Spread Spectrum Satcom Hacking - DEF CON CON 23/DEF CON 23 presentations/DEFCON...Motivation •...

Preview:

Click to see full reader

Citation preview

Spread Spectrum Satcom Hacking

Attacking the Globalstar Simplex Data Service

Colby Moore @colbymoore - colby@synack.com

mailto:colby@synack.com

Motivation

• Satellite hacking talks never deliver

• RF world largely neglected by hacker community

• So much legacy tech in critical systems

• Spark interest in satellite security research

What are we going to learn?• Overview of basic RF signals and modulation

• What is spread spectrum - how does it work and how do we work with it

• Picking a target and reverse engineering it

• Exploiting that target

• Next steps

Analog RF Modulation

• Amplitude Modulation (AM)

• Frequency Modulation (FM)

Digital RF Modulation

• Amplitude Shift Keying (ASK / OOK)

• Frequency Shift Keying (FSK)

• Phase Shift Keying (PSK)

Spread Spectrum Modulation

• What is Spread Spectrum Special? WiFi, Bluetooth, Most modern RF Communication

Spread Spectrum Modulation

• Frequency Hopping Spread Spectrum (FHSS)

• Direct Sequence Spread Spectrum (DSSS)

Selecting a Target

• Consumer Accessible

• Cheap

• Popular

• High Impact

Introducing SPOT

• SPOT

• But wait… this tech is used… everywhere. Goldmine.

Who uses it?

• Flight Planning Services

• Consumers

• SCADA

• Big Gas and Oil

How does it work?

• LEO non-geosynchronous Bend Pipe Architecture

Intel Gathering

• Google

• FCC Database

• Academic Papers

• Integrator Spec Sheets

Intel Gathering Continued

• What we know:

• PN = 255 Chip M-Sequence

• 1.6xx ghz

• 144 bit message

Hardware and Validation

• USRP B200

• GQRX

• GNURADIO

Decoding Theory

• Mix signal with PN sequence and the BPSK signal will drop out

Packet Format Contd.

• Wait a second… There is no signing… No encryption.

• We can create packets if we known how to reproduce the checksum.

• Reverse engineering the checksum

Transmitting

• Strictly Theoretical - Do not attempt

• This is the easy part

Impact of Transmission

• Spoof communications

• Disrupt critical services

Signal Interception Demo

• DEMO

Future Research

• Code optimization

• Custom hardware

• Widespread reception

Slides and Code

• Updated slides, resources, and code to be posted online after the presentation.

Recommended

DEF CON 26 HACKING CONFERENCE CON 26/DEF CON 26 receipt.pdf · Title: DEF CON 26 HACKING CONFERENCE Author: DEF CON 26 Subject: DEF CON 26 RECEIPT Keywords: DEF CON Conference, DEF
Documents
Stealing Identity Management Systems - DEF CON® Hacking
Documents
DEF CON 21 - Hacking Driverless Vehicles
Documents
DEF CON 24 Hacking Conference - Ruxcon · Title: DEF CON 24 Hacking Conference Author: DEF CON 24 Speaker Keywords
Documents
Eric Sesterhenn 2018 CON 26/DEF CON 26 presentations/DEFCON-26... · DEF CON 26 Hacking Conference Author DEF CON Speaker Subject DEF CON 26 Presentation
Documents
DEF CON 26 Hacking Conference CON 26/DEF CON 26 presentations/DEF… · Summary Device external storage is a public area which can be observed/modified by a third-party application
Documents
DEF CON 26 Hacking Conference CON 26/DEF CON 26...Find us on Twitter: @michaelossmann / @dominicgs Title DEF CON 26 Hacking Conference Author DEF CON Speaker Subject DEF CON 26 Presentation
Documents
DEF CON 26 Hacking Conference - DEF CON Media Server CON 26/DEF CON 26 presentations/DEF… · started in late 2017 to prepare for the 2018 CCDC season. We ended up using the BETA
Documents
DEF CON 27 Hacking Conference Presentation CON 27/DEF CON 27 presentations/DEF… · BPF • tcpdump -i any -n 'tcp[tcpflags] & (tcp-syn|tcp-ack) != 0' (000) ldh [14] (001) jeq #0x800
Documents
DEF CON 24 Hacking Conference CON 24/DEF CON 24 presentations/DEF… · •Dummy frame injection •Delaying acknowledgments ECU CAN High CAN Low ... #wireshark -X lua_script:ethcan.lua
Documents
Hacking the Cloud - DEF CON CON 25/DEF CON 25... · SalesForce (salesforce.com, pardot.com, & exacttarget.com) MailChimp (mcsv.net) Mandrill (MailChimp paid app) Q4Press (document
Documents
Hardware Hacking for Software Geeks - DEF CON
Documents
HACKING HOTEL KEYS - DEF CON CON 24/DEF CON 24 presentations/DEF… · HACKING HOTEL KEYS Security Consultant ... Researcher. 9About 11 years pen-testing, Security Research, ... 912
Documents
Hacking travel routers like it’s 1999 - DEF CON CON 25/DEF CON 25... · Hacking travel routers like it’s 1999 ... to discover security vulnerabilities in our customers’ web
Documents
Hacking the Cloud - DEF CON
Documents
Hacking Google AdWords - DEF CON CON 13/DEF CON 13... · – No Hacking or Cracking • They do not differentiate between H/C • Hypocrisy – Hacking is invalid yet “Define:Hacker”
Documents
Satellite TV Technology - DEF CON® Hacking Conference - The
Documents
Aaron Bayles DC101 @ DEF CON 22 - DEF CON® Hacking Conference · Aaron Bayles DC101 @ DEF CON 22 ... //media.blackhat.com/us ... Lockpicking, Hackers, Infosec, Hardware Hacking,
Documents
DEF CON 23 Presentation CON 23/DEF CON 23... · DEF CON 23 Presentation Keywords: DEF CON Conference, DEF CON, DEFCON, Speeches, Hacking, Hackers, Hacker Conference, Computer Security,
Documents
Hacking BLE Bicycle Locks for Fun & A Small Profit CON 26/DEF CON 26... · 2020-05-16 · Hacking BLE Bicycle Locks for Fun & A Small Profit Author: DEF CON Speaker Subject: DEF CON
Documents