Hacking the Iridium network could be very easy

At the last the Chaos Communication Camp, held in Zehdenick, Germany experts demonstrated how to hack the Iridium network and eavesdrop its pager traffic.

At the last edition of the Chaos Communication Camp held in Germany the organizers distributed 4500 rad1o badges, powerful devices running a software that could be used to intercept satellite traffic from the Iridium communications network.

In a talk entitled “Iridium Hacking: please don’t sue us,” the experts Sec and Schneider have demonstrated how to intercept the Iridium pager traffic by using the Camp badge.

The Iridium satellite network is composed of 66 active satellites in low Earth orbit which offers voice and data communications for satellite phones, pagers, and integrated transceivers worldwide.

The Iridium satellite network is considered obsolete, its successor, the Iridium NEXT, is planned to be launched this year.

Among the user of the Iridium network there is the Pentagon, unfortunately the project developed by Motorola in 1980s lack of security by design as explained by the researchers in their talk.

“The problem,” noticed Sec, “isn’t that Iridium has poor security. It’s that it has no security.” “It’s kind of a myth that satellite hacking is hard,” schneider said. “You are all satellite hackers now. You have the equipment. Go have fun with it.”

The Iridium network has a limited data bandwidth, just 2.4 Kb/sec, its use is limited to specific applications. Iridium network is currently used for tracking purposes in logistic and transportation.

Just to give you an example, the Iridium pager traffic doesn’t use encryption by default and the majority of traffic is sent in clear text.

A presentation leaked by Wikileaks in 2008 states that the Iridium network is difficult to hack, but things are quite different.

“the complexity of the Iridium air interface makes the challenge of developing an Iridium L-Band monitoring device very difficult and probably beyond the reach of all but the most determined adversaries.”

The Iridium system could be hacked with a cheap software-defined radio like the rad1o badge or HackRF.

The majority of the pager traffic could be easily eavesdropping with off-the-shelf producTs and the software used by the researchers.

“With just the rad1o badge and onboard PCB antenna, you can collect 22 percent of all the packets you can receive with a proper Iridium antenna,” Schneider said “You just load the software on your PC, you attach the rad1o badge and you can start receiving Iridium pager messages,” “So happy hacking with that.”

The experts highlighted that the badge has a limited processing capability, this implies that Iridium traffic analysis needs a specific software (Iridium toolchain) that could run on a laptop or a cheap Raspberry Pi 2.

“A Raspberry Pi 2 is just beefy enough to process the traffic,” Sec said. “Short-burst data stuff is much more complex”.

During the talk Sec gave a live demo of the Iridium traffic eavesdropping, the expert demonstrated how to capture and decode the Iridium pager traffic.

This is just the beginning, Sec asked the audience for help locating a copy of the Iridium systems specifications, next step is to extend the features implemented by the toolchain that could be used in the future to decode AMS (aircraft communications) and RUDICS (internet) streams .

“If anyone happens to come across this document, we still want it,” Sec said, “and we will not ask questions.”

Let me suggest to give a look the slides presented by the experts.

 

Pierluigi Paganini

(Security Affairs – Iridium network, hacking)