< Return to Video

Sec, schneider: Iridium Update

  • 0:00 - 0:09
    32C3 preroll music
  • 0:09 - 0:13
    Herald: I think hacking satellites is fun.
  • 0:13 - 0:20
    I think it’s even more fun when
    it’s all ‘security by obscurity’.
  • 0:20 - 0:24
    I would like to present you
    Sec and schneider.
  • 0:24 - 0:29
    Both are members of the Munich CCC.
    Sec worked as a security consultant
  • 0:29 - 0:33
    but he’s probably best known for the
    ‘Hacker Jeopardy’. Which he has been doing
  • 0:33 - 0:37
    for more than a decade.
    And obviously the rad1o!
  • 0:37 - 0:42
    applause
  • 0:42 - 0:47
    And schneider is an awesome developer
    for hardware and software.
  • 0:47 - 0:52
    So, who has been to Camp and
    seen the talk about Iridium there?
  • 0:52 - 0:57
    Please raise your hand.
    Wow.
  • 0:57 - 1:03
    And who has seen
    the Iridium talk on 31C3?
  • 1:03 - 1:09
    Even more people. And who hasn’t
    had any Iridium update at all?
  • 1:09 - 1:15
    Wow. Okay, so without further ado,
    here is your yearly Iridium update!
  • 1:15 - 1:21
    applause
    Sec laughs
  • 1:21 - 1:25
    schneider: Yes, hello, thank you for
    coming to this Congress’ edition
  • 1:25 - 1:30
    of the Iridium talk. laughs We’ve
    increased our slot size by 100%
  • 1:30 - 1:33
    compared to one year ago. And we’ve also,
    I guess, increased the amount of content
  • 1:33 - 1:39
    by quite a bit. In the last
    year we’ve got ourselves
  • 1:39 - 1:44
    some devices to play with from Iridium.
    Modems, actually. More than one of them.
  • 1:44 - 1:49
    A phone, with contract. And that helped
    us a lot getting more knowledge
  • 1:49 - 1:56
    about Iridium. Now, apparently, I guess
    half of you haven’t seen any talk
  • 1:56 - 2:02
    about Iridium from us before. So here’s
    a short introduction. Iridium is a global
  • 2:02 - 2:07
    satellite network made out of Low Earth
    Orbit satellites, built by Motorola
  • 2:07 - 2:13
    in the nineties. It has 66 active logical
    satellites. And with ‘logical’ we mean
  • 2:13 - 2:18
    one satellite can be more than one
    satellite in orbit. Maybe it has failed
  • 2:18 - 2:23
    a little bit and now they have two
    satellites in one spot producing
  • 2:23 - 2:28
    one logical satellite still functioning.
    You have worldwide global coverage,
  • 2:28 - 2:34
    even at the poles, on every place on
    earth, on the water – everywhere.
  • 2:34 - 2:40
    Services: you’ve got messaging, you’ve
    got voice, you’ve got internet IP data.
  • 2:40 - 2:45
    And even some special services which are
    broadcast-only, which they only send down
  • 2:45 - 2:51
    to earth, and the receiver doesn’t receive
    anything. Now, Iridium coverage –
  • 2:51 - 2:57
    there’s a lot of Iridium satellites, and
    they produce a spot beam pattern
  • 2:57 - 3:04
    on the planet. There’s 48 spot beams,
    each of them covering roughly 400 km
  • 3:04 - 3:09
    in diameter. All spot beams together
    roughly 4500 km. Now, if you have
  • 3:09 - 3:13
    a very sensitive setup you can receive
    more than one spot beam at the same time.
  • 3:13 - 3:18
    And that’s going to be another issue
    during this talk. If you want to have
  • 3:18 - 3:24
    a look at this on a global scale you can
    see how much area one Iridium satellite
  • 3:24 - 3:32
    is covering on earth. Quite a lot. And by
    receiving them you get a lot of knowledge.
  • 3:32 - 3:38
    Why look at it? Now. There’s almost
    no info about Iridium available online
  • 3:38 - 3:44
    or in paper, or any way. It’s a completely
    proprietary protocol. There’s nothing
  • 3:44 - 3:48
    about it available. Its worldwide visible.
    You go out there you get Iridium signals.
  • 3:48 - 3:52
    You go to the pole you get Iridium signals.
    So it’s nice to have a look at it and
  • 3:52 - 3:58
    talk about it, and everyone can just go
    out and have a look at it. Low barrier
  • 3:58 - 4:04
    of entry. Cheap RTLSDRs are good enough
    to get pager messages from Iridium.
  • 4:04 - 4:10
    There’s lots of interesting services: the
    pagers, Iridium Burst. The devices for that
  • 4:10 - 4:13
    are passive. They don’t send anything
    out. So probably interesting
  • 4:13 - 4:18
    for Intelligence services also. And
    future-proof. There’s nation states
  • 4:18 - 4:22
    interested in Iridium, namely the United
    States and also quite a commercial
  • 4:22 - 4:27
    venture behind it. There’s going to be
    Iridium Next, launched next year.
  • 4:27 - 4:30
    At least that’s the plan. It’s going
    to replace all of the satellites,
  • 4:30 - 4:34
    66 more satellites. They will de-orbit
    the old ones. But still the system will
  • 4:34 - 4:39
    stay compatible with the current system.
    So, worth the effort. Applications.
  • 4:39 - 4:46
    Tracking, fleet management, mobile data,
    emergency services. There are devices
  • 4:46 - 4:50
    for emergency responders to tell
    them where to go, based on Iridium.
  • 4:50 - 4:54
    Maybe that’s in a helicopter or a plane.
    Maritime sensors – very interesting.
  • 4:54 - 4:59
    With Iridium antennas you don’t have to
    point the antenna at a specific point
  • 4:59 - 5:03
    in the sky. You have something, it can
    wobble around, will still work fine.
  • 5:03 - 5:08
    Aircraft communications – we’ve seen that.
    While the spot beams cover all of earth,
  • 5:08 - 5:12
    apparently they also work 10 kilometers
    up, and there’s a lot of applications
  • 5:12 - 5:19
    for aircrafts. We have been
    doing this for almost 2 years.
  • 5:19 - 5:25
    And one year ago at Congress
    we had pager messages. Nice.
  • 5:25 - 5:30
    We also had the downlink demodulated
    and descrambling going on.
  • 5:30 - 5:34
    The Ring Alert Channel identified, and
    some data stuff. Then the rad1o happened.
  • 5:34 - 5:39
    And really, the rad1o was a secret project
    to get more Iridium receivers out there.
  • 5:39 - 5:44
    That worked great. It has good coverage
    on Iridium. It did delay us a little bit, so
  • 5:44 - 5:48
    after the rad1o we spent a lot of time
    again on Iridium. And we got a lot of stuff
  • 5:48 - 5:53
    going: short-burst data decoding. We've
    raided a phone, had a look at that.
  • 5:53 - 5:58
    We looked at IP traffic on Iridium. And
    even got more data out of that SBD modem
  • 5:58 - 6:03
    than just data which it receives. So.
  • 6:03 - 6:09
    One year ago this was our recommended
    setup: passive antenna and very expensive
  • 6:09 - 6:14
    bandpass and low noise amplifiers.
    That works but since Camp we’ve got
  • 6:14 - 6:20
    a much better setup: modified GPS
    antennas – they’re super cheap,
  • 6:20 - 6:24
    they work almost out-of-the-box, you
    remove one filter, you maybe replace
  • 6:24 - 6:28
    one of the components in there, you’ve
    got a pretty nice Iridium antenna.
  • 6:28 - 6:31
    Optionally, you can add an Iridium filter
    in there and then you can also use it
  • 6:31 - 6:35
    in busy environments. Just one thing:
    if you get one of these antennas
  • 6:35 - 6:42
    make sure it has screws in it so you can
    reseal it again and take it outdoors.
  • 6:42 - 6:46
    Modifications: you remove one filter,
    you get an Iridium patch antenna
  • 6:46 - 6:51
    – available on Mouser, Digikey… –
    that’s no big deal. You solder it in,
  • 6:51 - 6:55
    you’ve got a nice antenna. We’ve got
    this thing documented in our Wiki.
  • 6:55 - 7:00
    Have a look at that. You will get a good
    Iridium antenna. Though, one thing is
  • 7:00 - 7:03
    potentially…
    applause
  • 7:03 - 7:08
    – thanks! – …missing if you
    are in an urban environment
  • 7:08 - 7:12
    and there’s lots of GSM and UMTS going on
    you probably want to add an Iridium filter
  • 7:12 - 7:18
    in there. Murata actually makes one
    specifically for Iridium. You pop that in
  • 7:18 - 7:21
    and you’ve got a nice and clean signal.
    It depends on the environment
  • 7:21 - 7:26
    but highly recommended.
    Now, receiver setups.
  • 7:26 - 7:31
    Cheapest option: take that antenna,
    attach it to an RTLSDR (preferably
  • 7:31 - 7:36
    E4000 tuner) and you get Iridium
    reception. Just a portion of the band,
  • 7:36 - 7:41
    roughly 20..40%, but still enough
    to get a good idea about Iridium.
  • 7:41 - 7:45
    We’ve started with that, we’ve been
    running this for a long time. And,
  • 7:45 - 7:52
    example for pagers – more
    than enough. Next best thing:
  • 7:52 - 7:58
    “real” SDR: rad1o, HackRF, USRP.
    With more coverage.
  • 7:58 - 8:02
    Passive antenna works with these, they
    have a good enough amplifier to do it. But
  • 8:02 - 8:06
    the cabling must be quite short. You
    cannot have many losses in the cable.
  • 8:06 - 8:12
    So, therefor the really recommended setup
    from us is having an active antenna
  • 8:12 - 8:16
    with an SDR. You can take the antenna
    outside, have 5 meters of cable,
  • 8:16 - 8:19
    put the SDR inside. Weatherproof setup.
    You can leave it there. We have
  • 8:19 - 8:24
    something like that in Munich,
    works a treat. Yes.
  • 8:24 - 8:28
    State of the tool chain: we’ve improved
    that quite a lot. It’s a lot speedier now.
  • 8:28 - 8:34
    We have better signal processing, we get
    the signals down a little bit nicer, faster,
  • 8:34 - 8:39
    and also now have the option to cover
    a much wider band of Iridium,
  • 8:39 - 8:43
    like the whole band. And now it’s feasible
    for us to actually decode everything
  • 8:43 - 8:48
    on the Iridium. Not real-time, that’s way
    too much computing effort now. But we can
  • 8:48 - 8:53
    put it on a disk and decode it then. For
    real-time processing really a major effort
  • 8:53 - 8:58
    has still to be done. But,
    well, we’ll see what happens.
  • 8:58 - 9:01
    applause
  • 9:01 - 9:05
    Continuing on that… to make use of
    modern multi-core processors we’ve added
  • 9:05 - 9:10
    a Queue in there. And you can utilize
    as many cores as you want to decode
  • 9:10 - 9:15
    Iridium signals. Just one thing: the stuff
    on the left still runs on a single CPU,
  • 9:15 - 9:21
    or a single core. And that’s limiting us in
    terms of what we can do. But really,
  • 9:21 - 9:28
    most faster cores right now can handle the
    whole Iridium band, so, should be fine.
  • 9:28 - 9:35
    We had a play with an Iridium test set.
    Dieter from the Osmocom guys got one.
  • 9:35 - 9:38
    We had a play session. That was
    a real boost. He also helped us a lot
  • 9:38 - 9:42
    on the Link Control Word (LCW) and other
    stuff to decode. That gave us a boost.
  • 9:42 - 9:47
    At the beginning of this year, just before
    doing the rad1o, and got a lot off of that.
  • 9:47 - 9:52
    Barrier Air recommended (?) these
    devices, nice. Now, SBD modems.
  • 9:52 - 9:56
    We got ourselves a few of these things.
    They’re ‘Short Burst Data modems’.
  • 9:56 - 10:00
    ‘Short Burst Data’ means that you get
    little packets of data. You can send it
  • 10:00 - 10:04
    to the satellite, the satellite can send it
    back to you. They’re used all over the place
  • 10:04 - 10:09
    for all kinds of services for Iridium.
    These ones are specifically cheap.
  • 10:09 - 10:14
    We got a group order going, from SteveM,
    also Osmocom guy. 50 Euros per piece,
  • 10:14 - 10:18
    was rather cheap. Now, the thing is
    these are really simple SBD modems.
  • 10:18 - 10:22
    They don’t have a SIM card. They
    really rely only on the internal IMEI.
  • 10:22 - 10:26
    They don’t have a secret in there,
    or nothing else… anything else.
  • 10:26 - 10:29
    They don’t authenticate themselves
    against the network, the network doesn’t
  • 10:29 - 10:35
    authenticate it[self] against the modem.
    Nothing. You supply your contract guy
  • 10:35 - 10:42
    with your IMEI, and you get a contract
    for that thing. Really interesting.
  • 10:42 - 10:47
    This modem also has debug interfaces,
    a test port interface which we found
  • 10:47 - 10:49
    interesting because it was mentioned in
    the documentation, quote: “maybe
  • 10:49 - 10:52
    you can change the IMEI, or stuff
    like that”. Interesting. It runs
  • 10:52 - 10:56
    over the Digital Peripheral Link (DPL)
    which is like some other multiplex thingy
  • 10:56 - 10:59
    over that, which is actually a physical
    link. And in there, there’s the TPI.
  • 10:59 - 11:03
    There’s absolutely no documentation
    available about TPI. There’s a small bit
  • 11:03 - 11:09
    of documentation about DPL for
    another device. We had a look at that.
  • 11:09 - 11:14
    DPL format then looks like that: You
    have a start byte, a length, data, checksum
  • 11:14 - 11:19
    and an X. So that’s pretty easy. That
    was fast implement. But the TPI stuff
  • 11:19 - 11:24
    was more tricky, so we had to get into
    the firmware. During the OsmoDevCon
  • 11:24 - 11:29
    tnt got into extracting firmware from an
    update image, and we had a look at that.
  • 11:29 - 11:32
    And really, you get a table of
    TPI commands and most of them are
  • 11:32 - 11:36
    not implemented but some are. And
    after reversing a lot of the firmware
  • 11:36 - 11:41
    we figured out where to go and where to
    look for the EEPROM stuff. And now
  • 11:41 - 11:48
    we have on Github available TPI support
    for this modem. You can change the IMEI,
  • 11:48 - 11:54
    so what you can do is get a contract for
    one modem, take another modem, you clone
  • 11:54 - 11:58
    this modem onto that modem, now you have
    a contract for two modems. Interesting.
  • 11:58 - 12:01
    laughter and applause
  • 12:01 - 12:06
    And also these IMEIs are not… I mean
  • 12:06 - 12:09
    they are blocks, probably you can
    guess one. You shouldn’t do that.
  • 12:09 - 12:15
    I think that’s a big hole. They did that
    on purpose. There are modems with SIM.
  • 12:15 - 12:18
    They authenticate themselves against
    the network. But that’s about it.
  • 12:18 - 12:23
    And who knows how secure that is. We’ll
    have a look at that at some point later.
  • 12:23 - 12:29
    The code is on Github but
    not quite everything. laughs
  • 12:29 - 12:33
    Then there’s another thing. There’s a debug
    interface. It spits out debug information
  • 12:33 - 12:38
    all the time. You enable it also via
    writing to some EEPROM location.
  • 12:38 - 12:46
    And if you do that what it spits at you
    is this. From 1990, really! laughs
  • 12:46 - 12:51
    Interesting. So this stuff evolved quite
    a lot. So we’re now 25 years later
  • 12:51 - 12:56
    and this code is still running. If you
    enable all of the debug information
  • 12:56 - 13:01
    you get lots of stuff.
    First two lines: Ring Alert channel.
  • 13:01 - 13:05
    This we had decoded already,
    earlier this year, most of it.
  • 13:05 - 13:11
    It proved that most of the stuff we did
    is right. We also got more stuff,
  • 13:11 - 13:16
    broadcast channel, some sync packets,
    traffic channels. Some of these information
  • 13:16 - 13:21
    you already have integrated
    into the tool chain. Not all of it yet,
  • 13:21 - 13:27
    but this firmware is a real nice thing
  • 13:27 - 13:32
    to get data from.
    Packets.
  • 13:32 - 13:36
    Iridium has 10.5 MHz of bandwidth. At
    the moment they’re using ca. 8.5 MHz,
  • 13:36 - 13:44
    at least in Europe. We see roughly 2,000
    detected bursts per second on average.
  • 13:44 - 13:52
    And we decode of these roughly
    1,200 into Iridium frames.
  • 13:52 - 13:57
    And roughly 80% of these don’t have severe
    errors, so we can get a link control word
  • 13:57 - 14:02
    or decode some stuff –
    at least categorize it.
  • 14:02 - 14:07
    If you look at that this is
    a four-minute interval on Iridium.
  • 14:07 - 14:15
    The whole band; these are roughly
    a few hundred thousand packets,
  • 14:15 - 14:21
    so there’s quite a lot going on.
    At the top you see the pager channels.
  • 14:21 - 14:25
    Every 20 seconds this small burst on the
    Ring Alert Channel, always active, and
  • 14:25 - 14:33
    then down there there’s data channels,
    broadcast channels and more of this stuff.
  • 14:33 - 14:38
    Last year we looked at pager channels,
    that’s only 500 kHz of data.
  • 14:38 - 14:44
    Now we’re looking at 10 MHz, that’s
    not going to be done in real time
  • 14:44 - 14:47
    with our current tool chain. Right now,
    we can look at roughly 2 MHz, do it
  • 14:47 - 14:52
    in real time, so that you get a good idea
    about Iridium. There’s a lot of room
  • 14:52 - 14:57
    for improvement, at least that’s what you
    think. So if someone wants to help us there
  • 14:57 - 15:00
    we are happy about to do that.
    At the moment it’s good enough for us
  • 15:00 - 15:05
    to get more data
    out of the Iridium system.
  • 15:05 - 15:10
    We usually just record to hard disk,
    get the data off. It’s lots of data.
  • 15:10 - 15:15
    I mean, you have to think about 80 GB
    per hour if you capture the whole band.
  • 15:15 - 15:19
    So you only can do that for specific
    things, if you maybe want to have
  • 15:19 - 15:23
    one transaction of a modem. We’re
    only looking at the downlink but
  • 15:23 - 15:28
    at the same time Iridium suggests that
    people use their service so that it goes
  • 15:28 - 15:31
    up to the satellite, across to another
    satellite, and down again. Because
  • 15:31 - 15:36
    that will save them bandwidth on their
    single gateway somewhere in the U.S.
  • 15:36 - 15:43
    And now Sec will tell you more
    about different frame types.
  • 15:43 - 15:49
    applause
  • 15:49 - 15:53
    Sec: Thank you. So we’re
    going to look a little bit into
  • 15:53 - 15:59
    what is all coming down
    from the Iridium satellites.
  • 15:59 - 16:04
    I mean, a little bit of it
    we already know. Like…
  • 16:04 - 16:07
    this is the overview of the packets.
    I mean, schneider already told you
  • 16:07 - 16:11
    the small bits at the top, the green
    ones are the pager channel where
  • 16:11 - 16:15
    all the pager messages come, which
    were part of our last year’s talk.
  • 16:15 - 16:19
    The red below that is the Ring Alert
    channel. And then we have
  • 16:19 - 16:24
    categorized the other traffic, like
    the blue are the Broadcast channels.
  • 16:24 - 16:29
    Interestingly, not all of the frequencies
    are used at the same time, but
  • 16:29 - 16:35
    that changes over time. And then
    we have several things like blocks
  • 16:35 - 16:43
    of IP packets, blocks of streams of voice
    packets, and other data packets. And
  • 16:43 - 16:49
    now we are going to look at them one by
    one. The first is the Pager Message frames
  • 16:49 - 16:53
    which are already known from the talk.
    We identified them, they start with
  • 16:53 - 16:58
    a unique pattern at the beginning,
    which is hex 9669 encoded
  • 16:58 - 17:03
    as binary phase-shift keying (BPSK). And
    our cool tool chain decodes them, and
  • 17:03 - 17:07
    this is the message I think we used last
    year. It’s not very interesting, it was
  • 17:07 - 17:14
    just for testing. There’s not much to say
    about this, I think that’s more or less
  • 17:14 - 17:20
    completely solved. Then we have…
    Oh, what I wanted to say is that
  • 17:20 - 17:27
    Iridium doesn’t really want you to use
    this anymore. They say: “If you can
  • 17:27 - 17:31
    get a pager [device] somewhere, then we
    will still honor it but you can’t get one
  • 17:31 - 17:37
    from us!” That makes them hard to
    get, maybe a little bit expensive but
  • 17:37 - 17:42
    they’re still in use. I mean we see lots
    of messages going on. Then there are
  • 17:42 - 17:49
    the Ring Alert frames. We can’t identify
    them by looking at them alone.
  • 17:49 - 17:55
    We identify them by the frequency
    range they’re in. This is a little bit
  • 17:55 - 18:01
    like randomly guessed
    where the best cut-off point is.
  • 18:01 - 18:08
    The format is mostly known from our play
    session with the Racal thing we showed you
  • 18:08 - 18:14
    before. Dieter took a lot of work from
    us [off us] by reversing the firmware
  • 18:14 - 18:21
    and getting us info how to decode
    this. We did a brief overview
  • 18:21 - 18:29
    at the Camp talk. The frames
    look like this. laughs
  • 18:29 - 18:35
    It contains mostly information like the
    current satellite and the beam you are
  • 18:35 - 18:40
    seeing at the moment. Then it contains
    the position which alternates between
  • 18:40 - 18:44
    the position where the satellite is at and
    the position where the beam that you are
  • 18:44 - 18:49
    currently seeing hits the earth. So that
    could, in theory, be used for geolocation
  • 18:49 - 18:54
    but it’s really, really very broad
    information. I mean you could probably
  • 18:54 - 18:59
    average this or something like that.
    And then it also contains the pages,
  • 18:59 - 19:03
    so when the network wants a device
    to contact the network because it has
  • 19:03 - 19:09
    some information for it it sends the PAGE
    message. Unfortunately, that TMSI,
  • 19:09 - 19:17
    that’s a temporary identity, so we can’t
    really tell you which actual device it is.
  • 19:17 - 19:21
    We intend to look into how this
    is mapped in the future, but
  • 19:21 - 19:28
    we didn’t have time for it. This is
    as the Ring Alert channel sends
  • 19:28 - 19:33
    the Beam ID. You can see as a satellite
    passes over our receiver. Which Beam IDs
  • 19:33 - 19:40
    we see you can see that depending
    on the noise and whatever…
  • 19:40 - 19:50
    you can also see several spot beams at the
    same time, or shortly after each other.
  • 19:50 - 19:56
    The next part of the family of packets
    are the Broadcast frames.
  • 19:56 - 20:02
    We can identify them by
    a checksum, a BCH checksum.
  • 20:02 - 20:08
    The polynomial is 1207 which is actually
    the bit-reverse of the polynomial that’s
  • 20:08 - 20:14
    used to protect the messaging
    packets. I don’t really know why but
  • 20:14 - 20:21
    it helps to distinguish those packets.
    Most info about those packets are also
  • 20:21 - 20:25
    taken from the Racal Test Set firmware.
    We’ve also shown them at the Camp talk
  • 20:25 - 20:31
    very briefly. They look like this!
  • 20:31 - 20:37
    They contain information about the
    network where it tells the devices
  • 20:37 - 20:43
    what frequency offset they have and what
    timing offset they have, to correct for this,
  • 20:43 - 20:48
    or what power they are receiving so they
    can adjust the power. That’s not really
  • 20:48 - 20:53
    our focus at the moment because that’s
    boring stuff like about the internals
  • 20:53 - 20:58
    of the network. And the interesting
    stuff are the data frames.
  • 20:58 - 21:03
    We can identify them, they have a valid
    Link Control Word. I mean, at the beginning
  • 21:03 - 21:11
    a special set of bits that is protected
  • 21:11 - 21:18
    by BCH checksum but before you get to the
    correct bits you have to re-sort those bits,
  • 21:18 - 21:23
    and it’s the most bizarre scrambling of
    bits I’ve seen so far, and I have no idea
  • 21:23 - 21:30
    how they came up with this order. If anyone
    has an idea I would be offering a beer.
  • 21:30 - 21:36
    This is three different parts and the
    content after the Link Control Word
  • 21:36 - 21:42
    is always 312 bits long which is
    the maximum packet length.
  • 21:42 - 21:48
    If you look at the descrambled Link
    Control Word those three parts
  • 21:48 - 21:54
    are protected by separate
    BCH checksum polynomials,
  • 21:54 - 22:00
    like the first 29, and then
    465 and 41.There’s
  • 22:00 - 22:06
    one interesting thing: the middle part of
    the Link Control Word is missing one bit.
  • 22:06 - 22:12
    Fortunately, the BCH checksum can correct
    bit errors, so you’re expected to have like…
  • 22:12 - 22:16
    in half of the packets you’re expected
    to have a bit error there because they
  • 22:16 - 22:21
    obviously didn’t have the space to fit
    this bit and just dropped it on the floor.
  • 22:21 - 22:26
    The first part of the Link Control Word
    which is three bits long – that gives us
  • 22:26 - 22:33
    eight choices – is the Sub-type of
    the data frame. That we can use
  • 22:33 - 22:37
    to differentiate the packets.
    The second and third part contain
  • 22:37 - 22:41
    more network information about handoff
    and acquisition channel and stuff
  • 22:41 - 22:49
    which we took from the TPI debug code
    that schneider mentioned before.
  • 22:49 - 22:54
    But we’re not too interested in that
    network management stuff at the moment.
  • 22:54 - 23:01
    So we are going through the Sub-types of
    the data packets now, starting at the top,
  • 23:01 - 23:04
    the ‘Sub-type 7’. This is just
    a synchronization packet.
  • 23:04 - 23:09
    If you look at the packet in a waterfall
    diagram you can see that it’s
  • 23:09 - 23:15
    a single line which can be used by the
    receiver to get frequency offsets and stuff.
  • 23:15 - 23:22
    It’s about 43% of all the
    data packets we see.
  • 23:22 - 23:28
    It’s just alternating 0 and 1 bits, and
    our tool chain just decodes them as it’s
  • 23:28 - 23:35
    a sync packet, and all the bits were as
    expected so it’s also not very interesting.
  • 23:35 - 23:39
    The next Sub-type we see is (3).
    We don’t see (4) to (6),
  • 23:39 - 23:45
    we have not seen them anywhere. The
    Sub-type 3 is packets that look like this.
  • 23:45 - 23:48
    And they have a little bit [of] information
    at the beginning, and a little bit more
  • 23:48 - 23:55
    information at the end. So to me it looks
    like one of those two parts is supposedly
  • 23:55 - 24:02
    a checksum but I have no idea what’s
    encoded there. We have found no information
  • 24:02 - 24:10
    and, maybe at some later date.
    The next Sub-type…
  • 24:10 - 24:17
    – Oh I forgot! The next Sub-type
  • 24:17 - 24:23
    is Sub-type 2 which is…
    the packets are descrambled,
  • 24:23 - 24:28
    I mean the same descrambling algorithm
    as we had before at the Pager channel,
  • 24:28 - 24:34
    just in three different blocks, and is
    again protected with a BCH checksum
  • 24:34 - 24:40
    with yet another polynomial. I can give
    a whole other talk about reversing
  • 24:40 - 24:45
    BCH checksums and CRCs now.
    laughs
  • 24:45 - 24:51
    After the BCH checksum is removed
    there’s a CRC which protects this again.
  • 24:51 - 24:57
    It’s a common polynomial, the CCITT
    polynomial. And the packet then has
  • 24:57 - 25:01
    a little bit header at the beginning which
    is in blue, and the CRC of this packet
  • 25:01 - 25:06
    is okay. And the header has fields
    that we don’t know but one field is
  • 25:06 - 25:13
    the 3 bit counter. That can be used
    to reassemble longer packets.
  • 25:13 - 25:18
    This is one example. We have several
    packets and the counter… we sorted them
  • 25:18 - 25:24
    by this counter so we can reassemble
    them into a larger packet.
  • 25:24 - 25:31
    If you then look at the thus
    reassembled packets they have
  • 25:31 - 25:36
    what I call an identifier, of 2 bytes at
    the start of the datagram which identifies
  • 25:36 - 25:43
    which kind of data is in there. We’ve seen
    about 40 different identifiers so far,
  • 25:43 - 25:48
    roughly. Most of them we still
    don’t know what’s in there.
  • 25:48 - 25:54
    That’s about 70% of the stuff
    we see inside the data packets.
  • 25:54 - 25:59
    Many are empty, they consist of Zeros.
    Even some of them don’t have a valid CRC,
  • 25:59 - 26:04
    there are just Zeros where the CRC is
    supposed to be. We will be looking at those
  • 26:04 - 26:11
    later on but we’ve identified some
    identifiers which contain interesting stuff.
  • 26:11 - 26:18
    The first one of those is 09.01
    which contains SMS messages.
  • 26:18 - 26:23
    We did lease us a telephone and just sent
    some SMS, and looked at what comes down.
  • 26:23 - 26:28
    This is one re-assembled SMS message.
    And if you put it into our current tool chain
  • 26:28 - 26:35
    it results in this output. The format is
    very similar to the SMS PDU format
  • 26:35 - 26:41
    used in GSM. The only difference is
    the orange bytes which are not part
  • 26:41 - 26:46
    of the PDU format and we just removed
    them. And if you remove them
  • 26:46 - 26:51
    this comes out. This is
    just the decoded message.
  • 26:51 - 26:59
    applause
  • 26:59 - 27:04
    So, the green numbers, one is the SMSC
    Centre Number, and the other is
  • 27:04 - 27:09
    the Sender Number. And date and time
    when it was sent. And the blue numbers
  • 27:09 - 27:15
    are just length indicators. The message
    is encoded in the 7-bit GSM alphabet
  • 27:15 - 27:22
    which is basically ASCII except
    for umlauts and other stuff. Then
  • 27:22 - 27:30
    the other identifier we got is 76.08 which
    contains short burst data messages
  • 27:30 - 27:35
    which are sent by those modems that
    schneider showed you. Those modems…
  • 27:35 - 27:43
    SBD messages itself can be from the
    specification 1960 or 1890 bytes,
  • 27:43 - 27:47
    depending if they’re mobile-originated or
    mobile-terminated. That means send them
  • 27:47 - 27:52
    from a modem or receive them with a modem.
    But the one we have can only send
  • 27:52 - 27:58
    messages up to 340 or 270 bytes. Still
    this is longer than what the reassembled
  • 27:58 - 28:05
    3 bit counter gives us. So we have another
    type for continuation of those messages.
  • 28:05 - 28:14
    And then we have the SBD message,
    if you want to send it. The interface is
  • 28:14 - 28:19
    very simple. You just send an email to
    data@sbd.iridium.com, put the IMEI
  • 28:19 - 28:22
    you want to send it to in the subject,
    and put an attachment on it, and it gets
  • 28:22 - 28:29
    sent out. You can also have a contract
    where you send it via just TCP connection
  • 28:29 - 28:34
    to an IP port. That works in both
    directions. You can send it from the modem
  • 28:34 - 28:39
    to test your computer, or the other way
    but Iridium-side… while there is
  • 28:39 - 28:43
    some documentation where you have to
    connect to they have a firewall which is
  • 28:43 - 28:49
    source IP based, so if you just send
    something you cannot reach random people’s
  • 28:49 - 28:57
    SBD modems. Many applications that we’ve
    seen use probably transfer from SBD modem
  • 28:57 - 29:03
    to SBD modem. As we are only looking
    at the downlink we can still see those
  • 29:03 - 29:07
    messages as they’re coming down to
    another modem. And the cost of this thing
  • 29:07 - 29:13
    is about roughly $1 per kilobyte, which
    I think reminds me of the nineties’
  • 29:13 - 29:19
    internet costs. laughs
    We have an example SBD message
  • 29:19 - 29:23
    that is not very interesting. It looks like
    this if you put it through our tool chain.
  • 29:23 - 29:28
    It contains lots of Zero bytes because
    that was of one of our test messages,
  • 29:28 - 29:35
    to check for the CRCs
    and the continuation stuff.
  • 29:35 - 29:43
    The users we found for this is
    stuff like buoys for tuna fishing,
  • 29:43 - 29:49
    or standalone GPS trackers that send
    just NMEA sentences of GPS over SBD.
  • 29:49 - 29:57
    And this Moving Map System which is
    used by the helicopters from the ADAC
  • 29:57 - 30:05
    to tell the pilot where to go,
    where the next emergency is.
  • 30:05 - 30:10
    We have two more Sub-types to go.
    The Sub-type 1 packets are protected
  • 30:10 - 30:15
    with a 24 bit frame checksum, yet another
    CRC polynomial that had to be reversed.
  • 30:15 - 30:23
    And then when you find it you’ll find out
    that, hey, it’s the same one that GSM uses.
  • 30:23 - 30:27
    The header of those packets contains
    an 8 bit counter for reassembly.
  • 30:27 - 30:32
    So you can reassemble more packets.
    And a length. The raw data itself
  • 30:32 - 30:37
    is bit-reversed, so we have to reflect
    each byte. And if you look at it
  • 30:37 - 30:42
    maybe some of you already realized
    what this looks like. And otherwise
  • 30:42 - 30:50
    it could have been a Jeopardy question.
    So, on the next slide – yes it is PPP –
  • 30:50 - 30:57
    so they’re just transmitting PPP over the
    serial line that they have on the air.
  • 30:57 - 31:03
    It can also do multilink PPP, and it can
    also do like a raw telnet connection,
  • 31:03 - 31:11
    like just a stream of bytes. Luckily for
    us Wireshark supports this PPP dump format
  • 31:11 - 31:17
    and we tested it with Linux and had our
    PPP connection and put this into Wireshark
  • 31:17 - 31:22
    and – hey! yeah! – we can see the HTTP
    request. Wireshark is a little bit annoyed
  • 31:22 - 31:26
    of the fact that we’re missing half of the
    connection, but that’s not a problem.
  • 31:26 - 31:32
    The unfortunate problem of this is,
    on the next slide, nobody uses Linux.
  • 31:32 - 31:36
    Windows also uses PPP but Windows
    also uses the Microsoft point-to-point
  • 31:36 - 31:41
    compression protocol. The Microsoft
    point-to-point compression protocol
  • 31:41 - 31:48
    has one problem: Wireshark can’t decode
    it. It just says “compressed data”.
  • 31:48 - 31:55
    So I went and looked it up. And
    – why is the slide here?
  • 31:55 - 32:01
    Go one slide farther. The Microsoft
    PPP compression is not that difficult.
  • 32:01 - 32:07
    There’s an RFC for it. It’s a very simple
    algorithm but someone just needs to do it.
  • 32:07 - 32:11
    We didn’t have the time, maybe someone
    can do it. Otherwise we’ll have to do it
  • 32:11 - 32:20
    next year. The other stuff we found,
    you will remember the green blobs for IP,
  • 32:20 - 32:24
    this is probably multi-link PPP (MLPPP),
    we have seen up to 14 channels active
  • 32:24 - 32:29
    at the same time. We have not gotten
    around to looking at this very much
  • 32:29 - 32:37
    but I think it’s a lot of traffic. So
    now that we’ve had this there’s…
  • 32:37 - 32:45
    I told you it’s not all PPP on it,
    there’s also non-PPP traffic which is…
  • 32:45 - 32:51
    You can’t see the string coming
    around and it looks like a Cisco
  • 32:51 - 32:56
    which is telnetting somewhere. Why
    is there a Cisco telnet somewhere?
  • 32:56 - 33:01
    And if you look around on the internet you
    can find some slides where people are
  • 33:01 - 33:08
    describing the setup, and –hey!–
    there’s actually a Cisco on site
  • 33:08 - 33:15
    at the Iridium people, and if you do that
    connection the Cisco actually executes
  • 33:15 - 33:27
    a telnet command to somewhere.
    applause
  • 33:27 - 33:32
    And the last Sub-type we have
    is the Sub-type 0. And this is
  • 33:32 - 33:38
    the interesting part of the talk.
    It’s just… voice!
  • 33:38 - 33:43
    And it’s just 312 bit maximum length
    of raw voice data. The problem here is
  • 33:43 - 33:48
    that there’s a voice codec, an AMBE voice
    codec which is completely undocumented.
  • 33:48 - 33:55
    It has a very low bit rate. And we were
    stumped and had no idea how to decode this.
  • 33:55 - 34:01
    And so there were several different
    options. The first option was:
  • 34:01 - 34:08
    other people can do it for us!!
    Luckily, AMBE is a family of codecs, and
  • 34:08 - 34:14
    tnt did really great work in osmo-gmr and
    Thuraya which is a similar AMBE codec.
  • 34:14 - 34:18
    And you can go and see his talk from
    last year about this. And we gave him
  • 34:18 - 34:23
    some sample files, and in record time
    we got the first version of a decoder
  • 34:23 - 34:29
    for Iridium voice frames. He’s releasing
    his code right for this Congress.
  • 34:29 - 34:34
    This is the repository. It should be
    accessible by now. This is very fast
  • 34:34 - 34:37
    and has good quality. It’s not perfect,
    applause
  • 34:37 - 34:44
    but it’s good.
    ongoing applause
  • 34:44 - 34:50
    But wait! We have more.
    So the next option is emulation.
  • 34:50 - 34:56
    As you have seen before we’ve got the
    firmware for the SBD modem. Interestingly,
  • 34:56 - 35:02
    on the SBD modem there’s the whole
    DSP code also, also the voice codec.
  • 35:02 - 35:08
    It’s also on there. So this is an TI DSP
    chip which has really, really ugly
  • 35:08 - 35:13
    assembler code. But there is an now
    unavailable – except if you know
  • 35:13 - 35:18
    the right people – version of Code Composer
    Studio, a Windows software to emulate
  • 35:18 - 35:24
    this DSP chip. And also with the help
    of tnt you can get the stuff running.
  • 35:24 - 35:30
    This is the Windows software. It looks
    very Windows-software-like. laughter
  • 35:30 - 35:36
    And you can run the codec in there
    and it produces the same output
  • 35:36 - 35:43
    as a telephone would.
    The only problem is this thing is slow!
  • 35:43 - 35:50
    It takes about… more than one minute
    to process a second of voice data.
  • 35:50 - 35:54
    Yeah, this is not fun. And it’s not really
    automatable. You have this Windows software
  • 35:54 - 35:59
    and have to click somewhere, and mhmm…
  • 35:59 - 36:04
    Now, you don’t want to do this.
    It’s roughly three or four weeks ago
  • 36:04 - 36:10
    [that] I thought: “maybe there’s a third
    option?” And the third option is to use
  • 36:10 - 36:16
    the DSP code but, we don’t want to
    understand it, but maybe we can just
  • 36:16 - 36:22
    “wing it” and emulate it
    by translating into crappy C,
  • 36:22 - 36:25
    and the optimizer will fix it.
    It will run fast.
  • 36:25 - 36:34
    laughter and applause
  • 36:34 - 36:39
    There’s documentation for this chip which
    describes the CPU and the opcodes.
  • 36:39 - 36:45
    And then you just write a small little
    Perl script which looks partly like this.
  • 36:45 - 36:50
    It takes the object dump output which has
    the assembler code and then returns
  • 36:50 - 36:55
    parts of C, and puts them all into a file,
    and we put it all into the compiler,
  • 36:55 - 37:02
    and –hey!– we’ve got an option which produces...
    bit perfect decoder,
  • 37:02 - 37:06
    and it’s running really fast!
    The optimizer does it.
  • 37:06 - 37:12
    applause
  • 37:12 - 37:17
    The only problem is that
    you need the DSP code for it.
  • 37:17 - 37:22
    So it’s not entirely free because we
    can’t really redistribute it. I suspect
  • 37:22 - 37:27
    that nobody really cares about this
    old codec but I don’t want to risk it.
  • 37:27 - 37:32
    But the firmware updates for like the SBD
    modem are for free on the internet.
  • 37:32 - 37:37
    So it’s just a matter of a little shell
    script that grabs the firmware and puts it
  • 37:37 - 37:41
    through the compiler. And then you
    should have a perfect thing to decode.
  • 37:41 - 37:46
    I didn’t get around to write this shell
    script yet but it will be there soon.
  • 37:46 - 37:52
    If not you can pesten (?) me and I will do it.
    And now we have perfect voice decoding,
  • 37:52 - 37:56
    and we want to show this to you.
    So we have a demo.
  • 37:56 - 38:08
    applause
  • 38:08 - 38:16
    One of those windows…
    schneider: Alt-Tab…
  • 38:16 - 38:19
    Sec: Ich weiß nicht welches
    das richtige Fenster ist.
  • 38:19 - 38:27
    laughs
    Ich bin kurzsichtig!
  • 38:27 - 38:31
    Was tust du da?
    laughs
  • 38:31 - 38:34
    This is really well-prepared.
    schneider: Ja, das ist es.
  • 38:34 - 38:42
    Sec: So there’s this tool
    which you can run on
  • 38:42 - 38:47
    the output of our tool chain which
    contains the packets, and it shows you
  • 38:47 - 38:52
    the frequency and the time of packets
    which are supposedly voice frames.
  • 38:52 - 39:00
    And then you can just click
    a start point and an end point.
  • 39:00 - 39:02
    audio playback starts
    Female TTS voice: You have five hundred
  • 39:02 - 39:08
    and five minutes and 40 seconds left
    for this call. Please dial or text 2888
  • 39:08 - 39:13
    for more account information. Please wait
    while your call is connected. Beep sound
  • 39:13 - 39:15
    Male caller voice: incomprehensible
    applause in Congress hall
  • 39:15 - 39:22
    the Eagle has landed.
    Coast is clear, coast is clear.
  • 39:22 - 39:26
    I need to … terminate this
    call now ’cause we have problems…
  • 39:26 - 39:29
    audio cut off
    audio playback ends
  • 39:29 - 39:36
    applause
  • 39:36 - 39:39
    schneider: Needless to say, this was of
    course recorded from this very phone,
  • 39:39 - 39:43
    from one of our members at the
    Munich CCC knowing what we’re doing.
  • 39:43 - 39:47
    So, no problem there.
  • 39:57 - 40:01
    Sec: Was muss ich denn drücken?
    schneider: Shift-F5!
  • 40:01 - 40:06
    Sec: Hallo!? … Ah!
  • 40:06 - 40:15
    schneider: So, that’s voice. And… working
    quite fine. If you get the packets in,
  • 40:15 - 40:18
    and for the decoder no problem.
    We can decode that. But there’s still
  • 40:18 - 40:24
    lots of stuff we don’t… we’re not able to
    decode. And they look like voice frames.
  • 40:24 - 40:30
    But they’re not voice.
    hey decode as 100% non-decodable.
  • 40:30 - 40:37
    They usually come in trains of three,
    so you have on three channels activity
  • 40:37 - 40:43
    with things that looks like voice. It’s not
    – so what is it? We have no idea at all.
  • 40:43 - 40:47
    Might be encrypted voice. There are people
    who have the idea maybe they used
  • 40:47 - 40:53
    channel-bundling to use some more
    bandwidth-intensive cipher.
  • 40:53 - 40:58
    If anyone has any idea about that
    that would be great … or a device
  • 40:58 - 41:04
    which uses this would be
    even more interesting.
  • 41:04 - 41:11
    Range. Now, we had the phone and
    we were traveling a little bit in Germany.
  • 41:11 - 41:16
    And at a distance of roughly 300 km
    we placed a call. And in fact could
  • 41:16 - 41:23
    receive that in Munich. Roughly half
    of it, and that puts around this circle
  • 41:23 - 41:28
    around Munich where we can receive calls
    with Iridium. That’s quite an area. Now,
  • 41:28 - 41:35
    there is no encryption at all on the voice
    frames, nothing. They just didn’t bother.
  • 41:35 - 41:39
    The phone has a little bit of
    authentication with usually GSM algorithms
  • 41:39 - 41:46
    from the nineties. Nice. But the voice is
    unencrypted. So you can bet your ass
  • 41:46 - 41:49
    that if you place a call on Iridium
    not only will the U.S. listen to you
  • 41:49 - 41:55
    but everyone else will listen to you.
    Just be aware.
  • 41:55 - 41:59
    These things are also available
    commercially. We found at least three
  • 41:59 - 42:04
    different vendors supplying the stuff.
    Probably only to government agencies
  • 42:04 - 42:11
    and other… well…
    laughs
  • 42:11 - 42:17
    I guess if you really want to get
    these things you can get them.
  • 42:17 - 42:23
    So, future plans: looking at uplink!
    At the moment if we take this phone,
  • 42:23 - 42:28
    place a call, we get what’s coming down
    from the satellite. The uplink has
  • 42:28 - 42:31
    a slightly different modulation, at least
    in the beginning. We suspect that
  • 42:31 - 42:35
    everything else will be the same.
    But so far we haven’t looked at that.
  • 42:35 - 42:38
    Shouldn’t be a big deal, we just need to
    take some time and actually do that.
  • 42:38 - 42:44
    Then, there's the ‘GSM tap for Wireshark’
    which is a nice interface to put in
  • 42:44 - 42:49
    your own protocol into Wireshark and
    decode that. Would be very nice and
  • 42:49 - 42:53
    we’re already working on that. So you can
    have a nice view in Wireshark, do filters
  • 42:53 - 42:58
    and see what’s actually going on on the
    network. Decoding unknown packets:
  • 42:58 - 43:03
    there’s lots of stuff going on on type
    number (2) and type number (0)
  • 43:03 - 43:08
    which we don’t know what it’s yet. Really,
    the limiting factor there is devices,
  • 43:08 - 43:13
    which brings us to the next slide. We
    need to get access to more devices and
  • 43:13 - 43:18
    we have some on our list to have a look
    at. Because if you have a device –
  • 43:18 - 43:21
    it’s the easiest option to actually see
    what’s going on. You know which one
  • 43:21 - 43:25
    of these packets is yours, you can decode
    these, you can send some special data
  • 43:25 - 43:31
    and play around a little bit. That makes
    things really easy, in fact. Then,
  • 43:31 - 43:35
    signaling, handover and authentication.
    We haven’t looked at that at all so far.
  • 43:35 - 43:39
    It’s actually not needed, really,
    if you just want to get to the data but
  • 43:39 - 43:43
    it’s quite interesting, for example
    these phones, they look all the time at
  • 43:43 - 43:48
    what satellites are available and they’d
    chose which satellite they want to use.
  • 43:48 - 43:51
    They perform the handovers and all of
    these things. We want to have a look
  • 43:51 - 43:56
    at that, too. Further reversing the
    firmware. There’s lots of stuff to be learned
  • 43:56 - 44:03
    from firmware and still I guess we
    reversed like 10% of that SBD modem.
  • 44:03 - 44:07
    Maybe it has still things to show.
    Performance – well, we have already
  • 44:07 - 44:13
    mentioned it, lots of stuff to do. Now,
    the code is on Github, almost all of it.
  • 44:13 - 44:18
    Maybe a few bits are missing to get the
    whole tool chain working really smoothly.
  • 44:18 - 44:23
    So if you discover that jump into the IRC
    channel, bug us and we’ll have a look
  • 44:23 - 44:27
    in our stash and see if there’s something
    missing. In general, all the information
  • 44:27 - 44:32
    we’ve presented today is public and in the
    Github repository. Again, we’re looking
  • 44:32 - 44:39
    for specification, and especially products
    – Iridium GO, OpenPort devices,
  • 44:39 - 44:44
    any SBD enabled device, e.g. Rock Seven
    devices, if you have access to this stuff.
  • 44:44 - 44:48
    If you can lend that to us for like two
    weeks, would be very nice. And then
  • 44:48 - 44:55
    there’s also Iridium Burst which might
    replace some pagers for some of these
  • 44:55 - 45:01
    users. These are modified SBD modems,
    they’re passive and you tell Iridium:
  • 45:01 - 45:06
    “Hey, send me this message to Europe, send
    me this message to the U.S. or maybe
  • 45:06 - 45:11
    to the globe”. And then these devices will
    pick it up, undetectable, and we have
  • 45:11 - 45:16
    an idea which frames these are. These
    are special pager frames, we suspect.
  • 45:16 - 45:21
    We see them all around the world,
    the same format, probably encrypted,
  • 45:21 - 45:28
    but maybe only somehow cobbled-together,
    a somehow cobbled-together encoding
  • 45:28 - 45:32
    which we haven’t seen yet. So,
    that’s going to be very interesting.
  • 45:32 - 45:36
    Then, thanks again to tnt, Dieter and
    SteveM. That was a great help,
  • 45:36 - 45:41
    very inspiring people. Thanks to the
    Osmocom guys. Thank you very much!
  • 45:41 - 45:52
    applause
  • 45:52 - 45:55
    Herald: Thank you for the awesome talk.
    Unfortunately, we won’t have any time
  • 45:55 - 45:58
    for questions anymore.
    Sec: What??
  • 45:58 - 46:04
    Herald: But I guess we can
    contact you via e-mail or IRC
  • 46:04 - 46:08
    or anything else. I’m sorry.
    Sec: Why?
  • 46:08 - 46:15
    schneider: We’re on time!
    Sec: We’re on time, we have 15 minutes left!
  • 46:15 - 46:22
    discussion on stage
  • 46:22 - 46:26
    Herald: Ooh yeah, I fucked that one up.
    We have plenty of time for Q&A!
  • 46:26 - 46:30
    applause
  • 46:30 - 46:34
    I am really sorry. So please line up
    at the microphones and get ready
  • 46:34 - 46:37
    to hit Sec and schneider with your
    questions. While you do that,
  • 46:37 - 46:41
    Signal Angel, is there something that
    we should answer for the internet?
  • 46:41 - 46:46
    Signal Angel: Yes, there is one
    question. There is someone asking
  • 46:46 - 46:50
    if the mystery data could be
    like sensitive, I don’t know,
  • 46:50 - 46:55
    military, police, or something
    like a custom codec?
  • 46:55 - 46:57
    schneider: We have absolutely no idea.
  • 46:57 - 47:00
    Signal Angel: Okay, thanks.
    schneider: But… likely!
  • 47:00 - 47:04
    Signal Angel: Thanks.
    Sec laughs
  • 47:04 - 47:06
    Herald: Microphone 2, please.
  • 47:06 - 47:11
    Question: Thank you. I heard that the NSA
    was trying to secure the Iridium network.
  • 47:11 - 47:13
    Where did they go wrong?
  • 47:13 - 47:15
    schneider: Securing the Iridium network?
    laughs
  • 47:15 - 47:20
    Sec: As far as we can tell, at least the
    parts that we looked at, there was
  • 47:20 - 47:24
    no attempt to secure it. It’s still
    the same stuff that was used
  • 47:24 - 47:28
    when it was built. I mean, we see
    some messages that we don’t know.
  • 47:28 - 47:34
    It’s possible that those are encrypted
    communications going on. We can’t tell
  • 47:34 - 47:38
    at this point. So, there might be
    encrypted communication going on
  • 47:38 - 47:43
    in Iridium that we don’t know about.
  • 47:43 - 47:51
    Herald: Thank you. Microphone No.3,
    in the back there. No, nobody!
  • 47:51 - 47:55
    Question: Since it’s conceivable that
    you could actually… I mean the actual
  • 47:55 - 48:00
    database that’s verifying the
    contracts is ground-based.
  • 48:00 - 48:06
    Does this mean that if you transmit
    a phone call to the satellite,
  • 48:06 - 48:11
    that it has to first re-transmit it back
    to earth in order to verify that data
  • 48:11 - 48:15
    is allowed to be sent and
    relayed, so you should
  • 48:15 - 48:20
    typically be able to make
    a phone call over the 150 km radius
  • 48:20 - 48:26
    that the satellite will repeat
    back to earth to… no idea?
  • 48:26 - 48:34
    Sec: Actually I don’t really know.
    We haven’t gotten that far
  • 48:34 - 48:38
    in our protocol understanding to
    even be able to try this. But it would
  • 48:38 - 48:44
    definitely be interesting to try it.
  • 48:44 - 48:54
    Question: I don’t mind throwing a bit
    money at that you are gonna try it!
  • 48:54 - 48:57
    Herald: Are there any more questions?
    Right now I can’t see any of them… oh!
  • 48:57 - 49:05
    On microphone No.4 there’s a question!
    Someone: No!
  • 49:05 - 49:09
    Herald: Then, Signal Angel!
  • 49:09 - 49:13
    Signal Angel: Okay, I have currently
    got three questions from internet.
  • 49:13 - 49:18
    I’m going to start with the first one.
    That is: the Code Composer Studio version
  • 49:18 - 49:23
    that you found, the old one, whether
    it’s specifically to the DSP or…
  • 49:23 - 49:28
    it’s… basically… did the DSP support go
    away or what’s the deal with this version?
  • 49:28 - 49:32
    schneider: Yes, exactly. At some point
    Code Composer Studio dropped
  • 49:32 - 49:37
    the support for this specific DSP and
    we had to get a very old version
  • 49:37 - 49:41
    to have still support for it.
    I think it’s CCS version 3.
  • 49:41 - 49:45
    Question: Okay!
    Herald: So I would say another question
  • 49:45 - 49:47
    from microphone No.2.
  • 49:47 - 49:53
    Ray: I just wanted to ask: is it legal
    to receive these things?
  • 49:53 - 49:58
    Sec: This is a very good question!
    And I refer to you:
  • 49:58 - 50:19
    the ‘Weltraum-Theorie’!
    wild applause and cheers
  • 50:19 - 50:23
    So as far as I can tell
    there’s no problem.
  • 50:23 - 50:25
    laughter, applause and cheers
  • 50:25 - 50:31
    schneider: And if you have a problem
  • 50:31 - 50:32
    we’ll just overrule you.
    laughs
  • 50:32 - 50:42
    laughter
    Sec: Sorry, it’s only in German!
  • 50:42 - 50:44
    schneider: Thank you for that question!
    Herald: Okay, we have another question
  • 50:44 - 50:48
    from the internet.
    Signal Angel: Yes, the question is:
  • 50:48 - 50:53
    what is the state of being able to
    geo-locate Iridium terminals?
  • 50:53 - 50:59
    schneider: So, during the Ring Alert
    you see where a device gets paged.
  • 50:59 - 51:04
    And that’s paging a specific cell.
    You know where that cell comes down.
  • 51:04 - 51:09
    So that will tell you a rough estimate
    where that terminal is.
  • 51:09 - 51:12
    Of course the cell is big, many
    hundreds of kilometers, so
  • 51:12 - 51:17
    probably you can have a look at this
    over time and see how the pagings change
  • 51:17 - 51:21
    when the cells hit some border.
    If the terminal doesn’t move
  • 51:21 - 51:27
    you can probably pinpoint it better
    using that. We haven’t tried that yet.
  • 51:27 - 51:33
    But that’s our guess how it would work.
  • 51:33 - 51:36
    Herald: Okay, bevor wir zur nächsten
    Frage kommen eine kurze Durchsage
  • 51:36 - 51:43
    an die Tür-Engel: Der Saal ist voll, liebe
    Tür-Engel, bitte lasst niemanden mehr rein.
  • 51:43 - 51:51
    something shouted from audience
    Herald continues in German by accident:
  • 51:51 - 51:55
    The next question
    from the internet, please!
  • 51:55 - 51:57
    Signal Angel: The question is:
    is your data that you collected
  • 51:57 - 52:02
    available somewhere
    for somebody else to have a look at?
  • 52:02 - 52:09
    schneider: No. laughs
    Okay, so, we won’t publish
  • 52:09 - 52:12
    any recordings or anything like that.
  • 52:12 - 52:17
    We might publish some samples
    of our own messages.
  • 52:17 - 52:22
    I mean, you’ve seen a few
    on the slides now. If you bug us on IRC
  • 52:22 - 52:27
    we’ll probably have something.
    But, in general,
  • 52:27 - 52:29
    you can’t just collect data
    and make it public.
  • 52:29 - 52:34
    Sec: I mean the great thing about
    this Iridium is: just open your window,
  • 52:34 - 52:38
    you will get data!
    schneider: Pretty much!
  • 52:38 - 52:41
    Sec: Lots of data!
  • 52:41 - 52:45
    Herald: Then we have another
    question at microphone No.3.
  • 52:45 - 52:50
    Question: So since recording
    the data is obviously legal,
  • 52:50 - 52:55
    is it against, like, some policy of Iridium,
    that you get angry emails from them?
  • 52:55 - 52:58
    Did you have any contact with them?
  • 52:58 - 53:04
    schneider: As far as I can tell
    they are aware of this,
  • 53:04 - 53:11
    and for them it’s a jungle and
    I think they just deal with it.
  • 53:11 - 53:16
    Or, in fact, who cares?
  • 53:16 - 53:22
    GSM has been shown to be insecure
    for a long time – what’s the most used
  • 53:22 - 53:29
    cellphone network on the planet?
  • 53:29 - 53:33
    Herald: Thanks for that answer.
    Microphone No.2, please.
  • 53:33 - 53:40
    Question: Thank you. We’ve talked about
    listening. What about manipulating?
  • 53:40 - 53:44
    Sec: As we said we don’t really
    have a good understanding
  • 53:44 - 53:51
    of all the signaling and more intricate
    details of the handover and stuff,
  • 53:51 - 53:55
    and the authentication. We haven’t really
    looked at this because the data we got
  • 53:55 - 54:00
    was so interesting that
    we spent our time there.
  • 54:00 - 54:05
    There’s probably lots of possibilities
    but we haven’t tried anything yet.
  • 54:05 - 54:10
    schneider: And I would recommend
    to not just try that.
  • 54:10 - 54:14
    These things have been built in the
    beginning of the nineties and,
  • 54:14 - 54:18
    I’m not sure. Maybe just before they
    de-orbit it, so one can have a play.
  • 54:18 - 54:24
    But I wouldn’t. Really.
  • 54:24 - 54:27
    Herald: Do we have more
    questions from the internet?
  • 54:27 - 54:41
    Signal Angel: We do.
    The next question is…
  • 54:41 - 54:46
    Somebody wanted to know if you… well, they
    think you know more than you tell and ask
  • 54:46 - 54:49
    if you’ve got a gag order.
  • 54:49 - 54:53
    Sec: We have definitely not gotten a gag
    order. I have had no contact from anyone
  • 54:53 - 55:01
    who is affiliated with Iridium,
    or any law at all.
  • 55:01 - 55:04
    schneider: I’ve once checked the logs
    on my web server and Iridium servers
  • 55:04 - 55:09
    did access some of my files. Then I got
    a little bit scared. And then I realized
  • 55:09 - 55:14
    that was me going over the phone and
    downloading something. laughs
  • 55:14 - 55:20
    laughter and applause
  • 55:20 - 55:27
    Herald: Okay, then, microphone No.2!
    There’s just the Microphone Angel. Okay.
  • 55:27 - 55:30
    No question from that person.
    Then, the internet, please go ahead!
  • 55:30 - 55:36
    Signal Angel: Okay, the internet wants to
    know how many uplink stations there are.
  • 55:36 - 55:41
    Sec: There’s one for civilian
    use and one for military use.
  • 55:41 - 55:44
    At least as far as
    the published information goes.
  • 55:44 - 55:49
    schneider: And one more which we
    don’t know what it it’s exactly doing
  • 55:49 - 55:55
    but it’s near the pole.
    mumble in the audience
  • 55:55 - 55:58
    Sec: There have been many more in the
    past. I mean when they built this thing
  • 55:58 - 56:04
    they had one in Japan. But as far
    as the documentation goes
  • 56:04 - 56:06
    they are all inactive.
  • 56:06 - 56:10
    schneider: Yes. You have to know that
    Iridium went bankrupt beginning 2000s.
  • 56:10 - 56:14
    And at that point they scaled down
    the whole thing a lot to make it
  • 56:14 - 56:17
    more cost-efficient. And they also
    scaled-down the amount of gateways.
  • 56:17 - 56:20
    So, sometimes you get references
    for lots of gateways for Iridium but
  • 56:20 - 56:25
    they’re all inactive. Not sure what
    they’re doing with these any more.
  • 56:25 - 56:30
    Herald: Okay. I think we have
    questions from the internet left?
  • 56:30 - 56:34
    Signal Angel: Actually as far
    as I know right now we don’t.
  • 56:34 - 56:39
    Herald: Great. Then give a warm hand
    of applause for Sec and schneider!
  • 56:39 - 56:47
    applause
  • 56:47 - 56:50
    postroll music
  • 56:50 - 56:58
    subtitles created by c3subtitles.de
    in the year 2017. Join, and help us!
Title:
Sec, schneider: Iridium Update
Description:

Listening to satellites and decoding is fun. We show interesting stuff we found, and how you can get into it.

Sec, schneider

more » « less
Video Language:
English
Duration:
56:59

English subtitles

Revisions