Hacking U.S. Military Satellites

The problem is more widespread than you might think:

First lofted into orbit in the 1970s, the FLTSATCOM bird was at the time a major advance in military communications. Its 23 channels were used by every branch of the U.S. armed forces and the White House for encrypted data and voice, typically from portable ground units that could be quickly unpacked and put to use on the battlefield.

As the original FLTSAT constellation of four satellites fell out of service, the Navy launched a more advanced UFO satellite (for Ultra High Frequency Follow-On) to replace them. Today, there are two FLTSAT and eight UFO birds in geosynchronous orbit. Navy contractors are working on a next-generation system called Mobile User Objective System beginning in September 2009.

Until then, the military is still using aging FLTSAT and UFO satellites — and so are a lot of Brazilians. While the technology on the transponders still dates from the 1970s, radio sets back on Earth have only improved and plummeted in cost — opening a cheap, efficient and illegal backdoor.

To use the satellite, pirates typically take an ordinary ham radio transmitter, which operates in the 144- to 148-MHz range, and add a frequency doubler cobbled from coils and a varactor diode. That lets the radio stretch into the lower end of FLTSATCOM's 292- to 317-MHz uplink range. All the gear can be bought near any truck stop for less than $500. Ads on specialized websites offer to perform the conversion for less than $100. Taught the ropes, even rough electricians can make Bolinha-ware.

Posted on April 23, 2009 at 12:30 PM • 23 Comments

Comments

Chris • April 23, 2009 1:30 PM

So, the problem is repeaters in geosynch orbit that do no authentication and rely on obscurity to not be touched?

Outstanding!

One hopes that permitted users' traffic is not in the clear.

me • April 23, 2009 1:58 PM

Two questions:

1) Another article I read says that the Brazilian government is fighting this. Why are THEIR tax dollars going to fight something stupid MY tax dollars are funding?

2) Why ARE my tax dollars funding something so stupid?

bob • April 23, 2009 2:02 PM

When I think of all the times I was in a mudhole someplace trying to connect to a satellite and not able to because the satellite sysop didn't like the looks of my signal and these guys are just switching on and blabbing away?!? Amazing.

As far as why Brazil is fighting it, there are international treaties establishing what service is allowed to use what spectrum for which purpose, and it's in Brazil's interest to make sure people in their country obey their frequency allocations.

Heiko • April 23, 2009 2:57 PM

The first time I heard about this was in the early nineties in a German satellite magazine. They had a series of articles about do-it-yourself spying using satellite and radio technologies. They had two articles about this usage. The first was about Italian immigrants in Argentina who used it as a cheap telephone connection to talk to their relatives in Italy. The second was about a criminal gang that used it to coordinate buying money-counterfeiting equipment.

This magazine had some other interesting stories involving the US military and satellites.

BF Skinner • April 23, 2009 6:22 PM

I've been hearing rumors for some time that a comsat was put into sleep mode by gov't hackers for the PRC as a proof of concept. The rumor was provided by a former special assistant to the president and verified by a former CIA DO case officer.

I haven't been able to find an event that corresponds to what they describe...but I assign a tentative truth value to what they say.

Eric Schmiedl • April 24, 2009 3:34 AM

Heiko:
Do you recall the name of the magazine, or the approximate date?

Greg • April 24, 2009 6:27 AM

So the details are these sats are nothing but dumb repeaters. And this is not new. So military traffic is encrypted point to point, not link to link; there are a lot of reasons for doing it this way.

Also some people have been doing this for a while. What's changed is the cost and size of the equipment and hence the number of people doing it. These sats are a long way up so it's only "easy" with the newer equipment.

Joe the Plumber • April 24, 2009 6:43 AM

I wonder if they utilized IPv8 to pull this off?

www.infiltrated.net/rfc246810.txt (IPv8 RFC)

Ewan • April 24, 2009 7:22 AM

Whoever managed to wangle naming the satellites 'UFO' has a distinctly non-military sense of humour.

Jason • April 24, 2009 9:20 AM

What bugs me is not that these satellites are obviously stupid in a 21st-century context. Any savvy internet user knows that an open service with no authentication is going to get abused.

What bugs me is that these satellites are obviously stupid in the Cold War context in which they were designed. If I went to the US Congress, circa 1975, and said that I wanted to build an open satellite repeater link, and oh by the way I was building a satellite repeater link for the Russkies to use too, they'd laugh me out of the committee room.

BF Skinner • April 24, 2009 9:32 AM

@jason "they'd laugh me out of the committee room"

That's why they weren't told all the "confusing technobabble details".

Heiko • April 24, 2009 10:16 AM

@Eric Schmiedl:

I think the magazine was "Tele Satellit" and the articles were named "Spionage selbstgemacht".

Clive Robinson • April 24, 2009 10:49 AM

Folks, you need to know a little bit about this sort of thing to understand the whys and wherefores of how they came to be.

Oh, and realise that pirating "skirt bandwidth" is actively in progress today even with relatively modern sat systems.

First off, most if not all transponders are going to allow this to happen in one way or another.

Effectively all a transponder is is an antenna, a filter, an optional band shifter, a high dynamic range linear amplifier with 40-80dB of gain and up to 100dB of automatic gain control, another filter and another antenna.

At no point does the signal actually get received and retransmitted in the conventional sense (ie converted to the baseband signal and up again).

There are a lot of similar systems used as "television relay" systems in out-of-the-way places like sparsely populated areas on the other side of hills and mountains.

There are several reasons why these systems are as they are.

Firstly, in the design of space systems reliability is very important, as is low weight and low power consumption.

This usually gives rise to extremely conservative designs with tried and time-proven (read old-fashioned by launch time) electronics, which is why NASA buys up old ceramic "mil spec" 486 etc components.

Further, back in the "good old analog (analogue for us Brits) electronics days" the transponder's lack of parts, both active and passive, and the fact that they required no "re-cal" and therefore had better MTBF figures was highly desirable.

Also they were a known, tried and tested technology used a lot in terrestrial telecommunications (think multi-channel phone links by frequency division multiplexing).

As some will know, "availability" is expressed in terms of both MTBF and MTTR.

As MTTR figures for sats are usually considered to be close to infinite ;) the only way to improve availability is by upping MTBF.

The three usual ways are use only high MTBF parts, use as few parts as possible and operate systems in parallel (ie MTBF goes up as root N of parallel paths).

As both power and weight are significant issues with launch costs and reliability, a lack of parts and parallel systems are highly attractive options to space systems designers of old.

Oh, and remember the NSA docs that were released recently where they mentioned long-cycle crypto generators for space systems weighing in at +50lbs, and you start to understand why these systems are as they are.

Further, and importantly, is the 100dB of AGC range; this ensures that the strongest signal(s) always get through the transponder and that it is actually difficult to jam, especially when spread spectrum signals are involved.

Some of the sat systems actually had a rudimentary protection system that works extremely well, in that the oscillator used for band shifting was modulated by a non-linear long-sequence PRBS generator (ie that NSA crypto generator). Look up JPL ranging codes and Gold generators to see how the linear versions work. Essentially, if you have another identical generator in your transmitter and you shift its sequence in time to coincide with the one in the transponder then you can use it. The anti-jamming margin can give you another 40-100dB of protection over that of the AGC...

However, in the past ten years or so the reliability and availability of high dynamic range analog to digital converters with very high conversion rates have changed the equation a lot.

Not just for baseband processing but for high frequency RF processing as well. Have a google around for "channel bank receivers" and "software defined radio" to see the way of the future.

Sats of the future will not be as susceptible to pirating, but there will always be those that know or can find out enough to make it possible (think of the students that worked out the spreading codes for the European GPS test system just from monitoring the sat output).

Clive Robinson • April 24, 2009 11:10 AM

@ Joe the Plumber,

"http://www.infiltrated.net/rfc246810.txt"

This is the latest upgrade to the "Hay Pril / Foo Lin" inspired protocol and just does not "cut the mustard" in the same way the avian version did ;)

Bob Stratton • April 24, 2009 3:54 PM

It's worth learning a little about Gold codes and sliding correlators for many reasons, including CDMA mobile phones and GPS.
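The mechanism Clive describes a few comments up (a band-shift oscillator keyed by a PN sequence, which only a transmitter running the same generator at the same time offset can get through) and the Gold codes and sliding correlator Bob mentions here, as one worked example added to this thread. This is not code from the original post or from any commenter, and it is a toy: it uses linear Gold codes (the "linear versions" Clive points to, not the non-linear crypto generator of a real system), two degree-5 feedback polynomials (x^5+x^2+1 and x^5+x^4+x^3+x^2+1, assumed here to be a preferred pair; check a published table before relying on the cross-correlation bound), a made-up chip delay and data word, and models the transponder as multiply-by-code-then-integrate over one code period. The processing gain it shows (a full period of 31 for an aligned uplink versus single digits for a misaligned or unspread one) is the margin Clive is talking about, on a toy scale.

```python
"""Gold-code spreading, a sliding correlator and a toy PRBS-keyed transponder.

Added example for this thread, not code from the original post or its commenters.
Pure Python, +/-1 chips. The polynomials, code shift, chip delay and data bits
are illustrative assumptions.
"""
from typing import Dict, List, Sequence


def m_sequence(poly: Sequence[int]) -> List[int]:
    """One period of the maximal-length sequence of a Fibonacci LFSR.

    `poly` lists the exponents of the feedback polynomial, e.g. [5, 2] for
    x^5 + x^2 + 1 (the constant term is implicit). For a primitive polynomial
    of degree n the period is 2**n - 1.
    """
    n = max(poly)
    low_taps = [t for t in poly if t != n]
    seq = [1] * n                    # any non-zero fill; another fill only rotates the output
    period = (1 << n) - 1
    while len(seq) < period:
        k = len(seq) - n
        bit = seq[k]                 # the x^0 term
        for t in low_taps:
            bit ^= seq[k + t]
        seq.append(bit)
    return seq


def gold_code(m1: Sequence[int], m2: Sequence[int], shift: int) -> List[int]:
    """Gold code: XOR of one m-sequence with a cyclic shift of a second one."""
    n = len(m1)
    return [m1[i] ^ m2[(i + shift) % n] for i in range(n)]


def to_chips(bits: Sequence[int]) -> List[int]:
    """Map 0/1 bits to +1/-1 chips."""
    return [1 - 2 * b for b in bits]


def rotate(seq: Sequence[int], k: int) -> List[int]:
    """Cyclic shift: rotate(seq, k)[i] == seq[(i + k) % len(seq)]."""
    k %= len(seq)
    return list(seq[k:]) + list(seq[:k])


def periodic_correlation(a: Sequence[int], b: Sequence[int], tau: int) -> int:
    """Periodic cross-correlation of two +/-1 sequences at lag tau."""
    n = len(a)
    return sum(a[i] * b[(i + tau) % n] for i in range(n))


def sliding_correlator(observed: Sequence[int], replica: Sequence[int]) -> int:
    """Slide the local replica against the observed code; return the lag with the highest peak."""
    return max(range(len(replica)), key=lambda tau: periodic_correlation(observed, replica, tau))


def spread(data_bits: Sequence[int], code: Sequence[int]) -> List[int]:
    """Direct-sequence spread: each data bit is multiplied onto one full code period."""
    return [d * c for d in to_chips(data_bits) for c in code]


def transponder(uplink: Sequence[int], code: Sequence[int]) -> List[int]:
    """Toy model of a band shifter keyed by the transponder's PN sequence plus a narrow filter:
    multiply chip-by-chip by the code, then integrate over one code period.
    An uplink pre-spread with the aligned code sums to +/-N; anything else stays small."""
    n = len(code)
    return [sum(uplink[p * n + i] * code[i] for i in range(n)) for p in range(len(uplink) // n)]


def demo(delay: int = 11, data: Sequence[int] = (1, 0, 1, 1, 0)) -> Dict[str, object]:
    """Acquire the transponder's code phase, then uplink aligned, one chip off, and unspread."""
    replica = to_chips(gold_code(m_sequence([5, 2]), m_sequence([5, 4, 3, 2]), shift=3))
    # The phase of the generator inside the transponder relative to the ground station's
    # free-running replica is unknown: modelled as a cyclic delay of `delay` chips, assumed
    # observable on the downlink (illustrative assumption).
    on_air = rotate(replica, delay)
    tau = sliding_correlator(on_air, replica)
    aligned = rotate(replica, tau)
    return {
        "delay_found": tau,
        "legit": transponder(spread(data, aligned), on_air),                  # full processing gain
        "misaligned": transponder(spread(data, rotate(aligned, 1)), on_air),  # one chip off: collapses
        "pirate": transponder([1] * (len(replica) * len(data)), on_air),      # unspread carrier: suppressed
    }


if __name__ == "__main__":
    print(demo())
```

Two properties worth checking by hand on the output: every non-zero lag of an m-sequence's autocorrelation is exactly -1, which is what makes the sliding correlator's peak unambiguous, and the transponder output for the aligned uplink is the data word scaled by the code length, while the unspread carrier comes out at the Gold code's DC sum (single digits for a length-31 code). A real pirate would need the sequence itself, which is the point of making it long and non-linear.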

Bob Stratton • April 24, 2009 3:57 PM

Most of what Tele-Satellite's article was about was the interception of Inmarsat-A telephone and fax calls. It's a fascinating story in that the author set up a DTMF (touch tone) decoder and looked for numbers to or from Iraq.

He seems to have documented several attempts by the previous government of that country to purchase embargoed or restricted technology through industrial and academic intermediaries. Naughty.

Oh, and it's really not all that hard to do if you're curious, though in the U.S. it's not legal to discuss what you hear that way.

Fred • April 25, 2009 10:55 PM

If they'd just used low bitrate/power CDMA all these comms would never have been detected.

Oh wait...

jose • April 27, 2009 7:54 AM

Amazing story, it is incredible, these times.
Please don't tell me tomorrow that AES, or worse Twofish, are cracked; I will commit suicide. Just take these times with fun. LOL
Jose

Moderator • April 27, 2009 12:00 PM

Jose, that's the second time you've shown up here complaining that your comments were being removed when, in fact, they weren't. I'm not sure if you are trolling or just confused. But I am going to start removing your comments if you can't manage to be on-topic, constructive, and coherent.

Ray • June 6, 2009 6:59 PM

Sounds a little simplistic and urban-myth-like. Dumb repeater? Uplink and downlink are different on even commercial sats. It looks like cyber security types are paranoid and chasing boogie men out of every closet. The power grid is in bigger danger of being jacked.


Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.