View
3.192
Download
0
Category
Preview:
DESCRIPTION
This talk will provide an in-depth treatment of satellite telephony networks from a security perspective. The overall system seems secure, but in reality, it cannot be expected to be fully reliable. We will briefly cover the satellite mobile system architecture, then discuss GMR (GEO-Mobile Radio) system elements, e.g. GSS (Gateway Station Subsystem), MES (Mobile Earth Station), AOC (Advanced Operation Center), and TCS (Traffic Control Subsystem) for GMR-1 systems and NCC (Network Control Center), GW (Gateway), SCF (Satellite Control Facility) and CMIS (Customer Management Information System) for GMR-2 systems. From there, we will discuss the security issues of GMR system as it shares similar vulnerabilities with GSM–GMR is derived from the terrestrial digital cellular standard GSM and support access to GSM core networks, along with some interesting demos. Time permitting, a question and answer session at the end of the presentation will allow participants to cover any additional issues in satellite telephony system they’d like to discuss.
Citation preview
SatelliteTelephonySecurity
DON’T PANIC
Arthur C. Clarke1917-2008
WHEN TERRESTRIAL COMMUNICATION FAIL,WE PREVAIL!
“
”
Local ISPs
Video Contribution
Teleport PSTN
End Users
End Users
InternetTeleport
Corporate Data Networks(Interactive & Multicast)
Direct Broadcast TVLast-mile Broadband
Broadcast Video toCable Headends
Satellite Communications
Dan VeenemanLow Earth Orbit Satellites
Dan VeenemanFuture & Existing Satellite Systems
WarezzmanDVB Satellite Hacking
Jim Geovedi, Raditya Iryandi,Hacking a Bird in the Sky: Hijacking VSAT Connection
Jim Geovedi, Raditya Iryandi, Anthony ZboralskiHacking a Bird in the Sky: Exploiting Satellite Trust Relationship
Adam Laurie$atellite Hacking for Fun & Pr0fit!
Leonardo Nve Egea, Christian MartorellaPlaying in a Satellite Environment 1.2
Jim Geovedi, Raditya IryandiHacking Satellite: A New Universe to Discover
1996 1998 2004 2006 2008 2009 2011
Jim Geovedi, Raditya Iryandi, Raoul ChiesaHacking a Bird in the Sky: The Revenge of Angry Birds
Jim GeovediSatellite Telephony Security: What Is and What Will Never Be
Satellite Phone
Satellite Phone Network
EARTH
average distance to moon:384,400 km
Geostationary OrbitAltitude: 35,786 km
Low Earth OrbitAltitude: 500-2,000 km
Medium Earth OrbitAltitude: 8,000-20,000 km
Highly Elliptical OrbitAltitude: >35,786 km
Satellite Orbits
GEO (Geostationary Earth Orbit)Satellite OperatorsACeS, ICO, Inmarsat, SkyTerra, TerreStar, Thuraya
LEO (Low Earth Orbit)Satellite OperatorsGlobalstar, Iridium
FeederDownlink
FeederUplink
TerminalDownlink
TerminalUplink
Return Link
Forward Link
Intersatellite Link(ISL)
Orb
ital
Alt
itud
e
Gateway
PSTN Cellular
End UserTerminal
LEOSatellite i+1
LEOSatellite i
LEO Communication Satellite Constellation System
Frequency Band Designations
TDMA (Time Division Multiple Access)
f1
Transponder
f1
f1f1 f1
Timeframe Structure and Timeslots
1 2 3 4 5 6 7 8 9 10 11 12 13 14 150
1 2 3 4 5 6 7 8 9 10 11 12 13 14 150 16 17 18 19 20 21 22 23
21 30
1 2 3 4892 4893 4894 48950
1 hyperframe = 4,896 superframes = 19,584 multiframes = 313,344 TDMA frames(3h 28mn 53s 760ms)
1 superframe = 4 multiframes = 64 TDMA frames (2.56s)
1 multiframe = 16 TDMA frames (640 ms)
1 TDMA frame = 24 timeslots (40ms)
1 timeslot = 78 bit durations (5/3ms)
1 bit duration = 5/234ms
CDMA (Code Division Multiple Access)
Transponder
f1 f1 f1 f1
------------------------------------------
oooooooooooooooooooooooooooooooooooooooooo
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
++++++++++++++++++++++++++++++++++++++++++
Coverage: Iridium
Coverage: Inmarsat
Coverage: Thuraya
G
B
A
F
E
C
D
H
I
J
K
L
G
B
A
F
E
C
D
H
I
J
K
L
G
B
A
F
E
C
D
H
I
J
K
L
Spotbeams: Regional Coverage
G
B
A
F
E
C
D
H
I
J
K
L
G
B
A
F
E
C
D
H
I
J
K
L
G
B
A
F
E
C
D
H
I
J
K
L
G
B
A
F
E
C
D
H
I
J
K
L
G
B
A
F
E
C
D
H
I
J
K
L
G
B
A
F
E
C
D
H
I
J
K
L
G
B
A
F
E
C
D
H
I
J
K
L
G
B
A
F
E
C
D
H
I
J
K
L
G
B
A
F
E
C
D
H
I
J
K
L
G
B
A
F
E
C
D
H
I
J
K
L
G
B
A
F
E
C
D
H
I
J
K
L
G
B
A
F
E
C
D
H
I
J
K
L
G
B
A
F
E
C
D
H
I
J
K
L
G
B
A
F
E
C
D
H
I
J
K
L
G
B
A
F
E
C
D
H
I
J
K
L
G
B
A
F
E
C
D
H
I
J
K
L
G
B
A
F
E
C
D
H
I
J
K
L
G
B
A
F
E
C
D
H
I
J
K
L
G
B
A
F
E
C
D
H
I
J
K
L
G
B
A
F
E
C
D
H
I
J
K
L
G
B
A
F
E
C
D
H
I
J
K
L
G
B
A
F
E
C
D
H
I
J
K
L
G
B
A
F
E
C
D
H
I
J
K
L
G
B
A
F
E
C
D
H
I
J
K
L
G
B
A
F
E
C
D
H
I
J
K
L
G
B
A
F
E
C
D
H
I
J
K
L
G
B
A
F
E
C
D
H
I
J
K
L
G
B
A
F
E
C
D
H
I
J
K
L
G
B
A
F
E
C
D
H
I
J
K
L
G
B
A
F
E
C
D
H
I
J
K
L
GMR (GEO-Mobile Radio Interface)
GSM GMR Release 1
GPRS GMR Release 2Evolution Path
3GPP GMR Release 3
Extension to Satellite
GMR-1
Space segment
GMR-1 System Elements
Feeder links
SOC
PSTN
GS
Gateway Station
Gateway Stations
Mobile Earth Stations
Spotbeam coverageat L-Band
GMR-1 Protocol Architecture
MES
Satellite
GSC +GTS +TCS
GSMMSC
GSMSIM
GPSRECEIVER
CM
MM
RR
DLL
PHYSPHYS PHYS
RR
DLL
PHYS
BSSMAP
SCCP
MTP
CM
MM
BSSMAP
SCCP
MTP
GMR-1 Um-Interface
SpotbeamsL-Band
Feeder LinkKu or C-Band
GSM/A-Interface(CCS7)
GMR-1 Logical Channel Mapping onto Physical ChannelU
SE
R C
HA
NN
ELS
MOBILE EARTH STATION SATELLITE
LOGICALCHANNELS
PHYSICALCHANNELS
TCHTraffic
TimeslotNumber
TDMA FrameSequence
RF ChannelCCH
Control andSignalling
Frequency(RF Channels)
Time(Timeslots)
PHYSICALRESOURCE
UPLINK
DOWNLINKC
ON
TR
OL
EN
TIT
IES
MA
PP
ING
GMR-1 (GSM-based) Services• Standard GSM-based services (Phase 2)
• Roaming
• Single number routing
• Numbers and addressing
• Authentication and privacy
GMR-1 Extended Services• Single-hopped terminal-to-terminal calls
• Optimal routing
• High penetration alerting
• Position based services
GMR-2
PSTN
PN
PLMN
Satellite ControlFacility
Network ControlCentre
Customer ManagementInformation System
GEO SatelliteTrafficSignalling
C-BandC-Band
C-Band
C-Band L-Band
UserTerminals
PSTN
PN
PLMN
PSTN
PN
PLMN
GMR-2 System Elements
Gateway 1
Gateway 2
Gateway 3
C-band Regional Coverage for Signalling & Communication
C-Band
TrafficSignalling
G
B
A
F
E
C
D
H
I
J
K
L
G
B
A
F
E
C
D
H
I
J
K
L
G
B
A
F
E
C
D
H
I
J
K
L
L-band Spotbeams for MSS Users
G
B
A
F
E
C
D
H
I
J
K
L
G
B
A
F
E
C
D
H
I
J
K
L
G
B
A
F
E
C
D
H
I
J
K
L
G
B
A
F
E
C
D
H
I
J
K
L
G
B
A
F
E
C
D
H
I
J
K
L
G
B
A
F
E
C
D
H
I
J
K
L
G
B
A
F
E
C
D
H
I
J
K
L
G
B
A
F
E
C
D
H
I
J
K
L
G
B
A
F
E
C
D
H
I
J
K
L
G
B
A
F
E
C
D
H
I
J
K
L
G
B
A
F
E
C
D
H
I
J
K
L
G
B
A
F
E
C
D
H
I
J
K
L
G
B
A
F
E
C
D
H
I
J
K
L
G
B
A
F
E
C
D
H
I
J
K
L
G
B
A
F
E
C
D
H
I
J
K
L
G
B
A
F
E
C
D
H
I
J
K
L
G
B
A
F
E
C
D
H
I
J
K
L
G
B
A
F
E
C
D
H
I
J
K
L
G
B
A
F
E
C
D
H
I
J
K
L
G
B
A
F
E
C
D
H
I
J
K
L
G
B
A
F
E
C
D
H
I
J
K
L
G
B
A
F
E
C
D
H
I
J
K
L
G
B
A
F
E
C
D
H
I
J
K
L
G
B
A
F
E
C
D
H
I
J
K
L
G
B
A
F
E
C
D
H
I
J
K
L
G
B
A
F
E
C
D
H
I
J
K
L
G
B
A
F
E
C
D
H
I
J
K
L
G
B
A
F
E
C
D
H
I
J
K
L
G
B
A
F
E
C
D
H
I
J
K
L
G
B
A
F
E
C
D
H
I
J
K
L
TrafficSignalling
GMR-2 Gateway Internal Structure
RF/IF TCE GSC MSC
PSTNPN
GSM
DatabasesHLR & VLR
GA Gateway Antenna
TCE Traffic Channel Equipment
GSC Gateway Station Controller
MSC Mobile Switching Center
GA
GMR Satellite Monitoring SystemIntercepting
Satellite Phone Interception• Law-enforcements require tapping
• Test equipment
• Limited use of encryption
• Modifiable phone equipment
Tactical InterceptionReceives L-band from satellite and line-of-sight from handset
Strategic InterceptionReceives L-band from satellite and C-band from satellite
Satellite Interception Operation
MES6 GHz
UP3.5 GHzDOWN
1.5 GHzDOWN
1.6 GHzUP
Gateway
Tactical Satellite Interception Operation
Gateway Monitoring Agent
MES6 GHz
UP3.5 GHzDOWN
1.5 GHzDOWN
1.5 GHzDOWN
1.6 GHzUP
1.6 GHzRADIO LINE-OF-SIGHT
DownconverterIF
Satellite antenna
Uplink antenna
Tactical Satellite Interception Operation
Channel 1
Channel 2
Call Analysis• Spotbeam IDs, GPS co-
ordinates, operating frequency.
• Date, time and duration of call.
• MES IMSI.
• GPS co-ordinates of MES.
• Random Reference Number (CallerID).
• TMSI called by MES.
• Mobile or Fixed Originated Call (Voice, Fax, Data or SMS).
• Terminal type.
• Ciphering key sequence number.
• RAND and SRES.
• Encryption Algorithm
Strategic Satellite Interception Operation
Monitoring Centre
MES6 GHz
UP3.5 GHzDOWN
1.5 GHzDOWN
3.5 GHzDOWN
1.5 GHzDOWN
1.6 GHzUP
Gateway
FAQ
What’s next?
@geovedihttp://www.slideshare.net/geovedi/presentations
Recommended