BSIDES CPT 2019 - Hacking satellites with Software Defined Radio (SDR) - Gerard de Jong

00:44:52
https://www.youtube.com/watch?v=gMwciWchH3Q

Ringkasan

TLDRForedraget fokuserer på hacking av satellitter ved hjelp av programvaredefinert radio (SDR). Foredragsholderen deler sin erfaring med å spore skip og fly i sanntid uten internett, og demonstrerer hvordan man kan manipulere signaler fra enheter som bilnøkler. Det diskuteres også hvordan man lager antenner og bruker programvare for å dekode signaler fra satellitter som NOAA. Foredraget advarer om de juridiske konsekvensene av hacking og oppfordrer til ansvarlig bruk av teknologi. Det avsluttes med spørsmål fra publikum om emnet.

Takeaways

  • 🔍 Lær hvordan du sporer fly og skip i sanntid uten internett.
  • 💻 Oppdag hvordan programvaredefinert radio fungerer.
  • 📡 Lag dine egne antenner for SDR-prosjekter.
  • ⚖️ Vær oppmerksom på de juridiske konsekvensene av hacking.
  • 📊 Forstå Doppler-effekten og dens betydning for signalanalyse.
  • 🌐 Utforsk NOAA-satellitter og deres data.
  • 🛠️ Bruk SDR Sharp for å analysere radiosignaler.
  • 📡 Lær om Yagi-antennens design og bruk.
  • 📈 Få innsikt i hvordan du dekoder satellittsignaler.
  • 🔧 Eksperimenter med signalmanipulering og -analyse.

Garis waktu

  • 00:00:00 - 00:05:00

    Introduksjon til hacking av satellitter med programvaredefinert radio, inkludert sporing av skip og fly uten internett.

  • 00:05:00 - 00:10:00

    Historisk perspektiv på videoproduksjon og radioamatørvirksomhet, samt introduksjon av programvaredefinert radio som ble populært med Kickstarter-prosjekter.

  • 00:10:00 - 00:15:00

    Presentasjon av RTL-SDR dongler og deres bruksområder, inkludert signalanalyse av fjernkontroller og mulige sikkerhetsproblemer.

  • 00:15:00 - 00:20:00

    Diskusjon om regulering av elektromagnetisk spektrum og viktigheten av amatør radio-lisenser for hobbyister.

  • 00:20:00 - 00:25:00

    Forklaring av Raspberry Pi og dens begrensninger i sending, samt advarsler om å unngå forstyrrelser i andre frekvenser.

  • 00:25:00 - 00:30:00

    Demonstrasjon av replay-angrep med RTL-SDR og Raspberry Pi, samt muligheten for brute-force angrep på enkle fjernkontroller.

  • 00:30:00 - 00:35:00

    Presentasjon av hvordan man kan spore skip og fly ved hjelp av SDR-teknologi, inkludert bruk av spesifikke programvarer og antenner.

  • 00:35:00 - 00:44:52

    Avslutning med diskusjon om satellitter, inkludert NOAA-satellitter og hvordan man kan dekode signaler fra dem.

Tampilkan lebih banyak

Peta Pikiran

Video Tanya Jawab

  • Hva er programvaredefinert radio?

    Programvaredefinert radio (SDR) er en teknologi som bruker programvare for å håndtere radiofrekvenser, noe som gjør det enklere å manipulere og analysere radiosignaler.

  • Hvordan kan jeg spore fly og skip?

    Du kan spore fly og skip ved å bruke programvaredefinert radio og spesifikke frekvenser for automatisk identifikasjonssystem (AIS) for skip og automatisk avhengig overvåking (ADS-B) for fly.

  • Er det ulovlig å hacke satellitter?

    Ja, hacking av satellitter eller andre radiosignaler uten tillatelse er ulovlig og kan føre til alvorlige straffer.

  • Hva er en RTL-SDR?

    RTL-SDR er en billig USB-dongle som kan brukes til å motta og analysere radiosignaler over et bredt spekter av frekvenser.

  • Hvordan lager jeg en antenne for SDR?

    Du kan lage en enkel dipole antenne ved å bruke to aluminiumspoler og en koaksialkabel, tilpasset til den frekvensen du ønsker å motta.

  • Hva er Doppler-effekten?

    Doppler-effekten er endringen i frekvensen av en bølge i forhold til en observatør som beveger seg i forhold til kilden til bølgen.

  • Hva er NOAA-satellitter?

    NOAA-satellitter er meteorologiske satellitter som overvåker værforhold og samler data om atmosfæren.

  • Hvordan kan jeg dekode signaler fra satellitter?

    Du kan dekode signaler fra satellitter ved å bruke spesifik programvare som WXtoImg eller NOAA ATP, avhengig av signaltypen.

  • Hva er en Yagi-antenne?

    En Yagi-antenne er en type retningsbestemt antenne som brukes til å forbedre signalmottak i en bestemt retning.

  • Hva er SDR Sharp?

    SDR Sharp er en populær programvare for Windows som brukes til å motta og analysere radiosignaler med SDR.

Lihat lebih banyak ringkasan video

Dapatkan akses instan ke ringkasan video YouTube gratis yang didukung oleh AI!
Teks
en
Gulir Otomatis:
  • 00:00:04
    see us welcome today we're going to be
  • 00:00:06
    hacking satellites with software-defined
  • 00:00:07
    radio you might find somebody
  • 00:00:11
    interesting what you're gonna learn
  • 00:00:12
    today who has a gate that does this when
  • 00:00:14
    you press a button one of these have
  • 00:00:16
    your a key will you take them out we
  • 00:00:18
    might play with them in a moment so I'm
  • 00:00:20
    going to teach you how to do something
  • 00:00:21
    bad with that if you're worried about
  • 00:00:24
    where ships are if you ever go to the
  • 00:00:26
    sea I'm gonna show you how to track
  • 00:00:27
    where those things are in real time no
  • 00:00:29
    internet same thing with planes I'll
  • 00:00:31
    show you how to track planes so the next
  • 00:00:33
    time you're picking up a friend at the
  • 00:00:34
    airport you'll know if it's delayed if
  • 00:00:36
    your flight is delayed you don't need an
  • 00:00:37
    internet connection or worry about Wi-Fi
  • 00:00:39
    you can just figure out when that's
  • 00:00:40
    gonna happen and of course we're gonna
  • 00:00:41
    mess around with some signals from some
  • 00:00:44
    satellites so let that animation
  • 00:00:47
    complete I just want to put the brakes
  • 00:00:48
    on here if you do stupid stuff you're a
  • 00:00:50
    dolt and you can go to prison I will
  • 00:00:52
    show you many and interesting new ways
  • 00:00:54
    of going to prison if you're if you're
  • 00:00:55
    looking at doing that today and then
  • 00:00:58
    this talk is really just about my
  • 00:01:00
    journey and what I've been learning
  • 00:01:01
    about so I'm quite new in the security
  • 00:01:03
    field I don't work in the security field
  • 00:01:05
    I have I'm a software developer I work
  • 00:01:07
    for a bank so yeah this is still about
  • 00:01:10
    what I've been messing around with so
  • 00:01:11
    I'm going to show you the stuff that's
  • 00:01:12
    worked for me and what hasn't worked for
  • 00:01:13
    me and if you've got any ideas about
  • 00:01:15
    stuff you think I should try or when a
  • 00:01:18
    chat about do come to me afterwards we
  • 00:01:20
    can chat about that so a little bit of
  • 00:01:22
    history where does this come from who
  • 00:01:23
    here makes videos okay some of you might
  • 00:01:26
    not put us up because you make other
  • 00:01:28
    kinds of videos for the Internet so
  • 00:01:30
    about 10 years ago if you wanted to or
  • 00:01:32
    not 10 maybe even 20 years ago if you
  • 00:01:34
    wanted to make any kind of high-class
  • 00:01:35
    video production you need a rig pretty
  • 00:01:37
    much like this right with IP custom a
  • 00:01:39
    laser pointer but anyway if some DVDs
  • 00:01:41
    done there's a little bit more modern
  • 00:01:42
    but anyway you need a lot of equipment
  • 00:01:44
    but today most youtubers are doing
  • 00:01:45
    something like this and similarly my
  • 00:01:48
    late father was a radio amateur and I
  • 00:01:50
    grew up thinking that all men have a
  • 00:01:51
    Radio Shack full of crap like this and
  • 00:01:54
    and that was just normal but no in fact
  • 00:01:57
    today and I'll show you how and why it's
  • 00:02:00
    pretty much just as simple to mess
  • 00:02:01
    around with software-defined radio so
  • 00:02:03
    how is that possible there was a
  • 00:02:04
    Kickstarter and surely yes this was
  • 00:02:06
    possible before but I think it really
  • 00:02:08
    kicked off in 2014 with a Kickstarter
  • 00:02:10
    for this called the hack or if one does
  • 00:02:13
    anyone have one someone someone persons
  • 00:02:15
    go on two peoples got one awesome so
  • 00:02:17
    started by a guy called
  • 00:02:18
    Michael Osmond it's a little bit maybe
  • 00:02:20
    twice the size of a raspberry pie and
  • 00:02:22
    works anywhere between one megahertz up
  • 00:02:24
    to six gigahertz it can both send and
  • 00:02:27
    transmit so we say Rx and TX
  • 00:02:29
    it's got a cool ARM chip in it and it
  • 00:02:31
    only costs 10,000 Rance that's right
  • 00:02:33
    folks only ten grands some people you
  • 00:02:35
    see some people are getting better deals
  • 00:02:36
    than when I was looking but you have to
  • 00:02:39
    chat to those people afterwards yeah
  • 00:02:42
    what speaking of speaking of meanwhile
  • 00:02:44
    who wants to guess what this is
  • 00:02:46
    it's the rollout of digital terrestrial
  • 00:02:48
    television and I don't know why South
  • 00:02:50
    Africa is blue because why is it blue
  • 00:02:53
    they say it's launched but whatever and
  • 00:02:56
    it's um created this whole market
  • 00:02:57
    speaking of China they produce these
  • 00:02:59
    awesome chips these real Tex RTL 2832
  • 00:03:02
    use which going little dongles like this
  • 00:03:04
    and here's one I've got another one
  • 00:03:07
    there as well and they operate anywhere
  • 00:03:09
    between 25 megahertz and 1.6 gigahertz
  • 00:03:12
    they're the read-only which is fine you
  • 00:03:14
    can give yourself into less trouble
  • 00:03:15
    we'll chat about how you get into
  • 00:03:17
    trouble there if you really want to they
  • 00:03:19
    use this trip of course then you cost
  • 00:03:20
    about 300 bucks so that's really not bad
  • 00:03:22
    up to about 500 and there's a whole new
  • 00:03:25
    blog so many of the stuff that I'm going
  • 00:03:26
    to be chatting about comes from this
  • 00:03:28
    website OTO sto comm so even more crazy
  • 00:03:31
    things are posted up here so that's
  • 00:03:33
    that's a really good source and then
  • 00:03:35
    there are much nicer ones like this one
  • 00:03:37
    that's got an iminium on it so you can
  • 00:03:38
    work at high frequencies for longer so
  • 00:03:42
    that's what that looks like that's what
  • 00:03:43
    that terrible sound was earlier I was
  • 00:03:45
    messing around with that I was trying to
  • 00:03:46
    get my mic on the rtl-sdr to show you
  • 00:03:48
    that but I couldn't control the volume
  • 00:03:49
    so sorry about those folks ears but it's
  • 00:03:52
    pretty much the same thing just a little
  • 00:03:53
    bit more expensive and there are
  • 00:03:54
    hundreds of these kinds of devices
  • 00:03:56
    coming out they're available and things
  • 00:03:58
    like micro robotics communicates that
  • 00:04:00
    we're all setting them now for around
  • 00:04:01
    500 bucks there's an S buy devices
  • 00:04:04
    another nice option and when it comes to
  • 00:04:06
    the kind of software for those windows
  • 00:04:08
    forgot which crowd i've got here today
  • 00:04:11
    but anyway if you are a Windows user
  • 00:04:13
    this is normally how you'll get things
  • 00:04:14
    going so a spy makes some of these
  • 00:04:16
    devices you can just download their
  • 00:04:19
    software over there you guys know how to
  • 00:04:20
    click download so once you've got that
  • 00:04:22
    going what I like about s bi is they
  • 00:04:24
    actually give you a link this little
  • 00:04:26
    batch file over here is going to
  • 00:04:27
    download the drivers for your rtl-sdr
  • 00:04:30
    which is pretty cool
  • 00:04:31
    and once you've got that installed this
  • 00:04:33
    is just how you'll get an rtl-sdr going
  • 00:04:35
    in Windows you open this little program
  • 00:04:36
    called Zadok it's going to patch a
  • 00:04:38
    driver before you install that this is
  • 00:04:41
    what generally what it looks like you go
  • 00:04:43
    this is all real time I haven't sped
  • 00:04:44
    this up because I'm far too lazy then 10
  • 00:04:47
    turn and it's installed successfully and
  • 00:04:49
    then you can start a program called SDR
  • 00:04:52
    shop which in my experience is one of
  • 00:04:53
    the more popular versions that people
  • 00:04:54
    are using out there so this is what it
  • 00:04:56
    looks like and you're just going to have
  • 00:04:58
    to go to settings and select your USB
  • 00:05:00
    device over there so if you've got that
  • 00:05:01
    going that's it so this is very much
  • 00:05:05
    what the spectrum is looking like and
  • 00:05:07
    this is called the waterfall down here
  • 00:05:09
    so you can just pick up that's just
  • 00:05:10
    normal radio station at 104 megahertz
  • 00:05:12
    and this is where we can start playing
  • 00:05:15
    with one of those key fobs if you've got
  • 00:05:16
    these on so if you've got one now not
  • 00:05:19
    all of them I like this yes they are
  • 00:05:20
    rolling codes and French and coding and
  • 00:05:22
    everything else but most property
  • 00:05:23
    developers are cheap and like buying
  • 00:05:25
    cheap stuff so if I was just messing
  • 00:05:28
    around with one of these as well
  • 00:05:29
    so you use RTL SDR these things run and
  • 00:05:32
    I think it's 405 megahertz so let's look
  • 00:05:34
    what I recorded over 403 550 there we go
  • 00:05:37
    and play over there to record that and
  • 00:05:40
    if you press that button you'll see that
  • 00:05:43
    little code over there so that's fun
  • 00:05:46
    let's go do some signal analysis
  • 00:05:48
    actually bought the part that you attach
  • 00:05:50
    to your gate to actually flip the the
  • 00:05:52
    reader over there to open everything up
  • 00:05:53
    this Brown thing is the antenna and well
  • 00:05:57
    how does it work you press the button
  • 00:05:58
    there's some sound bump and a little LED
  • 00:06:01
    goes so what's fun about this is you can
  • 00:06:04
    record that using some of the recording
  • 00:06:07
    stuff down here and there's a little bit
  • 00:06:10
    just like audio recording 16-bit PCM see
  • 00:06:13
    that and it's exactly the same
  • 00:06:15
    experience you're just going to record
  • 00:06:16
    this there we go we've got that and now
  • 00:06:19
    let's go see what that signal looks like
  • 00:06:20
    inside so who uses audacity for audio
  • 00:06:24
    and stuff like that you use that full
  • 00:06:26
    for this as well well you can at least
  • 00:06:27
    so if I open this up on audacity in
  • 00:06:30
    Windows and I did this all through a
  • 00:06:31
    virtual machine in my defense which
  • 00:06:33
    caused me problems you will see about
  • 00:06:34
    later but anyway that's the signal that
  • 00:06:36
    I recorded and if we zoom in there
  • 00:06:39
    there's no any press that I'm doing this
  • 00:06:41
    with my thumb alive there's no one
  • 00:06:43
    impressed
  • 00:06:44
    notice that these things it sends the
  • 00:06:46
    signal a quite a couple of times and if
  • 00:06:51
    you look at that that's I think that's
  • 00:06:52
    Manchester encoding I can't remember
  • 00:06:53
    what this is called actually but that
  • 00:06:56
    looks like a code and if you had to open
  • 00:06:59
    up your I want to call it a dongle
  • 00:07:02
    because I use Apple computers but
  • 00:07:03
    forgive me on that yes so see those dip
  • 00:07:07
    switches are there that's how you set
  • 00:07:08
    that static code and you'll notice very
  • 00:07:11
    probably expected for this audience
  • 00:07:13
    correlation between these are over here
  • 00:07:15
    so that's an interesting new way of
  • 00:07:17
    going to jail if you want to open up
  • 00:07:19
    things will record these in effect when
  • 00:07:20
    I was messing around this I noticed that
  • 00:07:22
    I was getting signals when I hadn't
  • 00:07:23
    pressed the button and it was my
  • 00:07:25
    neighbors coming home and and stuff like
  • 00:07:27
    that and you'll be surprised how often
  • 00:07:28
    it's a static code that keeps being
  • 00:07:29
    reused so let's talk about why we get
  • 00:07:31
    into trouble when we mess around with
  • 00:07:33
    the electromagnetic spectrum on the back
  • 00:07:35
    of your phone you will normally have
  • 00:07:37
    something like this so the FCC is from
  • 00:07:39
    the states and EC is from the UK and
  • 00:07:42
    these guys regulate what part of the
  • 00:07:45
    spectrum who can use or you can use
  • 00:07:47
    which part and you know different
  • 00:07:49
    parties have paid different amounts for
  • 00:07:50
    people to be allowed to use different
  • 00:07:52
    parts of the spectrum so it's sort of
  • 00:07:54
    policed so Akasa
  • 00:07:55
    is the south african version of that i
  • 00:07:57
    believe this is the one for China and
  • 00:07:59
    Malaysia and one of them here I can't
  • 00:08:00
    remember it's for New Zealand and this
  • 00:08:03
    is a nice graph just to show you where
  • 00:08:04
    all the different parts so allocated so
  • 00:08:06
    this is normally where normal broadcast
  • 00:08:08
    radio would be sitting the kind of stuff
  • 00:08:10
    you listen to in your car if we go over
  • 00:08:12
    to 2.4 gigahertz that's a Wi-Fi and
  • 00:08:15
    Bluetooth and all those good things that
  • 00:08:16
    say that's kind of a unlicensed it's
  • 00:08:18
    free for us to use and going over to
  • 00:08:20
    this side we've got 890 what was this oh
  • 00:08:23
    yes aeronautical mobile stuff so we're
  • 00:08:26
    going to miss around some planes a
  • 00:08:27
    little bit later on this side
  • 00:08:29
    satellites fit in there in this 137
  • 00:08:32
    make-ahead range it's a little bit tight
  • 00:08:34
    and then all the way on that side this
  • 00:08:37
    is where those key fobs so your car
  • 00:08:38
    remote and all those different things
  • 00:08:39
    sitting here so that's quite fun and if
  • 00:08:41
    you do want to extend this a little bit
  • 00:08:43
    further I would very much recommend
  • 00:08:45
    getting an amateur radio license who
  • 00:08:46
    hears a radio an okay more than I've had
  • 00:08:49
    before you guys the guys who would like
  • 00:08:50
    being referred to by yours eros whatever
  • 00:08:52
    call signs okay I'm not a radio ham yet
  • 00:08:54
    I have accepted Dominic White's
  • 00:08:56
    challenge to
  • 00:08:57
    do my both my parents already owned our
  • 00:08:58
    ham so a big pardon yes I am doing it
  • 00:09:02
    it's just taking long and how I'm doing
  • 00:09:04
    it is is we prepared say let's say
  • 00:09:07
    there's a corpse up you can do practice
  • 00:09:09
    exams even so recommend that to to
  • 00:09:11
    anyone interested I'm who here has a
  • 00:09:13
    Raspberry Pi who does not what is wrong
  • 00:09:16
    with you why don't you have a raspberry
  • 00:09:18
    pie okay for those of you don't know
  • 00:09:19
    what a raspberry pie is credit
  • 00:09:21
    card-sized computer about Yohai 600
  • 00:09:23
    bucks
  • 00:09:24
    cool it alarm processor and did you know
  • 00:09:26
    this its TX only as far about as far as
  • 00:09:30
    I've been able to find out anywhere
  • 00:09:32
    between 5 kilohertz and and 1.5
  • 00:09:34
    gigahertz which is actually quite
  • 00:09:35
    impressive and guy you've got this going
  • 00:09:37
    created something called ARP ITX
  • 00:09:40
    very fine piece of software in the way
  • 00:09:41
    you get this going and I'll show you why
  • 00:09:43
    you shouldn't do it just like this yet
  • 00:09:45
    but anyway if you look at your general
  • 00:09:47
    input/output GPIO headers if you attach
  • 00:09:50
    just a little lead on to GPIO 7 which I
  • 00:09:53
    think correct me if I'm wrong is the one
  • 00:09:55
    useful pulse width modulation on motors
  • 00:09:58
    you can use that to broadcast stuff but
  • 00:10:01
    I warn you please do not do this because
  • 00:10:03
    a Raspberry Pi is a digital device so it
  • 00:10:06
    thinks in ones and zeros and that
  • 00:10:08
    normally gets broadcast as a bit of a
  • 00:10:09
    square wave and those of you who
  • 00:10:11
    remember your high school computer
  • 00:10:13
    science and for other computer science
  • 00:10:15
    what I'm saying
  • 00:10:15
    physical science and when we broadcast
  • 00:10:18
    things we want to use nice sine waves
  • 00:10:19
    I'll show you why in a moment because of
  • 00:10:21
    this harmonics problem but because we
  • 00:10:22
    can use constructive interference and
  • 00:10:24
    destructive interference to create
  • 00:10:26
    different waveforms and and if we add
  • 00:10:28
    some more app we can make square waves
  • 00:10:30
    the same thing is true in Reverse which
  • 00:10:33
    causes this terrible problem so if
  • 00:10:35
    you're gonna be using a Raspberry Pi to
  • 00:10:36
    transmit any of these things that
  • 00:10:38
    whatever you're broadcasting is going to
  • 00:10:39
    be sort of reflected on different parts
  • 00:10:42
    of the spectrum as well and you're going
  • 00:10:43
    to start breaking people's baby monitors
  • 00:10:45
    and setting all kinds of people and the
  • 00:10:47
    worst part is you're telling them
  • 00:10:48
    exactly where you are by broadcasting
  • 00:10:50
    that signal so so you've been warned and
  • 00:10:53
    it caster will come after you but it's
  • 00:10:55
    fine there are these things called
  • 00:10:56
    bandpass filters so this is what you
  • 00:10:57
    should use and essentially all this does
  • 00:11:00
    is it it cuts off the frequency on
  • 00:11:02
    either side so that those harmonics
  • 00:11:04
    don't end up in other parts of the
  • 00:11:05
    spectrum where you cause trouble for
  • 00:11:06
    people very cheap buy them from China I
  • 00:11:09
    haven't bothered yet
  • 00:11:10
    but I'll show you why it's cool and wow
  • 00:11:12
    you can do this everything leaks
  • 00:11:14
    electromagnetic radiation we'll chat
  • 00:11:15
    about that in a second so if we wanted
  • 00:11:17
    to turn our key fob into one of these or
  • 00:11:20
    rather the other way around we could do
  • 00:11:21
    a replay attack with something like this
  • 00:11:22
    so what I've done is I've attached that
  • 00:11:24
    RTL dongle to our 3 PI over here that's
  • 00:11:28
    the antenna part over here and I can SSH
  • 00:11:31
    into my PI you guys all know how to do
  • 00:11:33
    that and from the command line I love
  • 00:11:35
    this kind of audience where I can do
  • 00:11:36
    this and our TL menu is a nice piece of
  • 00:11:39
    software so I can go back to that for
  • 00:11:40
    you can see I had before and I'm just
  • 00:11:44
    choosing an input in that output
  • 00:11:45
    frequency and I want them both to be the
  • 00:11:46
    same because I'm doing a replay attack
  • 00:11:48
    here attack anyway so while that rants
  • 00:11:51
    cool it's busy recording a signal so
  • 00:11:53
    that I can go to my dongle and I can go
  • 00:11:56
    and oh is it shaking because it's
  • 00:11:58
    playing there we go should we get that
  • 00:12:00
    going cool and then I can run it again
  • 00:12:03
    so from the menu I can just replay what
  • 00:12:05
    I've recorded so I'm basically just
  • 00:12:06
    recording something and then playing it
  • 00:12:07
    back I want you to notice something I've
  • 00:12:10
    not attached to anything here it's just
  • 00:12:12
    the normal electromagnetic leakage from
  • 00:12:14
    this thing which you can see is
  • 00:12:15
    certified it's still leaking enough for
  • 00:12:18
    me to be able to trip this relay so
  • 00:12:21
    that's pretty cool if you think about it
  • 00:12:22
    you could just go and plug this thing
  • 00:12:24
    into a battery pack and connect it just
  • 00:12:26
    press it up against the receiver and you
  • 00:12:29
    should get enough leakage for this thing
  • 00:12:30
    to work so that's a little playing on
  • 00:12:33
    this can work as a transponder mode as
  • 00:12:35
    well basically just a repeater and a few
  • 00:12:37
    other cool hacks so that's a more
  • 00:12:39
    interesting way to go to jail but can
  • 00:12:42
    you do a brute-force attack so I thought
  • 00:12:44
    about this and there are only 12
  • 00:12:45
    switches and never even got to positions
  • 00:12:46
    so the total amount of combinations that
  • 00:12:49
    this thing can have is only 2 to the
  • 00:12:51
    power of 12 which is 4096 combinations
  • 00:12:53
    that's not too bad for brute force at
  • 00:12:54
    all so if you were to write a piece of
  • 00:12:57
    software like this which I just called
  • 00:13:00
    brute force you could just transmit I
  • 00:13:01
    had to speed this up for every single
  • 00:13:03
    code for all these static things and and
  • 00:13:06
    you could run through all of them and
  • 00:13:08
    pump there that stun factor didn't have
  • 00:13:10
    to wait for it
  • 00:13:11
    meanwhile Koha so I I thought about I
  • 00:13:17
    started this on github and then I took
  • 00:13:19
    it off when I realized I'd I'm not
  • 00:13:21
    worried about people stealing things
  • 00:13:22
    from your home I'm worried about your
  • 00:13:23
    dogs getting out
  • 00:13:24
    and stuff like that so so yeah maybe I
  • 00:13:28
    need some oh yes and so the last time I
  • 00:13:30
    did this at ex-con in Joburg I called
  • 00:13:32
    skulk came over to me and showed me how
  • 00:13:33
    he's using this who has Robo guards at
  • 00:13:35
    home okay I want do you know what a Robo
  • 00:13:38
    guard is this is a this is a South
  • 00:13:41
    African product so what they've got its
  • 00:13:43
    - I suppose that like PIR sensors
  • 00:13:46
    essentially and you've got two beans
  • 00:13:48
    that it makes so that you can so that
  • 00:13:50
    your dog doesn't trip it or you know I
  • 00:13:52
    want to say airplane for some reason no
  • 00:13:55
    it will not be tripped by an aeroplane
  • 00:13:56
    you know birds or or anything and
  • 00:13:59
    anything else in your garden won't trip
  • 00:14:01
    it off but if someone hops into your
  • 00:14:02
    garden and this thing can can pick it up
  • 00:14:04
    and they work at 433 megahertz so this
  • 00:14:06
    is some Scots code which he was kind
  • 00:14:08
    enough to share with me where what he's
  • 00:14:10
    doing is he's written his own
  • 00:14:11
    implementation yes it's still connected
  • 00:14:13
    to his alarm but now he can connect it
  • 00:14:15
    to his Raspberry Pi and see when his
  • 00:14:18
    garden services are there if his kids
  • 00:14:20
    are playing outside and in if certain
  • 00:14:21
    hours where he's not expecting anyone
  • 00:14:23
    else to be in his yard it can let him
  • 00:14:25
    know and that's why he's got these
  • 00:14:27
    tamper and checking flags and everything
  • 00:14:29
    else and that's just how he runs it with
  • 00:14:31
    rtl-sdr it's a really really cool thing
  • 00:14:33
    and let's chat about antennas so when
  • 00:14:36
    you buy these dongles you get one of
  • 00:14:37
    these things which is of course one of
  • 00:14:40
    the simplest antenna types you can get
  • 00:14:41
    called a dipole so you can make this
  • 00:14:44
    yourself with a coat hanger if you like
  • 00:14:45
    this is just a piece of coax and when
  • 00:14:49
    you open that up it's got shielding a
  • 00:14:50
    core and I love saying dielectric
  • 00:14:52
    insulator for some reason it makes me
  • 00:14:54
    sound very intelligent but it's it's
  • 00:14:55
    just plastic
  • 00:14:56
    and yes I'm incorrectly labeling these
  • 00:14:59
    ground and VCC because that makes more
  • 00:15:01
    sense to me personally but anyway if you
  • 00:15:03
    just attach two aluminium poles onto
  • 00:15:05
    this you have made a dipole they're that
  • 00:15:06
    easy to make and you can tell them to
  • 00:15:09
    different kinds of frequencies so and
  • 00:15:10
    how does this work well as the
  • 00:15:12
    electromagnetic waves pass by they are
  • 00:15:14
    inducing a current or a potential
  • 00:15:16
    voltage between these two different
  • 00:15:18
    poles and polarization is an important
  • 00:15:21
    thing you'll hear about a lot when you
  • 00:15:22
    mess around with this stuff who wants to
  • 00:15:24
    guess yes this is vertical or horizontal
  • 00:15:26
    polarization how did I miss that up and
  • 00:15:29
    vertical polarization point is basically
  • 00:15:32
    if you want to chair to someone the
  • 00:15:33
    polarizations need to match but things
  • 00:15:35
    get complicated with satellites with
  • 00:15:36
    circular polarization
  • 00:15:38
    which we'll chat about in a second
  • 00:15:39
    because that gets a lot of fun anyway so
  • 00:15:42
    um I can chat about antennas for a very
  • 00:15:44
    long time I just have one thing I want
  • 00:15:46
    to get out of here you will know about
  • 00:15:47
    yagi antennas
  • 00:15:48
    please start calling them yahudah
  • 00:15:51
    antennas because it is mr. Udo who had
  • 00:15:53
    the greater contribution to the creation
  • 00:15:55
    of this antenna then yagi that's the
  • 00:15:57
    only thing I want to change about that
  • 00:15:58
    and if you want to make your own how
  • 00:16:00
    long should these things run or how long
  • 00:16:02
    should your things be
  • 00:16:04
    that's always going to be proportional
  • 00:16:05
    to your wavelength so just how long that
  • 00:16:08
    wave is over time and your antenna needs
  • 00:16:10
    to be half that all right so if you're
  • 00:16:13
    making these yourself quickly we'll talk
  • 00:16:15
    about the half wavelength and the
  • 00:16:16
    quarter wavelength and for the sake of
  • 00:16:17
    our antenna we're going to talk about
  • 00:16:18
    the total length and the element length
  • 00:16:20
    of our dipole and you're not going to
  • 00:16:23
    sound smart at any conference and less
  • 00:16:24
    you include some mathematics so for the
  • 00:16:26
    purposes of this talk we are going to
  • 00:16:29
    state the very well-known fact that
  • 00:16:31
    wavelength equals the velocity of
  • 00:16:32
    whichever medium through which something
  • 00:16:35
    is traveling divided by its frequency in
  • 00:16:37
    which case this will be the speed of
  • 00:16:39
    light because it's radio waves of course
  • 00:16:40
    which we can approximate to three times
  • 00:16:42
    a to the well three times a to the power
  • 00:16:43
    of ten meters per second so if we want
  • 00:16:45
    you to know what the length should be to
  • 00:16:47
    pick up a signal at a hundred megahertz
  • 00:16:49
    100 megahertz is just 100 times 10 to
  • 00:16:52
    the power of six so those two zeros can
  • 00:16:53
    just fall in there and notice that now I
  • 00:16:56
    can cancel out 10 to the power of eight
  • 00:16:58
    divided by 10 to the power of eight
  • 00:17:00
    leaving with only three meters and
  • 00:17:01
    that's how easy it is to figure out how
  • 00:17:03
    long your antenna dipole should be half
  • 00:17:05
    that remember yeah anyway okay so
  • 00:17:16
    apparently I've got that wrong and you
  • 00:17:17
    need to come to me afterwards to show me
  • 00:17:19
    how to fix that for my talk I'm very
  • 00:17:20
    welcome and open to feedback okay thanks
  • 00:17:23
    so so for those of you at home you can
  • 00:17:25
    ignore the last five seconds of this and
  • 00:17:27
    we'll fix it in post ok and and I also
  • 00:17:33
    approximated the speed of light which
  • 00:17:34
    motivates it some people I'm sorry okay
  • 00:17:36
    let's talk about tracking ships so this
  • 00:17:38
    is what the ocean looks like and it's
  • 00:17:40
    always clearance always comment no it's
  • 00:17:41
    not sometimes it looks like this and
  • 00:17:43
    then it also gets dark so it can be
  • 00:17:45
    scary and that's why on ships they have
  • 00:17:47
    things like this which help you track
  • 00:17:48
    other
  • 00:17:49
    why do I keep wanting to say airplanes
  • 00:17:51
    and other ships you could you could
  • 00:17:53
    track aeroplanes as well you'd need some
  • 00:17:55
    different equipment we'll chat about
  • 00:17:56
    that in a second
  • 00:17:56
    anyway they use a system called a is
  • 00:17:59
    automatic identification system and
  • 00:18:01
    because I'm a software guy I like to
  • 00:18:03
    think of them as datagrams don't call
  • 00:18:04
    them datagrams I just like doing that
  • 00:18:06
    but yes they'll they'll come with
  • 00:18:08
    something similar to I don't know what
  • 00:18:10
    anyway yes you get this MSI maritime
  • 00:18:15
    mobile service identity number you get a
  • 00:18:17
    navigation status with cool words like
  • 00:18:19
    anchor and underweight a rate of turn so
  • 00:18:22
    which where the ship's pointed I suppose
  • 00:18:23
    speed in knots and in latitude longitude
  • 00:18:25
    and it runs 160 1.9 you don't care about
  • 00:18:30
    the actual numbers you can get those and
  • 00:18:31
    post later anyway if you want to make an
  • 00:18:33
    antenna for this you'll need it's
  • 00:18:35
    probably wrong now but anyway I I went
  • 00:18:39
    and did this and I made 44 centimeter
  • 00:18:41
    dipoles so I was down at why do I keep
  • 00:18:44
    wanting to say can't spare this is down
  • 00:18:46
    by the VNA water friend and if you look
  • 00:18:47
    out there there are ships out there so
  • 00:18:49
    we can figure out where they are what
  • 00:18:51
    they are what they're doing so this is
  • 00:18:54
    SDR sharp running in a virtual machine
  • 00:18:56
    and you'll already notice I lie to you
  • 00:18:58
    there are actually two types of a is a
  • 00:19:00
    s1 and s2 and they make these little
  • 00:19:01
    chips just go back and play this one I
  • 00:19:04
    go and make these little chips that you
  • 00:19:05
    can pick up and in Windows there's
  • 00:19:08
    something called ship plotter
  • 00:19:09
    that you can use with a virtual audio
  • 00:19:11
    cable through a virtual machine which
  • 00:19:13
    caused problems for me that you'll see a
  • 00:19:15
    little bit later but this is generally
  • 00:19:16
    how you would do this on a Windows box
  • 00:19:17
    you can record these signals and then
  • 00:19:20
    you should be able to see all these
  • 00:19:21
    ships but this doesn't work so well on a
  • 00:19:24
    Mac and I was wondering what was the
  • 00:19:25
    problem with this and all my virtual
  • 00:19:27
    cables and virtual machines so when I
  • 00:19:29
    opened up cubic SDR and I could still
  • 00:19:32
    see these coming through and then we're
  • 00:19:33
    coming through even clearer and I could
  • 00:19:35
    record them as well and by the way yes
  • 00:19:37
    GQ Rx is a perfectly good alternative
  • 00:19:39
    that works on Linux I have nothing
  • 00:19:41
    against GQ rx person who spoke to me
  • 00:19:43
    about it at the last conference cool so
  • 00:19:46
    so I could record these which was fine
  • 00:19:48
    and then I could go back into Windows
  • 00:19:50
    and take the WAV file from this using
  • 00:19:52
    this thing called s Mon which could at
  • 00:19:54
    least tell me something about these
  • 00:19:55
    files and the interesting thing I had to
  • 00:19:57
    do I experiment a lot but if you bring
  • 00:19:58
    it down to 8-bit audio select telephone
  • 00:20:00
    line quality it seems to work so I mean
  • 00:20:03
    I've got
  • 00:20:03
    of arras over here but there was
  • 00:20:04
    definitely some data India where it
  • 00:20:06
    could find some stuff so if I go then
  • 00:20:08
    and take that same audio file and I put
  • 00:20:10
    that into ship plotter this is more the
  • 00:20:12
    experience you'll use if you have a
  • 00:20:13
    Windows machine which is useless to this
  • 00:20:15
    audience because I don't think anyone
  • 00:20:16
    here has one but anyway yes that's what
  • 00:20:20
    it looks like and then you can see your
  • 00:20:22
    ships pretty cool huh
  • 00:20:24
    no internet no hands yeah and and if you
  • 00:20:28
    plot that on a nicer piece of software
  • 00:20:29
    from the Mac App Store Jerry this is
  • 00:20:31
    what it looks like and how these things
  • 00:20:33
    work let's talk about how you can build
  • 00:20:35
    your own flight radar as well has anyone
  • 00:20:37
    done this before okay this is a lot of
  • 00:20:40
    fun this is a lot of fun who knows what
  • 00:20:41
    type of plane this is no guesses
  • 00:20:45
    it's a Boeing yes it's a Boeing triple7
  • 00:20:49
    it's a Boeing triple7 it's got 31
  • 00:20:52
    antennas on you and we're going to go
  • 00:20:53
    through every single one I'm kidding
  • 00:20:55
    we'll just go through one and and that's
  • 00:20:57
    for for something called ATS B so that's
  • 00:21:00
    your automatic dependent surveillance
  • 00:21:01
    broadcast very similar to a is but
  • 00:21:03
    designed for aircraft so how this works
  • 00:21:06
    and yeah I just thought of some problems
  • 00:21:09
    with this thing but there's more coming
  • 00:21:10
    up all the time anyway
  • 00:21:12
    aircraft generally know where they are
  • 00:21:14
    or should not generally know exactly
  • 00:21:16
    where they are thanks to technologies
  • 00:21:17
    like GPS and they can and the idea of a
  • 00:21:20
    DSP is that you broadcast that to other
  • 00:21:22
    aeroplanes and and by the way none of
  • 00:21:24
    this stuff is illegal it is a really
  • 00:21:25
    good idea that everyone knows where
  • 00:21:26
    aeroplanes are in the sky at all times
  • 00:21:30
    so yes they broadcast that down to two
  • 00:21:33
    ground stations so that air traffic
  • 00:21:34
    control can use this stuff and of course
  • 00:21:36
    to to other aircraft in the sky as well
  • 00:21:39
    through something called ATS be in and
  • 00:21:41
    if you do find yourself in the cockpit
  • 00:21:43
    of one of these planes right next to the
  • 00:21:44
    seat on this side is where you would put
  • 00:21:47
    this in I can't remember which YouTube
  • 00:21:49
    video I stole this from so I probably
  • 00:21:51
    owes someone some credit I've completely
  • 00:21:55
    forgotten I think it's captain Joe or
  • 00:21:57
    something like that but anyway what
  • 00:21:58
    you've put in there is a score code this
  • 00:22:00
    would be issued to you by aircraft
  • 00:22:01
    traffic control and you'll pop it in
  • 00:22:03
    before you get going and then I can't
  • 00:22:06
    recall which airport this is exactly but
  • 00:22:09
    yes this is the view that aircraft
  • 00:22:10
    traffic control normally have that blue
  • 00:22:12
    little part there's the runway where
  • 00:22:14
    everything is landing and you can see
  • 00:22:15
    here we've got score codes
  • 00:22:16
    and and flight numbers there's some
  • 00:22:18
    Dutch Airlines care them going and this
  • 00:22:21
    is normally in traditionally done
  • 00:22:22
    through what they call primary and
  • 00:22:23
    secondary surveillance radar which are
  • 00:22:25
    these dish things that are normally
  • 00:22:26
    hidden in big domes at the airports that
  • 00:22:28
    we normally visit but in South Africa
  • 00:22:31
    our Civil Aviation Authority is very
  • 00:22:32
    much pushing for the implementation of a
  • 00:22:35
    DSB - as they say replace legacy less
  • 00:22:37
    effective and more expensive primary
  • 00:22:40
    surveillance radar and monopole
  • 00:22:41
    secondary surveillance radar so these
  • 00:22:46
    80s speed datagrams
  • 00:22:47
    I'm a software guy remember I have that
  • 00:22:50
    score code in there the flight number
  • 00:22:51
    which in my experience is never
  • 00:22:52
    populated for some reason you altitude
  • 00:22:55
    how high you are your airspeed longitude
  • 00:22:56
    latitude surf course this broadcasts at
  • 00:22:59
    ten ninety and you need a much shorter
  • 00:23:01
    antenna only seven centimeters am I
  • 00:23:04
    wrong about that you're nodding okay
  • 00:23:05
    cool yeah okay and we use this a piece
  • 00:23:08
    of software called dump 1090 available
  • 00:23:11
    in github because I like open source
  • 00:23:12
    things and if you want to set this up in
  • 00:23:14
    your raspberry pi like I do same setup
  • 00:23:16
    except you hop in the command line you
  • 00:23:18
    guys know how to clone github
  • 00:23:20
    repositories let's skip that one but
  • 00:23:22
    when you run this after you've made it
  • 00:23:24
    you need to add on this interactive mode
  • 00:23:26
    otherwise it just starts streaming stuff
  • 00:23:28
    into the console and that - - net will
  • 00:23:29
    be important so I did this at the
  • 00:23:31
    airport
  • 00:23:32
    in the slow lounge my wife was not
  • 00:23:34
    amused at all with what I was doing and
  • 00:23:38
    you can see we've got an essay a flight
  • 00:23:40
    I've got it s if R if R as if our flight
  • 00:23:43
    over they a big question mark flight
  • 00:23:44
    they don't know where they're going
  • 00:23:46
    interesting part about this is a lot of
  • 00:23:48
    them have no speed and no longer - you
  • 00:23:50
    know latitude and I imagine this is
  • 00:23:52
    because a lot of planes are parked but
  • 00:23:54
    they leave the a DSB transponders on so
  • 00:23:56
    they keep transmitting but they don't
  • 00:23:58
    have a location or I've got excellent
  • 00:24:00
    range and they're all parked at point
  • 00:24:01
    Nemo so so that's that's really what
  • 00:24:05
    this looks like and if you want to that
  • 00:24:07
    - - net allows you to add on if you just
  • 00:24:10
    use local host in this instance but
  • 00:24:12
    anyway you can just go plot this using
  • 00:24:15
    Google Maps you do need to go register
  • 00:24:17
    to get your own Google Maps API key and
  • 00:24:19
    then fix it in the JavaScript code to
  • 00:24:20
    get this working
  • 00:24:21
    but yes here I've got three different
  • 00:24:23
    planes and you'll recognize there is our
  • 00:24:25
    T in Johannesburg so lots of fun um who
  • 00:24:28
    does the flight from flight who uses
  • 00:24:30
    flat rail
  • 00:24:30
    twenty four at all so there's this whole
  • 00:24:33
    community thing yeah lots of planes
  • 00:24:34
    being tracked by up by these guys and
  • 00:24:36
    you can contribute data yourself so if
  • 00:24:38
    you live in a remote area or somewhere
  • 00:24:40
    interesting
  • 00:24:40
    they've got a whole guide where you can
  • 00:24:42
    use a Raspberry Pi in one of these
  • 00:24:43
    dongles and contribute data by just
  • 00:24:46
    running this as sudo just grabbing
  • 00:24:48
    commands that start with sudo off the
  • 00:24:49
    internet and putting them into your
  • 00:24:50
    Raspberry Pi yes
  • 00:24:53
    I'm sure it's safe but anyway yeah this
  • 00:24:57
    this goes and pulls down and install and
  • 00:24:58
    and sits whole thing up and so this
  • 00:25:01
    presents new and interesting
  • 00:25:02
    opportunities for us to go to jail um
  • 00:25:05
    none of what I've spoken about is
  • 00:25:07
    authenticated or encrypted at all and
  • 00:25:10
    who remembers much earlier this year
  • 00:25:12
    Gatwick Airport was shut down for more
  • 00:25:14
    than a day I think millions of flights
  • 00:25:17
    were redirected now I've got a friend
  • 00:25:18
    who who owns a company that does like if
  • 00:25:22
    you want to charter a plane from one
  • 00:25:24
    country to another or do private flights
  • 00:25:26
    and medical flights and stuff like that
  • 00:25:27
    so he's not an aircraft traffic control
  • 00:25:29
    he does his company does all the ground
  • 00:25:31
    handling and I had some very interesting
  • 00:25:32
    discussions with him about how you could
  • 00:25:34
    cause more interesting problems with us
  • 00:25:35
    and I assume what would happen if on
  • 00:25:38
    let's say a prefers for whatever reason
  • 00:25:41
    goodness I'm so nervous with you in the
  • 00:25:43
    room about this
  • 00:25:44
    i I'm so gonna end up on a do not fly
  • 00:25:47
    list I'm a Dutch citizen as well so we
  • 00:25:50
    can't work together so but anyway yes if
  • 00:25:53
    on April 1st you had to put in so here's
  • 00:25:56
    the thing about school codes any school
  • 00:25:57
    code that starts with seven is a major
  • 00:25:59
    emergency okay I think seven thousand
  • 00:26:03
    means that plane is definitely hijacked
  • 00:26:04
    seven thousand six hundred probably
  • 00:26:07
    means that you you disagreeing you try
  • 00:26:10
    and remember this is that anything with
  • 00:26:12
    seven is bad the best one that starts
  • 00:26:15
    with seven I don't know which one this
  • 00:26:16
    is but it says that your your all your
  • 00:26:18
    radio communications are out
  • 00:26:20
    so I'm landing aircraft traffic control
  • 00:26:22
    please get everyone out of the way so I
  • 00:26:24
    said what would happen if I had to
  • 00:26:25
    create you know a seven thousand school
  • 00:26:27
    code and then in the same way that I can
  • 00:26:29
    create any transmitter using a Raspberry
  • 00:26:30
    Pi I could just attach it to Ross the
  • 00:26:32
    two I haven't thought through very well
  • 00:26:34
    but anyway let's attach it to a battery
  • 00:26:36
    bank go to the airport close to where
  • 00:26:39
    they're picking up these ADSP signals
  • 00:26:41
    leave it in the trash run away
  • 00:26:43
    oh I'm so worried about this suddenly
  • 00:26:46
    but anyway yes if this thing were it if
  • 00:26:48
    we then broadcast a fake like a ghost
  • 00:26:50
    airplane and you could fly this plane
  • 00:26:52
    all over the place all straight through
  • 00:26:53
    the aircraft traffic control tower and I
  • 00:26:56
    said what would happen and they said
  • 00:26:57
    well they would bail and run so I
  • 00:27:02
    haven't helped him get a day off work
  • 00:27:03
    yet because he doesn't actually work in
  • 00:27:05
    the tower but I mean like I don't think
  • 00:27:07
    these folks are thinking about the types
  • 00:27:09
    of problems that you guys are thinking
  • 00:27:10
    about in this software security space so
  • 00:27:12
    I thought thinking what could you do at
  • 00:27:14
    ATS be DDoS attack so who recognize this
  • 00:27:17
    this recognizes this Airport sorry
  • 00:27:22
    captain no it's not Cape Town it's way
  • 00:27:25
    too big this is Dubai International
  • 00:27:26
    Airport it's quite sandy here and the
  • 00:27:29
    reason I've chosen this one is because
  • 00:27:30
    it's one of the biggest connecting where
  • 00:27:33
    like connecting flights come through and
  • 00:27:35
    this causes massive massive problems
  • 00:27:37
    with diversions and everything else if
  • 00:27:39
    one of these airports had to go down
  • 00:27:40
    they will redirect any and all flights
  • 00:27:42
    coming in to anywhere else all right
  • 00:27:45
    so you don't need to hit a large amount
  • 00:27:47
    of airports you just need to hit a
  • 00:27:49
    couple of like you know JFK Heathrow
  • 00:27:52
    sheikah Paul and you can cause absolute
  • 00:27:55
    chaos with this sort of thing and
  • 00:27:57
    because if you're an aircraft traffic
  • 00:27:59
    control and you're just seeing a couple
  • 00:28:00
    of planes was what's your day can it be
  • 00:28:02
    like when this happens right and the
  • 00:28:05
    problem here really is that that you
  • 00:28:07
    know your your normal radar the whole
  • 00:28:09
    reason why these these airports can't
  • 00:28:11
    even operate the way they do is because
  • 00:28:12
    they're using a DSP they're not using
  • 00:28:14
    radar anymore because it doesn't give
  • 00:28:16
    them to the resolution they can't see
  • 00:28:17
    height or or anything else so they're
  • 00:28:19
    becoming very dependent on this kind of
  • 00:28:21
    thing and there's no security around
  • 00:28:22
    this stuff but yes like I said I am NOT
  • 00:28:25
    the first one to chat about this at all
  • 00:28:27
    for more than I think it's more than
  • 00:28:29
    five years we've been complaining about
  • 00:28:30
    security problems in there so if you
  • 00:28:32
    play in this field and yeah please
  • 00:28:34
    please let us know so of course you guys
  • 00:28:37
    actually came here to talk about
  • 00:28:38
    satellites so let's get into that and
  • 00:28:39
    this is Noah the u.s. is National
  • 00:28:43
    Oceanic and Atmospheric Administration
  • 00:28:44
    along blah-dee-blah but these guys exist
  • 00:28:46
    because of the Titanic this is not
  • 00:28:50
    running my theory but they started
  • 00:28:52
    tracking icebergs so they're quite all
  • 00:28:53
    the institution and they've got some
  • 00:28:54
    nice weather satellites like this one
  • 00:28:57
    I don't know which exactly this one is
  • 00:28:59
    there's a couple of NOAA satellites
  • 00:29:00
    three of them are in orbit at the moment
  • 00:29:02
    and they're in the East they go like
  • 00:29:05
    think of the most fax machines just go
  • 00:29:07
    over the earth from pole to pole all the
  • 00:29:09
    time they're there in Pearl all but and
  • 00:29:10
    they've got some different names so the
  • 00:29:14
    u.s. uses NORAD IDs to identify
  • 00:29:15
    everything because you're interested in
  • 00:29:17
    knowing what is and potential nuclear
  • 00:29:19
    missile and what is not and you can
  • 00:29:20
    probably tell us more about that while
  • 00:29:22
    the rest of us use these international
  • 00:29:23
    codes which tell us what data was
  • 00:29:25
    launched and some more information and
  • 00:29:27
    these things are quite here it's like
  • 00:29:29
    heavier than my car and I travel 28,000
  • 00:29:32
    kilometers per hour which is quite
  • 00:29:33
    impressive and they circumnavigate the
  • 00:29:35
    world every hundred and two minutes and
  • 00:29:37
    the view you're going to get from any
  • 00:29:40
    cameras on these things is from 850
  • 00:29:42
    kilometers above so you're not going to
  • 00:29:44
    get Google Earth kind of stuff here just
  • 00:29:46
    warning you in advance so the NOAA
  • 00:29:49
    satellites operated to primary frequency
  • 00:29:51
    so do a lot more than just this but at
  • 00:29:53
    137 point 1 megahertz they use something
  • 00:29:55
    called automatic picture transmission
  • 00:29:57
    and then there's a high-resolution
  • 00:29:58
    version of that which I don't use
  • 00:30:00
    because I'm not steady enough to hold
  • 00:30:02
    the antenna and track the satellite as
  • 00:30:04
    it comes over so funny story about no.19
  • 00:30:07
    it fell over this must have been such a
  • 00:30:10
    bad day at work for these guys right 137
  • 00:30:13
    million dollars because the bolts
  • 00:30:14
    weren't properly attached I don't think
  • 00:30:16
    anyone got fired I don't know the whole
  • 00:30:17
    story but when I do this myself I get
  • 00:30:21
    the best signal from this one so they're
  • 00:30:23
    probably fixed some stuff I don't know
  • 00:30:24
    what did they call it percussive
  • 00:30:26
    maintenance yeah okay so any story about
  • 00:30:30
    noah 16 it it used to have only one
  • 00:30:33
    NORAD ID and now it has over 200 because
  • 00:30:36
    it blew up and no one knows exactly why
  • 00:30:39
    listen I'm so impressed with these
  • 00:30:41
    things I'm really not trying to make fun
  • 00:30:43
    of them I mean to get this stuff to work
  • 00:30:44
    in this environment is amazing
  • 00:30:46
    you know I imagine if your laptop
  • 00:30:48
    battery blew up and there were 200
  • 00:30:51
    pieces of laptop everywhere and those
  • 00:30:53
    are only the pieces or whatever going
  • 00:30:54
    down again oh those are only the parts
  • 00:30:57
    big enough for them to to see you know
  • 00:31:00
    the much small little paint flecks and
  • 00:31:01
    things so this is half a rant about
  • 00:31:03
    space garbage we'll see some of that in
  • 00:31:04
    a moment anyway how do we find
  • 00:31:06
    satellites these tons of software to do
  • 00:31:08
    this orbiter on is something you'll see
  • 00:31:10
    recommended quite
  • 00:31:10
    but it's got quite a crap in confusing
  • 00:31:12
    do I probably perfect for when it was
  • 00:31:14
    written which feels like the 90s so I'm
  • 00:31:16
    gonna skip over this one so let's not
  • 00:31:18
    worry about that this is a much nicer
  • 00:31:19
    version called G predict so there's no
  • 00:31:22
    nineteen over there and I can select
  • 00:31:24
    that one and get some more information
  • 00:31:25
    around when it's going to be coming up
  • 00:31:27
    over so till the date and the time
  • 00:31:30
    around when you can expect that
  • 00:31:32
    satellite to come around again the one
  • 00:31:33
    I'd like is into y ou so this is the
  • 00:31:35
    website and you can use that one ten
  • 00:31:38
    minutes for e anyway we'll try go
  • 00:31:41
    through this a little bit faster but
  • 00:31:42
    this is how you can find when a
  • 00:31:43
    satellites going to you come over so put
  • 00:31:45
    in your coordinates of where you eye
  • 00:31:46
    picks it up from your IP address so it's
  • 00:31:48
    quite easy and I'll tell you when that
  • 00:31:49
    satellites going to come around so it'll
  • 00:31:50
    be in the sky for about 10 minutes as it
  • 00:31:53
    comes over no you can't see it oh guy
  • 00:31:57
    called chores recommended a very cool
  • 00:31:58
    alternative of this called Celeste rec
  • 00:32:00
    so speaking about space junk check this
  • 00:32:01
    out there's a lot of stuff up there and
  • 00:32:05
    anyway there's a search function down at
  • 00:32:06
    the bottom that you can chase use that
  • 00:32:08
    you can use to find some of these things
  • 00:32:10
    and if you're a developer there's
  • 00:32:11
    something called ory kit if you're a
  • 00:32:13
    Java programmer you can automate a
  • 00:32:15
    couple of stuff there's also a command
  • 00:32:16
    line version of G predict that I
  • 00:32:19
    wouldn't recommend too much but anyway
  • 00:32:21
    well we have to make some internal
  • 00:32:22
    modifications to get this going so to
  • 00:32:23
    deal with circular polarization will go
  • 00:32:25
    for 120 degree change over there 437
  • 00:32:29
    megahertz we need to do 54 centimeter
  • 00:32:31
    long element lengths and you point that
  • 00:32:33
    thing north-south so so literally this
  • 00:32:35
    is what I had that's my balcony up where
  • 00:32:38
    I live in Pretoria and it was pretty
  • 00:32:40
    much something like this just a little
  • 00:32:42
    bit longer and you sit out there at half
  • 00:32:44
    past 4:00 in the morning waiting for
  • 00:32:46
    satellites to come over and you'll see
  • 00:32:47
    in this waterfall this is cubic SDR
  • 00:32:49
    again there's something happening over
  • 00:32:51
    here as this thing comes over and a
  • 00:32:53
    little bit later you can see signals
  • 00:32:56
    improving and I hope this doesn't hurt
  • 00:32:58
    anyone's ears because there is an audio
  • 00:32:59
    section a little bit later but notice
  • 00:33:01
    how this ATP signal is coming in and
  • 00:33:03
    notice how it's just bent a little bit
  • 00:33:05
    who wants to guess why that is
  • 00:33:07
    it's the Doppler effect absolutely so
  • 00:33:10
    this thing is moving so quickly that the
  • 00:33:12
    frequency shifts ever so slightly
  • 00:33:13
    because of the speed at which it's
  • 00:33:14
    moving which is really interesting do
  • 00:33:16
    you want to hear what the sounds like
  • 00:33:17
    this might be super loud I'm sorry if it
  • 00:33:19
    is wait it's maybe better that you don't
  • 00:33:24
    hear it
  • 00:33:25
    they're probably turned it off but
  • 00:33:26
    anyway how do you decode this well like
  • 00:33:27
    I told you this thing's like a fax
  • 00:33:29
    machine so these were the old number
  • 00:33:31
    satellites some of the first were the
  • 00:33:32
    satellites you had out there so you use
  • 00:33:34
    something called automatic picture
  • 00:33:35
    transmission and everyone will tell you
  • 00:33:37
    to use WX to image which I used in a
  • 00:33:40
    virtual machine but could not install
  • 00:33:41
    and it didn't work out really well for
  • 00:33:43
    me so I switched to an open-source
  • 00:33:45
    version you'll see this thing break but
  • 00:33:47
    I'm a little bit worried about time so
  • 00:33:49
    we'll go forward on that what I
  • 00:33:51
    recommend is Noah ATP a very nice
  • 00:33:53
    website that shows you how all the
  • 00:33:55
    decoding of these signals can be done
  • 00:33:57
    and how you find the different wedges
  • 00:33:59
    for all that but in any case it's just a
  • 00:34:00
    project you can run so I did this on an
  • 00:34:02
    old Kali Linux box of mine so probably
  • 00:34:05
    appropriate for this audience I guess
  • 00:34:06
    but it comes a little gooey and you can
  • 00:34:09
    go for start and go grab so I did this
  • 00:34:12
    for for DEFCON initially so that's some
  • 00:34:14
    signal for no.19
  • 00:34:16
    choose an output file I'm just going to
  • 00:34:18
    call that DEFCON for one I'm typing
  • 00:34:21
    impressed
  • 00:34:22
    oh that jokes gotten old quickly all
  • 00:34:24
    right sorry and you start and this is in
  • 00:34:27
    real time I didn't speed this up there
  • 00:34:30
    we go
  • 00:34:37
    well Kali Linux everything is reduced
  • 00:34:40
    this is written what toroidal hora
  • 00:34:43
    that's yeah I only did this one time
  • 00:34:46
    I've actually put something else on that
  • 00:34:48
    machine because I know what you're all
  • 00:34:49
    thinking now who wants to see the
  • 00:34:50
    results yeah of course you do that's why
  • 00:34:53
    you came awesome so this was one of the
  • 00:34:55
    first ones I got okay so it's bad right
  • 00:34:58
    but but think about it I've got a signal
  • 00:35:00
    from space with a 300 round dongle and
  • 00:35:03
    the equivalent of a coat hanger I I was
  • 00:35:06
    very impressed with myself
  • 00:35:07
    and further pass has got much better
  • 00:35:09
    result so here you can see definitely
  • 00:35:11
    there's some clouds this and whether
  • 00:35:12
    there's something so what was the
  • 00:35:14
    problem
  • 00:35:14
    first of all occasion I just relied on
  • 00:35:17
    into IO using my IP but you need to be
  • 00:35:20
    quite specific about your your location
  • 00:35:22
    so that you can track the timing exactly
  • 00:35:23
    of when that satellite is going to rise
  • 00:35:26
    and set if you like line-of-sight is
  • 00:35:28
    also very important these signals do not
  • 00:35:30
    travel very well through buildings or
  • 00:35:32
    trees or anything else like that at all
  • 00:35:34
    and your antenna needs to meet much
  • 00:35:36
    better so
  • 00:35:37
    there's this website called technology
  • 00:35:39
    which I recommend they've got a very
  • 00:35:40
    cool cross dipole there's a whole
  • 00:35:42
    plethora of designs for these types of
  • 00:35:44
    antennas out there so this is by no
  • 00:35:46
    means the only one but less hacky burn
  • 00:35:48
    the thing I was using and you can filter
  • 00:35:51
    out some stuff which I'm going to skip
  • 00:35:52
    over and they're the results start
  • 00:35:53
    looking much better much better who can
  • 00:35:57
    tell me what's wrong with this image yes
  • 00:36:02
    because we're running out of time it's
  • 00:36:04
    upside down because these things are
  • 00:36:06
    moving you know north to south and south
  • 00:36:07
    north and you never know which way it's
  • 00:36:08
    it's really moving so and what you're
  • 00:36:11
    looking at over there is some thermal
  • 00:36:12
    infrared and some near visible but it's
  • 00:36:15
    all black and white of course
  • 00:36:16
    shall we play with some Russian
  • 00:36:17
    satellites have a good time for that
  • 00:36:19
    cool so they've got something called
  • 00:36:20
    meteor em two satellites is actually a
  • 00:36:23
    two version two one and two the first
  • 00:36:26
    one I think didn't properly separate
  • 00:36:28
    from its booster so it's sort of tumbles
  • 00:36:30
    and then they turn it off and then it
  • 00:36:32
    turns itself on again and starts
  • 00:36:33
    broadcasting there's a whole thing about
  • 00:36:35
    if you go to rtl-sdr recommend this it's
  • 00:36:37
    like 30 different dead satellites that
  • 00:36:39
    they put in these graveyard orbits and
  • 00:36:41
    then they just turn on again but ya know
  • 00:36:44
    this is this is an actual functioning
  • 00:36:45
    one same deal twice as heavy and same
  • 00:36:48
    idea a little bit closer same ish
  • 00:36:52
    frequency and this is what it looks like
  • 00:36:54
    it's a digital signal this time and I
  • 00:36:56
    had a lot of trouble with this you've
  • 00:36:57
    got to demodulate this they use
  • 00:36:59
    something called LR PT or low rate
  • 00:37:01
    picture transmission it's digital it's
  • 00:37:03
    slow but that's what we'd expect and
  • 00:37:05
    Utrecht wires lock for the Doppler
  • 00:37:07
    effects so if you're doing this there's
  • 00:37:08
    a whole long tutorial about how to do
  • 00:37:10
    this but I like the open source stuff
  • 00:37:11
    and thought this is way too much work to
  • 00:37:13
    use all those Windows programs so I use
  • 00:37:15
    something called meteor D mod and when
  • 00:37:18
    you're running that and you've recorded
  • 00:37:20
    this WAV file using SDR shop which you
  • 00:37:22
    need a plugin for by the way to maintain
  • 00:37:24
    that to compensate for the Doppler
  • 00:37:26
    effect and the movement of this
  • 00:37:27
    satellite there you've got lock it's
  • 00:37:30
    busy getting some data and then you've
  • 00:37:32
    got to decode it which didn't work this
  • 00:37:34
    time so I struggled with that and I
  • 00:37:36
    couldn't figure out why which is a long
  • 00:37:37
    story won't get into but other people
  • 00:37:39
    have had very good results so someone
  • 00:37:41
    posted this on Twitter I forgot to
  • 00:37:43
    credit them but this cape turned down on
  • 00:37:45
    that side and you can see this is a
  • 00:37:46
    digital signal on that side so really
  • 00:37:48
    really nice stuff from the Russians
  • 00:37:50
    there
  • 00:37:51
    if you want to use ooh International
  • 00:37:54
    Space Station is another fun thing that
  • 00:37:56
    I've been trying to mess around with
  • 00:37:57
    won't get into too many of the details
  • 00:37:59
    of that but of course find out when it's
  • 00:38:01
    gonna come close to you and I did this
  • 00:38:04
    using a Raspberry Pi actually just using
  • 00:38:06
    rtl-sdr
  • 00:38:07
    software FM's so this is it's just a
  • 00:38:10
    command line you can record it it
  • 00:38:11
    creates a WAV file or an IQ file for you
  • 00:38:13
    so put in the frequency give it a nice
  • 00:38:16
    name let it run and you just set this up
  • 00:38:19
    while the International Space Station is
  • 00:38:21
    coming over and they use this whenever
  • 00:38:23
    they're doing any amateur radio talks or
  • 00:38:25
    anything else and I had these
  • 00:38:26
    expectations about them maybe
  • 00:38:27
    complaining about the food or each other
  • 00:38:29
    or maybe picking up something scandalous
  • 00:38:31
    they can say on the radio because
  • 00:38:32
    they're over Africa and not on the
  • 00:38:34
    northern hemisphere nothing like that
  • 00:38:36
    happened at all as they flew over this
  • 00:38:38
    is not a video they sent me I don't even
  • 00:38:39
    know where this is but it's the view of
  • 00:38:42
    where it comes from ctrl C to exit to
  • 00:38:44
    pick up that file and that's all I heard
  • 00:38:48
    sorry about that so what you need to do
  • 00:38:51
    is go to the amateur radio in on the
  • 00:38:54
    International Space Station website and
  • 00:38:55
    find out when they're going to be
  • 00:38:57
    talking okay
  • 00:38:58
    so sometimes I speak to schools or
  • 00:39:00
    community events and stuff like that and
  • 00:39:02
    you'll only hear one side of the
  • 00:39:04
    conversation because you're not going to
  • 00:39:05
    hear you know the people speaking up to
  • 00:39:07
    it you won't get that you'll only hear
  • 00:39:09
    that one half of the conversation at
  • 00:39:11
    least but yes and they also do these
  • 00:39:13
    weird kind of I almost think of them as
  • 00:39:14
    memorial plaques but they sent down slow
  • 00:39:17
    scan television images which looked like
  • 00:39:19
    this in SDR shop yeah a little bit
  • 00:39:23
    grainy but quite fun to do so other fun
  • 00:39:26
    things to try in conclusion who has been
  • 00:39:30
    to one of those terrible restaurants we
  • 00:39:32
    have in South Africa where they tie like
  • 00:39:34
    this thing to the waiter and the
  • 00:39:36
    weight-room I have to say and you can
  • 00:39:38
    call them with a button on the table
  • 00:39:40
    who's been to those am I the only one
  • 00:39:42
    has those that uses the same technology
  • 00:39:45
    that pagers use and you can really mess
  • 00:39:46
    around with that stuff so that's a fun
  • 00:39:48
    thing I might want to try you can spoof
  • 00:39:51
    something called ODS TMC which is a fun
  • 00:39:54
    way so this is the inside of my cart
  • 00:39:57
    uses TMC pro to be able to tell where
  • 00:39:59
    there's traffic so I know this is
  • 00:40:01
    encrypted in Europe I don't know if it's
  • 00:40:02
    encrypted in South Africa
  • 00:40:04
    but it might be a fun way to say that
  • 00:40:06
    every road you're driving on is busy and
  • 00:40:07
    everyone should get out of the way that
  • 00:40:08
    might be a fun thing to do you can
  • 00:40:11
    create your own cellular networks with
  • 00:40:13
    something called open BTS the semi count
  • 00:40:16
    cars is cool talk called drive it like
  • 00:40:18
    you stole it where he talks about how
  • 00:40:20
    you can basically defeat French encoding
  • 00:40:23
    and and all that was some cool jamming
  • 00:40:25
    techniques you can build your own Space
  • 00:40:27
    Telescope and and yeah like literally
  • 00:40:30
    listened to pulsars which is really cool
  • 00:40:31
    you can spoof or RFID tags and I don't
  • 00:40:34
    know about this one but it might be fun
  • 00:40:37
    they'll explain eatos later and this is
  • 00:40:41
    the coolest thing I found it's something
  • 00:40:42
    called SMB radio so remember how my
  • 00:40:45
    Raspberry Pi has a little bit of EMF
  • 00:40:47
    leakage so all computers have a little
  • 00:40:48
    bit of EMF leakage and there's a it's
  • 00:40:51
    actually one of the demos isn't
  • 00:40:53
    JavaScript I don't actually have an
  • 00:40:54
    old-timey radio that can go down to I
  • 00:40:57
    think it's only 5 kilohertz is the
  • 00:40:59
    frequency at which it can broadcast but
  • 00:41:01
    it literally uses the EMF leakage from
  • 00:41:05
    your system bus to play mary had a
  • 00:41:08
    little lamb it is incredibly cool so who
  • 00:41:11
    knows who this is very close I won't
  • 00:41:18
    keep you interested it's it's Harry
  • 00:41:19
    Hertz and and the last mission social me
  • 00:41:21
    leave you guys with us they were
  • 00:41:22
    chatting to him many many years ago not
  • 00:41:24
    on an iPhone and when he does he's the
  • 00:41:26
    guy who discovered radio waves that's
  • 00:41:28
    why we talk about Hertz as the only SI
  • 00:41:31
    unit with our s in it because it's
  • 00:41:32
    someone's name and when they awesome
  • 00:41:35
    what the point of this was at all
  • 00:41:36
    there's nothing whatsoever he was very
  • 00:41:37
    impressed that he'd found a way to prove
  • 00:41:39
    Maxwell's equations of electromagnetic
  • 00:41:41
    induction and they'll swim about any
  • 00:41:43
    applications is it nothing I guess
  • 00:41:45
    and if you think about the applications
  • 00:41:47
    of radio and Wi-Fi and everything else
  • 00:41:49
    that we use today that's maybe a point
  • 00:41:52
    to make so if we think today about what
  • 00:41:53
    we do with the cloud we've basically
  • 00:41:55
    taken computer infrastructure to find it
  • 00:41:57
    via software and called it the cloud so
  • 00:41:59
    you can hop on to GCP or anything and
  • 00:42:01
    maker and VM what could you do a
  • 00:42:04
    software-defined radio and it's
  • 00:42:06
    interesting AWS is is doing this this
  • 00:42:08
    cool ground station network so you can
  • 00:42:10
    imagine creating your own points around
  • 00:42:13
    where I might have totally out of time
  • 00:42:16
    it's two minutes okay we'll just close
  • 00:42:18
    this up you can imagine as your
  • 00:42:20
    satellite is maybe moving across across
  • 00:42:22
    the planet as it moves close to that AWS
  • 00:42:25
    ground station with that data sand you
  • 00:42:27
    can spin up in an instance of a server
  • 00:42:28
    that could download that information
  • 00:42:30
    process it pass it along
  • 00:42:31
    and you don't need your own ground
  • 00:42:33
    stations for anything at all so I'm
  • 00:42:35
    completely out of fuel I've got some
  • 00:42:36
    credits for some of the guys who've
  • 00:42:39
    worked with me on this the O ex-con guys
  • 00:42:41
    who gave me some advice on this stuff
  • 00:42:43
    thank you to foreign aid Bank for doing
  • 00:42:45
    my flights and stuff I'm speaking at
  • 00:42:47
    your conference on the 31st probably I
  • 00:42:50
    don't know next year at Def Con
  • 00:42:53
    and that is me you guys can follow me on
  • 00:42:55
    Twitter thank you very much that's me
  • 00:43:01
    okay they have allowed me to questions
  • 00:43:07
    so not all of you at once please only
  • 00:43:09
    okay gentleman in the back with the
  • 00:43:11
    incredible beard you should have seen me
  • 00:43:13
    at Movember Hey okay first of all the
  • 00:43:19
    question is when am I getting my ham
  • 00:43:21
    license and what am I playing with Qi so
  • 00:43:22
    100 and so I'm thinking maybe next year
  • 00:43:26
    when exams are in April next year I
  • 00:43:29
    think will probably be the next
  • 00:43:30
    opportunity okay so that's that's what
  • 00:43:33
    I'm going for I'm slowly going up on on
  • 00:43:36
    we prepare and what do you say it was
  • 00:43:38
    Q&A what 100 what is that oh yes oh
  • 00:43:54
    so I've got the content for my next talk
  • 00:43:56
    yeah I'm sure we probably don't have the
  • 00:44:08
    audio from all of that but that sounds
  • 00:44:09
    incredible okay and and someone okay
  • 00:44:11
    awesome
  • 00:44:12
    one more question right so the question
  • 00:44:20
    is what other plans around encrypting
  • 00:44:21
    air traffic data I have no idea okay
  • 00:44:25
    I I did have this idea that you know
  • 00:44:27
    let's put blockchain on it and and of
  • 00:44:28
    course no but you know it could be I
  • 00:44:33
    don't know you know I think that I don't
  • 00:44:37
    know I don't know I should know but I
  • 00:44:40
    don't that's terribly embarrassing thank
  • 00:44:42
    you
  • 00:44:42
    all right no that's all for me you guys
  • 00:44:44
    thank you very much Cheers
Tags
  • satellitter
  • programvaredefinert radio
  • hacking
  • signalsporing
  • antennedesign
  • Doppler-effekt
  • NOAA
  • flysporing
  • skipssporing
  • SDR Sharp