[liberationtech] New Satphone Safety Guide
Jacob Appelbaum
jacob at appelbaum.net
Tue Mar 20 20:22:41 PDT 2012
On 03/16/2012 02:48 PM, Brian Conley wrote:
> Thanks Jacob, comments in-line.
Hey Brian and other libtechers,
This should be extremely interesting to everyone:
http://pastebin.com/tr38Sy3f
Note the little bit on location info in that pastebin:
.... ...1 = GCI: MES is GPS capable (1)
.... ..1. = R: 1
.... .0.. = O: 0
GPS Position
1... .... = CPI: GPS position is current position (1)
.001 1000 0000 0111 0011 .... = Latitude: 33.78961 N (98419)
.... 0010 1111 1100 1011 1111 = Longitude: 67.21414 E (195775)
.... .000 = Number Type: Unknown (0)
I believe that means the caller was here when the intercept caught them:
https://maps.google.com/maps?f=q&source=s_q&hl=en&geocode=+&q=33.78961+N+67.21414+E&ie=UTF8&ll=33.779147,67.241821
Here's the background information:
http://openbts.blogspot.com/2012/03/gmr-1-revisited.html
David Burgess, praise be upon him, says:
"The Channel Request message is the first message sent from the handset
to the satellite at the start of any transaction. This message cannot be
encrypted. This message typically contains the following information:
the IMSI of the satellite phone handset
the called number (in the case of mobile-originated calls) and
the GPS location of the handset."
The best part of his blog post for those who can't load the page is this
part:
"Well, the uplink from the handset is only visible for a kilometer or
so, but the feeder link is visible over roughly 1/3 of the planet's
surface to anyone with a C-Band dish and is not given any additional
encryption."
So - yeah, ouch!
All the best,
Jacob
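
The GPS Position field from the dissector output quoted in the message, unpacked by hand to show how little work the cleartext location takes to read. This is an added example, not part of the message or of the tools it links to. The sample bytes are reconstructed from the bit display above, the degree scaling is inferred from the raw/decoded pairs shown there, two's complement for southern/western values is an assumption, and all function names are hypothetical.

```python
from typing import NamedTuple

# Constructed sample: the five bytes implied by the bit display in the message
# (CPI=1, 19-bit latitude 98419, 20-bit longitude 195775), not a captured frame.
SAMPLE_FIELD = bytes.fromhex("980732fcbf")

LAT_BITS, LON_BITS = 19, 20


class GpsPosition(NamedTuple):
    current: bool      # CPI flag: position is the handset's current position
    lat_raw: int
    lon_raw: int
    lat_deg: float
    lon_deg: float


def _signed(value: int, bits: int) -> int:
    """Interpret a bit field as two's complement (assumption for S/W values)."""
    return value - (1 << bits) if value & (1 << (bits - 1)) else value


def decode_gps_position(field: bytes) -> GpsPosition:
    """Unpack CPI (1 bit) | latitude (19 bits) | longitude (20 bits)."""
    if len(field) != 5:
        raise ValueError("GPS Position field is 40 bits (5 bytes)")
    word = int.from_bytes(field, "big")
    lat_raw = _signed((word >> LON_BITS) & ((1 << LAT_BITS) - 1), LAT_BITS)
    lon_raw = _signed(word & ((1 << LON_BITS) - 1), LON_BITS)
    # Scale inferred from the raw/decoded pairs in the message:
    # the full-scale raw value maps to 90 degrees (lat) or 180 degrees (lon).
    lat_deg = lat_raw * 90 / ((1 << (LAT_BITS - 1)) - 1)
    lon_deg = lon_raw * 180 / ((1 << (LON_BITS - 1)) - 1)
    return GpsPosition(bool(word >> 39), lat_raw, lon_raw, lat_deg, lon_deg)


def format_position(pos: GpsPosition) -> str:
    ns = "N" if pos.lat_raw >= 0 else "S"
    ew = "E" if pos.lon_raw >= 0 else "W"
    return f"{abs(pos.lat_deg):.5f} {ns}, {abs(pos.lon_deg):.5f} {ew}"


def latitude_step_metres() -> float:
    """Size of one latitude count, taking ~111.32 km per degree (approximation)."""
    return 90 / ((1 << (LAT_BITS - 1)) - 1) * 111_320


if __name__ == "__main__":
    print(format_position(decode_gps_position(SAMPLE_FIELD)))
    print(f"one latitude count is about {latitude_step_metres():.0f} m")
```

One raw count works out to roughly 38 m of latitude, so the unencrypted field places the handset to within tens of metres.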