group here. So as I flick between day one and day two you see a couple of blobs appearing. Can you see that? No? Damn it. Okay, imagine this is the thing. Blob? No blob. See, I can't even coordinate. Let's try again. Blob? No blob. Someone else come up and do this talk for me. Okay, so basically what I'm seeing up here, and it's really cool by the way, is two little blobs appear that weren't there yesterday. So what that means is those two frequencies have become active when they weren't active yesterday. So again, probably really interesting because that's something new. If it's a new commercial channel then yeah, big deal.
But if it's on a rental satellite, for example, where you actually buy time on the satellite, they only switch the transponders on when they've got something to send, because it costs money to send stuff over there, so it's not doing anything unless it's doing something. So if they suddenly get switched on then that's probably really interesting. And in fact the best example of some stuff we found that way was back when Princess Diana was killed. What happened is a load of journalists from the UK flew over to Paris to cover the story, and then because they never knew quite what was going to happen or when the breaking news was going to come out, they had permanent live satellite feeds going from their hotel rooms, a couple of teams we found going from their hotel rooms back to the UK. So they could sit in the hotel and they could get a phone call and then run out and cover, find out what was going on, and then they'd come back to the hotel, straighten their tie, stand in front of the camera, do their piece to camera, and then they'd sit down. And news crews, they forget about cameras, they've got them around them all day, so they would sit there and they'd be having a cigarette and drinking a coffee and slagging each other off and gossiping about stuff going on in the office. But also news was coming in the whole time, so we'd hear the phone calls, we'd hear one end of the conversation, we'd hear all these little rumors: oh, a guy in a white car was seen doing this. So we were hearing all this stuff way before it hit the news. Really interesting stuff.

The other stuff you find is feeds coming across from, say, the big fight in Vegas. So there's a big fight here, it's going to be pay per view in the UK. What they do is they bounce it across from another satellite, so they'll uplink it to something over here which will then side channel it to something here which will then beam it back down to the base station in the UK, and then they'll edit it and send it over the pay per view feed. So again, if
you can see that spot being lit up the day before the fight then probably that's the feed for the fight, and if you tune into it you'll get the fight for free. So that's traditionally what feed hunters look for, that kind of stuff.

So this was 10 years ago. It was actually really difficult to do this stuff then, apart from the problems of your attention span once you start doing it. But the actual equipment to do it was basically pretty proprietary. There were no open standards for how you do this stuff. It was mostly undocumented. Manufacturers didn't really want to help us figure it out. We had to build special hardware to convert their interfaces to something a PC could talk to and to understand the signals that were being sent back and so on. So it was a real pain, basically. Now we have open standards. We've got DVB cards we can plug directly into a PC. You've got Linux receivers, well, embedded receivers, so the actual boxes you buy, consumer electronics that do satellite, sometimes actually have Linux running under the hood, so you can just shell into the box and do stuff. The box I actually use is called a Dreambox and it's based on the Tuxbox distribution. It's all open source and there are cross compilers you can run on a PC to build the tools to run on these things. Mostly works over a web interface: you go to the web page, you select what program you want to go to, the dish will steer automatically, and you can actually look at the properties of the feeds that you've found directly from the web interface.

So this is typically what the web interface looks like. So you can go and tune into the channels that you want and then you can bring up the actual information about the stream. So in this case I'm looking at a stream that says it's something to do with Ladbrokes. Ladbrokes is a bookmakers' chain, a betting chain, in the UK. So this is Ladbrokes Blackjack, so they're sending some kind of gambling data feed across here. And an interesting field here is supported crypto systems. So we've got Viaccess, we've got Irdeto, we've got Betacrypt, we've got DreamCrypt. Used crypto systems: none. That's handy. Same again: we've got an Open MUX IP gateway, well, that sounds quite interesting. Supported crypto systems: Mediaguard, Viaccess, Irdeto, Conax, Betacrypt, DreamCrypt. Used crypto systems: none. Okay, I think we see a pattern developing here.

So there's this tool called dvbsnoop. dvbsnoop has been described as like Wireshark for DVB. Basically gives you just raw access to the data that's coming in over the card and it'll decode it. The data is divided into things called PIDs, and the PIDs basically divide up the stream so you can multiplex video and data and audio and so on. So you can look for an actual PID that contains the data you're interested in to extract that. So this is what it looks like, it's a little bit blurry, still. Basically I'm just getting signal strength from this screen, and then you start to get stuff like the actual list of PIDs. So here we've got the program map and association tables, conditional access tables and so on. So if you wanted to attack the crypto on a crypto channel you could extract the streams that you need and the keys and so on. Here we start to see some actual data, so we've got service name, so a description of what this channel is. So again you could write code that just goes through and extracts all the channel names and so on. You even get EPG, so electronic program guide, so you actually get a description of the programs that are coming through. And you can get a service name list, so these are all the channels that are running on a single transponder. So I can very quickly step through each of those transponders and get a list of the channels that they're delivering, or on that satellite what all the different transponders are delivering, rather. So I can then marry those up with all the transponder frequencies I've seen, and if I don't get a description then I know again I've got something interesting. So this is a non-commercial channel on this satellite that
maybe I should go and have a look at. And this is where the really interesting stuff comes in. So when you see something with DVB datagram, that's basically IP data. So if we extract just that PID then we get useful data that we can tap into. So here we see MAC addresses going across, IP addresses, so there's a destination IP address and a source IP address, some actual UDP data packets. So here's some update being sent to a box, presumably a firmware or a software update.

So one of my goals when I started writing software for this was to avoid actually writing any code. What I wanted to do was just use the existing interfaces and interface with those. In the end it turned out that actually you can't do arbitrary steering of the dish. You have to actually have the dish configured so it knows about all the frequencies you want to talk to and all the satellites you want to go to. So in the end I had to write a bunch of tools to change the config files on the fly to then allow the other tools to tell the web interface to do the steering. So I've ended up kind of doing a mixture. I've got stuff that runs on the box itself and I've got stuff that runs externally and just talks to the web interface. And you can use, as I said, because it's a Linux box, you can SSH into it and run stuff on there and get the output back to your normal box, and you can run dvbsnoop to see what's going on. You can also set up interfaces directly that take the DVB and feed it into an ether.

Okay, so this is what it would normally look like: I've selected Astra and I've got my channels here. This is what it looks like after I've reconfigured it. So basically I send a bunch of data that reconfigures the box to just say, okay, I don't care what the satellite is, I just want orbit 260, orbit 261 and so on. So that's an actual position in the sky, 26 East in the UK. So I've written a bit of code called DreamMap which I'll be releasing shortly, as always. It's written in Python because I'm a Python geek. Now yes, Python rules, Java
sucks. Actually, you know that film, I'm going to start a holy war now, you know that film Twins, where you take all the evil out of a pair of twins and that goes in one and all the good goes in the other? So if you take C and you take Java and you take all the evil out, sorry, if you take that, well, you get where I'm going with this. So I'm going to get lynched after this talk. I love Python. All other languages are okay. Actually Java is not that bad. I'm starting to learn Java for one of the things that I can't talk about or I'll get whacked, and I'll talk about it later in the ready room if anyone wants to, but not here because I'll get whacked. And it's not that bad. It is a bit like a cross between C and Python, I suppose, in a perverted kind of way.

So what I do: I have a script that talks to the web interface. I grab the URLs and I pull stuff off them, and I'm now creating a 3D model, because I can, because Python is like that. You can just say, oh, I think I want to do 3D, import 3D, and it all goes bling. So this is what it looks like. Similar layout: you've got the frequency and you've got the orbits, but now I've got these pretty blobs instead of a flat graphic. So the idea behind doing the 3D model was actually I can start to use shape as well as color to give me information, and I can fly around in it, and it's cool, and 3D. So you zoom around in it, and actually since I took that snap the new version has writing that goes off backwards behind it like the opening scene of Star Wars, so you can go behind and get more information off that. It's also point and click, so if I see an interesting blob I can just go and click on it and it'll steer the dish and tune to that frequency, and then I can see what's going on. Ultimately I would like to have a little floating TV screen in here so when you click on it it actually beams it onto there, or a window with Wireshark running in it and you see it in there, because then Hollywood will hire me and I'll put my kids through college and all that stuff. As I
said, steer to the satellite and so on. I was going to give you a live demonstration but I'm told, like I said at the beginning, they don't have interweb here, so I'm not going to be able to. But I did take some screenshots like 10 minutes ago before I came in, where I'm friends with the NOC so they give me internet access. So this is an initial dvbsnoop looking for datagrams, and what you get is a number. So that's the ID number of the PID. So 1505 and 1509 are both carrying data on this particular satellite. So you can then tell dvbnet to create an interface that's hooked to that PID, and if you then run ifconfig -a you've actually got a device now with a hardware address and it's sitting there waiting to be on this device. And if I bring it up, so ifconfig dvb0 up, and then have a look at it again, you can see I'm starting to receive packets. So that's actually extracting the TCP data straight off the DVB card, sticking it on an ether for me, and that ether will behave just like any other ether. I can run Wireshark on it, I can create tunnels with it, I can do whatever I want. It's running on the ethernet, and this is raw data coming down off the satellite. And you would not believe what they send over the satellite unencrypted. Thank you. When I was looking, I'm told that there's a law in the UK about intercepting packets that are not meant for you, so I haven't brought any of those packets with me. Okay, it's just these numbers that describe these theoretical packets that you might see on this interface, and in amongst them there may have been some web mail, there was probably some financial data coming from, there was a live stock market ticker feed, basically, well, I saw lots of stock market symbols going by and a bunch of binary that was probably values of things.

Okay, I'm running really early because there should be like a 10-15 minute demo now which I really can't give you because I've got no internet. So I'm going to blame the con. That makes me look good and them look bad. Oh shit,
I'm staff, hang on, that doesn't work. Okay, so yeah, sorry, I just can't do it.

So who came to the opening talk, Joe Grand and his badges? So he kind of threw down a challenge, which he'd also done at Black Hat already, so I was forewarned but not forearmed. He mentioned that he had put some IR stuff into the badges and kind of challenged me to do something with it, since I've spoken on IR before. So I thought I'll have a go. So the Joe Grand DEF CON badge has got a TV-B-Gone in it, which I did mention during my talk. So yesterday I had a day of epic fail trying to get this done. So the first thing I did was try and solve a problem which I really didn't need to solve in order to tackle this, because I thought to develop anything for the badge I would first have to figure out the puzzle that was on it. Has anyone successfully read the 2D barcode, or did you all just go to wired.com? So a few of you. Okay, the way I did it was I took a picture and then I loaded it into the GIMP, converted it to RGB, maximized the contrast, and then my phone, actually my Nokia N95, has a barcode reader on it. Just pointed it at that and bam, it got it straight away. So very cool device, thank you, very cool tool to have on your phone. So I read that, I needed a website which had that silly badge on it and the puzzle, and I was looking at that for a long time. Actually a bunch of us were looking at it until we finally clocked that the B with the American flag on it was a USB. Oh my god. Because I really didn't need to know that, because I already had a USB interface, because we had spotted it was a USB header. So I didn't need to solve that problem, and went to soldering. So I don't see so good anymore because I'm getting old, I'm old school, so I got someone else to solder my USB header on for me, and they basically bricked the badge doing so. So I've got a dead goon badge if anyone wants to trade me afterwards. And in the meantime I've been, I don't know if you've noticed, but there are actually two red badges. Some of them say
staff. So I've been demoted to staff now instead of goon. So this is the one I ended up patching. I then couldn't find the development environment because it wasn't on the CD. There was a bootloader but no actual compiler. The license server, when I did get the compiler, was down, so I couldn't download the license. And then I finally got all that solved and had some working code but couldn't get the bootloader to see the card. So some credits are due for the people that helped me solve all of these problems. So Zac, tactical chip monkey, Franken, who's on next: he basically, he just looks at solder and it melts and flows around contacts, as you'll see in his talk, which I recommend you stay for because it's very, very cool, and I'm going to help him with it. Lost. Lost, oh, you're going to give me etherweb? Okay, excellent, we might have a demo after all. Okay, Lost, who's running the mystery box thing, got me the pre-scaled development CD, which it turned out I could have just downloaded from the website later. That saved me a lot of time. The hardware hacking village: there was a guy in there who had copied the license file off Joe Grand at some point and he gave me that. And Sean Hillmire, who spent a couple of hours with me last night figuring out how to get the damn thing into bootloader mode. Anyone here actually trying to program it? How many of you have succeeded? One. Excellent. It was hard. Shouldn't be that hard, but then I suppose that's the challenge.

Okay, so I thought I'll give you a tool. If you haven't got the steerable dish and you haven't got the particular satellite receiver and so on, I'll give you a tool that helps you to do this the old fashioned way. So I reprogrammed the badge. If you've looked at it, normally when you run it it's cycling through the power-offs and you see the little thing doing this, right, and then you get a solid bar at the end of the sequence. So that looks like that, and you'll see a solid bar will flash up. Yeah, everyone saw that? So that's normal. That's
Agent X talking in the background. So then I deleted all the power-offs except the Philips one, just to check that I was actually changing the code properly. So you'll see now it's just doing one transmit and then a solid bar. So I knew I was doing the right thing. Incidentally, if anyone hacks the TV-B-Gone stuff, he's actually sending two of each code, so you could speed the whole thing up by halving the codes. The next problem was figuring out the protocol. So this is the way they're described in the TV-B-Gone source code. So it's basically a bunch of timings, which is very different from the way I'm used to working with IR. All of that low-level crap was taken care of for me; all I had to worry about was ones and zeros. So this is what my codes look like. So a code zero would be 1 1 0 0 0 0, and it was not at all obvious how the ones and noughts mapped on to these numbers. So it's not like a 184 is a 1 and a 92 is a 0. It's actually because it's frequency shifting, or you're shifting state, it's really non-obvious, and it's particularly non-obvious if it's last night at two in the morning, you've been out partying and drinking and you're not quite all there. But obviously IR has somehow got into my cerebral cortex, because I never understood it, but at about 2:30 I was able to look at a 1 0 1 0 pattern and just type in the things like zombie mode and they worked. So I still don't understand the standard but I got it. So I came up with TV-B-ADD. So this will do all your channel hopping for you. You can just sit there with your beer like this. So there's my badge sitting in front of the TV. Thank you. So that was seven o'clock this morning. You get the idea, right?

So what I'm planning to do is put the patched code onto my stick, and how many people here have actually managed to transfer a file? Oh, deathly silence. Tumbleweed. Yeah, so there's a problem. We're going to have a look at, now I've got this out of the way, we're going to have a look at that code and maybe see if we can figure out what's going
wrong. But I keep bumping into people who say they have done it, and I've seen it done. Joe demonstrated it to me over at Black Hat, so it definitely should work. But if I can, I'll put TV-B-Gone, the patched version, on my disc and I'll start the badges soon. We're going to try and do the demo now. Talk amongst yourselves. Why don't you ask me questions while I do this, and we'll just do the questions and demo the other way around.

Yes sir. What satellite hardware did I use? I used a thing called a Dreambox 7020. There is another model which has interchangeable receiver modules, so you can, how it actually has two receivers in it, it's called the 7040 I think. But at the time I started doing this the hacked sort of Linux distributions didn't work for the 7040, only worked for the 7020. For the steerable, I just went down to, in the UK we have a store called Maplin, which is just a cheap consumer sort of gadget store, got the cheapest steerable motor I could find and a one meter dish, I think I got 1.2 meter dish. So nothing really.

Yes sir. Did I point at the geo orbits? You mean the stuff that's actually moving? Oh, I see, did I have an elevation function as well as east west? No. I mean the dish steers a sort of curve anyway, just to follow the curvature of the earth and the path of the satellites, but I wasn't looking for anything that wasn't geostationary. But you could do the same thing with tracking moving satellites, and actually there are groups doing that. I think they're mostly interested in, well not mostly, but they're also interested in photographing them, which is quite cool. That's, get a zoom picture of a satellite flying over your house, that's really cool.

Yes sir. One of the most interesting things that my alleged friends have found on these satellites? That's some of the stuff that I can't talk, well I can talk about, but afterwards we'll have to drag you out in one of those zip up black bags and take you away. I think that the story I described, Diana, was probably the most interesting
or one of the most interesting. Actually watching a live news event unfolding when the people participating were completely unaware that we were doing so was really, it was fascinating. Yeah. Any other questions? Yes sir. I'm sorry? How often do you find something interesting? Well, boobies every night. What, beside the boobies? I hardly ever get past the boobies, to be honest. That's why I took so long. Is that food or friend? Depends what stage of the meeting we're at. Did I use a specific LNB? Yeah, I use a dual LNB just so I can switch quickly between, there's like two satellites that are in the UK, Hotbird and Astra. I started with a dual LNB so I could just get those, but then I moved to a steerable and so you don't actually need it, a single, if you're on a steerable dish, unless you want to go outside the frequency ranges. So if you wanted to go above 13 gig or below 10 gig you would probably need a second LNB, but for steering you don't need a second one. Okay. Have I ever tried to talk back to any of the data services? No, so far this has been purely a passive operation, just receiving stuff. I would recommend you check out the satellite talk I mentioned at the beginning, the Hacking a Bird in the Sky, because that one they actually do do a two way transfer. Do I ever see a non-geosynchronous? Now, I mean the trouble is it's quite slow, the scanning and so on, so probably even if I did it would just be a blip that would be there momentarily as it flew past. There are ways to track those. I mean it's all documented, every path of every satellite is documented somewhere, so you can program a fast steering dish to follow them. Anyone else? Yes, say again? How many IP streams have I seen? Well, if the demo is working I can show you, hopefully. Okay, if I can get in I'll bring it up quickly. Looks like I can. Excellent. That shouldn't be happening. Okay, hang on a second. Okay, I'm a big girl, a big crypto girly. Yeah, I left my privacy screen behind. That'll be enough. I'll just, ah, damn it. Okay, who in a boom to put this
bloody pop-up here. Okay, so I'm logged into my box at home now. So if I bring up, thank you network team, the NOC rule. Oh, by the way, if you're into infosec and you go to lots of conferences and you live out of a suitcase like me, this is an invaluable site, infosecdari.com. It's got all the upcoming events. If it's not on there, use their submit thing and it gets put on there. I plan my whole life with this thing. It's really cool. So I've got a tunnel set up to the web interface back at home, which hopefully will give us something. Sniff that, bitches. So again, please enlarge it. I don't have an easy tool to do that unless you know a shortcut. Yeah, does that work on web pages? No, I didn't think so. Um, oh yes it does. Thank you. Okay, that's what I get for being cocky. Um, and control shift minus will take it down, I guess? No. Then you can see, this is the problem: as soon as you switch it on, there it is in your face, here all night long. Dammit. What time zone is it? Oh yeah, they're on. Excellent. Yeah, should we press the stream button? Yeah, no, I don't think we're getting a fast enough feed. Let's just cut to what I was gonna show you. We'll come back to the boobies in a minute. So if we click on data, okay, so let's say Astra. So the trouble with this screen is I now can't see any of my controls. Control shift minus doesn't seem to go back the other way. Just control minus. Okay, this is great. I learned so much coming to this conference. Thank you. Okay, yeah, control shift minus is underline, dickhead. Okay, so Hotbird, there's a whole lot of feeds. Each of these is a data feed, and so for example data 2 on there, there'll be a number of PIDs depending on time of day, the transponders come on. Oh, incidentally, when I clicked on that the satellite steered to that position. So even though it's still tempting me up here, to remind, this is like a permanent reminder, boobies going on on another channel, I've clicked on that, my dish has just steered, and my kids are freaking out and there's no mommy: the dish is moving again, don't
look, soon they'll be like really naked people on the screen, isn't it. So I've now steered to a data channel. So if I go back to this window I should be able to do dvbsnoop. So this is the raw data coming off an alleged satellite somewhere in some country other than here. We do have an extradition treaty, don't we? Damn it. Okay, what we're looking for is a DVB datagram. Oh, we've done questions, so I can use my question time, can't I? We're still, we're still over. Do I need to cut here? Okay, so we'll do this, we can do this from the Q&A room afterwards if anyone's really that interested. I'm gonna stay, I believe, and help Zac with his talk, so we'll both be going together at the end. So thank you for your attention.
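The sky-map representation and the "time travel" comparison the talk describes, written out as an added Python example (this is not the speaker's DreamMap code): each scan cell is a dish stop number plus a frequency holding a black/white/red state, comparing two days' scans lists the transponders that switched on overnight, and a lone locked signal on an otherwise quiet position is flagged the way the talk's tight little dot was. The two sample scans, the stop numbers and the frequency list are constructed for the example, not real captures.

```python
"""Scan-map bookkeeping for feed hunting, in the style of the talk's sky map.

Added example, not the speaker's DreamMap code. Each scan cell is keyed by
(dish stop number, frequency in GHz) and holds one of three states, matching
the dots in the talk: NONE (black, nothing there), CARRIER (white, energy but
no picture the receiver can identify) and LOCK (red, receiver locked on).
"""
from collections import defaultdict

NONE, CARRIER, LOCK = 0, 1, 2
STATES = {"N": NONE, "C": CARRIER, "L": LOCK}
GLYPHS = {NONE: ".", CARRIER: "o", LOCK: "#"}

# Constructed sample scans (not real captures). Columns: stop number,
# frequency in GHz, state letter. Cells that are not listed are dark.
# Stop 2 looks like a consumer bird with lots of lockable channels,
# stop 5 is moderately busy, stop 8 carries one tight lone signal.
SCAN_DAY1 = """\
2 10.7 L
2 11.2 L
2 11.7 L
2 12.2 L
2 12.7 C
5 11.2 L
5 11.7 L
8 12.2 L
"""

# Day two: the same sky plus two cells at stop 5 and a new carrier at stop 8
# that were dark yesterday, i.e. transponders that have been switched on.
SCAN_DAY2 = SCAN_DAY1 + """\
5 12.2 L
5 12.7 C
8 10.7 C
"""


def parse_scan(text):
    """Turn 'stop freq state' lines into {(stop, freq): state}."""
    scan = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        stop, freq, state = line.split()
        scan[(int(stop), float(freq))] = STATES[state]
    return scan


def render(scan, stops, freqs):
    """ASCII version of the sky map: columns are dish stops (east to west),
    rows are frequencies, one glyph per cell like the coloured dots."""
    lines = ["GHz   " + " ".join(f"{s:2d}" for s in stops)]
    for f in freqs:
        row = " ".join(f" {GLYPHS[scan.get((s, f), NONE)]}" for s in stops)
        lines.append(f"{f:5.1f} {row}")
    return "\n".join(lines)


def new_activity(yesterday, today):
    """'Time travel': cells lit today that were dark yesterday. On a rental
    bird these are transponders somebody has just paid to switch on."""
    return sorted(cell for cell, state in today.items()
                  if state != NONE and yesterday.get(cell, NONE) == NONE)


def lonely_signals(scan, max_others=0):
    """Locked signals at a dish stop that carries at most max_others other
    active cells: the tight little dot on its own from the talk."""
    per_stop = defaultdict(list)
    for (stop, freq), state in scan.items():
        if state != NONE:
            per_stop[stop].append((freq, state))
    found = []
    for stop, cells in per_stop.items():
        if len(cells) - 1 <= max_others:
            found.extend((stop, f) for f, st in cells if st == LOCK)
    return sorted(found)


if __name__ == "__main__":
    day1, day2 = parse_scan(SCAN_DAY1), parse_scan(SCAN_DAY2)
    stops = list(range(0, 10))
    freqs = [10.7, 11.2, 11.7, 12.2, 12.7]
    print("day 1\n" + render(day1, stops, freqs))
    print("day 2\n" + render(day2, stops, freqs))
    print("lone signals on day 1:", lonely_signals(day1))
    print("switched on since day 1:", new_activity(day1, day2))
```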