0:00:00.000,0:00:09.469
32C3 preroll music
0:00:09.469,0:00:13.350
Herald: I think hacking satellites is fun.
0:00:13.350,0:00:19.940
I think it’s even more fun when[br]it’s all ‘security by obscurity’.
0:00:19.940,0:00:23.990
I would like to present you[br]Sec and schneider.
0:00:23.990,0:00:28.610
Both are members of the Munich CCC.[br]Sec worked as a security consultant
0:00:28.610,0:00:32.680
but he’s probably best known for the[br]‘Hacker Jeopardy’. Which he has been doing
0:00:32.680,0:00:37.390
for more than a decade.[br]And obviously the rad1o!
0:00:37.390,0:00:42.449
applause
0:00:42.449,0:00:46.630
And schneider is an awesome developer[br]for hardware and software.
0:00:46.630,0:00:52.290
So, who has been to Camp and[br]seen the talk about Iridium there?
0:00:52.290,0:00:56.710
Please raise your hand.[br]Wow.
0:00:56.710,0:01:02.680
And who has seen[br]the Iridium talk on 31C3?
0:01:02.680,0:01:08.760
Even more people. And who hasn’t[br]had any Iridium update at all?
0:01:08.760,0:01:14.510
Wow. Okay, so without further ado,[br]here is your yearly Iridium update!
0:01:14.510,0:01:21.470
applause[br]Sec laughs
0:01:21.470,0:01:24.800
schneider: Yes, hello, thank you for[br]coming to this Congress’ edition
0:01:24.800,0:01:29.820
of the Iridium talk. laughs We’ve[br]increased our slot size by 100%
0:01:29.820,0:01:33.310
compared to one year ago. And we’ve also,[br]I guess, increased the amount of content
0:01:33.310,0:01:38.770
by quite a bit. In the last[br]year we’ve got ourselves
0:01:38.770,0:01:43.710
some devices to play with from Iridium.[br]Modems, actually. More than one of them.
0:01:43.710,0:01:49.340
A phone, with contract. And that helped[br]us a lot getting more knowledge
0:01:49.340,0:01:56.180
about Iridium. Now, apparently, I guess[br]half of you haven’t seen any talk
0:01:56.180,0:02:01.829
about Iridium from us before. So here’s[br]a short introduction. Iridium is a global
0:02:01.829,0:02:07.020
satellite network made out of Low Earth[br]Orbit satellites, built by Motorola
0:02:07.020,0:02:13.040
in the nineties. It has 66 active logical[br]satellites. And with ‘logical’ we mean
0:02:13.040,0:02:18.079
one satellite can be more than one[br]satellite in orbit. Maybe it has failed
0:02:18.079,0:02:23.239
a little bit and now they have two[br]satellites in one spot producing
0:02:23.239,0:02:27.979
one logical satellite still functioning.[br]You have worldwide global coverage,
0:02:27.979,0:02:34.229
even at the poles, on every place on[br]earth, on the water – everywhere.
0:02:34.229,0:02:40.159
Services: you’ve got messaging, you’ve[br]got voice, you’ve got internet IP data.
0:02:40.159,0:02:45.129
And even some special services which are[br]broadcast-only, which they only send down
0:02:45.129,0:02:51.469
to earth, and the receiver doesn’t receive[br]anything. Now, Iridium coverage –
0:02:51.469,0:02:57.090
there’s a lot of Iridium satellites, and[br]they produce a spot beam pattern
0:02:57.090,0:03:03.849
on the planet. There’s 48 spot beams,[br]each of them covering roughly 400 km
0:03:03.849,0:03:09.230
in diameter. All spot beams together[br]roughly 4500 km. Now, if you have
0:03:09.230,0:03:12.939
a very sensitive setup you can receive[br]more than one spot beam at the same time.
0:03:12.939,0:03:17.949
And that’s going to be another issue[br]during this talk. If you want to have
0:03:17.949,0:03:23.870
a look at this on a global scale you can[br]see how much area one Iridium satellite
0:03:23.870,0:03:32.449
is covering on earth. Quite a lot. And by[br]receiving them you get a lot of knowledge.
0:03:32.449,0:03:37.779
Why look at it? Now. There’s almost[br]no info about Iridium available online
0:03:37.779,0:03:43.519
or in paper, or any way. It’s a completely[br]proprietary protocol. There’s nothing
0:03:43.519,0:03:48.180
about it available. It's worldwide visible.[br]You go out there you get Iridium signals.
0:03:48.180,0:03:52.469
You go to the pole you get Iridium signals.[br]So it’s nice to have a look at it and
0:03:52.469,0:03:58.270
talk about it, and everyone can just go[br]out and have a look at it. Low barrier
0:03:58.270,0:04:04.479
of entry. Cheap RTLSDRs are good enough[br]to get pager messages from Iridium.
0:04:04.479,0:04:09.569
There’s lots of interesting services: the[br]pagers, Iridium Burst. The devices for that
0:04:09.569,0:04:12.840
are passive. They don’t send anything[br]out. So probably interesting
0:04:12.840,0:04:17.570
for Intelligence services also. And[br]future-proof. There’s nation states
0:04:17.570,0:04:22.100
interested in Iridium, namely the United[br]States and also quite a commercial
0:04:22.100,0:04:26.710
venture behind it. There’s going to be[br]Iridium Next, launched next year.
0:04:26.710,0:04:29.900
At least that’s the plan. It’s going[br]to replace all of the satellites,
0:04:29.900,0:04:34.379
66 more satellites. They will de-orbit[br]the old ones. But still the system will
0:04:34.379,0:04:39.139
stay compatible with the current system.[br]So, worth the effort. Applications.
0:04:39.139,0:04:45.640
Tracking, fleet management, mobile data,[br]emergency services. There are devices
0:04:45.640,0:04:49.699
for emergency responders to tell[br]them where to go, based on Iridium.
0:04:49.699,0:04:54.330
Maybe that’s in a helicopter or a plane.[br]Maritime sensors – very interesting.
0:04:54.330,0:04:58.620
With Iridium antennas you don’t have to[br]point the antenna at a specific point
0:04:58.620,0:05:02.669
in the sky. You have something, it can[br]wobble around, will still work fine.
0:05:02.669,0:05:08.040
Aircraft communications – we’ve seen that.[br]While the spot beams cover all of earth,
0:05:08.040,0:05:11.850
apparently they also work 10 kilometers[br]up, and there’s a lot of applications
0:05:11.850,0:05:18.860
for aircraft. We have been[br]doing this for almost 2 years.
0:05:18.860,0:05:24.980
And one year ago at Congress[br]we had pager messages. Nice.
0:05:24.980,0:05:29.860
We also had the downlink demodulated[br]and descrambling going on.
0:05:29.860,0:05:33.910
The Ring Alert Channel identified, and[br]some data stuff. Then the rad1o happened.
0:05:33.910,0:05:38.919
And really, the rad1o was a secret project[br]to get more Iridium receivers out there.
0:05:38.919,0:05:44.009
That worked great. It has good coverage[br]on Iridium. It did delay us a little bit, so
0:05:44.009,0:05:47.909
after the rad1o we spent a lot of time[br]again on Iridium. And we got a lot of stuff
0:05:47.909,0:05:52.710
going: short-burst data decoding. We've[br]raided a phone, had a look at that.
0:05:52.710,0:05:57.781
We looked at IP traffic on Iridium. And[br]even got more data out of that SBD modem
0:05:57.781,0:06:03.340
than just data which it receives. So.
0:06:03.340,0:06:09.379
One year ago this was our recommended[br]setup: passive antenna and very expensive
0:06:09.379,0:06:14.500
bandpass and low noise amplifiers.[br]That works but since Camp we’ve got
0:06:14.500,0:06:20.090
a much better setup: modified GPS[br]antennas – they’re super cheap,
0:06:20.090,0:06:24.129
they work almost out-of-the-box, you[br]remove one filter, you maybe replace
0:06:24.129,0:06:27.720
one of the components in there, you’ve[br]got a pretty nice Iridium antenna.
0:06:27.720,0:06:30.770
Optionally, you can add an Iridium filter[br]in there and then you can also use it
0:06:30.770,0:06:35.310
in busy environments. Just one thing:[br]if you get one of these antennas
0:06:35.310,0:06:41.729
make sure it has screws in it so you can[br]reseal it again and take it outdoors.
0:06:41.729,0:06:46.489
Modifications: you remove one filter,[br]you get an Iridium patch antenna
0:06:46.489,0:06:50.919
– available on Mouser, Digikey… –[br]that’s no big deal. You solder it in,
0:06:50.919,0:06:55.150
you’ve got a nice antenna. We’ve got[br]this thing documented in our Wiki.
0:06:55.150,0:06:59.810
Have a look at that. You will get a good[br]Iridium antenna. Though, one thing is
0:06:59.810,0:07:02.740
potentially…[br]applause
0:07:02.740,0:07:07.960
– thanks! – …missing if you[br]are in an urban environment
0:07:07.960,0:07:12.000
and there’s lots of GSM and UMTS going on[br]you probably want to add an Iridium filter
0:07:12.000,0:07:17.610
in there. Murata actually makes one[br]specifically for Iridium. You pop that in
0:07:17.610,0:07:21.169
and you’ve got a nice and clean signal.[br]It depends on the environment
0:07:21.169,0:07:26.490
but highly recommended.[br]Now, receiver setups.
0:07:26.490,0:07:30.570
Cheapest option: take that antenna,[br]attach it to an RTLSDR (preferably
0:07:30.570,0:07:35.749
E4000 tuner) and you get Iridium[br]reception. Just a portion of the band,
0:07:35.749,0:07:41.069
roughly 20..40%, but still enough[br]to get a good idea about Iridium.
0:07:41.069,0:07:44.910
We’ve started with that, we’ve been[br]running this for a long time. And,
0:07:44.910,0:07:51.750
example for pagers – more[br]than enough. Next best thing:
0:07:51.750,0:07:58.020
“real” SDR: rad1o, HackRF, USRP.[br]With more coverage.
0:07:58.020,0:08:01.819
Passive antenna works with these, they[br]have a good enough amplifier to do it. But
0:08:01.819,0:08:06.139
the cabling must be quite short. You[br]cannot have many losses in the cable.
0:08:06.139,0:08:12.180
So, therefore the really recommended setup[br]from us is having an active antenna
0:08:12.180,0:08:15.800
with an SDR. You can take the antenna[br]outside, have 5 meters of cable,
0:08:15.800,0:08:19.260
put the SDR inside. Weatherproof setup.[br]You can leave it there. We have
0:08:19.260,0:08:23.540
something like that in Munich,[br]works a treat. Yes.
0:08:23.540,0:08:27.740
State of the tool chain: we’ve improved[br]that quite a lot. It’s a lot speedier now.
0:08:27.740,0:08:33.909
We have better signal processing, we get[br]the signals down a little bit nicer, faster,
0:08:33.909,0:08:38.529
and also now have the option to cover[br]a much wider band of Iridium,
0:08:38.529,0:08:42.979
like the whole band. And now it’s feasible[br]for us to actually decode everything
0:08:42.979,0:08:47.591
on the Iridium. Not real-time, that’s way[br]too much computing effort now. But we can
0:08:47.591,0:08:53.140
put it on a disk and decode it then. For[br]real-time processing really a major effort
0:08:53.140,0:08:58.000
has still to be done. But,[br]well, we’ll see what happens.
0:08:58.000,0:09:00.980
applause
0:09:00.980,0:09:05.480
Continuing on that… to make use of[br]modern multi-core processors we’ve added
0:09:05.480,0:09:09.529
a Queue in there. And you can utilize[br]as many cores as you want to decode
0:09:09.529,0:09:15.200
Iridium signals. Just one thing: the stuff[br]on the left still runs on a single CPU,
0:09:15.200,0:09:21.010
or a single core. And that’s limiting us in[br]terms of what we can do. But really,
0:09:21.010,0:09:27.949
most faster cores right now can handle the[br]whole Iridium band, so, should be fine.
0:09:27.949,0:09:34.710
We had a play with an Iridium test set.[br]Dieter from the Osmocom guys got one.
0:09:34.710,0:09:38.270
We had a play session. That was[br]a real boost. He also helped us a lot
0:09:38.270,0:09:42.000
on the Link Control Word (LCW) and other[br]stuff to decode. That gave us a boost.
0:09:42.000,0:09:46.699
At the beginning of this year, just before[br]doing the rad1o, and got a lot off of that.
0:09:46.699,0:09:51.830
Barrier Air recommended (?) these[br]devices, nice. Now, SBD modems.
0:09:51.830,0:09:56.060
We got ourselves a few of these things.[br]They’re ‘Short Burst Data modems’.
0:09:56.060,0:10:00.480
‘Short Burst Data’ means that you get[br]little packets of data. You can send it
0:10:00.480,0:10:04.040
to the satellite, the satellite can send it[br]back to you. They’re used all over the place
0:10:04.040,0:10:08.880
for all kinds of services for Iridium.[br]These ones are specifically cheap.
0:10:08.880,0:10:13.910
We got a group order going, from SteveM,[br]also Osmocom guy. 50 Euros per piece,
0:10:13.910,0:10:17.680
was rather cheap. Now, the thing is[br]these are really simple SBD modems.
0:10:17.680,0:10:21.700
They don’t have a SIM card. They[br]really rely only on the internal IMEI.
0:10:21.700,0:10:25.910
They don’t have a secret in there,[br]or nothing else… anything else.
0:10:25.910,0:10:29.050
They don’t authenticate themselves[br]against the network, the network doesn’t
0:10:29.050,0:10:35.070
authenticate it[self] against the modem.[br]Nothing. You supply your contract guy
0:10:35.070,0:10:41.529
with your IMEI, and you get a contract[br]for that thing. Really interesting.
0:10:41.529,0:10:46.839
This modem also has debug interfaces,[br]a test port interface which we found
0:10:46.839,0:10:49.340
interesting because it was mentioned in[br]the documentation, quote: “maybe
0:10:49.340,0:10:52.500
you can change the IMEI, or stuff[br]like that”. Interesting. It runs
0:10:52.500,0:10:55.580
over the Digital Peripheral Link (DPL)[br]which is like some other multiplex thingy
0:10:55.580,0:10:58.860
over that, which is actually a physical[br]link. And in there, there’s the TPI.
0:10:58.860,0:11:02.731
There’s absolutely no documentation[br]available about TPI. There’s a small bit
0:11:02.731,0:11:08.580
of documentation about DPL for[br]another device. We had a look at that.
0:11:08.580,0:11:13.900
DPL format then looks like that: You[br]have a start byte, a length, data, checksum
0:11:13.900,0:11:18.800
and an X. So that's pretty easy. That[br]was fast to implement. But the TPI stuff
0:11:18.800,0:11:23.530
was more tricky, so we had to get into[br]the firmware. During the OsmoDevCon
0:11:23.530,0:11:28.510
tnt got into extracting firmware from an[br]update image, and we had a look at that.
0:11:28.510,0:11:32.019
And really, you get a table of[br]TPI commands and most of them are
0:11:32.019,0:11:36.209
not implemented but some are. And[br]after reversing a lot of the firmware
0:11:36.209,0:11:40.770
we figured out where to go and where to[br]look for the EEPROM stuff. And now
0:11:40.770,0:11:48.420
we have on Github available TPI support[br]for this modem. You can change the IMEI,
0:11:48.420,0:11:54.000
so what you can do is get a contract for[br]one modem, take another modem, you clone
0:11:54.000,0:11:57.670
this modem onto that modem, now you have[br]a contract for two modems. Interesting.
0:11:57.670,0:12:00.880
laughter and applause
0:12:00.880,0:12:05.610
And also these IMEIs are not… I mean
0:12:05.610,0:12:09.310
they are blocks, probably you can[br]guess one. You shouldn’t do that.
0:12:09.310,0:12:14.920
I think that’s a big hole. They did that[br]on purpose. There are modems with SIM.
0:12:14.920,0:12:18.060
They authenticate themselves against[br]the network. But that’s about it.
0:12:18.060,0:12:23.019
And who knows how secure that is. We’ll[br]have a look at that at some point later.
0:12:23.019,0:12:28.850
The code is on Github but[br]not quite everything. laughs
0:12:28.850,0:12:33.110
Then there’s another thing. There’s a debug[br]interface. It spits out debug information
0:12:33.110,0:12:38.500
all the time. You enable it also via[br]writing to some EEPROM location.
0:12:38.500,0:12:45.520
And if you do that what it spits at you[br]is this. From 1990, really! laughs
0:12:45.520,0:12:50.759
Interesting. So this stuff evolved quite[br]a lot. So we’re now 25 years later
0:12:50.759,0:12:55.930
and this code is still running. If you[br]enable all of the debug information
0:12:55.930,0:13:00.600
you get lots of stuff.[br]First two lines: Ring Alert channel.
0:13:00.600,0:13:04.560
This we had decoded already,[br]earlier this year, most of it.
0:13:04.560,0:13:11.200
It proved that most of the stuff we did[br]is right. We also got more stuff,
0:13:11.200,0:13:16.410
broadcast channel, some sync packets,[br]traffic channels. Some of this information
0:13:16.410,0:13:21.080
we already have integrated[br]into the tool chain. Not all of it yet,
0:13:21.080,0:13:27.259
but this firmware is a real nice thing
0:13:27.259,0:13:32.290
to get data from.[br]Packets.
0:13:32.290,0:13:36.480
Iridium has 10.5 MHz of bandwidth. At[br]the moment they’re using ca. 8.5 MHz,
0:13:36.480,0:13:44.010
at least in Europe. We see roughly 2,000[br]detected bursts per second on average.
0:13:44.010,0:13:52.089
And we decode of these roughly[br]1,200 into Iridium frames.
0:13:52.089,0:13:56.800
And roughly 80% of these don’t have severe[br]errors, so we can get a link control word
0:13:56.800,0:14:01.720
or decode some stuff –[br]at least categorize it.
0:14:01.720,0:14:07.160
If you look at that this is[br]a four-minute interval on Iridium.
0:14:07.160,0:14:14.970
The whole band; these are roughly[br]a few hundred thousand packets,
0:14:14.970,0:14:21.469
so there’s quite a lot going on.[br]At the top you see the pager channels.
0:14:21.469,0:14:25.060
Every 20 seconds this small burst on the[br]Ring Alert Channel, always active, and
0:14:25.060,0:14:32.750
then down there there’s data channels,[br]broadcast channels and more of this stuff.
0:14:32.750,0:14:38.149
Last year we looked at pager channels,[br]that’s only 500 kHz of data.
0:14:38.149,0:14:43.670
Now we’re looking at 10 MHz, that’s[br]not going to be done in real time
0:14:43.670,0:14:46.540
with our current tool chain. Right now,[br]we can look at roughly 2 MHz, do it
0:14:46.540,0:14:51.940
in real time, so that you get a good idea[br]about Iridium. There’s a lot of room
0:14:51.940,0:14:56.509
for improvement, at least that’s what you[br]think. So if someone wants to help us there
0:14:56.509,0:15:00.130
we are happy about to do that.[br]At the moment it’s good enough for us
0:15:00.130,0:15:05.410
to get more data[br]out of the Iridium system.
0:15:05.410,0:15:10.350
We usually just record to hard disk,[br]get the data off. It’s lots of data.
0:15:10.350,0:15:14.880
I mean, you have to think about 80 GB[br]per hour if you capture the whole band.
0:15:14.880,0:15:18.560
So you only can do that for specific[br]things, if you maybe want to have
0:15:18.560,0:15:23.069
one transaction of a modem. We’re[br]only looking at the downlink but
0:15:23.069,0:15:27.509
at the same time Iridium suggests that[br]people use their service so that it goes
0:15:27.509,0:15:31.480
up to the satellite, across to another[br]satellite, and down again. Because
0:15:31.480,0:15:36.420
that will save them bandwidth on their[br]single gateway somewhere in the U.S.
0:15:36.420,0:15:42.999
And now Sec will tell you more[br]about different frame types.
0:15:42.999,0:15:48.579
applause
0:15:48.579,0:15:53.110
Sec: Thank you. So we’re[br]going to look a little bit into
0:15:53.110,0:15:58.660
what is all coming down[br]from the Iridium satellites.
0:15:58.660,0:16:03.720
I mean, a little bit of it[br]we already know. Like…
0:16:03.720,0:16:07.240
this is the overview of the packets.[br]I mean, schneider already told you
0:16:07.240,0:16:11.170
the small bits at the top, the green[br]ones are the pager channel where
0:16:11.170,0:16:15.120
all the pager messages come, which[br]were part of our last year’s talk.
0:16:15.120,0:16:18.769
The red below that is the Ring Alert[br]channel. And then we have
0:16:18.769,0:16:23.779
categorized the other traffic, like[br]the blue are the Broadcast channels.
0:16:23.779,0:16:28.670
Interestingly, not all of the frequencies[br]are used at the same time, but
0:16:28.670,0:16:34.850
that changes over time. And then[br]we have several things like blocks
0:16:34.850,0:16:43.179
of IP packets, blocks of streams of voice[br]packets, and other data packets. And
0:16:43.179,0:16:48.720
now we are going to look at them one by[br]one. The first is the Pager Message frames
0:16:48.720,0:16:52.779
which are already known from the talk.[br]We identified them, they start with
0:16:52.779,0:16:57.689
a unique pattern at the beginning,[br]which is hex 9669 encoded
0:16:57.689,0:17:02.889
as binary phase-shift keying (BPSK). And[br]our cool tool chain decodes them, and
0:17:02.889,0:17:06.970
this is the message I think we used last[br]year. It’s not very interesting, it was
0:17:06.970,0:17:13.920
just for testing. There’s not much to say[br]about this, I think that’s more or less
0:17:13.920,0:17:20.240
completely solved. Then we have…[br]Oh, what I wanted to say is that
0:17:20.240,0:17:26.630
Iridium doesn’t really want you to use[br]this anymore. They say: “If you can
0:17:26.630,0:17:31.130
get a pager [device] somewhere, then we[br]will still honor it but you can’t get one
0:17:31.130,0:17:36.800
from us!” That makes them hard to[br]get, maybe a little bit expensive but
0:17:36.800,0:17:42.000
they’re still in use. I mean we see lots[br]of messages going on. Then there are
0:17:42.000,0:17:48.820
the Ring Alert frames. We can’t identify[br]them by looking at them alone.
0:17:48.820,0:17:55.100
We identify them by the frequency[br]range they’re in. This is a little bit
0:17:55.100,0:18:01.390
like randomly guessed[br]where the best cut-off point is.
0:18:01.390,0:18:07.500
The format is mostly known from our play[br]session with the Racal thing we showed you
0:18:07.500,0:18:14.010
before. Dieter took a lot of work from[br]us [off us] by reversing the firmware
0:18:14.010,0:18:20.810
and getting us info how to decode[br]this. We did a brief overview
0:18:20.810,0:18:28.850
at the Camp talk. The frames[br]look like this. laughs
0:18:28.850,0:18:35.320
It contains mostly information like the[br]current satellite and the beam you are
0:18:35.320,0:18:40.050
seeing at the moment. Then it contains[br]the position which alternates between
0:18:40.050,0:18:44.410
the position where the satellite is at and[br]the position where the beam that you are
0:18:44.410,0:18:48.810
currently seeing hits the earth. So that[br]could, in theory, be used for geolocation
0:18:48.810,0:18:53.540
but it’s really, really very broad[br]information. I mean you could probably
0:18:53.540,0:18:59.090
average this or something like that.[br]And then it also contains the pages,
0:18:59.090,0:19:03.270
so when the network wants a device[br]to contact the network because it has
0:19:03.270,0:19:09.350
some information for it it sends the PAGE[br]message. Unfortunately, that TMSI,
0:19:09.350,0:19:17.020
that’s a temporary identity, so we can’t[br]really tell you which actual device it is.
0:19:17.020,0:19:21.390
We intend to look into how this[br]is mapped in the future, but
0:19:21.390,0:19:27.690
we didn’t have time for it. This is[br]as the Ring Alert channel sends
0:19:27.690,0:19:33.440
the Beam ID. You can see as a satellite[br]passes over our receiver. Which Beam IDs
0:19:33.440,0:19:39.500
we see you can see that depending[br]on the noise and whatever…
0:19:39.500,0:19:49.870
you can also see several spot beams at the[br]same time, or shortly after each other.
0:19:49.870,0:19:56.190
The next part of the family of packets[br]are the Broadcast frames.
0:19:56.190,0:20:01.580
We can identify them by[br]a checksum, a BCH checksum.
0:20:01.580,0:20:07.630
The polynomial is 1207 which is actually[br]the bit-reverse of the polynomial that’s
0:20:07.630,0:20:14.460
used to protect the messaging[br]packets. I don’t really know why but
0:20:14.460,0:20:21.300
it helps to distinguish those packets.[br]Most info about those packets are also
0:20:21.300,0:20:25.450
taken from the Racal Test Set firmware.[br]We’ve also shown them at the Camp talk
0:20:25.450,0:20:30.620
very briefly. They look like this!
0:20:30.620,0:20:36.670
They contain information about the[br]network where it tells the devices
0:20:36.670,0:20:43.070
what frequency offset they have and what[br]timing offset they have, to correct for this,
0:20:43.070,0:20:47.750
or what power they are receiving so they[br]can adjust the power. That’s not really
0:20:47.750,0:20:52.880
our focus at the moment because that’s[br]boring stuff like about the internals
0:20:52.880,0:20:58.180
of the network. And the interesting[br]stuff are the data frames.
0:20:58.180,0:21:03.330
We can identify them, they have a valid[br]Link Control Word. I mean, at the beginning
0:21:03.330,0:21:10.560
a special set of bits that is protected
0:21:10.560,0:21:17.660
by BCH checksum but before you get to the[br]correct bits you have to re-sort those bits,
0:21:17.660,0:21:22.970
and it’s the most bizarre scrambling of[br]bits I’ve seen so far, and I have no idea
0:21:22.970,0:21:29.880
how they came up with this order. If anyone[br]has an idea I would be offering a beer.
0:21:29.880,0:21:36.320
This is three different parts and the[br]content after the Link Control Word
0:21:36.320,0:21:42.340
is always 312 bits long which is[br]the maximum packet length.
0:21:42.340,0:21:48.450
If you look at the descrambled Link[br]Control Word those three parts
0:21:48.450,0:21:54.460
are protected by separate[br]BCH checksum polynomials,
0:21:54.460,0:22:00.100
like the first 29, and then[br]465 and 41. There's
0:22:00.100,0:22:06.450
one interesting thing: the middle part of[br]the Link Control Word is missing one bit.
0:22:06.450,0:22:11.540
Fortunately, the BCH checksum can correct[br]bit errors, so you’re expected to have like…
0:22:11.540,0:22:16.040
in half of the packets you’re expected[br]to have a bit error there because they
0:22:16.040,0:22:21.220
obviously didn’t have the space to fit[br]this bit and just dropped it on the floor.
0:22:21.220,0:22:26.340
The first part of the Link Control Word[br]which is three bits long – that gives us
0:22:26.340,0:22:33.330
eight choices – is the Sub-type of[br]the data frame. That we can use
0:22:33.330,0:22:37.460
to differentiate the packets.[br]The second and third part contain
0:22:37.460,0:22:41.450
more network information about handoff[br]and acquisition channel and stuff
0:22:41.450,0:22:48.830
which we took from the TPI debug code[br]that schneider mentioned before.
0:22:48.830,0:22:53.880
But we’re not too interested in that[br]network management stuff at the moment.
0:22:53.880,0:23:00.770
So we are going through the Sub-types of[br]the data packets now, starting at the top,
0:23:00.770,0:23:04.040
the ‘Sub-type 7’. This is just[br]a synchronization packet.
0:23:04.040,0:23:08.600
If you look at the packet in a waterfall[br]diagram you can see that it’s
0:23:08.600,0:23:14.770
a single line which can be used by the[br]receiver to get frequency offsets and stuff.
0:23:14.770,0:23:21.820
It’s about 43% of all the[br]data packets we see.
0:23:21.820,0:23:27.790
It’s just alternating 0 and 1 bits, and[br]our tool chain just decodes them as it’s
0:23:27.790,0:23:34.720
a sync packet, and all the bits were as[br]expected so it’s also not very interesting.
0:23:34.720,0:23:38.820
The next Sub-type we see is (3).[br]We don’t see (4) to (6),
0:23:38.820,0:23:45.400
we have not seen them anywhere. The[br]Sub-type 3 is packets that look like this.
0:23:45.400,0:23:48.180
And they have a little bit [of] information[br]at the beginning, and a little bit more
0:23:48.180,0:23:54.810
information at the end. So to me it looks[br]like one of those two parts is supposedly
0:23:54.810,0:24:02.170
a checksum but I have no idea what’s[br]encoded there. We have found no information
0:24:02.170,0:24:09.500
and, maybe at some later date.[br]The next Sub-type…
0:24:09.500,0:24:16.910
– Oh I forgot! The next Sub-type
0:24:16.910,0:24:23.270
is Sub-type 2 which is…[br]the packets are descrambled,
0:24:23.270,0:24:27.530
I mean the same descrambling algorithm[br]as we had before at the Pager channel,
0:24:27.530,0:24:33.740
just in three different blocks, and is[br]again protected with a BCH checksum
0:24:33.740,0:24:39.780
with yet another polynomial. I can give[br]a whole other talk about reversing
0:24:39.780,0:24:45.010
BCH checksums and CRCs now.[br]laughs
0:24:45.010,0:24:51.080
After the BCH checksum is removed[br]there’s a CRC which protects this again.
0:24:51.080,0:24:56.860
It’s a common polynomial, the CCITT[br]polynomial. And the packet then has
0:24:56.860,0:25:01.120
a little bit header at the beginning which[br]is in blue, and the CRC of this packet
0:25:01.120,0:25:06.300
is okay. And the header has fields[br]that we don’t know but one field is
0:25:06.300,0:25:13.080
the 3 bit counter. That can be used[br]to reassemble longer packets.
0:25:13.080,0:25:17.710
This is one example. We have several[br]packets and the counter… we sorted them
0:25:17.710,0:25:24.090
by this counter so we can reassemble[br]them into a larger packet.
0:25:24.090,0:25:30.600
If you then look at the thus[br]reassembled packets they have
0:25:30.600,0:25:36.130
what I call an identifier, of 2 bytes at[br]the start of the datagram which identifies
0:25:36.130,0:25:43.130
which kind of data is in there. We’ve seen[br]about 40 different identifiers so far,
0:25:43.130,0:25:48.110
roughly. Most of them we still[br]don’t know what’s in there.
0:25:48.110,0:25:53.830
That’s about 70% of the stuff[br]we see inside the data packets.
0:25:53.830,0:25:59.060
Many are empty, they consist of zeros.[br]Even some of them don't have a valid CRC,
0:25:59.060,0:26:04.160
there are just zeros where the CRC is[br]supposed to be. We will be looking at those
0:26:04.160,0:26:11.350
later on but we’ve identified some[br]identifiers which contain interesting stuff.
0:26:11.350,0:26:18.170
The first one of those is 09.01[br]which contains SMS messages.
0:26:18.170,0:26:22.920
We did lease us a telephone and just sent[br]some SMS, and looked at what comes down.
0:26:22.920,0:26:27.970
This is one re-assembled SMS message.[br]And if you put it into our current tool chain
0:26:27.970,0:26:34.750
it results in this output. The format is[br]very similar to the SMS PDU format
0:26:34.750,0:26:41.020
used in GSM. The only difference is[br]the orange bytes which are not part
0:26:41.020,0:26:46.170
of the PDU format and we just removed[br]them. And if you remove them
0:26:46.170,0:26:51.250
this comes out. This is[br]just the decoded message.
0:26:51.250,0:26:59.290
applause
0:26:59.290,0:27:04.250
So, the green numbers, one is the SMSC[br]Centre Number, and the other is
0:27:04.250,0:27:08.660
the Sender Number. And date and time[br]when it was sent. And the blue numbers
0:27:08.660,0:27:14.870
are just length indicators. The message[br]is encoded in the 7-bit GSM alphabet
0:27:14.870,0:27:22.500
which is basically ASCII except[br]for umlauts and other stuff. Then
0:27:22.500,0:27:29.630
the other identifier we got is 76.08 which[br]contains short burst data messages
0:27:29.630,0:27:34.640
which are sent by those modems that[br]schneider showed you. Those modems…
0:27:34.640,0:27:42.630
SBD messages itself can be from the[br]specification 1960 or 1890 bytes,
0:27:42.630,0:27:46.600
depending on whether they're mobile-originated or[br]mobile-terminated. That means sending them
0:27:42.630,0:27:46.600
from a modem or receiving them with a modem.[br]But the one we have can only send
0:27:51.960,0:27:58.070
messages up to 340 or 270 bytes. Still[br]this is longer than what the reassembled
0:27:58.070,0:28:05.490
3 bit counter gives us. So we have another[br]type for continuation of those messages.
0:28:05.490,0:28:14.120
And then we have the SBD message,[br]if you want to send it. The interface is
0:28:14.120,0:28:18.530
very simple. You just send an email to[br]data@sbd.iridium.com, put the IMEI
0:28:18.530,0:28:21.960
you want to send it to in the subject,[br]and put an attachment on it, and it gets
0:28:21.960,0:28:29.270
sent out. You can also have a contract[br]where you send it via just TCP connection
0:28:29.270,0:28:34.050
to an IP port. That works in both[br]directions. You can send it from the modem
0:28:34.050,0:28:39.150
to test your computer, or the other way[br]but Iridium-side… while there is
0:28:39.150,0:28:43.080
some documentation where you have to[br]connect to they have a firewall which is
0:28:43.080,0:28:49.020
source IP based, so if you just send[br]something you cannot reach random people’s
0:28:49.020,0:28:57.261
SBD modems. Many applications that we’ve[br]seen use probably transfer from SBD modem
0:28:57.261,0:29:02.510
to SBD modem. As we are only looking[br]at the downlink we can still see those
0:29:02.510,0:29:06.780
messages as they’re coming down to[br]another modem. And the cost of this thing
0:29:06.780,0:29:12.550
is about roughly $1 per kilobyte, which[br]I think reminds me of the nineties’
0:29:12.550,0:29:18.570
internet costs. laughs[br]We have an example SBD message
0:29:18.570,0:29:23.410
that is not very interesting. It looks like[br]this if you put it through our tool chain.
0:29:23.410,0:29:27.860
It contains lots of zero bytes because[br]that was one of our test messages,
0:29:27.860,0:29:34.600
to check for the CRCs[br]and the continuation stuff.
0:29:34.600,0:29:42.570
The users we found for this is[br]stuff like buoys for tuna fishing,
0:29:42.570,0:29:49.220
or standalone GPS trackers that send[br]just NMEA sentences of GPS over SBD.
0:29:49.220,0:29:56.840
And this Moving Map System which is[br]used by the helicopters from the ADAC
0:29:56.840,0:30:04.600
to tell the pilot where to go,[br]where the next emergency is.
0:30:04.600,0:30:10.030
We have two more Sub-types to go.[br]The Sub-type 1 packets are protected
0:30:10.030,0:30:15.440
with a 24 bit frame checksum, yet another[br]CRC polynomial that had to be reversed.
0:30:15.440,0:30:22.610
And then when you find it you’ll find out[br]that, hey, it’s the same one that GSM uses.
0:30:22.610,0:30:27.300
The header of those packets contains[br]an 8 bit counter for reassembly.
0:30:27.300,0:30:31.540
So you can reassemble more packets.[br]And a length. The raw data itself
0:30:31.540,0:30:36.790
is bit-reversed, so we have to reflect[br]each byte. And if you look at it
0:30:36.790,0:30:41.830
maybe some of you already realized[br]what this looks like. And otherwise
0:30:41.830,0:30:50.210
it could have been a Jeopardy question.[br]So, on the next slide – yes it is PPP –
0:30:50.210,0:30:56.530
so they’re just transmitting PPP over the[br]serial line that they have on the air.
0:30:56.530,0:31:03.070
It can also do multilink PPP, and it can[br]also do like a raw telnet connection,
0:31:03.070,0:31:11.250
like just a stream of bytes. Luckily for[br]us Wireshark supports this PPP dump format
0:31:11.250,0:31:17.210
and we tested it with Linux and had our[br]PPP connection and put this into Wireshark
0:31:17.210,0:31:21.970
and – hey! yeah! – we can see the HTTP[br]request. Wireshark is a little bit annoyed
0:31:21.970,0:31:25.770
of the fact that we’re missing half of the[br]connection, but that’s not a problem.
0:31:25.770,0:31:32.460
The unfortunate problem of this is,[br]on the next slide, nobody uses Linux.
0:31:32.460,0:31:36.180
Windows also uses PPP but Windows[br]also uses the Microsoft point-to-point
0:31:36.180,0:31:40.600
compression protocol. The Microsoft[br]point-to-point compression protocol
0:31:40.600,0:31:47.650
has one problem: Wireshark can’t decode[br]it. It just says “compressed data”.
0:31:47.650,0:31:55.380
So I went and looked it up. And[br]– why is the slide here?
0:31:55.380,0:32:01.230
Go one slide farther. The Microsoft[br]PPP compression is not that difficult.
0:32:01.230,0:32:07.290
There’s an RFC for it. It’s a very simple[br]algorithm but someone just needs to do it.
0:32:07.290,0:32:11.260
We didn’t have the time, maybe someone[br]can do it. Otherwise we’ll have to do it
0:32:11.260,0:32:19.510
next year. The other stuff we found,[br]you will remember the green blobs for IP,
0:32:19.510,0:32:24.000
this is probably multi-link PPP (MLPPP),[br]we have seen up to 14 channels active
0:32:24.000,0:32:29.390
at the same time. We have not gotten[br]around to looking at this very much
0:32:29.390,0:32:37.230
but I think it’s a lot of traffic. So[br]now that we’ve had this there’s…
0:32:37.230,0:32:44.820
I told you it’s not all PPP on it,[br]there’s also non-PPP traffic which is…
0:32:44.820,0:32:51.430
You can’t see the string coming[br]around and it looks like a Cisco
0:32:51.430,0:32:55.510
which is telnetting somewhere. Why[br]is there a Cisco telnet somewhere?
0:32:55.510,0:33:00.710
And if you look around on the internet you[br]can find some slides where people are
0:33:00.710,0:33:07.520
describing the setup, and –hey!–[br]there’s actually a Cisco on site
0:33:07.520,0:33:14.910
at the Iridium people, and if you do that[br]connection the Cisco actually executes
0:33:14.910,0:33:27.390
a telnet command to somewhere.[br]applause
0:33:27.390,0:33:31.960
And the last Sub-type we have[br]is the Sub-type 0. And this is
0:33:31.960,0:33:37.930
the interesting part of the talk.[br]It’s just… voice!
0:33:37.930,0:33:43.400
And it’s just 312 bit maximum length[br]of raw voice data. The problem here is
0:33:43.400,0:33:48.410
that there’s a voice codec, an AMBE voice[br]codec which is completely undocumented.
0:33:48.410,0:33:54.820
It has a very low bit rate. And we were[br]stumped and had no idea how to decode this.
0:33:54.820,0:34:01.280
And so there were several different[br]options. The first option was:
0:34:01.280,0:34:07.710
other people can do it for us!![br]Luckily, AMBE is a family of codecs, and
0:34:07.710,0:34:13.770
tnt did really great work in osmo-gmr and[br]Thuraya which is a similar AMBE codec.
0:34:13.770,0:34:17.989
And you can go and see his talk from[br]last year about this. And we gave him
0:34:17.989,0:34:22.908
some sample files, and in record time[br]we got the first version of a decoder
0:34:22.908,0:34:28.949
for Iridium voice frames. He’s releasing[br]his code right for this Congress.
0:34:28.949,0:34:33.750
This is the repository. It should be[br]accessible by now. This is very fast
0:34:33.750,0:34:37.459
and has good quality. It’s not perfect,[br]applause
0:34:37.459,0:34:43.850
but it’s good.[br]ongoing applause
0:34:43.850,0:34:49.929
But wait! We have more.[br]So the next option is emulation.
0:34:49.929,0:34:55.849
As you have seen before we’ve got the[br]firmware for the SBD modem. Interestingly,
0:34:55.849,0:35:01.990
on the SBD modem there’s the whole[br]DSP code also, also the voice codec.
0:35:01.990,0:35:08.060
It’s also on there. So this is a TI DSP[br]chip which has really, really ugly
0:35:08.060,0:35:12.800
assembler code. But there is a now[br]unavailable – except if you know
0:35:12.800,0:35:17.670
the right people – version of Code Composer[br]Studio, a Windows software to emulate
0:35:17.670,0:35:24.460
this DSP chip. And also with the help[br]of tnt you can get the stuff running.
0:35:24.460,0:35:30.459
This is the Windows software. It looks[br]very Windows-software-like. laughter
0:35:30.459,0:35:36.490
And you can run the codec in there[br]and it produces the same output
0:35:36.490,0:35:43.479
as a telephone would.[br]The only problem is this thing is slow!
0:35:43.479,0:35:49.700
It takes about… more than one minute[br]to process a second of voice data.
0:35:49.700,0:35:54.500
Yeah, this is not fun. And it’s not really[br]automatable. You have this Windows software
0:35:54.500,0:35:58.580
and have to click somewhere, and mhmm…
0:35:58.580,0:36:03.509
Now, you don’t want to do this.[br]It’s roughly three or four weeks ago
0:36:03.509,0:36:10.120
[that] I thought: “maybe there’s a third[br]option?” And the third option is to use
0:36:10.120,0:36:15.780
the DSP code but, we don’t want to[br]understand it, but maybe we can just
0:36:15.780,0:36:21.630
“wing it” and emulate it[br]by translating into crappy C,
0:36:21.630,0:36:25.490
and the optimizer will fix it.[br]It will run fast.
0:36:25.490,0:36:33.890
laughter and applause
0:36:33.890,0:36:38.770
There’s documentation for this chip which[br]describes the CPU and the opcodes.
0:36:38.770,0:36:44.809
And then you just write a small little[br]Perl script which looks partly like this.
0:36:44.809,0:36:49.750
It takes the object dump output which has[br]the assembler code and then returns
0:36:49.750,0:36:54.880
parts of C, and puts them all into a file,[br]and we put it all into the compiler,
0:36:54.880,0:37:01.810
and –hey!– we’ve got an option which produces...[br]bit perfect decoder,
0:37:01.810,0:37:05.660
and it’s running really fast![br]The optimizer does it.
0:37:05.660,0:37:12.230
applause
0:37:12.230,0:37:17.359
The only problem is that[br]you need the DSP code for it.
0:37:17.359,0:37:22.349
So it’s not entirely free because we[br]can’t really redistribute it. I suspect
0:37:22.349,0:37:26.839
that nobody really cares about this[br]old codec but I don’t want to risk it.
0:37:26.839,0:37:31.710
But the firmware updates for like the SBD[br]modem are for free on the internet.
0:37:31.710,0:37:36.980
So it’s just a matter of a little shell[br]script that grabs the firmware and puts it
0:37:36.980,0:37:41.460
through the compiler. And then you[br]should have a perfect thing to decode.
0:37:41.460,0:37:45.550
I didn’t get around to writing this shell[br]script yet but it will be there soon.
0:37:45.550,0:37:52.330
If not you can pester me and I will do it.[br]And now we have perfect voice decoding,
0:37:52.330,0:37:56.049
and we want to show this to you.[br]So we have a demo.
0:37:56.049,0:38:08.240
applause
0:38:08.240,0:38:16.290
One of those windows…[br]schneider: Alt-Tab…
0:38:16.290,0:38:19.080
Sec: I don’t know which one[br]is the right window.
0:38:19.080,0:38:26.880
laughs[br]I’m short-sighted!
0:38:26.880,0:38:30.890
What are you doing there?[br]laughs
0:38:30.890,0:38:34.240
This is really well-prepared.[br]schneider: Yes, it is.
0:38:34.240,0:38:41.760
Sec: So there’s this tool[br]which you can run on
0:38:41.760,0:38:46.960
the output of our tool chain which[br]contains the packets, and it shows you
0:38:46.960,0:38:52.450
the frequency and the time of packets[br]which are supposedly voice frames.
0:38:52.450,0:39:00.250
And then you can just click[br]a start point and an end point.
0:39:00.250,0:39:02.189
audio playback starts[br]Female TTS voice: You have five hundred
0:39:02.189,0:39:07.569
and five minutes and 40 seconds left[br]for this call. Please dial or text 2888
0:39:07.569,0:39:13.319
for more account information. Please wait[br]while your call is connected. Beep sound
0:39:13.319,0:39:14.979
Male caller voice: incomprehensible …[br]applause in Congress hall
0:39:14.979,0:39:22.069
the Eagle has landed.[br]Coast is clear, coast is clear.
0:39:22.069,0:39:25.620
I need to … terminate this[br]call now ’cause we have problems…
0:39:25.620,0:39:28.660
audio cut off[br]audio playback ends
0:39:28.660,0:39:35.520
applause
0:39:35.520,0:39:39.360
schneider: Needless to say, this was of[br]course recorded from this very phone,
0:39:39.360,0:39:43.310
from one of our members at the[br]Munich CCC knowing what we’re doing.
0:39:43.310,0:39:46.735
So, no problem there.
0:39:57.480,0:40:01.360
Sec: What do I have to press?[br]schneider: Shift-F5!
0:40:01.360,0:40:06.129
Sec: Hello!? … Ah!
0:40:06.129,0:40:14.720
schneider: So, that’s voice. And… working[br]quite fine. If you get the packets in,
0:40:14.720,0:40:18.280
and for the decoder no problem.[br]We can decode that. But there’s still
0:40:18.280,0:40:24.150
lots of stuff we don’t… we’re not able to[br]decode. And they look like voice frames.
0:40:24.150,0:40:30.290
But they’re not voice.[br]They decode as 100% non-decodable.
0:40:30.290,0:40:37.029
They usually come in trains of three,[br]so you have on three channels activity
0:40:37.029,0:40:43.259
with things that look like voice. It’s not[br]– so what is it? We have no idea at all.
0:40:43.259,0:40:47.190
Might be encrypted voice. There are people[br]who have the idea maybe they used
0:40:47.190,0:40:52.759
channel-bundling to use some more[br]bandwidth-intensive cipher.
0:40:52.759,0:40:57.770
If anyone has any idea about that[br]that would be great … or a device
0:40:57.770,0:41:04.289
which uses this would be[br]even more interesting.
0:41:04.289,0:41:10.660
Range. Now, we had the phone and[br]we were traveling a little bit in Germany.
0:41:10.660,0:41:16.490
And at a distance of roughly 300 km[br]we placed a call. And in fact could
0:41:16.490,0:41:22.710
receive that in Munich. Roughly half[br]of it, and that puts around this circle
0:41:22.710,0:41:28.430
around Munich where we can receive calls[br]with Iridium. That’s quite an area. Now,
0:41:28.430,0:41:34.519
there is no encryption at all on the voice[br]frames, nothing. They just didn’t bother.
0:41:34.519,0:41:39.380
The phone has a little bit of[br]authentication with usually GSM algorithms
0:41:39.380,0:41:46.249
from the nineties. Nice. But the voice is[br]unencrypted. So you can bet your ass
0:41:46.249,0:41:49.480
that if you place a call on Iridium[br]not only will the U.S. listen to you
0:41:49.480,0:41:55.160
but everyone else will listen to you.[br]Just be aware.
0:41:55.160,0:41:58.960
These things are also available[br]commercially. We found at least three
0:41:58.960,0:42:04.440
different vendors supplying the stuff.[br]Probably only to government agencies
0:42:04.440,0:42:10.970
and other… well…[br]laughs
0:42:10.970,0:42:16.989
I guess if you really want to get[br]these things you can get them.
0:42:16.989,0:42:23.330
So, future plans: looking at uplink![br]At the moment if we take this phone,
0:42:23.330,0:42:28.450
place a call, we get what’s coming down[br]from the satellite. The uplink has
0:42:28.450,0:42:31.240
a slightly different modulation, at least[br]in the beginning. We suspect that
0:42:31.240,0:42:34.910
everything else will be the same.[br]But so far we haven’t looked at that.
0:42:34.910,0:42:38.359
Shouldn’t be a big deal, we just need to[br]take some time and actually do that.
0:42:38.359,0:42:44.200
Then, there's the ‘GSM tap for Wireshark’[br]which is a nice interface to put in
0:42:44.200,0:42:48.900
your own protocol into Wireshark and[br]decode that. Would be very nice and
0:42:48.900,0:42:53.420
we’re already working on that. So you can[br]have a nice view in Wireshark, do filters
0:42:53.420,0:42:57.979
and see what’s actually going on on the[br]network. Decoding unknown packets:
0:42:57.979,0:43:02.940
there’s lots of stuff going on on type[br]number (2) and type number (0)
0:43:02.940,0:43:08.490
which we don’t know what it is yet. Really,[br]the limiting factor there is devices,
0:43:08.490,0:43:13.089
which brings us to the next slide. We[br]need to get access to more devices and
0:43:13.089,0:43:17.559
we have some on our list to have a look[br]at. Because if you have a device –
0:43:17.559,0:43:21.369
it’s the easiest option to actually see[br]what’s going on. You know which one
0:43:21.369,0:43:25.420
of these packets is yours, you can decode[br]these, you can send some special data
0:43:25.420,0:43:31.209
and play around a little bit. That makes[br]things really easy, in fact. Then,
0:43:31.209,0:43:35.190
signaling, handover and authentication.[br]We haven’t looked at that at all so far.
0:43:35.190,0:43:39.060
It’s actually not needed, really,[br]if you just want to get to the data but
0:43:39.060,0:43:43.240
it’s quite interesting, for example[br]these phones, they look all the time at
0:43:43.240,0:43:47.500
what satellites are available and they[br]choose which satellite they want to use.
0:43:47.500,0:43:51.029
They perform the handovers and all of[br]these things. We want to have a look
0:43:51.029,0:43:55.619
at that, too. Further reversing the[br]firmware. There’s lots of stuff to be learned
0:43:55.619,0:44:03.010
from firmware and still I guess we[br]reversed like 10% of that SBD modem.
0:44:03.010,0:44:07.460
Maybe it has still things to show.[br]Performance – well, we have already
0:44:07.460,0:44:13.289
mentioned it, lots of stuff to do. Now,[br]the code is on Github, almost all of it.
0:44:13.289,0:44:18.340
Maybe a few bits are missing to get the[br]whole tool chain working really smoothly.
0:44:18.340,0:44:23.140
So if you discover that jump into the IRC[br]channel, bug us and we’ll have a look
0:44:23.140,0:44:27.190
in our stash and see if there’s something[br]missing. In general, all the information
0:44:27.190,0:44:32.200
we’ve presented today is public and in the[br]Github repository. Again, we’re looking
0:44:32.200,0:44:38.529
for specification, and especially products[br]– Iridium GO, OpenPort devices,
0:44:38.529,0:44:43.999
any SBD enabled device, e.g. Rock Seven[br]devices, if you have access to this stuff.
0:44:43.999,0:44:48.039
If you can lend that to us for like two[br]weeks, would be very nice. And then
0:44:48.039,0:44:55.359
there’s also Iridium Burst which might[br]replace some pagers for some of these
0:44:55.359,0:45:00.549
users. These are modified SBD modems,[br]they’re passive and you tell Iridium:
0:45:00.549,0:45:05.569
“Hey, send me this message to Europe, send[br]me this message to the U.S. or maybe
0:45:05.569,0:45:10.650
to the globe”. And then these devices will[br]pick it up, undetectable, and we have
0:45:10.650,0:45:16.080
an idea which frames these are. These[br]are special pager frames, we suspect.
0:45:16.080,0:45:20.670
We see them all around the world,[br]the same format, probably encrypted,
0:45:20.670,0:45:27.740
but maybe only somehow cobbled-together,[br]a somehow cobbled-together encoding
0:45:27.740,0:45:31.930
which we haven’t seen yet. So,[br]that’s going to be very interesting.
0:45:31.930,0:45:36.140
Then, thanks again to tnt, Dieter and[br]SteveM. That was a great help,
0:45:36.140,0:45:41.010
very inspiring people. Thanks to the[br]Osmocom guys. Thank you very much!
0:45:41.010,0:45:51.969
applause
0:45:51.969,0:45:55.359
Herald: Thank you for the awesome talk.[br]Unfortunately, we won’t have any time
0:45:55.359,0:45:58.260
for questions anymore.[br]Sec: What??
0:45:58.260,0:46:04.180
Herald: But I guess we can[br]contact you via e-mail or IRC
0:46:04.180,0:46:07.939
or anything else. I’m sorry.[br]Sec: Why?
0:46:07.939,0:46:14.650
schneider: We’re on time![br]Sec: We’re on time, we have 15 minutes left!
0:46:14.650,0:46:21.509
discussion on stage
0:46:21.509,0:46:26.200
Herald: Ooh yeah, I fucked that one up.[br]We have plenty of time for Q&A!
0:46:26.200,0:46:29.970
applause
0:46:29.970,0:46:33.799
I am really sorry. So please line up[br]at the microphones and get ready
0:46:33.799,0:46:37.069
to hit Sec and schneider with your[br]questions. While you do that,
0:46:37.069,0:46:40.759
Signal Angel, is there something that[br]we should answer for the internet?
0:46:40.759,0:46:46.369
Signal Angel: Yes, there is one[br]question. There is someone asking
0:46:46.369,0:46:50.019
if the mystery data could be[br]like sensitive, I don’t know,
0:46:50.019,0:46:54.770
military, police, or something[br]like a custom codec?
0:46:54.770,0:46:57.279
schneider: We have absolutely no idea.
0:46:57.279,0:47:00.349
Signal Angel: Okay, thanks.[br]schneider: But… likely!
0:47:00.349,0:47:04.089
Signal Angel: Thanks.[br]Sec laughs
0:47:04.089,0:47:06.270
Herald: Microphone 2, please.
0:47:06.270,0:47:10.830
Question: Thank you. I heard that the NSA[br]was trying to secure the Iridium network.
0:47:10.830,0:47:13.099
Where did they go wrong?
0:47:13.099,0:47:15.430
schneider: Securing the Iridium network?[br]laughs
0:47:15.430,0:47:19.530
Sec: As far as we can tell, at least the[br]parts that we looked at, there was
0:47:19.530,0:47:23.920
no attempt to secure it. It’s still[br]the same stuff that was used
0:47:23.920,0:47:28.250
when it was built. I mean, we see[br]some messages that we don’t know.
0:47:28.250,0:47:33.500
It’s possible that those are encrypted[br]communications going on. We can’t tell
0:47:33.500,0:47:37.720
at this point. So, there might be[br]encrypted communication going on
0:47:37.720,0:47:42.630
in Iridium that we don’t know about.
0:47:42.630,0:47:50.710
Herald: Thank you. Microphone No.3,[br]in the back there. No, nobody!
0:47:50.710,0:47:55.270
Question: Since it’s conceivable that[br]you could actually… I mean the actual
0:47:55.270,0:48:00.499
database that’s verifying the[br]contracts is ground-based.
0:48:00.499,0:48:05.709
Does this mean that if you transmit[br]a phone call to the satellite,
0:48:05.709,0:48:10.630
that it has to first re-transmit it back[br]to earth in order to verify that data
0:48:10.630,0:48:15.340
is allowed to be sent and[br]relayed, so you should
0:48:15.340,0:48:19.630
typically be able to make[br]a phone call over the 150 km radius
0:48:19.630,0:48:26.020
that the satellite will repeat[br]back to earth to… no idea?
0:48:26.020,0:48:33.739
Sec: Actually I don’t really know.[br]We haven’t gotten that far
0:48:33.739,0:48:37.980
in our protocol understanding to[br]even be able to try this. But it would
0:48:37.980,0:48:43.869
definitely be interesting to try it.
0:48:43.869,0:48:53.539
Question: I don’t mind throwing a bit of[br]money at that if you are gonna try it!
0:48:53.539,0:48:56.930
Herald: Are there any more questions?[br]Right now I can’t see any of them… oh!
0:48:56.930,0:49:05.040
On microphone No.4 there’s a question![br]Someone: No!
0:49:05.040,0:49:09.499
Herald: Then, Signal Angel!
0:49:09.499,0:49:12.859
Signal Angel: Okay, I have currently[br]got three questions from internet.
0:49:12.859,0:49:18.049
I’m going to start with the first one.[br]That is: the Code Composer Studio version
0:49:18.049,0:49:23.309
that you found, the old one, whether[br]it’s specifically to the DSP or…
0:49:23.309,0:49:27.680
it’s… basically… did the DSP support go[br]away or what’s the deal with this version?
0:49:27.680,0:49:32.239
schneider: Yes, exactly. At some point[br]Code Composer Studio dropped
0:49:32.239,0:49:37.499
the support for this specific DSP and[br]we had to get a very old version
0:49:37.499,0:49:40.630
to have still support for it.[br]I think it’s CCS version 3.
0:49:40.630,0:49:44.510
Question: Okay![br]Herald: So I would say another question
0:49:44.510,0:49:46.560
from microphone No.2.
0:49:46.560,0:49:52.760
Ray: I just wanted to ask: is it legal[br]to receive these things?
0:49:52.760,0:49:57.930
Sec: This is a very good question![br]And I refer to you:
0:49:57.930,0:50:19.299
the ‘Weltraum-Theorie’![br]wild applause and cheers
0:50:19.299,0:50:22.539
So as far as I can tell[br]there’s no problem.
0:50:22.539,0:50:25.430
laughter, applause and cheers
0:50:25.430,0:50:30.539
schneider: And if you have a problem
0:50:30.539,0:50:32.269
we’ll just overrule you.[br]laughs
0:50:32.269,0:50:42.250
laughter[br]Sec: Sorry, it’s only in German!
0:50:42.250,0:50:44.069
schneider: Thank you for that question![br]Herald: Okay, we have another question
0:50:44.069,0:50:47.900
from the internet.[br]Signal Angel: Yes, the question is:
0:50:47.900,0:50:53.280
what is the state of being able to[br]geo-locate Iridium terminals?
0:50:53.280,0:50:59.450
schneider: So, during the Ring Alert[br]you see where a device gets paged.
0:50:59.450,0:51:04.329
And that’s paging a specific cell.[br]You know where that cell comes down.
0:51:04.329,0:51:08.680
So that will tell you a rough estimate[br]where that terminal is.
0:51:08.680,0:51:11.869
Of course the cell is big, many[br]hundreds of kilometers, so
0:51:11.869,0:51:17.140
probably you can have a look at this[br]over time and see how the pagings change
0:51:17.140,0:51:21.480
when the cells hit some border.[br]If the terminal doesn’t move
0:51:21.480,0:51:27.109
you can probably pinpoint it better[br]using that. We haven’t tried that yet.
0:51:27.109,0:51:32.639
But that’s our guess how it would work.
0:51:32.639,0:51:35.759
Herald: Okay, before we come to the next[br]question, a short announcement
0:51:35.759,0:51:42.519
to the Door Angels: the hall is full, dear[br]Door Angels, please don’t let anyone else in.
0:51:42.519,0:51:51.280
something shouted from audience[br]Herald continues in German by accident:
0:51:51.280,0:51:54.750
The next question[br]from the internet, please!
0:51:54.750,0:51:57.349
Signal Angel: The question is:[br]is your data that you collected
0:51:57.349,0:52:02.260
available somewhere[br]for somebody else to have a look at?
0:52:02.260,0:52:09.040
schneider: No. laughs[br]Okay, so, we won’t publish
0:52:09.040,0:52:12.430
any recordings or anything like that.
0:52:12.430,0:52:17.079
We might publish some samples[br]of our own messages.
0:52:17.079,0:52:22.039
I mean, you’ve seen a few[br]on the slides now. If you bug us on IRC
0:52:22.039,0:52:26.549
we’ll probably have something.[br]But, in general,
0:52:26.549,0:52:29.230
you can’t just collect data[br]and make it public.
0:52:29.230,0:52:34.099
Sec: I mean the great thing about[br]this Iridium is: just open your window,
0:52:34.099,0:52:37.689
you will get data![br]schneider: Pretty much!
0:52:37.689,0:52:40.899
Sec: Lots of data!
0:52:40.899,0:52:44.969
Herald: Then we have another[br]question at microphone No.3.
0:52:44.969,0:52:49.730
Question: So since recording[br]the data is obviously legal,
0:52:49.730,0:52:54.810
is it against, like, some policy of Iridium,[br]that you get angry emails from them?
0:52:54.810,0:52:58.250
Did you have any contact with them?
0:52:58.250,0:53:03.719
schneider: As far as I can tell[br]they are aware of this,
0:53:03.719,0:53:11.250
and for them it’s a jungle and[br]I think they just deal with it.
0:53:11.250,0:53:16.480
Or, in fact, who cares?
0:53:16.480,0:53:22.480
GSM has been shown to be insecure[br]for a long time – what’s the most used
0:53:22.480,0:53:29.439
cellphone network on the planet?
0:53:29.439,0:53:32.640
Herald: Thanks for that answer.[br]Microphone No.2, please.
0:53:32.640,0:53:39.560
Question: Thank you. We’ve talked about[br]listening. What about manipulating?
0:53:39.560,0:53:44.319
Sec: As we said we don’t really[br]have a good understanding
0:53:44.319,0:53:50.880
of all the signaling and more intricate[br]details of the handover and stuff,
0:53:50.880,0:53:55.210
and the authentication. We haven’t really[br]looked at this because the data we got
0:53:55.210,0:53:59.729
was so interesting that[br]we spent our time there.
0:53:59.729,0:54:05.210
There’s probably lots of possibilities[br]but we haven’t tried anything yet.
0:54:05.210,0:54:09.880
schneider: And I would recommend[br]to not just try that.
0:54:09.880,0:54:14.259
These things have been built in the[br]beginning of the nineties and,
0:54:14.259,0:54:18.230
I’m not sure. Maybe just before they[br]de-orbit it, so one can have a play.
0:54:18.230,0:54:23.890
But I wouldn’t. Really.
0:54:23.890,0:54:27.259
Herald: Do we have more[br]questions from the internet?
0:54:27.259,0:54:41.339
Signal Angel: We do.[br]The next question is…
0:54:41.339,0:54:45.910
Somebody wanted to know if you… well, they[br]think you know more than you tell and ask
0:54:45.910,0:54:48.640
if you’ve got a gag order.
0:54:48.640,0:54:53.460
Sec: We have definitely not gotten a gag[br]order. I have had no contact from anyone
0:54:53.460,0:55:00.930
who is affiliated with Iridium,[br]or any law at all.
0:55:00.930,0:55:03.779
schneider: I’ve once checked the logs[br]on my web server and Iridium servers
0:55:03.779,0:55:09.259
did access some of my files. Then I got[br]a little bit scared. And then I realized
0:55:09.259,0:55:13.949
that was me going over the phone and[br]downloading something. laughs
0:55:13.949,0:55:20.330
laughter and applause
0:55:20.330,0:55:26.589
Herald: Okay, then, microphone No.2![br]There’s just the Microphone Angel. Okay.
0:55:26.589,0:55:30.010
No question from that person.[br]Then, the internet, please go ahead!
0:55:30.010,0:55:35.619
Signal Angel: Okay, the internet wants to[br]know how many uplink stations there are.
0:55:35.619,0:55:41.319
Sec: There’s one for civilian[br]use and one for military use.
0:55:41.319,0:55:44.079
At least as far as[br]the published information goes.
0:55:44.079,0:55:49.369
schneider: And one more which we[br]don’t know what exactly it’s doing
0:55:49.369,0:55:54.549
but it’s near the pole.[br]mumble in the audience
0:55:54.549,0:55:58.480
Sec: There have been many more in the[br]past. I mean when they built this thing
0:55:58.480,0:56:03.509
they had one in Japan. But as far[br]as the documentation goes
0:56:03.509,0:56:06.279
they are all inactive.
0:56:06.279,0:56:10.210
schneider: Yes. You have to know that[br]Iridium went bankrupt beginning 2000s.
0:56:10.210,0:56:13.820
And at that point they scaled down[br]the whole thing a lot to make it
0:56:13.820,0:56:16.509
more cost-efficient. And they also[br]scaled-down the amount of gateways.
0:56:16.509,0:56:19.599
So, sometimes you get references[br]for lots of gateways for Iridium but
0:56:19.599,0:56:25.440
they’re all inactive. Not sure what[br]they’re doing with these any more.
0:56:25.440,0:56:29.959
Herald: Okay. I think we have[br]questions from the internet left?
0:56:29.959,0:56:33.600
Signal Angel: Actually as far[br]as I know right now we don’t.
0:56:33.600,0:56:39.019
Herald: Great. Then give a warm hand[br]of applause for Sec and schneider!
0:56:39.019,0:56:47.169
applause
0:56:47.169,0:56:50.359
postroll music
0:56:50.359,0:56:58.201
subtitles created by c3subtitles.de[br]in the year 2017. Join, and help us!