BSIDES CPT 2019 - Hacking satellites with Software Defined Radio (SDR) - Gerard de Jong

Welcome. Today we're going to be hacking satellites with software-defined radio; you might find some of it interesting. What are you going to learn today? Who has a gate that opens when you press a button on one of these key fobs? Take them out, we might play with them in a moment. I'm going to teach you how to do something bad with that. If you're worried about where ships are, if you ever go to sea, I'm going to show you how to track where those things are in real time, no internet. Same thing with planes: I'll show you how to track planes, so the next time you're picking up a friend at the airport you'll know if it's delayed. If your flight is delayed you don't need an internet connection or to worry about Wi-Fi; you can just figure out when that's going to happen. And of course we're going to mess around with some signals from some satellites.

Let that animation complete. I just want to put the brakes on here: if you do stupid stuff you're a dolt and you can go to prison. I will show you many interesting new ways of going to prison if you're looking at doing that today. This talk is really just about my journey and what I've been learning. I'm quite new in the security field; I don't work in the security field. I'm a software developer, I work for a bank, so this is still about what I've been messing around with. I'm going to show you the stuff that's worked for me and what hasn't worked for me, and if you've got any ideas about stuff you think I should try, or want a chat, do come to me afterwards and we can chat about that.

So a little bit of history: where does this come from? Who here makes videos? Okay, some of you might not put your hands up because you make other kinds of videos for the internet. About 10 years ago, or not 10, maybe even 20 years ago, if you wanted to make any kind of high-class video production you needed a rig pretty much like this, right (with a laser pointer, but anyway, some DVDs done), there's a little bit more modern, but anyway, you needed a lot of equipment. Today most YouTubers are doing something like this. Similarly, my late father was a radio amateur and I grew up thinking that all men have a radio shack full of stuff like this, and that was just normal. But no: in fact today, and I'll show you how and why, it's pretty much just as simple to mess around with software-defined radio.

So how is that possible? There was a Kickstarter. Surely, yes, this was possible before, but I think it really kicked off in 2014 with a Kickstarter for this, called the HackRF One. Does anyone have one? Some persons... two people have got one, awesome. It was started by a guy called Michael Ossmann. It's maybe twice the size of a Raspberry Pi and works anywhere between 1 MHz and 6 GHz. It can both receive and transmit, so we say RX and TX. It's got a cool ARM chip in it and it only costs 10,000 rand. That's right, folks, only ten grand. Some people, you see, are getting better deals than when I was looking, but you have to chat to those people afterwards.

Speaking of which, meanwhile, who wants to guess what this is? It's the rollout of digital terrestrial television, and I don't know why South Africa is blue. They say it's launched, but whatever. And it created this whole market. Speaking of China: they produce these awesome chips, these Realtek RTL2832Us, which go in little dongles like this. Here's one, I've got another one there as well, and they operate anywhere between 25 MHz and 1.6 GHz. They're RX-only, which is fine; you can get yourself into less trouble. We'll chat about how you get into trouble there if you really want to. They use this chip, of course, and they cost about 300 bucks, so that's really not bad, up to about 500. And there's a whole new blog; so much of the stuff that I'm going to be chatting about comes from this website, rtl-sdr.com. Even more crazy things are posted up here, so that's a really good source. And then there are much nicer ones like this one that's got an aluminium case on it, so you can work at high frequencies for longer. That's what that looks like. That's what that terrible sound was earlier; I was messing around with that. I was trying to get my mic on the RTL-SDR to show you that, but I couldn't control the volume, so sorry about those folks' ears. But it's pretty much the same thing, just a little bit more expensive. There are hundreds of these kinds of devices coming out. They're available at places like Micro Robotics and Communica; they're all selling them now for around 500 bucks. There are Airspy devices, another nice option.

When it comes to the kind of software for those: Windows... I forgot which crowd I've got here today, but anyway, if you are a Windows user this is normally how you'll get things going. Airspy makes some of these devices; you can just download their software over there. You guys know how to click download. What I like about Airspy is they actually give you a link: this little batch file over here is going to download the drivers for your RTL-SDR, which is pretty cool. Once you've got that installed, this is just how you'll get an RTL-SDR going in Windows: you open this little program called Zadig and it's going to patch a driver. Before you install that, this is generally what it looks like. This is all real time; I haven't sped this up because I'm far too lazy. Then it turns, and it's installed successfully, and then you can start a program called SDR#, which in my experience is one of the more popular versions that people are using out there. So this is what it looks like, and you're just going to have to go to settings and select your USB device over there. If you've got that going, that's it. This is very much what the spectrum is looking like, and this is called the waterfall down here. So you can just pick up... that's just a normal radio station at 104 MHz.

And this is where we can start playing with one of those key fobs, if you've got these. If you've got one, now, not all of them; yes, they are rolling codes and encryption and encoding and everything else, but most property developers are cheap and like buying cheap stuff. So I was just messing around with one of these. You use RTL-SDR; these things run at, I think, 405 MHz, so let's look at what I recorded over 403.550. There we go, press play over there to play that back, and if you press that button you'll see that little code over there. So that's fun; let's go do some signal analysis.

I actually bought the part that you attach to your gate, the receiver over there, to open everything up. This brown thing is the antenna. How does it work? You press the button, there's some sound, bump, and a little LED goes. What's fun about this is you can record that using some of the recording stuff down here, and it's a little bit just like audio recording: 16-bit PCM, see that. It's exactly the same experience; you're just going to record this. There we go, we've got that, and now let's go see what that signal looks like inside.

Who uses Audacity for audio and stuff like that? You can use that for this as well, at least. If I open this up in Audacity in Windows (and I did this all through a virtual machine, in my defence, which caused me problems you will see later), that's the signal that I recorded. If we zoom in there, there's one press that I'm doing with my thumb, live, there's another press. Notice that these things send the signal quite a couple of times, and if you look at that, I think that's Manchester encoding, I can't remember what this is called actually, but that looks like a code. If you had to open up your... I want to call it a dongle, because I use Apple computers, but forgive me on that. Yes, so see those DIP switches there? That's how you set that static code, and you'll notice, very probably expected for this audience, the correlation between these and the ones over here. So that's an interesting new way of going to jail: if you want to open up things, you can record these. In effect, when I was messing around with this I noticed that I was getting signals when I hadn't pressed the button, and it was my neighbours coming home and stuff like that, and you'll be surprised how often it's a static code that keeps being reused.

So let's talk about why we get into trouble when we mess around with the electromagnetic spectrum. On the back of your phone you will normally have something like this. The FCC is from the States and CE is from the UK, and these guys regulate who can use which part of the spectrum, and different parties have paid different amounts to be allowed to use different parts of the spectrum, so it's sort of policed. ICASA is the South African version of that. I believe this is the one for China, and Malaysia, and one of them here, I can't remember, is for New Zealand. And this is a nice graph just to show you where all the different parts are allocated. This is normally where normal broadcast radio would be sitting, the kind of stuff you listen to in your car. If we go over to 2.4 GHz, that's Wi-Fi and Bluetooth and all those good things; that's kind of unlicensed, it's free for us to use. Going over to this side we've got 890... what was this? Oh yes, aeronautical mobile stuff, so we're going to mess around with some planes a little bit later. On this side satellites fit in, in this 137 MHz range; it's a little bit tight. And then all the way on that side, this is where those key fobs, your car remote and all those different things, are sitting. So that's quite fun, and if you do want to extend this a little bit further I would very much recommend getting an amateur radio licence. Who here is a radio ham? Okay, more than I've had before. You guys are the guys who would like being referred to by your... whatever call signs. Okay, I'm not a radio ham yet. I have accepted Dominic White's challenge to do mine; both my parents were already hams, so, big pardon, yes, I am doing it, it's just taking long. How I'm doing it is, there's a course up and you can do practice exams even, so I recommend that to anyone interested.

Who here has a Raspberry Pi? Who does not? What is wrong with you, why don't you have a Raspberry Pi? Okay, for those of you who don't know what a Raspberry Pi is: a credit-card-sized computer, about 600 bucks, a cool little ARM processor. And did you know this? It's TX only, as far as I've been able to find out, anywhere between 5 kHz and 1.5 GHz, which is actually quite impressive. A guy has got this going and created something called rpitx, a very fine piece of software, and the way you get this going (and I'll show you why you shouldn't do it just like this yet), but anyway, if you look at your general-purpose input/output GPIO headers, if you attach just a little lead onto GPIO 7, which I think, correct me if I'm wrong, is the one you'd use for pulse width modulation on motors, you can use that to broadcast stuff.

But I warn you, please do not do this, because a Raspberry Pi is a digital device, so it thinks in ones and zeros, and that normally gets broadcast as a bit of a square wave. Those of you who remember your high school computer science... not computer science, physical science: when we broadcast things we want to use nice sine waves. I'll show you why in a moment, because of this harmonics problem. We can use constructive interference and destructive interference to create different waveforms, and if we add some more up we can make square waves; the same thing is true in reverse, which causes this terrible problem. So if you're going to be using a Raspberry Pi to transmit any of these things, whatever you're broadcasting is going to be sort of reflected on different parts of the
spectrum as well, and you're going to start breaking people's baby monitors and upsetting all kinds of people, and the worst part is you're telling them exactly where you are by broadcasting that signal. So you've been warned, and ICASA will come after you. But it's fine: there are these things called bandpass filters. This is what you should use, and essentially all this does is cut off the frequencies on either side, so that those harmonics don't end up in other parts of the spectrum where you cause trouble for people. Very cheap; buy them from China. I haven't bothered yet, but I'll show you why it's cool and how you can do this: everything leaks electromagnetic radiation. We'll chat about that in a second.

So if we wanted to turn our key fob into one of these, or rather the other way around, we could do a replay attack with something like this. What I've done is I've attached that RTL dongle to a Raspberry Pi 3 over here; that's the antenna part over here. I can SSH into my Pi, you guys all know how to do that, and from the command line (I love this kind of audience where I can do this) RTL menu is a nice piece of software, so I can go back to that. You can see what I had before, and I'm just choosing an input and an output frequency, and I want them both to be the same because I'm doing a replay attack here. Anyway, while that runs, cool, it's busy recording a signal so that I can go to my dongle and... oh, is it shaking because it's playing? There we go. Should we get that going? Cool, and then I can run it again. From the menu I can just replay what I've recorded, so I'm basically just recording something and then playing it back.

I want you to notice something: I've not attached this to anything here. It's just the normal electromagnetic leakage from this thing, which you can see is certified; it's still leaking enough for me to be able to trip this relay. So that's pretty cool, if you think about it: you could just go and plug this thing into a battery pack and connect it, just press it up against the receiver, and you should get enough leakage for this thing to work. So that's a little bit of playing on this. It can work in a transponder mode as well, basically just a repeater, and a few other cool hacks. So that's a more interesting way to go to jail.

But can you do a brute-force attack? I thought about this, and there are only 12 switches and they've only got two positions, so the total number of combinations that this thing can have is only 2 to the power of 12, which is 4,096 combinations. That's not too bad for brute force at all. So if you were to write a piece of software like this, which I just called brute force, you could just transmit (I had to speed this up) every single code for all these static things, and you could run through all of them, and bump, there, that's done; you didn't have to wait for it. Meanwhile... so I started this on GitHub and then I took it off when I realised... I'm not worried about people stealing things from your home, I'm worried about your dogs getting out and stuff like that. So yeah, maybe I need some... oh yes.

The last time I did this, at 0xCon in Joburg, a guy called Skulk came over to me and showed me how he's using this. Who has Roboguards at home? Okay. Do you know what a Roboguard is? This is a South African product. What they've got is, I suppose, PIR sensors essentially, and you've got two beams that it makes, so that your dog doesn't trip it, or, I want to say airplane for some reason, no, it will not be tripped by an aeroplane, but birds or anything else in your garden won't trip it off. But if someone hops into your garden this thing can pick it up, and they work at 433 MHz. So this is some of Skulk's code, which he was kind enough to share with me. What he's doing is he's written his own implementation. Yes, it's still connected to his alarm, but now he can connect it to his Raspberry Pi and see when his garden services are there, if his kids are playing outside, and if in certain hours where he's not expecting anyone else to be in his yard, it can let him know. That's why he's got these tamper and checking flags and everything else, and that's just how he runs it with RTL-SDR. It's a really, really cool thing.

Let's chat about antennas. When you buy these dongles you get one of these things, which is of course one of the simplest antenna types you can get, called a dipole. You can make this yourself with a coat hanger if you like. This is just a piece of coax, and when you open that up it's got shielding, a core, and, I love saying dielectric insulator for some reason, it makes me sound very intelligent, but it's just plastic. And yes, I'm incorrectly labelling these ground and VCC, because that makes more sense to me personally, but anyway, if you just attach two aluminium poles onto this you have made a dipole. They're that easy to make, and you can tune them to different kinds of frequencies. How does this work? Well, as the electromagnetic waves pass by they are inducing a current, or a potential voltage, between these two different poles.

Polarisation is an important thing you'll hear about a lot when you mess around with this stuff. Who wants to guess, is this vertical or horizontal polarisation? How did I mess that up? Vertical polarisation. The point is basically if you want to chat to someone the polarisations need to match, but things get complicated with satellites, with circular polarisation, which we'll chat about in a second, because that gets a lot of fun. Anyway, I can chat about antennas for a very long time. I just have one thing I want to get out of here: you will know about Yagi antennas. Please start calling them Yagi-Uda antennas, because it is Mr. Uda who had the greater contribution to the creation of this antenna than Yagi. That's the only thing I want to change about that.

If you want to make your own, how long should these things be? That's always going to be proportional to your wavelength, so just how long that wave is over time, and your antenna needs to be half that. All right, so if you're making these yourself, quickly we'll talk about the half wavelength and the quarter wavelength, and for the sake of our antenna we're going to talk about the total length and the element length of our dipole. You're not going to sound smart at any conference unless you include some mathematics, so for the purposes of this talk we are going to state the very well-known fact that wavelength equals the velocity in whichever medium something is travelling through, divided by its frequency. In which case this will be the speed of light, because it's radio waves of course, which we can approximate to 3 times 10 to the... well, 3 times 10 to the power of 10 metres per second. So if we want to know what the length should be to pick up a signal at 100 MHz: 100 MHz is just 100 times 10 to the power of 6, so those two zeros can just fall in there, and notice that now I can cancel out 10 to the power of 8 divided by 10 to the power of 8, leaving only 3 metres. That's how easy it is to figure out how long your antenna dipole should be: half that, remember. Okay, so apparently I've got that wrong and you need to come to me afterwards to show me how to fix that for my talk. I'm very welcome and open to feedback, okay, thanks. So for those of you at home, you can ignore the last five seconds of this and we'll fix it in post. And I also approximated the speed of light, which irritates some people, I'm sorry.

Okay, let's talk about tracking ships. So this is what the ocean looks like, and it's always clear and always calm. No it's not; sometimes it looks like this, and then it also gets dark, so it can be scary. That's why on ships they have things like this which help you track other... why do I keep wanting to say airplanes... other ships. You could track aeroplanes as well, you'd need some different equipment, we'll chat about that in a second. Anyway, they use a system called AIS, the automatic identification system, and because I'm a software guy I like to think of them as datagrams. Don't call them datagrams, I just like doing that, but yes, they'll come with something similar to... I don't know what. Anyway, you get this MMSI, maritime mobile service identity number, you get a navigation status with cool words like "anchored" and "under way", a rate of turn, so which way the ship's pointed I suppose, speed in knots, and latitude and longitude. It runs at 161.9 MHz; you don't care about the actual numbers, you can get those from the post later. Anyway, if you want to make an antenna for this you'll need... it's probably wrong now, but anyway, I went and did this and I made 44-centimetre dipoles. So I was down at, why do I keep wanting to say... this is down by the V&A Waterfront, and if you look out there there are ships out there, so we can figure out where they are, what they are, what they're doing.

This is SDR# running in a virtual machine, and you'll already notice I lied to you: there are actually two types of AIS, AIS 1 and AIS 2, and they make these little chirps. Just go back and play this one: I go and make these little chirps that you can pick up, and in Windows there's something called ShipPlotter that you can use with a virtual audio cable through a virtual machine, which caused problems for me that you'll see a little bit later. But this is generally how you would do this on a Windows box: you can record these signals and then you should be able to see all these ships. But this doesn't work so well on a Mac, and I was wondering what the problem was with all my virtual cables and virtual machines. So when I opened up CubicSDR I could still see these coming through, and then they were coming through even clearer, and I could record them as well. And by the way, yes, GQRX is a perfectly good alternative that works on Linux; I have nothing against GQRX, person who spoke to me about it at the last conference. Cool. So I could record these, which was fine, and then I could go back into Windows and take the WAV file from this, using this thing called AISMon, which could at least tell me something about these files. The interesting thing I had to do, I experimented a lot, but if you bring it down to 8-bit audio and select telephone line quality it seems to work. I mean, I've got errors over here, but there was definitely some data in there where it could find some stuff. If I then take that same audio file and I put that into ShipPlotter, this is more the experience you'll have if you have a Windows machine, which is useless to this audience because I don't think anyone here has one, but anyway, yes, that's what it looks like, and then you can see your ships. Pretty cool, huh? No internet, no hands. And if you plot that on a nicer piece of software from the Mac App Store, this is what it looks like, and that's how these things work.

Let's talk about how you can build your own flight radar as well. Has anyone done this before? Okay, this is a lot of fun. Who knows what type of plane this is? No guesses? It's a Boeing, yes, it's a Boeing 777. It's got 31 antennas on it and we're going to go through every single one... I'm kidding, we'll just go through one, and that's for something called ADS-B, your automatic dependent surveillance broadcast, very similar to AIS but designed for aircraft. How this works, and yeah, I just thought of some problems with this thing, but there's more coming up all the time. Anyway, aircraft generally know where they are, or should generally know exactly where they are, thanks to technologies like GPS, and
they can and the idea of a DSP is that you broadcast that to other aeroplanes and and by the way none of this stuff is illegal it is a really good idea that everyone knows where aeroplanes are in the sky at all times so yes they broadcast that down to two ground stations so that air traffic control can use this stuff and of course to to other aircraft in the sky as well through something called ATS be in and if you do find yourself in the cockpit of one of these planes right next to the seat on this side is where you would put this in I can't remember which YouTube video I stole this from so I probably owes someone some credit I've completely forgotten I think it's captain Joe or something like that but anyway what you've put in there is a score code this would be issued to you by aircraft traffic control and you'll pop it in before you get going and then I can't recall which airport this is exactly but yes this is the view that aircraft traffic control normally have that blue little part there's the runway where everything is landing and you can see here we've got score codes and and flight numbers there's some Dutch Airlines care them going and this is normally in traditionally done through what they call primary and secondary surveillance radar which are these dish things that are normally hidden in big domes at the airports that we normally visit but in South Africa our Civil Aviation Authority is very much pushing for the implementation of a DSB - as they say replace legacy less effective and more expensive primary surveillance radar and monopole secondary surveillance radar so these 80s speed datagrams I'm a software guy remember I have that score code in there the flight number which in my experience is never populated for some reason you altitude how high you are your airspeed longitude latitude surf course this broadcasts at ten ninety and you need a much shorter antenna only seven centimeters am I wrong about that you're nodding okay cool yeah okay and we 
use this a piece of software called dump 1090 available in github because I like open source things and if you want to set this up in your raspberry pi like I do same setup except you hop in the command line you guys know how to clone github repositories let's skip that one but when you run this after you've made it you need to add on this interactive mode otherwise it just starts streaming stuff into the console and that - - net will be important so I did this at the airport in the slow lounge my wife was not amused at all with what I was doing and you can see we've got an essay a flight I've got it s if R if R as if our flight over they a big question mark flight they don't know where they're going interesting part about this is a lot of them have no speed and no longer - you know latitude and I imagine this is because a lot of planes are parked but they leave the a DSB transponders on so they keep transmitting but they don't have a location or I've got excellent range and they're all parked at point Nemo so so that's that's really what this looks like and if you want to that - - net allows you to add on if you just use local host in this instance but anyway you can just go plot this using Google Maps you do need to go register to get your own Google Maps API key and then fix it in the JavaScript code to get this working but yes here I've got three different planes and you'll recognize there is our T in Johannesburg so lots of fun um who does the flight from flight who uses flat rail twenty four at all so there's this whole community thing yeah lots of planes being tracked by up by these guys and you can contribute data yourself so if you live in a remote area or somewhere interesting they've got a whole guide where you can use a Raspberry Pi in one of these dongles and contribute data by just running this as sudo just grabbing commands that start with sudo off the internet and putting them into your Raspberry Pi yes I'm sure it's safe but anyway yeah this this 
goes and pulls down and install and and sits whole thing up and so this presents new and interesting opportunities for us to go to jail um none of what I've spoken about is authenticated or encrypted at all and who remembers much earlier this year Gatwick Airport was shut down for more than a day I think millions of flights were redirected now I've got a friend who who owns a company that does like if you want to charter a plane from one country to another or do private flights and medical flights and stuff like that so he's not an aircraft traffic control he does his company does all the ground handling and I had some very interesting discussions with him about how you could cause more interesting problems with us and I assume what would happen if on let's say a prefers for whatever reason goodness I'm so nervous with you in the room about this i I'm so gonna end up on a do not fly list I'm a Dutch citizen as well so we can't work together so but anyway yes if on April 1st you had to put in so here's the thing about school codes any school code that starts with seven is a major emergency okay I think seven thousand means that plane is definitely hijacked seven thousand six hundred probably means that you you disagreeing you try and remember this is that anything with seven is bad the best one that starts with seven I don't know which one this is but it says that your your all your radio communications are out so I'm landing aircraft traffic control please get everyone out of the way so I said what would happen if I had to create you know a seven thousand school code and then in the same way that I can create any transmitter using a Raspberry Pi I could just attach it to Ross the two I haven't thought through very well but anyway let's attach it to a battery bank go to the airport close to where they're picking up these ADSP signals leave it in the trash run away oh I'm so worried about this suddenly but anyway yes if this thing were it if we then broadcast a fake 
like a ghost airplane and you could fly this plane all over the place all straight through the aircraft traffic control tower and I said what would happen and they said well they would bail and run so I haven't helped him get a day off work yet because he doesn't actually work in the tower but I mean like I don't think these folks are thinking about the types of problems that you guys are thinking about in this software security space so I thought thinking what could you do at ATS be DDoS attack so who recognize this this recognizes this Airport sorry captain no it's not Cape Town it's way too big this is Dubai International Airport it's quite sandy here and the reason I've chosen this one is because it's one of the biggest connecting where like connecting flights come through and this causes massive massive problems with diversions and everything else if one of these airports had to go down they will redirect any and all flights coming in to anywhere else all right so you don't need to hit a large amount of airports you just need to hit a couple of like you know JFK Heathrow sheikah Paul and you can cause absolute chaos with this sort of thing and because if you're an aircraft traffic control and you're just seeing a couple of planes was what's your day can it be like when this happens right and the problem here really is that that you know your your normal radar the whole reason why these these airports can't even operate the way they do is because they're using a DSP they're not using radar anymore because it doesn't give them to the resolution they can't see height or or anything else so they're becoming very dependent on this kind of thing and there's no security around this stuff but yes like I said I am NOT the first one to chat about this at all for more than I think it's more than five years we've been complaining about security problems in there so if you play in this field and yeah please please let us know so of course you guys actually came here to 
talk about satellites so let's get into that and this is Noah the u.s. is National Oceanic and Atmospheric Administration along blah-dee-blah but these guys exist because of the Titanic this is not running my theory but they started tracking icebergs so they're quite all the institution and they've got some nice weather satellites like this one I don't know which exactly this one is there's a couple of NOAA satellites three of them are in orbit at the moment and they're in the East they go like think of the most fax machines just go over the earth from pole to pole all the time they're there in Pearl all but and they've got some different names so the u.s. uses NORAD IDs to identify everything because you're interested in knowing what is and potential nuclear missile and what is not and you can probably tell us more about that while the rest of us use these international codes which tell us what data was launched and some more information and these things are quite here it's like heavier than my car and I travel 28,000 kilometers per hour which is quite impressive and they circumnavigate the world every hundred and two minutes and the view you're going to get from any cameras on these things is from 850 kilometers above so you're not going to get Google Earth kind of stuff here just warning you in advance so the NOAA satellites operated to primary frequency so do a lot more than just this but at 137 point 1 megahertz they use something called automatic picture transmission and then there's a high-resolution version of that which I don't use because I'm not steady enough to hold the antenna and track the satellite as it comes over so funny story about no.19 it fell over this must have been such a bad day at work for these guys right 137 million dollars because the bolts weren't properly attached I don't think anyone got fired I don't know the whole story but when I do this myself I get the best signal from this one so they're probably fixed some stuff I don't know 
what did they call it, percussive maintenance? Yeah. Okay, so another story about NOAA 16: it used to have only one NORAD ID and now it has over 200, because it blew up, and no one knows exactly why. Listen, I'm so impressed with these things, I'm really not trying to make fun of them; I mean, to get this stuff to work in this environment is amazing. You know, imagine if your laptop battery blew up and there were 200 pieces of laptop everywhere, and those are only the pieces... or whatever, going down again... those are only the parts big enough for them to see, you know, not the much smaller little paint flecks and things. So this is half a rant about space garbage; we'll see some of that in a moment. Anyway, how do we find satellites? There's tons of software to do this. Orbitron is something you'll see recommended quite a bit, but it's got quite a crap and confusing UI, probably perfect for when it was written, which feels like the 90s, so I'm gonna skip over this one. So let's not worry about that; this is a much nicer version called Gpredict. So there's NOAA 19 over there, and I can select that one and get some more information around when it's going to be coming up over, so the date and the time around when you can expect that satellite to come around again. The one I like is N2YO. So this is the website and you can use that one... ten minutes for... anyway, we'll try to go through this a little bit faster, but this is how you can find when a satellite's going to come over. So put in your coordinates of where you are; it picks it up from your IP address, so it's quite easy, and it'll tell you when that satellite's going to come around, so it'll be in the sky for about 10 minutes as it comes over. No, you can't see it. Oh, a guy called Chores recommended a very cool alternative to this called CelesTrak. So, speaking about space junk, check this out: there's a lot of stuff up there. And anyway, there's a search function down at the bottom that you can use to find some of these things, and if
you're a developer there's something called Orekit; if you're a Java programmer you can automate a couple of things. There's also a command line version of Gpredict that I wouldn't recommend too much. But anyway, we have to make some internal modifications to get this going: so to deal with circular polarization we'll go for a 120 degree change over there; at 437 megahertz we need to do 54 centimeter long element lengths, and you point that thing north-south. So literally this is what I had; that's my balcony where I live in Pretoria, and it was pretty much something like this, just a little bit longer, and you sit out there at half past four in the morning waiting for satellites to come over. And you'll see in this waterfall (this is CubicSDR again) there's something happening over here as this thing comes over, and a little bit later you can see the signal improving. And I hope this doesn't hurt anyone's ears, because there is an audio section a little bit later, but notice how this APT signal is coming in, and notice how it's just bent a little bit. Who wants to guess why that is? It's the Doppler effect, absolutely. So this thing is moving so quickly that the frequency shifts ever so slightly because of the speed at which it's moving, which is really interesting. Do you want to hear what this sounds like? This might be super loud, I'm sorry if it is... wait, it's maybe better that you don't hear it, they've probably turned it off. But anyway, how do you decode this? Well, like I told you, this thing's like a fax machine. So these were the old NOAA satellites, some of the first weather satellites you had out there, so you use something called automatic picture transmission, and everyone will tell you to use WXtoImg, which I used in a virtual machine but could not install and it didn't work out really well for me, so I switched to an open-source version. You'll see this thing break, but I'm a little bit worried about time, so we'll go forward on that. What I recommend is noaa-apt, a very nice website
that shows you how all the decoding of these signals can be done and how you find the different wedges for all that. But in any case, it's just a project you can run. So I did this on an old Kali Linux box of mine, so probably appropriate for this audience, I guess, but it comes with a little GUI and you can go for start and go grab... So I did this for DEF CON initially; so that's some signal for NOAA 19; choose an output file, I'm just going to call that DEFCON. For one, I'm typing impressed... oh, that joke's gotten old quickly, all right, sorry. And you start, and this is in real time, I didn't speed this up. There we go. Well, Kali Linux, everything is reduced... this is written in... what, toroidal hora? That's... yeah. I only did this one time; I've actually put something else on that machine. Because I know what you're all thinking now: who wants to see the results? Yeah, of course you do, that's why you came. Awesome. So this was one of the first ones I got. Okay, so it's bad, right? But think about it: I've got a signal from space with a 300 rand dongle and the equivalent of a coat hanger. I was very impressed with myself, and further passes have got much better results. So here you can see there's definitely some clouds there and some weather, there's something. So what was the problem? First of all, location: I just relied on N2YO using my IP, but you need to be quite specific about your location so that you can track the timing exactly of when that satellite is going to rise and set, if you like. Line-of-sight is also very important: these signals do not travel very well through buildings or trees or anything else like that at all. And your antenna needs to be much better; so there's this website called technology which I recommend; they've got a very cool cross dipole. There's a whole plethora of designs for these types of antennas out there, so this is by no means the only one, but less hacky than the thing I was using. And you can filter out some stuff, which I'm going to skip over, and then the results start looking
much better, much better. Who can tell me what's wrong with this image? Yes, because we're running out of time: it's upside down, because these things are moving, you know, north to south and south to north, and you never know which way it's really moving. And what you're looking at over there is some thermal infrared and some near visible, but it's all black and white, of course. Shall we play with some Russian satellites? Have we got time for that? Cool. So they've got something called Meteor-M2 satellites; it's actually two, version 2-1 and 2-2; the first one, I think, didn't properly separate from its booster, so it sort of tumbles, and then they turn it off and then it turns itself on again and starts broadcasting. There's a whole thing about... if you go to rtl-sdr, I recommend this, it's like 30 different dead satellites that they put in these graveyard orbits and then they just turn on again. But no, this is an actual functioning one: same deal, twice as heavy, and same idea, a little bit closer, same-ish frequency, and this is what it looks like. It's a digital signal this time, and I had a lot of trouble with this; you've got to demodulate this. They use something called LRPT, or low rate picture transmission; it's digital, it's slow, but that's what we'd expect, and you've got to acquire lock for the Doppler effect. So if you're doing this there's a whole long tutorial about how to do this, but I like the open source stuff and thought this is way too much work to use all those Windows programs, so I use something called meteor_demod. And when you're running that, and you've recorded this WAV file using SDR# (which you need a plugin for, by the way, to compensate for the Doppler effect and the movement of this satellite), there you've got lock, it's busy getting some data, and then you've got to decode it, which didn't work this time. So I struggled with that and I couldn't figure out why, which is a long story I won't get into, but other people have had very good results, so
someone posted this on Twitter (I forgot to credit them), but this is Cape Town down on that side, and you can see this is a digital signal on that side, so really, really nice stuff from the Russians there. If you want to use... ooh, the International Space Station is another fun thing that I've been trying to mess around with; I won't get into too many of the details of that, but of course find out when it's gonna come close to you. And I did this using a Raspberry Pi, actually, just using the rtl-sdr software, rtl_fm; so this is just a command line, you can record it, it creates a WAV file or an IQ file for you. So put in the frequency, give it a nice name, let it run, and you just set this up while the International Space Station is coming over. And they use this whenever they're doing any amateur radio talks or anything else, and I had these expectations about them maybe complaining about the food or each other, or maybe picking up something scandalous they could say on the radio because they're over Africa and not on the northern hemisphere. Nothing like that happened at all as they flew over. This is not a video they sent me, I don't even know where this is, but it's the view of where it comes from. Ctrl-C to exit, pick up that file, and that's all I heard. Sorry about that. So what you need to do is go to the Amateur Radio on the International Space Station website and find out when they're going to be talking. Okay, so sometimes they speak to schools or community events and stuff like that, and you'll only hear one side of the conversation, because you're not going to hear, you know, the people speaking up to it; you won't get that, you'll only hear that one half of the conversation at least. But yes, and they also do these weird kind of... I almost think of them as memorial plaques, but they send down slow scan television images, which looked like this in SDR#. Yeah, a little bit grainy, but quite fun to do. So, other fun things to try, in conclusion: who has been to one of those terrible restaurants we have in
South Africa, where they tie this thing to the waiter, and the waiter... I have to say, and you can call them with a button on the table? Who's been to those? Am I the only one? Those use the same technology that pagers use, and you can really mess around with that stuff, so that's a fun thing I might want to try. You can spoof something called RDS TMC, which is a fun way... so this is the inside of my car; it uses TMC Pro to be able to tell where there's traffic. So I know this is encrypted in Europe, I don't know if it's encrypted in South Africa, but it might be a fun way to say that every road you're driving on is busy and everyone should get out of the way; that might be a fun thing to do. You can create your own cellular networks with something called OpenBTS. Samy Kamkar has a cool talk called Drive It Like You Stole It, where he talks about how you can basically defeat French encoding and all that, with some cool jamming techniques. You can build your own space telescope and, yeah, literally listen to pulsars, which is really cool. You can spoof RFID tags, and I don't know about this one but it might be fun: they'll explain eatos later. And this is the coolest thing I found, it's something called System Bus Radio. So remember how my Raspberry Pi has a little bit of EMF leakage? So all computers have a little bit of EMF leakage, and there's... it's actually one of the demos is in JavaScript. I don't actually have an old-timey radio that can go down to, I think it's only 5 kilohertz, is the frequency at which it can broadcast, but it literally uses the EMF leakage from your system bus to play Mary Had a Little Lamb. It is incredibly cool. So who knows who this is? Very close. I won't keep you in suspense: it's Heinrich Hertz, and the last thing I'll leave you guys with is this: they were chatting to him many, many years ago, not on an iPhone, and he's the guy who discovered radio waves; that's why we talk about hertz as the only SI unit with an 's' in it,
because it's someone's name. And when they asked him what the point of this was at all: there's nothing whatsoever; he was very impressed that he'd found a way to prove Maxwell's equations of electromagnetic induction, and they'd ask him about any applications: it's nothing, I guess. And if you think about the applications of radio and Wi-Fi and everything else that we use today, that's maybe a point to make. So if we think today about what we do with the cloud, we've basically taken computer infrastructure, defined it via software and called it the cloud. So you can hop on to GCP or anything and make a VM; what could you do with software-defined radio? And it's interesting, AWS is doing this cool ground station network, so you can imagine creating your own points around where I might... I'm totally out of time, it's two minutes, okay, we'll just close this up. You can imagine, as your satellite is maybe moving across the planet, as it moves close to that AWS ground station with that data, you can spin up an instance of a server that could download that information, process it, pass it along, and you don't need your own ground stations for anything at all. So I'm completely out of fuel. I've got some credits for some of the guys who've worked with me on this: the O ex-con guys who gave me some advice on this stuff; thank you to foreign aid Bank for doing my flights and stuff; I'm speaking at your conference on the 31st, probably, I don't know; next year at DEF CON; and that is me, you guys can follow me on Twitter. Thank you very much, that's me. Okay, they have allowed me to take questions, so not all of you at once, please, only... okay, gentleman in the back with the incredible beard. You should have seen me at Movember. Hey, okay, first of all, the question is when am I getting my ham license and what am I playing with... Qi? So 100 and... so I'm thinking maybe next year; the exams are in April next year, I think, that will probably be the next opportunity. Okay, so that's what I'm going for, I'm slowly going
up on... we prepare. And what do you say it was? Q&A? What 100? What is that? Oh yes, oh, so I've got the content for my next talk. Yeah, I'm sure we probably don't have the audio from all of that, but that sounds incredible. Okay, and someone... okay, awesome, one more question. Right, so the question is what other plans are there around encrypting air traffic data? I have no idea. Okay, I did have this idea that, you know, let's put blockchain on it, and of course, no, but you know, it could be... I don't know, you know, I think that... I don't know, I don't know, I should know but I don't, that's terribly embarrassing. Thank you. All right, no, that's all for me, you guys, thank you very much. Cheers.
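The Doppler bend the speaker points out in the CubicSDR waterfall, worked through as an added example (not the speaker's code, and not from any project named in the talk): it uses the talk's own figures for the NOAA APT downlink (137.1 MHz, 850 km altitude) and computes how far the carrier drifts across a pass, which is the correction a Doppler plugin has to apply while recording. It assumes a circular orbit, a pass that goes directly over the station, a spherical non-rotating Earth, and the standard values for Earth's radius and gravitational parameter.

```python
import math

# Physical constants plus the talk's own figures for NOAA APT
C = 299_792_458.0          # speed of light, m/s
R_EARTH = 6_371_000.0      # mean Earth radius, m (spherical Earth assumed)
MU_EARTH = 3.986004418e14  # Earth's gravitational parameter, m^3/s^2
APT_FREQ_HZ = 137.1e6      # NOAA APT downlink frequency quoted in the talk
NOAA_ALT_M = 850_000.0     # orbital altitude quoted in the talk


def orbital_speed(altitude_m):
    """Circular-orbit speed at a given altitude (about 7.4 km/s for NOAA)."""
    return math.sqrt(MU_EARTH / (R_EARTH + altitude_m))


def range_rate_and_elevation(t_s, altitude_m):
    """Geometry of a pass that goes straight over the ground station.

    t_s is seconds relative to the moment of zenith (negative = approaching).
    Returns (range rate in m/s, elevation in degrees); a positive range rate
    means the satellite is receding. The orbit plane is the x-y plane with
    the station on the +y axis, and Earth rotation is ignored (assumption).
    """
    r = R_EARTH + altitude_m
    v = orbital_speed(altitude_m)
    theta = v * t_s / r                      # angle travelled from zenith
    sat = (r * math.sin(theta), r * math.cos(theta))
    sat_vel = (v * math.cos(theta), -v * math.sin(theta))
    dx, dy = sat[0], sat[1] - R_EARTH        # range vector station -> satellite
    dist = math.hypot(dx, dy)
    range_rate = (dx * sat_vel[0] + dy * sat_vel[1]) / dist
    elevation = math.degrees(math.asin(dy / dist))  # local "up" is +y
    return range_rate, elevation


def doppler_shift_hz(f_tx_hz, range_rate_mps):
    """Received minus transmitted frequency for the given range rate."""
    return -f_tx_hz * range_rate_mps / C


def apt_doppler_profile(step_s=60, half_window_s=420):
    """Table of (t, elevation, shift in Hz) across an overhead NOAA pass.

    Only points above the horizon are kept. The shift starts a few kHz
    high, crosses zero at zenith and ends a few kHz low: that is the
    'bend' visible in the waterfall and the retuning a decoder must track.
    """
    rows = []
    for t in range(-half_window_s, half_window_s + 1, step_s):
        rr, el = range_rate_and_elevation(t, NOAA_ALT_M)
        if el >= 0:
            rows.append((t, round(el, 1), round(doppler_shift_hz(APT_FREQ_HZ, rr))))
    return rows


if __name__ == "__main__":
    for t, el, shift in apt_doppler_profile():
        print(f"t={t:+5d}s  elevation={el:5.1f} deg  shift={shift:+6d} Hz")
```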
Info
Channel: BSides Cape Town
Views: 208,457
Rating: 4.9150214 out of 5
Keywords: BSIDES, BSIDESCapeTown, BSIDESCapeTown2019, Hacking, Cybersecurity, Infosec, SDR, GERARDDEJONG
Id: gMwciWchH3Q
Length: 44min 52sec (2692 seconds)
Published: Wed Dec 11 2019