[liberationtech] Exactly how are satellite transmissions tapped/intercepted, in Syria and elsewhere?

Jacob Appelbaum jacob at appelbaum.net
Mon Nov 28 19:55:25 PST 2011


On 11/28/2011 07:34 PM, Brian Conley wrote:
> Thanks for your comments Jake.

You're welcome Brian - thanks for bringing up the topic.
> 
> Those are all essentially my perceptions as well. This is why I see the
> primary goal to be informing people just how dangerous satellite phones
> are, and providing the best practices possible.
> 

It's actually worse...

> In the case of Syrian activists, they've turned to satphones not because
> they believe they are the magical devices seen in "24" but because they are
> the best of a lot of bad options. Right now we know Thuraya is compromised,
> but it's important to ensure activists have the best possible information
> about the likelihood other networks will be compromised, etc.
> 

Again, all of them are compromised in some way - the question about
threat models really matters in your choice of device and your choice of
network.

Your users in Syria should be using Tor and I highly endorse that they
use Tails to get it right:


> Where might I locate information about tampering with the location
> specifics?

Not many places in public. I can suggest that some satellite uplink
hardware utilizes standard GPS chips. Some of these devices use NMEA to
communicate the location of the device - if you were to perform a
man-in-the-middle attack on the stream of NMEA data, you could
dynamically tamper with it. Again, you'd need to know the boundaries of
the spot beam you wish to use and it's likely going to be very faulty.
Furthermore, this only protects against the network's location reporting
functions that trust the user supplied data. This does not protect
against signals intelligence devices located in the country or in the
sky. It is also likely that the satellite's radio will try to confirm
the user supplied data and being too far off might trigger some alerts.
I know that some of the BGAN devices also have a special mode where the
SIM card in the device is consulted about a privacy mode. It appears
that some BGAN device firmware will check for a specific bit and if it's
present, it will automatically select and send the *spot beam id* rather
than the GPS. This is pretty sketchy and I fear bad failure modes
there... The device apparently has a spot beam ID map, it takes your
actual GPS location, does a local lookup in the spot beam ID table and
then when handshaking with the network, it sends only the spot beam ID.
That is a reasonable way to do it with the exception of it actually
requiring the real GPS location. Such a device with a tampered NMEA data
stream would be a much better idea...

> Would also be really happy to have your insight and other
> suggestions, on or off list.

If someone is interested in this topic, I have a list of hardware that
I'd like to acquire for use in a research project relating to satellite
usage and location anonymity. It's not a start up, it's a tear down. :)

All the best,
Jacob
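Added example, not from the original email or from any BGAN vendor's firmware: the two device-side checks Jacob describes, namely validating the incoming NMEA stream (the kind of consistency check a radio can apply before trusting user-supplied position data) and, when a privacy bit is set, reducing the precise fix to a spot beam ID through a local table before anything is reported. The spot beam table, the sample GGA sentence and the `privacy_bit` flag are constructed placeholders; real beam footprints are not on the page.

```python
import re

# Constructed, hypothetical spot-beam table (min_lat, max_lat, min_lon, max_lon) -> beam id.
# Real footprints are irregular; these rectangles exist only to make the lookup runnable.
SPOT_BEAMS = {
    "BEAM-A": (30.0, 40.0, 30.0, 45.0),
    "BEAM-B": (40.0, 50.0, 30.0, 45.0),
    "BEAM-C": (30.0, 40.0, 0.0, 30.0),
}


def nmea_checksum(body):
    """XOR of every byte between the leading '$' and the '*' separator."""
    cs = 0
    for ch in body:
        cs ^= ord(ch)
    return cs


def make_sentence(body):
    """Build a well-formed NMEA sentence from a body (used here to construct sample input)."""
    return "$%s*%02X" % (body, nmea_checksum(body))


def verify_nmea(sentence):
    """Return the body if the trailing checksum matches; raise ValueError otherwise.

    A GPS stream altered in transit without its checksum being recomputed fails here,
    which is the sort of confirmation a satellite radio can apply to user-supplied data.
    """
    m = re.fullmatch(r"\$([^*]*)\*([0-9A-Fa-f]{2})\s*", sentence)
    if not m:
        raise ValueError("malformed NMEA sentence")
    body, given = m.group(1), int(m.group(2), 16)
    if nmea_checksum(body) != given:
        raise ValueError("NMEA checksum mismatch")
    return body


def _to_decimal(value, hemi):
    """Convert NMEA ddmm.mmmm / dddmm.mmmm plus hemisphere letter to signed decimal degrees."""
    dot = value.index(".")
    degrees = int(value[: dot - 2])
    minutes = float(value[dot - 2 :])
    dec = degrees + minutes / 60.0
    return -dec if hemi in ("S", "W") else dec


def parse_gga(sentence):
    """Extract (lat, lon) from a validated GGA fix sentence."""
    fields = verify_nmea(sentence).split(",")
    if not fields[0].endswith("GGA"):
        raise ValueError("not a GGA sentence")
    # field layout: 1 UTC time, 2 lat, 3 N/S, 4 lon, 5 E/W, 6 fix quality (0 = no fix)
    if fields[6] == "0":
        raise ValueError("no GPS fix")
    return _to_decimal(fields[2], fields[3]), _to_decimal(fields[4], fields[5])


def spot_beam_for(lat, lon):
    """Local lookup of the beam whose footprint contains the fix, or None."""
    for beam, (lat0, lat1, lon0, lon1) in SPOT_BEAMS.items():
        if lat0 <= lat < lat1 and lon0 <= lon < lon1:
            return beam
    return None


def privacy_report(sentence, privacy_bit):
    """What the device would hand to the network handshake.

    With the (hypothetical) privacy bit set, only the beam ID leaves the device. If the
    fix matches no known beam the function refuses rather than silently falling back to
    raw GPS, which is the failure mode the email worries about.
    """
    lat, lon = parse_gga(sentence)
    if privacy_bit:
        beam = spot_beam_for(lat, lon)
        if beam is None:
            raise ValueError("fix outside any known beam; refusing to fall back to raw GPS")
        return {"spot_beam_id": beam}
    return {"lat": round(lat, 5), "lon": round(lon, 5)}


if __name__ == "__main__":
    # Constructed sample fix; coordinates are illustrative only.
    sample = make_sentence("GPGGA,123519,3507.038,N,03851.000,E,1,08,0.9,545.4,M,46.9,M,,")
    print(privacy_report(sample, privacy_bit=False))
    print(privacy_report(sample, privacy_bit=True))
```

The point of `privacy_report` raising instead of degrading is the design choice: a privacy mode that quietly sends the full fix when its table lookup fails is worse than one that refuses to register, because the user has no way to notice the downgrade.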


