It's Surprisingly Simple to Hack a Satellite

Hackers Sec and schneider demonstrate how to eavesdrop on Iridium satellite pager traffic using rad1o badges.

|
Aug 21 2015, 2:12pm

Hacker conferences are famous for using quirky, hackablebadges. DefCon's 2015 badge was a working vinyl LP containing a spoken-word ciphertext copy of the Hacker Manifesto.

But at the Chaos Communication Camp, held in Zehdenick, Germany last week, the organizers did something different: they gave out 4500 rad1o badges. These software-defined radios are sensitive enough to intercept satellite traffic from the Iridium communications network.

During a Camp presentation entitled "Iridium Hacking: please don't sue us," hackers Sec and schneider demonstrated how to eavesdrop on Iridium pager traffic using the Camp badge.

The Iridium satellite network consists of 66 active satellites in low Earth orbit. Developed by Motorola for the Iridium company, the network offers voice and data communications for satellite phones, pagers, and integrated transceivers around the world. (Iridium went bankrupt in 1999, but was later purchased from Motorola in 2001 by private investors, who have revived the company.) The largest user of the Iridium network is the Pentagon.

"The problem," Sec explained, "isn't that Iridium has poor security. It's that it has no security."

Originally designed in the 1980s, the Iridium network was obsolete by the time it was launched in 1998. Iridium pager traffic is sent in cleartext by default, and most pager traffic remains unencrypted.

Despite this, an Iridium internal PowerPoint slide deck marked "Confidential" released by WikiLeaks in 2008 boasted that "the complexity of the Iridium air interface makes the challenge of developing an Iridium L-Band monitoring device very difficult and probably beyond the reach of all but the most determined adversaries."

Iridium docs boast that the network is difficult to hack. Image: Wikileaks

"I kind of liked this," Sec said. "If I read something like this I think, hmm, maybe I could do it."

Frequency shifts as satellites go overhead have historically made it difficult to capture Iridium traffic. But with cheap, ubiquitous software-defined radio—like the rad1o badge or HackRF—eavesdropping becomes trivial. "You say, ok, give me all the frequencies at once, and in the received signal search for the Iridium [traffic] afterwards," Sec explained.

"With just the rad1o badge and onboard PCB antenna, you can collect 22 percent of all the packets you can receive with a proper Iridium antenna," schneider said. Pager message channel traffic is stronger, and up to 50 percent of pager traffic can be collected in this manner. Soldering an off-the-shelf GPS or Iridium pager antenna to the software-defined radio enables maximum reception.

"You just load the software on your PC, you attach the rad1o badge and you can start receiving Iridium pager messages," schneider said. "So happy hacking with that."

"It's kind of a myth that satellite hacking is hard."

Once collected, the data needs to be analyzed for Iridium traffic. The processing power of the badge is limited, so number-crunching takes place on a laptop running the Iridium toolchain.

It doesn't even have to be a laptop. "A Raspberry Pi 2 is just beefy enough to process the traffic," Sec said.

The Iridium network offers data bandwidth of only 2.4 Kb/sec. Compare that to a standard dial-up modem which achieves 56 Kb/sec. As a result, the satellite network's economic viability is limited to short-burst data (SBD) transceivers used for Iridium-connected sensors attached to, for example, remote oil pipelines that can send short messages in an emergency. Logistics companies also use Iridium transceivers to keep track of their vehicles, as do commercial airlines.

"Short-burst data stuff is much more complex," Sec admitted during the talk.

Sec performed a live demo (full presentation here) and captured, analyzed and decoded Iridium pager traffic on stage.

One audience member proposed a distributed eavesdropping network using the rad1o badges, and suggested that all collected messages be published on the internet.

At present, the toolchain only supports eavesdropping on Iridium pager traffic, which Iridium said is only a tiny fraction of its overall traffic. Going forward, Sec and schneider hope to understand the Iridium protocol better, and begin decoding short-burst data traffic, RUDICS (internet) streams, and AMS (aircraft communications).

Sec asked the audience for help locating a copy of the Iridium systems specifications, which, he said, would answer a lot of their questions.

"If anyone happens to come across this document, we still want it," he said, "and we will not ask questions."

The Iridium satellite network is well past its expiry date, and a next-generation network called Iridium NEXT is planned. According to the Iridium website, the new satellites are set to begin launching in 2015.

Until then, Iridium satellite traffic remains vulnerable to passive eavesdropping by anyone with a software-defined radio, the Iridium toolchain, and some spare time.

"It's kind of a myth that satellite hacking is hard," schneider said. "You are all satellite hackers now. You have the equipment. Go have fun with it."

Update 8/24/15: This story has been updated following comment from Iridium to reflect that the company was revived following its 1999 bankruptcy and to add note of the network's low pager traffic.