32C3 preroll music
Herald: I think hacking satellites is fun.
I think it’s even more fun when
it’s all ‘security by obscurity’.
I would like to present you
Sec and schneider.
Both are members of the Munich CCC.
Sec worked as a security consultant
but he’s probably best known for the
‘Hacker Jeopardy’. Which he has been doing
for more than a decade.
And obviously the rad1o!
applause
And schneider is an awesome developer
for hardware and software.
So, who has been to Camp and
seen the talk about Iridium there?
Please raise your hand.
Wow.
And who has seen
the Iridium talk on 31C3?
Even more people. And who hasn’t
had any Iridium update at all?
Wow. Okay, so without further ado,
here is your yearly Iridium update!
applause
Sec laughs
schneider: Yes, hello, thank you for
coming to this Congress’ edition
of the Iridium talk. laughs We’ve
increased our slot size by 100%
compared to one year ago. And we’ve also,
I guess, increased the amount of content
by quite a bit. In the last
year we’ve got ourselves
some devices to play with from Iridium.
Modems, actually. More than one of them.
A phone, with contract. And that helped
us a lot getting more knowledge
about Iridium. Now, apparently, I guess
half of you haven’t seen any talk
about Iridium from us before. So here’s
a short introduction. Iridium is a global
satellite network made out of Low Earth
Orbit satellites, built by Motorola
in the nineties. It has 66 active logical
satellites. And with ‘logical’ we mean
one satellite can be more than one
satellite in orbit. Maybe it has failed
a little bit and now they have two
satellites in one spot producing
one logical satellite still functioning.
You have worldwide global coverage,
even at the poles, on every place on
earth, on the water – everywhere.
Services: you’ve got messaging, you’ve
got voice, you’ve got internet IP data.
And even some special services which are
broadcast-only, which they only send down
to earth, and the receiver doesn’t receive
anything. Now, Iridium coverage –
there are a lot of Iridium satellites, and
they produce a spot beam pattern
on the planet. There are 48 spot beams,
each of them covering roughly 400 km
in diameter. All spot beams together
roughly 4500 km. Now, if you have
a very sensitive setup you can receive
more than one spot beam at the same time.
And that’s going to be another issue
during this talk. If you want to have
a look at this on a global scale you can
see how much area one Iridium satellite
is covering on earth. Quite a lot. And by
receiving them you get a lot of knowledge.
Why look at it? Now. There’s almost
no info about Iridium available online
or in paper, or any way. It’s a completely
proprietary protocol. There’s nothing
about it available. It's visible worldwide.
You go out there you get Iridium signals.
You go to the pole you get Iridium signals.
So it’s nice to have a look at it and
talk about it, and everyone can just go
out and have a look at it. Low barrier
to entry. Cheap RTLSDRs are good enough
to get pager messages from Iridium.
There’s lots of interesting services: the
pagers, Iridium Burst. The devices for that
are passive. They don’t send anything
out. So probably interesting
for Intelligence services also. And
future-proof. There are nation states
interested in Iridium, namely the United
States and also quite a commercial
venture behind it. There’s going to be
Iridium Next, launched next year.
At least that’s the plan. It’s going
to replace all of the satellites,
66 more satellites. They will de-orbit
the old ones. But still the system will
stay compatible with the current system.
So, worth the effort. Applications.
Tracking, fleet management, mobile data,
emergency services. There are devices
for emergency responders to tell
them where to go, based on Iridium.
Maybe that’s in a helicopter or a plane.
Maritime sensors – very interesting.
With Iridium antennas you don’t have to
point the antenna at a specific point
in the sky. You have something, it can
wobble around, will still work fine.
Aircraft communications – we’ve seen that.
While the spot beams cover all of earth,
apparently they also work 10 kilometers
up, and there’s a lot of applications
for aircraft. We have been
doing this for almost 2 years.
And one year ago at Congress
we had pager messages. Nice.
We also had the downlink demodulated
and descrambling going on.
The Ring Alert Channel identified, and
some data stuff. Then the rad1o happened.
And really, the rad1o was a secret project
to get more Iridium receivers out there.
That worked great. It has good coverage
on Iridium. It did delay us a little bit, so
after the rad1o we spent a lot of time
again on Iridium. And we got a lot of stuff
going: short-burst data decoding. We've
rented a phone, had a look at that.
We looked at IP traffic on Iridium. And
even got more data out of that SBD modem
than just data which it receives. So.
One year ago this was our recommended
setup: passive antenna and very expensive
bandpass and low noise amplifiers.
That works but since Camp we’ve got
a much better setup: modified GPS
antennas – they’re super cheap,
they work almost out-of-the-box, you
remove one filter, you maybe replace
one of the components in there, you’ve
got a pretty nice Iridium antenna.
Optionally, you can add an Iridium filter
in there and then you can also use it
in busy environments. Just one thing:
if you get one of these antennas
make sure it has screws in it so you can
reseal it again and take it outdoors.
Modifications: you remove one filter,
you get an Iridium patch antenna
– available on Mouser, Digikey… –
that’s no big deal. You solder it in,
you’ve got a nice antenna. We’ve got
this thing documented in our Wiki.
Have a look at that. You will get a good
Iridium antenna. Though, one thing is
potentially…
applause
– thanks! – …missing if you
are in an urban environment
and there’s lots of GSM and UMTS going on
you probably want to add an Iridium filter
in there. Murata actually makes one
specifically for Iridium. You pop that in
and you’ve got a nice and clean signal.
It depends on the environment
but highly recommended.
Now, receiver setups.
Cheapest option: take that antenna,
attach it to an RTLSDR (preferably
E4000 tuner) and you get Iridium
reception. Just a portion of the band,
roughly 20..40%, but still enough
to get a good idea about Iridium.
We’ve started with that, we’ve been
running this for a long time. And,
example for pagers – more
than enough. Next best thing:
“real” SDR: rad1o, HackRF, USRP.
With more coverage.
Passive antenna works with these, they
have a good enough amplifier to do it. But
the cabling must be quite short. You
cannot have many losses in the cable.
So, therefore the really recommended setup
from us is having an active antenna
with an SDR. You can take the antenna
outside, have 5 meters of cable,
put the SDR inside. Weatherproof setup.
You can leave it there. We have
something like that in Munich,
works a treat. Yes.
State of the tool chain: we’ve improved
that quite a lot. It’s a lot speedier now.
We have better signal processing, we get
the signals down a little bit nicer, faster,
and also now have the option to cover
a much wider band of Iridium,
like the whole band. And now it’s feasible
for us to actually decode everything
on the Iridium. Not real-time, that’s way
too much computing effort now. But we can
put it on a disk and decode it then. For
real-time processing really a major effort
has still to be done. But,
well, we’ll see what happens.
applause
Continuing on that… to make use of
modern multi-core processors we’ve added
a queue in there. And you can utilize
as many cores as you want to decode
Iridium signals. Just one thing: the stuff
on the left still runs on a single CPU,
or a single core. And that’s limiting us in
terms of what we can do. But really,
most faster cores right now can handle the
whole Iridium band, so, should be fine.
We had a play with an Iridium test set.
Dieter from the Osmocom guys got one.
We had a play session. That was
a real boost. He also helped us a lot
on the Link Control Word (LCW) and other
stuff to decode. That gave us a boost
at the beginning of this year, just before
doing the rad1o, and we got a lot out of that.
Barrier Air recommended (?) these
devices, nice. Now, SBD modems.
We got ourselves a few of these things.
They’re ‘Short Burst Data modems’.
‘Short Burst Data’ means that you get
little packets of data. You can send it
to the satellite, the satellite can send it
back to you. They’re used all over the place
for all kinds of services for Iridium.
These ones are specifically cheap.
We got a group order going, from SteveM,
also Osmocom guy. 50 Euros per piece,
was rather cheap. Now, the thing is
these are really simple SBD modems.
They don’t have a SIM card. They
really rely only on the internal IMEI.
They don’t have a secret in there,
or nothing else… anything else.
They don’t authenticate themselves
against the network, the network doesn’t
authenticate it[self] against the modem.
Nothing. You supply your contract guy
with your IMEI, and you get a contract
for that thing. Really interesting.
This modem also has debug interfaces,
a test port interface which we found
interesting because it was mentioned in
the documentation, quote: “maybe
you can change the IMEI, or stuff
like that”. Interesting. It runs
over the Digital Peripheral Link (DPL)
which is like some other multiplex thingy
over that, which is actually a physical
link. And in there, there’s the TPI.
There’s absolutely no documentation
available about TPI. There’s a small bit
of documentation about DPL for
another device. We had a look at that.
DPL format then looks like that: You
have a start byte, a length, data, checksum
and an X. So that’s pretty easy. That
was fast to implement. But the TPI stuff
was more tricky, so we had to get into
the firmware. During the OsmoDevCon
tnt got into extracting firmware from an
update image, and we had a look at that.
And really, you get a table of
TPI commands and most of them are
not implemented but some are. And
after reversing a lot of the firmware
we figured out where to go and where to
look for the EEPROM stuff. And now
we have on Github available TPI support
for this modem. You can change the IMEI,
so what you can do is get a contract for
one modem, take another modem, you clone
this modem onto that modem, now you have
a contract for two modems. Interesting.
laughter and applause
And also these IMEIs are not… I mean
they are blocks, probably you can
guess one. You shouldn’t do that.
I think that’s a big hole. They did that
on purpose. There are modems with SIM.
They authenticate themselves against
the network. But that’s about it.
And who knows how secure that is. We’ll
have a look at that at some point later.
The code is on Github but
not quite everything. laughs
Then there’s another thing. There’s a debug
interface. It spits out debug information
all the time. You enable it also via
writing to some EEPROM location.
And if you do that what it spits at you
is this. From 1990, really! laughs
Interesting. So this stuff evolved quite
a lot. So we’re now 25 years later
and this code is still running. If you
enable all of the debug information
you get lots of stuff.
First two lines: Ring Alert channel.
This we had decoded already,
earlier this year, most of it.
It proved that most of the stuff we did
is right. We also got more stuff,
broadcast channel, some sync packets,
traffic channels. Some of this information
we already have integrated
into the tool chain. Not all of it yet,
but this firmware is a real nice thing
to get data from.
Packets.
Iridium has 10.5 MHz of bandwidth. At
the moment they’re using ca. 8.5 MHz,
at least in Europe. We see roughly 2,000
detected bursts per second on average.
And of these we decode roughly
1,200 into Iridium frames.
And roughly 80% of these don’t have severe
errors, so we can get a link control word
or decode some stuff –
at least categorize it.
If you look at that this is
a four-minute interval on Iridium.
The whole band; these are roughly
a few hundred thousand packets,
so there’s quite a lot going on.
At the top you see the pager channels.
Every 20 seconds this small burst on the
Ring Alert Channel, always active, and
then down there there’s data channels,
broadcast channels and more of this stuff.
Last year we looked at pager channels,
that’s only 500 kHz of data.
Now we’re looking at 10 MHz, that’s
not going to be done in real time
with our current tool chain. Right now,
we can look at roughly 2 MHz, do it
in real time, so that you get a good idea
about Iridium. There’s a lot of room
for improvement, at least that’s what you
think. So if someone wants to help us there
we are happy about that.
At the moment it’s good enough for us
to get more data
out of the Iridium system.
We usually just record to hard disk,
get the data off. It’s lots of data.
I mean, you have to think about 80 GB
per hour if you capture the whole band.
So you only can do that for specific
things, if you maybe want to have
one transaction of a modem. We’re
only looking at the downlink but
at the same time Iridium suggests that
people use their service so that it goes
up to the satellite, across to another
satellite, and down again. Because
that will save them bandwidth on their
single gateway somewhere in the U.S.
And now Sec will tell you more
about different frame types.
applause
Sec: Thank you. So we’re
going to look a little bit into
what is all coming down
from the Iridium satellites.
I mean, a little bit of it
we already know. Like…
this is the overview of the packets.
I mean, schneider already told you
the small bits at the top, the green
ones are the pager channel where
all the pager messages come, which
were part of our last year’s talk.
The red below that is the Ring Alert
channel. And then we have
categorized the other traffic, like
the blue are the Broadcast channels.
Interestingly, not all of the frequencies
are used at the same time, but
that changes over time. And then
we have several things like blocks
of IP packets, blocks of streams of voice
packets, and other data packets. And
now we are going to look at them one by
one. The first is the Pager Message frames
which are already known from the talk.
We identified them, they start with
a unique pattern at the beginning,
which is hex 9669 encoded
as binary phase-shift keying (BPSK). And
our cool tool chain decodes them, and
this is the message I think we used last
year. It’s not very interesting, it was
just for testing. There’s not much to say
about this, I think that’s more or less
completely solved. Then we have…
Oh, what I wanted to say is that
Iridium doesn’t really want you to use
this anymore. They say: “If you can
get a pager [device] somewhere, then we
will still honor it but you can’t get one
from us!” That makes them hard to
get, maybe a little bit expensive but
they’re still in use. I mean we see lots
of messages going on. Then there are
the Ring Alert frames. We can’t identify
them by looking at them alone.
We identify them by the frequency
range they’re in. This is a little bit
like randomly guessed
where the best cut-off point is.
The format is mostly known from our play
session with the Racal thing we showed you
before. Dieter took a lot of work from
us [off us] by reversing the firmware
and getting us info how to decode
this. We did a brief overview
at the Camp talk. The frames
look like this. laughs
It contains mostly information like the
current satellite and the beam you are
seeing at the moment. Then it contains
the position which alternates between
the position where the satellite is at and
the position where the beam that you are
currently seeing hits the earth. So that
could, in theory, be used for geolocation
but it’s really, really very broad
information. I mean you could probably
average this or something like that.
And then it also contains the pages,
so when the network wants a device
to contact the network because it has
some information for it it sends the PAGE
message. Unfortunately, that TMSI,
that’s a temporary identity, so we can’t
really tell you which actual device it is.
We intend to look into how this
is mapped in the future, but
we didn’t have time for it. This is
the Beam ID as the Ring Alert channel
sends it. You can see, as a satellite
passes over our receiver, which Beam IDs
we see. You can see that, depending
on the noise and whatever…
you can also see several spot beams at the
same time, or shortly after each other.
The next part of the family of packets
are the Broadcast frames.
We can identify them by
a checksum, a BCH checksum.
The polynomial is 1207 which is actually
the bit-reverse of the polynomial that’s
used to protect the messaging
packets. I don’t really know why but
it helps to distinguish those packets.
Most info about those packets is also
taken from the Racal Test Set firmware.
We’ve also shown them at the Camp talk
very briefly. They look like this!
They contain information about the
network where it tells the devices
what frequency offset they have and what
timing offset they have, to correct for this,
or what power they are receiving so they
can adjust the power. That’s not really
our focus at the moment because that’s
boring stuff like about the internals
of the network. And the interesting
stuff are the data frames.
We can identify them, they have a valid
Link Control Word. I mean, at the beginning
a special set of bits that is protected
by BCH checksum but before you get to the
correct bits you have to re-sort those bits,
and it’s the most bizarre scrambling of
bits I’ve seen so far, and I have no idea
how they came up with this order. If anyone
has an idea I would be offering a beer.
This is three different parts and the
content after the Link Control Word
is always 312 bits long which is
the maximum packet length.
If you look at the descrambled Link
Control Word those three parts
are protected by separate
BCH checksum polynomials,
like the first 29, and then
465 and 41. There's
one interesting thing: the middle part of
the Link Control Word is missing one bit.
Fortunately, the BCH checksum can correct
bit errors, so you’re expected to have like…
in half of the packets you’re expected
to have a bit error there because they
obviously didn’t have the space to fit
this bit and just dropped it on the floor.
The first part of the Link Control Word
which is three bits long – that gives us
eight choices – is the Sub-type of
the data frame. That we can use
to differentiate the packets.
The second and third part contain
more network information about handoff
and acquisition channel and stuff
which we took from the TPI debug code
that schneider mentioned before.
But we’re not too interested in that
network management stuff at the moment.
So we are going through the Sub-types of
the data packets now, starting at the top,
the ‘Sub-type 7’. This is just
a synchronization packet.
If you look at the packet in a waterfall
diagram you can see that it’s
a single line which can be used by the
receiver to get frequency offsets and stuff.
It’s about 43% of all the
data packets we see.
It’s just alternating 0 and 1 bits, and
our tool chain just decodes them as it’s
a sync packet, and all the bits were as
expected so it’s also not very interesting.
The next Sub-type we see is (3).
We don’t see (4) to (6),
we have not seen them anywhere. The
Sub-type 3 is packets that look like this.
And they have a little bit [of] information
at the beginning, and a little bit more
information at the end. So to me it looks
like one of those two parts is supposedly
a checksum but I have no idea what’s
encoded there. We have found no information
and, maybe at some later date.
The next Sub-type…
– Oh I forgot! The next Sub-type
is Sub-type 2 which is…
the packets are descrambled,
I mean the same descrambling algorithm
as we had before at the Pager channel,
just in three different blocks, and is
again protected with a BCH checksum
with yet another polynomial. I can give
a whole other talk about reversing
BCH checksums and CRCs now.
laughs
After the BCH checksum is removed
there’s a CRC which protects this again.
It’s a common polynomial, the CCITT
polynomial. And the packet then has
a little bit header at the beginning which
is in blue, and the CRC of this packet
is okay. And the header has fields
that we don’t know but one field is
the 3 bit counter. That can be used
to reassemble longer packets.
This is one example. We have several
packets and the counter… we sorted them
by this counter so we can reassemble
them into a larger packet.
If you then look at the thus
reassembled packets they have
what I call an identifier, of 2 bytes at
the start of the datagram which identifies
which kind of data is in there. We’ve seen
about 40 different identifiers so far,
roughly. Most of them we still
don’t know what’s in there.
That’s about 70% of the stuff
we see inside the data packets.
Many are empty, they consist of Zeros.
Some of them don't even have a valid CRC,
there are just Zeros where the CRC is
supposed to be. We will be looking at those
later on but we’ve identified some
identifiers which contain interesting stuff.
The first one of those is 09.01
which contains SMS messages.
We leased a telephone and just sent
some SMS, and looked at what comes down.
This is one re-assembled SMS message.
And if you put it into our current tool chain
it results in this output. The format is
very similar to the SMS PDU format
used in GSM. The only difference is
the orange bytes which are not part
of the PDU format and we just removed
them. And if you remove them
this comes out. This is
just the decoded message.
applause
So, the green numbers, one is the SMSC
Centre Number, and the other is
the Sender Number. And date and time
when it was sent. And the blue numbers
are just length indicators. The message
is encoded in the 7-bit GSM alphabet
which is basically ASCII except
for umlauts and other stuff. Then
the other identifier we got is 76.08 which
contains short burst data messages
which are sent by those modems that
schneider showed you. Those modems…
SBD messages themselves can be, according to
the specification, 1960 or 1890 bytes,
depending on whether they're mobile-originated or
mobile-terminated. That means sending them
from a modem or receiving them with a modem.
But the one we have can only send
messages up to 340 or 270 bytes. Still
this is longer than what the reassembled
3 bit counter gives us. So we have another
type for continuation of those messages.
And then we have the SBD message,
if you want to send it. The interface is
very simple. You just send an email to
data@sbd.iridium.com, put the IMEI
you want to send it to in the subject,
and put an attachment on it, and it gets
sent out. You can also have a contract
where you send it via just TCP connection
to an IP port. That works in both
directions. You can send it from the modem
to test your computer, or the other way
but Iridium-side… while there is
some documentation where you have to
connect to they have a firewall which is
source IP based, so if you just send
something you cannot reach random people’s
SBD modems. Many applications that we’ve
seen probably use transfer from SBD modem
to SBD modem. As we are only looking
at the downlink we can still see those
messages as they’re coming down to
another modem. And the cost of this thing
is about roughly $1 per kilobyte, which
I think reminds me of the nineties’
internet costs. laughs
We have an example SBD message
that is not very interesting. It looks like
this if you put it through our tool chain.
It contains lots of Zero bytes because
that was one of our test messages,
to check for the CRCs
and the continuation stuff.
The users we found for this are
stuff like buoys for tuna fishing,
or standalone GPS trackers that send
just NMEA sentences of GPS over SBD.
And this Moving Map System which is
used by the helicopters from the ADAC
to tell the pilot where to go,
where the next emergency is.
We have two more Sub-types to go.
The Sub-type 1 packets are protected
with a 24 bit frame checksum, yet another
CRC polynomial that had to be reversed.
And then when you find it you’ll find out
that, hey, it’s the same one that GSM uses.
The header of those packets contains
an 8 bit counter for reassembly.
So you can reassemble more packets.
And a length. The raw data itself
is bit-reversed, so we have to reflect
each byte. And if you look at it
maybe some of you already realized
what this looks like. And otherwise
it could have been a Jeopardy question.
So, on the next slide – yes it is PPP –
so they’re just transmitting PPP over the
serial line that they have on the air.
It can also do multilink PPP, and it can
also do like a raw telnet connection,
like just a stream of bytes. Luckily for
us Wireshark supports this PPP dump format
and we tested it with Linux and had our
PPP connection and put this into Wireshark
and – hey! yeah! – we can see the HTTP
request. Wireshark is a little bit annoyed
by the fact that we're missing half of the
connection, but that’s not a problem.
The unfortunate problem of this is,
on the next slide, nobody uses Linux.
Windows also uses PPP but Windows
also uses the Microsoft point-to-point
compression protocol. The Microsoft
point-to-point compression protocol
has one problem: Wireshark can’t decode
it. It just says “compressed data”.
So I went and looked it up. And
– why is the slide here?
Go one slide farther. The Microsoft
PPP compression is not that difficult.
There’s an RFC for it. It’s a very simple
algorithm but someone just needs to do it.
We didn’t have the time, maybe someone
can do it. Otherwise we’ll have to do it
next year. The other stuff we found,
you will remember the green blobs for IP,
this is probably multi-link PPP (MLPPP),
we have seen up to 14 channels active
at the same time. We have not gotten
around to looking at this very much
but I think it’s a lot of traffic. So
now that we’ve had this there’s…
I told you it’s not all PPP on it,
there’s also non-PPP traffic which is…
You can’t see the string coming
around and it looks like a Cisco
which is telnetting somewhere. Why
is there a Cisco telnet somewhere?
And if you look around on the internet you
can find some slides where people are
describing the setup, and –hey!–
there’s actually a Cisco on site
at the Iridium people, and if you do that
connection the Cisco actually executes
a telnet command to somewhere.
applause
And the last Sub-type we have
is the Sub-type 0. And this is
the interesting part of the talk.
It’s just… voice!
And it’s just 312 bit maximum length
of raw voice data. The problem here is
that there’s a voice codec, an AMBE voice
codec which is completely undocumented.
It has a very low bit rate. And we were
stumped and had no idea how to decode this.
And so there were several different
options. The first option was:
other people can do it for us!!
Luckily, AMBE is a family of codecs, and
tnt did really great work in osmo-gmr and
Thuraya which is a similar AMBE codec.
And you can go and see his talk from
last year about this. And we gave him
some sample files, and in record time
we got the first version of a decoder
for Iridium voice frames. He’s releasing
his code right for this Congress.
This is the repository. It should be
accessible by now. This is very fast
and has good quality. It’s not perfect,
applause
but it’s good.
ongoing applause
But wait! We have more.
So the next option is emulation.
As you have seen before we’ve got the
firmware for the SBD modem. Interestingly,
on the SBD modem there’s the whole
DSP code also, also the voice codec.
It's also on there. So this is a TI DSP
chip which has really, really ugly
assembler code. But there is a now
unavailable – except if you know
the right people – version of Code Composer
Studio, a Windows software to emulate
this DSP chip. And also with the help
of tnt you can get the stuff running.
This is the Windows software. It looks
very Windows-software-like. laughter
And you can run the codec in there
and it produces the same output
as a telephone would.
The only problem is this thing is slow!
It takes about… more than one minute
to process a second of voice data.
Yeah, this is not fun. And it’s not really
automatable. You have this Windows software
and have to click somewhere, and mhmm…
Now, you don’t want to do this.
It’s roughly three or four weeks ago
[that] I thought: “maybe there’s a third
option?” And the third option is to use
the DSP code but, we don’t want to
understand it, but maybe we can just
“wing it” and emulate it
by translating into crappy C,
and the optimizer will fix it.
It will run fast.
laughter and applause
There’s documentation for this chip which
describes the CPU and the opcodes.
And then you just write a small little
Perl script which looks partly like this.
It takes the object dump output which has
the assembler code and then returns
parts of C, and puts them all into a file,
and we put it all into the compiler,
and –hey!– we’ve got an option which produces...
a bit-perfect decoder,
and it’s running really fast!
The optimizer does it.
applause
The only problem is that
you need the DSP code for it.
So it’s not entirely free because we
can’t really redistribute it. I suspect
that nobody really cares about this
old codec but I don’t want to risk it.
But the firmware updates for like the SBD
modem are for free on the internet.
So it’s just a matter of a little shell
script that grabs the firmware and puts it
through the compiler. And then you
should have a perfect thing to decode.
I didn't get around to writing this shell
script yet but it will be there soon.
If not you can pester me and I will do it.
And now we have perfect voice decoding,
and we want to show this to you.
So we have a demo.
applause
One of those windows…
schneider: Alt-Tab…
Sec: I don't know which one
is the right window.
laughs
I'm short-sighted!
What are you doing there?
laughs
This is really well-prepared.
schneider: Yes, it is.
Sec: So there’s this tool
which you can run on
the output of our tool chain which
contains the packets, and it shows you
the frequency and the time of packets
which are supposedly voice frames.
And then you can just click
a start point and an end point.
audio playback starts
Female TTS voice: You have five hundred
and five minutes and 40 seconds left
for this call. Please dial or text 2888
for more account information. Please wait
while your call is connected. Beep sound
Male caller voice: incomprehensible …
applause in Congress hall
the Eagle has landed.
Coast is clear, coast is clear.
I need to … terminate this
call now ’cause we have problems…
audio cut off
audio playback ends
applause
schneider: Needless to say, this was of
course recorded from this very phone,
from one of our members at the
Munich CCC knowing what we’re doing.
So, no problem there.
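Sec said earlier that Windows PPP sessions on the Iridium downlink show up in Wireshark only as "compressed data" because nobody has implemented the Microsoft Point-to-Point Compression decoder, and that the RFC describes a simple algorithm. As an added example from the editor (not part of the talk and not the speakers' tool chain), here is a Python decoder for the RFC 2118 MPPC bitstream and its two-byte header. It assumes the input is the PPP payload after the Sub-type 1 reassembly and byte reflection described in the talk, it treats both the A (history flushed) and B (moved to front) flags as a window reset, and it does not track the coherency count across packets. The test vectors are constructed by hand from the RFC encoding rules, not captured from Iridium.

```python
"""RFC 2118 (Microsoft Point-To-Point Compression, MPPC) decoder.

Editor's added example; not the talk's or the speakers' code. Test vectors
are hand-constructed from the RFC 2118 token encoding, not Iridium captures.
"""

HISTORY_SIZE = 8192  # RFC 2118 sliding window size


class BitReader:
    """MSB-first bit reader over a byte string."""

    def __init__(self, data: bytes):
        self.data = data
        self.pos = 0

    def bits_left(self) -> int:
        return len(self.data) * 8 - self.pos

    def read(self, n: int) -> int:
        if n > self.bits_left():
            raise ValueError("truncated MPPC bitstream")
        v = 0
        for _ in range(n):
            v = (v << 1) | ((self.data[self.pos >> 3] >> (7 - (self.pos & 7))) & 1)
            self.pos += 1
        return v


def parse_mppc_header(hdr: bytes) -> dict:
    """16-bit MPPC header: flags A, B, C, D, then a 12-bit coherency count."""
    if len(hdr) < 2:
        raise ValueError("short MPPC header")
    h = (hdr[0] << 8) | hdr[1]
    return {
        "flush_history": bool(h & 0x8000),  # A: history was reinitialised
        "move_to_front": bool(h & 0x4000),  # B: packet placed at history start
        "compressed": bool(h & 0x2000),     # C: payload is MPPC-compressed
        "count": h & 0x0FFF,                # coherency count (not tracked here)
    }


def mppc_decompress(payload: bytes, history: bytes = b"") -> bytes:
    """Decode one MPPC payload; `history` is the previously decoded output."""
    r = BitReader(payload)
    out = bytearray(history[-HISTORY_SIZE:])
    start = len(out)
    # The stream is zero-padded to a byte boundary and every token needs at
    # least 8 bits, so fewer than 8 remaining bits can only be padding.
    while r.bits_left() >= 8:
        if r.read(1) == 0:                   # 0 + 7 bits: literal 0x00..0x7f
            out.append(r.read(7))
            continue
        if r.read(1) == 0:                   # 10 + 7 bits: literal 0x80..0xff
            out.append(0x80 | r.read(7))
            continue
        # "11" prefix: copy tuple. Offset coding first.
        if r.read(1) == 0:                   # 110 + 13 bits: offset 320..8191
            offset = r.read(13) + 320
        elif r.read(1) == 0:                 # 1110 + 8 bits: offset 64..319
            offset = r.read(8) + 64
        else:                                # 1111 + 6 bits: offset 0..63
            offset = r.read(6)
        # Length: n leading ones, a zero, then n+1 low bits; "0" alone is 3.
        n = 0
        while r.read(1) == 1:
            n += 1
            if n > 11:
                raise ValueError("invalid MPPC length code")
        length = 3 if n == 0 else (1 << (n + 1)) | r.read(n + 1)
        if offset == 0 or offset > len(out):
            raise ValueError("copy offset points outside history")
        for _ in range(length):              # byte-wise so overlapping copies work
            out.append(out[-offset])
    return bytes(out[start:])


def decode_compressed_ppp(frame: bytes, history: bytes = b"") -> bytes:
    """PPP protocol 0x00fd (compressed datagram) -> MPPC header -> datagram."""
    if frame[:2] != b"\x00\xfd":
        raise ValueError("not a PPP compressed datagram (protocol 0x00fd)")
    hdr = parse_mppc_header(frame[2:4])
    # Simplification: both A and B restart the window for this decoder.
    if hdr["flush_history"] or hdr["move_to_front"]:
        history = b""
    body = frame[4:]
    return mppc_decompress(body, history) if hdr["compressed"] else body


if __name__ == "__main__":
    # Constructed vector: literals 'a','b','c' then copy(offset=3, length=9).
    print(mppc_decompress(b"abc\xf0\xf1"))
```

To use this on a real dump, feed each decompressed datagram back in as `history` for the next packet from the same direction, and stop trusting the window whenever the coherency count skips; the RFC also requires a reset request to the peer in that case, which a passive listener cannot send.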
Sec: What do I need to press?
schneider: Shift-F5!
Sec: Hello!? … Ah!
schneider: So, that’s voice. And… working
quite fine. If you get the packets in,
and for the decoder no problem.
We can decode that. But there’s still
lots of stuff we don’t… we’re not able to
decode. And they look like voice frames.
But they’re not voice.
They decode as 100% non-decodable.
They usually come in trains of three,
so you have activity on three channels
with things that look like voice. It's not
– so what is it? We have no idea at all.
Might be encrypted voice. There are people
who have the idea maybe they used
channel-bundling to use some more
bandwidth-intensive cipher.
If anyone has any idea about that
that would be great … or a device
which uses this would be
even more interesting.
Range. Now, we had the phone and
we were traveling a little bit in Germany.
And at a distance of roughly 300 km
we placed a call. And in fact could
receive that in Munich. Roughly half
of it, and that puts around this circle
around Munich where we can receive calls
with Iridium. That’s quite an area. Now,
there is no encryption at all on the voice
frames, nothing. They just didn’t bother.
The phone has a little bit of
authentication with usually GSM algorithms
from the nineties. Nice. But the voice is
unencrypted. So you can bet your ass
that if you place a call on Iridium
not only will the U.S. listen to you
but everyone else will listen to you.
Just be aware.
These things are also available
commercially. We found at least three
different vendors supplying the stuff.
Probably only to government agencies
and other… well…
laughs
I guess if you really want to get
these things you can get them.
So, future plans: looking at uplink!
At the moment if we take this phone,
place a call, we get what’s coming down
from the satellite. The uplink has
a slightly different modulation, at least
in the beginning. We suspect that
everything else will be the same.
But so far we haven’t looked at that.
Shouldn’t be a big deal, we just need to
take some time and actually do that.
Then, there's the ‘GSM tap for Wireshark’
which is a nice interface to put in
your own protocol into Wireshark and
decode that. Would be very nice and
we’re already working on that. So you can
have a nice view in Wireshark, do filters
and see what’s actually going on on the
network. Decoding unknown packets:
there’s lots of stuff going on on type
number (2) and type number (0)
which we don’t yet know what it is. Really,
the limiting factor there is devices,
which brings us to the next slide. We
need to get access to more devices and
we have some on our list to have a look
at. Because if you have a device –
it’s the easiest option to actually see
what’s going on. You know which one
of these packets is yours, you can decode
these, you can send some special data
and play around a little bit. That makes
things really easy, in fact. Then,
signaling, handover and authentication.
We haven’t looked at that at all so far.
It’s actually not needed, really,
if you just want to get to the data but
it’s quite interesting, for example
these phones, they look all the time at
what satellites are available and they’d
choose which satellite they want to use.
They perform the handovers and all of
these things. We want to have a look
at that, too. Further reversing the
firmware. There’s lots of stuff to be learned
from firmware and still I guess we
reversed like 10% of that SBD modem.
Maybe it has still things to show.
Performance – well, we have already
mentioned it, lots of stuff to do. Now,
the code is on Github, almost all of it.
Maybe a few bits are missing to get the
whole tool chain working really smoothly.
So if you discover that jump into the IRC
channel, bug us and we’ll have a look
in our stash and see if there’s something
missing. In general, all the information
we’ve presented today is public and in the
Github repository. Again, we’re looking
for specification, and especially products
– Iridium GO, OpenPort devices,
any SBD enabled device, e.g. Rock Seven
devices, if you have access to this stuff.
If you can lend that to us for like two
weeks, would be very nice. And then
there’s also Iridium Burst which might
replace some pagers for some of these
users. These are modified SBD modems,
they’re passive and you tell Iridium:
“Hey, send me this message to Europe, send
me this message to the U.S. or maybe
to the globe”. And then these devices will
pick it up, undetectable, and we have
an idea which frames these are. These
are special pager frames, we suspect.
We see them all around the world,
the same format, probably encrypted,
but maybe only a somehow cobbled-together encoding
which we haven’t seen yet. So,
that’s going to be very interesting.
Then, thanks again to tnt, Dieter and
SteveM. That was a great help,
very inspiring people. Thanks to the
Osmocom guys. Thank you very much!
applause
Herald: Thank you for the awesome talk.
Unfortunately, we won’t have any time
for questions anymore.
Sec: What??
Herald: But I guess we can
contact you via e-mail or IRC
or anything else. I’m sorry.
Sec: Why?
schneider: We’re on time!
Sec: We’re on time, we have 15 minutes left!
discussion on stage
Herald: Ooh yeah, I fucked that one up.
We have plenty of time for Q&A!
applause
I am really sorry. So please line up
at the microphones and get ready
to hit Sec and schneider with your
questions. While you do that,
Signal Angel, is there something that
we should answer for the internet?
Signal Angel: Yes, there is one
question. There is someone asking
if the mystery data could be
like sensitive, I don’t know,
military, police, or something
like a custom codec?
schneider: We have absolutely no idea.
Signal Angel: Okay, thanks.
schneider: But… likely!
Signal Angel: Thanks.
Sec laughs
Herald: Microphone 2, please.
Question: Thank you. I heard that the NSA
was trying to secure the Iridium network.
Where did they go wrong?
schneider: Securing the Iridium network?
laughs
Sec: As far as we can tell, at least the
parts that we looked at, there was
no attempt to secure it. It’s still
the same stuff that was used
when it was built. I mean, we see
some messages that we don’t know.
It’s possible that those are encrypted
communications going on. We can’t tell
at this point. So, there might be
encrypted communication going on
in Iridium that we don’t know about.
Herald: Thank you. Microphone No.3,
in the back there. No, nobody!
Question: Since it’s conceivable that
you could actually… I mean the actual
database that’s verifying the
contracts is ground-based.
Does this mean that if you transmit
a phone call to the satellite,
that it has to first re-transmit it back
to earth in order to verify that data
is allowed to be sent and
relayed, so you should
typically be able to make
a phone call over the 150 km radius
that the satellite will repeat
back to earth to… no idea?
Sec: Actually I don’t really know.
We haven’t gotten that far
in our protocol understanding to
even be able to try this. But it would
definitely be interesting to try it.
Question: I don’t mind throwing a bit
of money at that so you are gonna try it!
Herald: Are there any more questions?
Right now I can’t see any of them… oh!
On microphone No.4 there’s a question!
Someone: No!
Herald: Then, Signal Angel!
Signal Angel: Okay, I have currently
got three questions from internet.
I’m going to start with the first one.
That is: the Code Composer Studio version
that you found, the old one, whether
it’s specifically to the DSP or…
it’s… basically… did the DSP support go
away or what’s the deal with this version?
schneider: Yes, exactly. At some point
Code Composer Studio dropped
the support for this specific DSP and
we had to get a very old version
to still have support for it.
I think it’s CCS version 3.
Question: Okay!
Herald: So I would say another question
from microphone No.2.
Ray: I just wanted to ask: is it legal
to receive these things?
Sec: This is a very good question!
And I refer you to:
the ‘Weltraum-Theorie’!
wild applause and cheers
So as far as I can tell
there’s no problem.
laughter, applause and cheers
schneider: And if you have a problem
we’ll just overrule you.
laughs
laughter
Sec: Sorry, it’s only in German!
schneider: Thank you for that question!
Herald: Okay, we have another question
from the internet.
Signal Angel: Yes, the question is:
what is the state of being able to
geo-locate Iridium terminals?
schneider: So, during the Ring Alert
you see where a device gets paged.
And that’s paging a specific cell.
You know where that cell comes down.
So that will tell you a rough estimate
where that terminal is.
Of course the cell is big, many
hundreds of kilometers, so
probably you can have a look at this
over time and see how the pagings change
when the cells hit some border.
If the terminal doesn’t move
you can probably pinpoint it better
using that. We haven’t tried that yet.
But that’s our guess how it would work.
Herald: Okay, before we get to the next
question, a short announcement
to the door angels: the hall is full, dear
door angels, please don’t let anyone else in.
something shouted from audience
Herald continues in German by accident:
The next question
from the internet, please!
Signal Angel: The question is:
is your data that you collected
available somewhere
for somebody else to have a look at?
schneider: No. laughs
Okay, so, we won’t publish
any recordings or anything like that.
We might publish some samples
of our own messages.
I mean, you’ve seen a few
on the slides now. If you bug us on IRC
we’ll probably have something.
But, in general,
you can’t just collect data
and make it public.
Sec: I mean the great thing about
this Iridium is: just open your window,
you will get data!
schneider: Pretty much!
Sec: Lots of data!
Herald: Then we have another
question at microphone No.3.
Question: So since recording
the data is obviously legal,
is it against, like, some policy of Iridium,
that you get angry emails from them?
Did you have any contact with them?
schneider: As far as I can tell
they are aware of this,
and for them it’s a jungle and
I think they just deal with it.
Or, in fact, who cares?
GSM has been shown to be insecure
for a long time – what’s the most used
cellphone network on the planet?
Herald: Thanks for that answer.
Microphone No.2, please.
Question: Thank you. We’ve talked about
listening. What about manipulating?
Sec: As we said we don’t really
have a good understanding
of all the signaling and more intricate
details of the handover and stuff,
and the authentication. We haven’t really
looked at this because the data we got
was so interesting that
we spent our time there.
There’s probably lots of possibilities
but we haven’t tried anything yet.
schneider: And I would recommend
to not just try that.
These things have been built in the
beginning of the nineties and,
I’m not sure. Maybe just before they
de-orbit it, so one can have a play.
But I wouldn’t. Really.
Herald: Do we have more
questions from the internet?
Signal Angel: We do.
The next question is…
Somebody wanted to know if you… well, they
think you know more than you tell and ask
if you’ve got a gag order.
Sec: We have definitely not gotten a gag
order. I have had no contact from anyone
who is affiliated with Iridium,
or any law at all.
schneider: I’ve once checked the logs
on my web server and Iridium servers
did access some of my files. Then I got
a little bit scared. And then I realized
that was me going over the phone and
downloading something. laughs
laughter and applause
Herald: Okay, then, microphone No.2!
There’s just the Microphone Angel. Okay.
No question from that person.
Then, the internet, please go ahead!
Signal Angel: Okay, the internet wants to
know how many uplink stations there are.
Sec: There’s one for civilian
use and one for military use.
At least as far as
the published information goes.
schneider: And one more which we
don’t know what it’s exactly doing
but it’s near the pole.
mumble in the audience
Sec: There have been many more in the
past. I mean when they built this thing
they had one in Japan. But as far
as the documentation goes
they are all inactive.
schneider: Yes. You have to know that
Iridium went bankrupt beginning 2000s.
And at that point they scaled down
the whole thing a lot to make it
more cost-efficient. And they also
scaled down the amount of gateways.
So, sometimes you get references
for lots of gateways for Iridium but
they’re all inactive. Not sure what
they’re doing with these any more.
Herald: Okay. I think we have
questions from the internet left?
Signal Angel: Actually as far
as I know right now we don’t.
Herald: Great. Then give a warm hand
of applause for Sec and schneider!
applause
postroll music
subtitles created by c3subtitles.de
in the year 2017. Join, and help us!