Satellite Telephony Security

Transcript

1. Satellite Telephony Security

2. DON’T PANIC

3. Arthur C. Clarke 1917-2008 WHEN TERRESTRIAL COMMUNICATION FAIL, WE PREVAIL!

   “ ”

4. Local ISPs Video Contribution Teleport PSTN End Users End Users

   Internet Teleport Corporate Data Networks (Interactive & Multicast) Direct Broadcast TV Last-mile Broadband Broadcast Video to Cable Headends Satellite Communications

5. Dan Veeneman Low Earth Orbit Satellites Dan Veeneman Future &

   Existing Satellite Systems Warezzman DVB Satellite Hacking Jim Geovedi, Raditya Iryandi, Hacking a Bird in the Sky: Hijacking VSAT Connection Jim Geovedi, Raditya Iryandi, Anthony Zboralski Hacking a Bird in the Sky: Exploiting Satellite Trust Relationship Adam Laurie $atellite Hacking for Fun & Pr0fit! Leonardo Nve Egea, Christian Martorella Playing in a Satellite Environment 1.2 Jim Geovedi, Raditya Iryandi Hacking Satellite: A New Universe to Discover 1996 1998 2004 2006 2008 2009 2011 Jim Geovedi, Raditya Iryandi, Raoul Chiesa Hacking a Bird in the Sky: The Revenge of Angry Birds Jim Geovedi Satellite Telephony Security: What Is and What Will Never Be

6. Satellite Phone

7. None
8. None
9. None

10. Satellite Phone Network

11. EARTH average distance to moon: 384,400 km Geostationary Orbit Altitude:

    35,786 km Low Earth Orbit Altitude: 500-2,000 km Medium Earth Orbit Altitude: 8,000-20,000 km Highly Elliptical Orbit Altitude: >35,786 km Satellite Orbits

12. GEO (Geostationary Earth Orbit) Satellite Operators ACeS, ICO, Inmarsat, SkyTerra,

    TerreStar, Thuraya LEO (Low Earth Orbit) Satellite Operators Globalstar, Iridium

13. Feeder Downlink Feeder Uplink Terminal Downlink Terminal Uplink Return Link

    Forward Link Intersatellite Link (ISL) Orbital Altitude Gateway PSTN Cellular End User Terminal LEO Satellite i+1 LEO Satellite i LEO Communication Satellite Constellation System

14. Frequency Band Designations

15. TDMA (Time Division Multiple Access) f1 Transponder f1 f1 f1

    f1

16. Timeframe Structure and Timeslots 1 2 3 4 5 6

    7 8 9 10 11 12 13 14 15 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 0 16 17 18 19 20 21 22 23 2 1 3 0 1 2 3 4892 4893 4894 4895 0 1 hyperframe = 4,896 superframes = 19,584 multiframes = 313,344 TDMA frames (3h 28mn 53s 760ms) 1 superframe = 4 multiframes = 64 TDMA frames (2.56s) 1 multiframe = 16 TDMA frames (640 ms) 1 TDMA frame = 24 timeslots (40ms) 1 timeslot = 78 bit durations (5/3ms) 1 bit duration = 5/234ms

17. CDMA (Code Division Multiple Access) Transponder f1 f1 f1 f1

    ------------------------------------------ oooooooooooooooooooooooooooooooooooooooooo xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx ++++++++++++++++++++++++++++++++++++++++++

18. Coverage: Iridium

19. Coverage: Inmarsat

20. Coverage: Thuraya

21. G B A F E C D H I J

    K L G B A F E C D H I J K L B A E C D I J K L Spotbeams: Regional Coverage G B A F E C D H I J K L G B A F E C D H I J K L G B A F E C D H I J K L G B A F E C D H I J K L G B A F E C D H I J K L G B A F E C D H I J K L G B A F E C D H I J K L G B A F E C D H J K L G B A F E C D H I J K L G B A F E C D H I J K L G B A F E C D H I J K L G B A F E C D H I J K L G B A F E C D H I J K L G B A F E C D H I J K L G B A F E C D H I J K L G B A F E C D H I J K L G B A F E C D H I J K L G B A F E C D H I J K L G B A F E C D H I J K L G B A F E C D H I J K L G B A F E C D H I J K L G B A F E C D H I J K L G B A F E C D H J K L G B A F E C D H I J K L G B A F E C D H I J K L G B A F E C D H I J K L G B A F E C D H I J K L G B A F E C D H I J K L G B A F E C D H I J K L G B A F E C D H I J K L

22. GMR (GEO-Mobile Radio Interface)

23. GSM GMR Release 1 GPRS GMR Release 2 Evolution Path

    3GPP GMR Release 3 Extension to Satellite

24. GMR-1

25. Space segment GMR-1 System Elements Feeder links SOC PSTN GS

    Gateway Station Gateway Stations Mobile Earth Stations Spotbeam coverage at L-Band

26. GMR-1 Protocol Architecture MES Satellite GSC + GTS + TCS

    GSM MSC GSM SIM GPS RECEIVER CM MM RR DLL PHYS PHYS PHYS RR DLL PHYS BSSMAP SCCP MTP CM MM BSSMAP SCCP MTP GMR-1 Um-Interface Spotbeams L-Band Feeder Link Ku or C-Band GSM/A-Interface (CCS7)

27. GMR-1 Logical Channel Mapping onto Physical Channel USER CHANNELS MOBILE

    EARTH STATION SATELLITE LOGICAL CHANNELS PHYSICAL CHANNELS TCH Traffic Timeslot Number TDMA Frame Sequence RF Channel CCH Control and Signalling Frequency (RF Channels) Time (Timeslots) PHYSICAL RESOURCE UPLINK DOWNLINK CONTROL ENTITIES MAPPING

28. GMR-1 (GSM-based) Services •Standard GSM-based services (Phase 2) •Roaming •Single

    number routing •Numbers and addressing •Authentication and privacy

29. GMR-1 Extended Services •Single-hopped terminal-to-terminal calls •Optimal routing •High penetration

    alerting •Position based services

30. GMR-2

31. PSTN PN PLMN Satellite Control Facility Network Control Centre Customer

    Management Information System GEO Satellite Traffic Signalling C-Band C-Band C-Band C-Band L-Band User Terminals PSTN PN PLMN PSTN PN PLMN GMR-2 System Elements Gateway 1 Gateway 2 Gateway 3

32. C-band Regional Coverage for Signalling & Communication C-Band Traffic Signalling

33. G B A F E C D H I J

    K L G B A F E C D H I J K L B A E C D I J K L L-band Spotbeams for MSS Users G B A F E C D H I J K L G B A F E C D H I J K L G B A F E C D H I J K L G B A F E C D H I J K L G B A F E C D H I J K L G B A F E C D H I J K L G B A F E C D H I J K L G B A F E C D H J K L G B A F E C D H I J K L G B A F E C D H I J K L G B A F E C D H I J K L G B A F E C D H I J K L G B A F E C D H I J K L G B A F E C D H I J K L G B A F E C D H I J K L G B A F E C D H I J K L G B A F E C D H I J K L G B A F E C D H I J K L G B A F E C D H I J K L G B A F E C D H I J K L G B A F E C D H I J K L G B A F E C D H I J K L G B A F E C D H J K L G B A F E C D H I J K L G B A F E C D H I J K L G B A F E C D H I J K L G B A F E C D H I J K L G B A F E C D H I J K L G B A F E C D H I J K L G B A F E C D H I J K L Traffic Signalling

34. GMR-2 Gateway Internal Structure RF/IF TCE GSC MSC PSTN PN

    GSM Databases HLR & VLR GA Gateway Antenna TCE Traffic Channel Equipment GSC Gateway Station Controller MSC Mobile Switching Center GA

35. GMR Satellite Monitoring System Intercepting

36. Satellite Phone Interception •Law-enforcements require tapping •Test equipment •Limited use

    of encryption •Modifiable phone equipment

37. Tactical Interception Receives L-band from satellite and line-of- sight from

    handset Strategic Interception Receives L-band from satellite and C-band from satellite

38. Satellite Interception Operation MES 6 GHz UP 3.5 GHz DOWN

    1.5 GHz DOWN 1.6 GHz UP Gateway

39. Tactical Satellite Interception Operation Gateway Monitoring Agent MES 6 GHz

    UP 3.5 GHz DOWN 1.5 GHz DOWN 1.5 GHz DOWN 1.6 GHz UP 1.6 GHz RADIO LINE-OF-SIGHT

40. Downconverter IF Satellite antenna Uplink antenna Tactical Satellite Interception Operation

    Channel 1 Channel 2

41. Call Analysis • Spotbeam IDs, GPS co- ordinates, operating frequency.

    • Date, time and duration of call. • MES IMSI. • GPS co-ordinates of MES. • Random Reference Number (CallerID). • TMSI called by MES. • Mobile or Fixed Originated Call (Voice, Fax, Data or SMS). • Terminal type. • Ciphering key sequence number. • RAND and SRES. • Encryption Algorithm

42. Strategic Satellite Interception Operation Monitoring Centre MES 6 GHz UP

    3.5 GHz DOWN 1.5 GHz DOWN 3.5 GHz DOWN 1.5 GHz DOWN 1.6 GHz UP Gateway

43. FAQ

44. What’s next?

45. None
46. None

47. @geovedi http://www.slideshare.net/geovedi/presentations