Satellite Hacking: Hacking the Iridium Satellite System


Welcome back, my aspiring cyberwarriors!

In our modern digital era, satellites have been used for numerous essential services, such as:

  1. GPS

  2. Internet Broadband Connectivity

  3. Satellite Phone

  4. Emergency Response and Disaster Relief

  5. Broadcast TV and Radio

  6. Weather Data

  7. Scientific Data Collection

  8. Remote Sensing and Imaging, and many more.

If the security of these communications is compromised, it can have devastating effects on companies and countries.

In this series, we will explore and develop ways to intercept and hack satellite signals.

Iridium Satellite System

In this first tutorial, we will be analyzing how to hack communications on the Iridium satellite network.

This network was developed by Motorola in the 1990s and went live in 1998. It provides paying customers a handset with which they can make phone calls from anywhere on our planet, including the poles, remote areas and mountaintops where no mobile service is available. This service has proven invaluable to various militaries, adventurers, environmental groups in remote parts of the planet and many others.

Unlike the “old school” geostationary satellites in high orbit of 200,000 miles or more, these 66 satellites navigate the planet in north to south orbits at low altitudes of about 22,000 miles. The advantage of these low orbits is low latency of communication, while the disadvantage is the small footprint of each satellite requiring more satellites to get full coverage of the planet.

The Iridium service includes voice communication, pager and SMS-like messaging. All of these communications can be intercepted using low-cost SDR software and hardware.

Step # 1: Set Up

The first step, of course, is to have the basic hardware. As I outlined in an earlier tutorial, you will need the following:

  1. A computer

  2. DragonOS operating system

  3. A receiving SDR (RTL-SDR or HackRF)

  4. A satellite antenna (flat patch antenna from www.rtlsdr.com, about $60)

Step # 2: Extract the Data from the Capture

To extract Iridium data from the satellite signals, the first step is to set up the configuration file for the Iridium extractor.

First, navigate to the gr-iridium directory in DragonOS.

dragon > cd /usr/src/gr-iridium

Then move to the examples directory. There you will find configuration files for multiple SDR hardware devices. Since we will be using the least expensive hardware to do this hack, note the rtl-sdr.conf file.

Next, open the configuration file for the RTL-SDR with your favorite text editor (I used GUI-based featherpad).

Go to the line that says "device_args='rtl=0, bias=1'" and uncomment it (remove the #). It should look like my config file above. This enables the tool to use your RTL-SDR and enables powering of the antenna (bias=1).

Now, save that file.

Step # 3: Capture the Iridium Signal

In this step, we will capture the raw signals from the satellite.

Here, we will use the iridium extractor to capture the iridium signals.

dragon > iridium-extractor -D rtl-sdr.conf > iridium_output.txt

To make certain you capture enough output to extract voice and messages, allow this command to run for several hours or overnight.

Step # 4: Decoding the Captured Data

Now that we have captured the raw data with our RTL-SDR and antenna and saved it to a file named iridium_output.txt, we need to decode this raw data to understand the messages. To do so, we use iridium-parser.py (parsing simply means breaking the data up into parts and analyzing its key components). The parsed information will then be saved into a file named iridium_parsed.

dragon > python3 iridium-parser.py -p iridium_output.txt > iridium_parsed

We now need to add the entire iridium-toolkit directory to our PATH variable for ease of use.

dragon > PATH=$PATH:/usr/src/iridium-toolkit

Note: For more on changing your PATH variable, see Linux Basics for Hackers Chapter 8 on environment variables.

Now we can decode the voice data from this parsed output using stats-voc.py, part of the iridium-toolkit.

dragon > ./stats-voc.py iridium_parsed

When you enter this command, it will open a window like that below. The red dots represent potential voice captures (the more data you capture, the larger the number of red dots).

Now, select one of the red dots by clicking it with the left mouse button and then clicking with the right mouse button. If the capture includes voice data, it will now play back and you will hear it. Not all of the red dot captures will have voice data, so try several.

Step # 5: Reassembly of Other Data

Iridium data includes voice, pager and text messages. Let’s see whether we can find any of that among our data capture.

The first step is to reassemble this data. Within the iridium-toolkit we have a tool named reassembler.py. We can use it to reassemble this other data into other formats. The reassembler.py tool has 3 options:

  1. ida – Um Layer 3 messages, generally in hex; some are ASCII

  2. lap – GSM Layer 3 messages in pcap format

  3. msg – pager messages

Let’s try using the ida option.

dragon > sudo ./reassembler.py -i iridium_parsed -m ida

You can view the output below.

Note that nearly all of the messages are in hexadecimal, but a few are in ASCII and are readily human readable. The hex messages can be translated to ASCII with a hex-to-ASCII converter.
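The hex-to-ASCII step can be done in a few lines of Python that also report how much of a payload is readable, which tells the owner of a terminal whether its application data is going over the air unencrypted. This is an added example, not part of the original tutorial or of the iridium-toolkit; the function names and the sample payloads are constructed, and it assumes each message's hex bytes have already been isolated from the reassembler output.

```python
import math
import re
from collections import Counter

HEX_RE = re.compile(r"^[0-9a-fA-F]{2}(?:[ :]?[0-9a-fA-F]{2})*$")

def parse_hex(text):
    """Accept 'de ad be ef', 'de:ad:be:ef' or 'deadbeef'; return None if not hex."""
    text = text.strip()
    if not HEX_RE.match(text):
        return None
    return bytes.fromhex(re.sub(r"[ :]", "", text))

def printable_runs(data, min_len=4):
    """Runs of at least min_len printable ASCII bytes, like the `strings` tool."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode("ascii") for m in re.findall(pattern, data)]

def entropy(data):
    """Shannon entropy in bits per byte; a payload of n bytes cannot exceed log2(n)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify(hex_text):
    """Label one payload as cleartext, partly-readable, opaque or not-hex."""
    data = parse_hex(hex_text)
    if data is None:
        return {"verdict": "not-hex", "runs": []}
    runs = printable_runs(data)
    ratio = sum(len(r) for r in runs) / len(data)
    verdict = "cleartext" if ratio >= 0.9 else "partly-readable" if runs else "opaque"
    return {"verdict": verdict, "runs": runs, "entropy": round(entropy(data), 2)}

# Constructed sample payloads (not taken from any real capture).
SAMPLES = [
    "48 65 6c 6c 6f 20 66 72 6f 6d 20 62 75 6f 79 20 37",
    "01 00 1c 54 45 4d 50 3d 32 31 2e 35 ff",
    "9f 3a c4 01 e7 88 5b d2 10 fe 6c a3",
    "no hex here",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(classify(sample))
```

A payload that comes back as "opaque" is only a hint that it is encrypted or binary-encoded; the entropy figure is unreliable for messages this short.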

Summary

Satellites have become an essential intermediary in our global communication system. These systems are used for radio, internet, television and mobile communication. In many cases, these systems are not properly secured, so that anyone with inexpensive hardware and some skill can intercept and listen to or read these messages.

For more on satellite hacking, attend our Satellite Hacking training.