Welcome back, my aspiring cyberwarriors!
In our modern digital era, satellites have been used for numerous essential services, such as:
GPS
Internet Broadband Connectivity
Satellite Phone
Emergency Response and Disaster Relief
Broadcast TV and Radio
Weather Data
Scientific Data Collection
Remote Sensing and Imaging and many more.
If the security of these communications is compromised, it can have devastating effects on companies and countries.
In this series, we will explore and develop ways to intercept and hack satellite signals.
Iridium Satellite System
In this first tutorial, we will be analyzing how to hack communications on the Iridium satellite network.
This network was developed by Motorola in the 1990s and went live in 1998. It provides paying customers a handset with which they can make phone calls from anywhere on our planet, including the poles, remote areas and mountaintops where no mobile service is available. This service has proven invaluable to various militaries, adventurers, environmental groups in remote parts of the planet and many others.
Unlike the “old school” geostationary satellites in high orbit of 200,000 miles or more, these 66 satellites navigate the planet in north to south orbits at low altitudes of about 22,000 miles. The advantage of these low orbits is low latency of communication, while the disadvantage is the small footprint of each satellite requiring more satellites to get full coverage of the planet.
The Iridium service includes voice communication, pager and SMS-like messaging. All of these communications can be intercepted using low-cost SDR software and hardware.
Step # 1: Set Up
The first step, of course, is to have the basic hardware. As I outlined in an earlier tutorial, you will need the following:
A computer
DragonOS operating system
A receiving SDR (RTL-SDR or HackRF)
A satellite antenna (flat patch antenna from www.rtlsdr.com, about $60)
Step # 2: Extract the Data from The Capture
To extract Iridium data from the satellite signals, the first step is to set up the configuration file for iridium-extractor.
First, navigate to the gr-iridium directory in DragonOS.
dragon > cd /usr/src/gr-iridium
Then move to the examples directory. There you will find configuration files for multiple SDR hardware devices. Since we will be using the least expensive hardware to do this hack, note the rtl-sdr.conf file.
Next, open the configuration file for the RTL-SDR with your favorite text editor (I used the GUI-based featherpad).
Go to the line that says "device_args='rtl=0, bias=1'" and un-comment it (remove the #). It should look like my config file above. This enables the tool to use your RTL-SDR and enables the powering of the antenna (bias=1).
Now, save that file.
Step # 3: Capture the Iridium Signal
In this step, we will capture the raw signals from the satellite.
Here, we will use iridium-extractor to capture the Iridium signals.
dragon > iridium-extractor -D rtl-sdr.conf > iridium_output.txt
To make certain you capture enough output to extract voice and messages, allow this command to run for several hours or overnight.
Step # 4: Decoding the Captured Data
Now that we have captured the raw data with our RTL-SDR and antenna and saved it to a file named iridium_output.txt, we need to decode this raw data to understand the messages. To do so, we need to use iridium-parser.py (parsing simply means breaking the data up into parts and analyzing its key components). The parsed information will then be saved into a file named iridium_parsed.
We need to now place the entire iridium-toolkit directory into our PATH variable for ease of use.
dragon > PATH=$PATH:/usr/src/iridium-toolkit
Note: For more on changing your PATH variable, see Linux Basics for Hackers Chapter 8 on environment variables.
Now we can decode the voice data from this parsed output using stats-voc.py, part of the iridium-toolkit.
dragon > ./stats-voc.py iridium_parsed
When you enter this command, it will open a window like the one below. The red dots represent potential voice captures (the more data you capture, the larger the number of red dots).
Now, select one of the red dots by clicking it with the left mouse button and then clicking with the right mouse button. If the capture includes voice data, it will now play back and you will hear it. Not all of the red dot captures will have voice data, so try several.
Step # 5: Re-assembly of Other Data
Iridium data includes voice, pager and text messages. Let’s see whether we can find any of that among our data capture.
The first step is to re-assemble this data. Within the iridium-toolkit we have a tool named reassembler.py. We can use it to reassemble this other data into other formats. The reassembler.py tool has 3 options:
ida – Um Layer 3 messages, generally in hex, some in ASCII
lap – GSM Layer 3 messages in pcap format
msg – pager messages
Let’s try using the ida option.
dragon > sudo ./reassembler.py -i iridium_parsed -m ida
You can view the output below.
Note that nearly all of the messages are in hexadecimal, but a few are in ASCII and are readily human readable. The hex messages can be translated to ASCII with a hex-to-ASCII converter.
Summary
Satellites have become an essential intermediary in our global communication system. These systems are used for radio, internet, television and mobile communication. In many cases, these systems are not properly secured, so that anyone with inexpensive hardware and some skill can intercept and listen to or read these messages.