[liberationtech] Exactly how are satellite transmissions tapped/intercepted, in Syria and elsewhere?

Jesse Krembs jessekrembs at gmail.com
Mon Nov 28 20:32:11 PST 2011 

It might also be of note that having bypassed the auto location reporting
function already built into the unit doesn't stop your adversary from just
using good old fashion radio direction finding to hunt the target down.
Which doesn't work so great if your doing something that is bandwidth
intensive.

On Mon, Nov 28, 2011 at 10:55 PM, Jacob Appelbaum <jacob at appelbaum.net>wrote:

> On 11/28/2011 07:34 PM, Brian Conley wrote:
> > Thanks for your comments Jake.
>
> You're welcome Brian - thanks for bringing up the topic.
> >
> > Those are all essentially my perceptions as well. This is why I see the
> > primary goal to be informing people just how dangerous satellite phones
> > are, and providing the best practices possible.
> >
>
> It's actually worse...
>
> > In the case of Syrian activists, they've turned to satphones not because
> > they believe they are the magical devices seen in "24" but because they
> are
> > the best of a lot of bad options. Right now we know thuraya is
> compromised,
> > but its important to ensure activists have the best possible information
> > about the likelihood other networks will be compromised, etc.
> >
>
> Again, all of them are compromised in some way - the question about
> threat models really matters in your choice of device and your choice of
> network.
>
> Your users in Syria should be using Tor and I highly endorse that they
> use Tails to get it right:
>
>
> > Where might I locate information about tampering with the location
> > specifics?
>
> Not many places in public. I can suggest that some satellite uplink
> hardware utilizes standard GPS chips. Some of these devices use NMEA to
> communicate the location of the device - if you were to perform a
> man-in-the-middle attack on the stream of NMEA data, you could
> dynamically tamper with it. Again, you'd need to know the boundaries of
> the spot beam you wish to use and it's likely going to be very faulty.
> Furthermore, this only protects against the network's location reporting
> functions that trust the user supplied data. This does not protect
> against signals intelligence devices located in the country or in the
> sky. It is also likely that the satellite's radio will try to confirm
> the user supplied data and being too far off might trigger some alerts.
> I know that some of the BGAN devices also have a special mode where the
> SIM card in the device is consulted about a privacy mode. It appears
> that some BGAN device firmware will check for a specific bit and if it's
> present, it will automatically select and send the *spot beam id* rather
> than the GPS. This is pretty sketchy and I fear bad failure modes
> there... The device apparently has a spot beam ID map, it takes your
> actual GPS location, does a local lookup in the spot beam ID table and
> then when handshaking with the network, it sends only the spot beam ID.
> That is a reasonable way to do it with the exception of it actually
> requiring the real GPS location. Such a device with a tampered NMEA data
> stream would be a much better idea...
>
> > Would also be really happy to have your insight and other
> > suggestions, on or off list.
>
> If someone is interested in this topic, I have a list of hardware that
> I'd like to acquire for use in a research project relating to satellite
> usage and location anonymity. It's not a start up, it's a tear down. :)
>
> All the best,
> Jacob
> _______________________________________________
> liberationtech mailing list
> liberationtech at lists.stanford.edu
>
> Should you need to change your subscription options, please go to:
>
> https://mailman.stanford.edu/mailman/listinfo/liberationtech
>
> If you would like to receive a daily digest, click "yes" (once you click
> above) next to "would you like to receive list mail batched in a daily
> digest?"
>
> You will need the user name and password you receive from the list
> moderator in monthly reminders.
>
> Should you need immediate assistance, please contact the list moderator.
>
> Please don't forget to follow us on http://twitter.com/#!/Liberationtech
>



-- 
Jesse Krembs
802.233.7051
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.stanford.edu/pipermail/liberationtech/attachments/20111128/41645d36/attachment.html>

More information about the liberationtech mailing list