
Hackers

Who come from the sky


JingLi Hao - 360 Future Security Lab
Contents
The development background of satellite network and DVB-S2 protocol

Some unsecured satellite networks

The hidden dangers of future satellite networks
1. The development background of satellite network and DVB-S2 protocol
Application scenarios of satellite network
1. ISP, Broadcasting
2. Bank, Petrochemical industry
3. Multinational corporation
4. Gov, Army
5. Emergency communications
6. Aerospace
7. Maritime transport
8. Communications industry
9. Meteorological industry
10.…
Satellite networks have a very special status in national infrastructure and military communications. In recent
years, the rapid development of global satellite Internet and the deployment of Internet constellations have
brought satellite communications into a white-hot stage of development. As an important space-based node of
the future world-earth integrated network architecture, the importance and status of satellites are self-evident.
Global satellite constellation deployment

| Constellation | Country | No. on orbit | Initial planning | Band | Payload | Orbit altitude | Schedule |
|---|---|---|---|---|---|---|---|
| StarLink | USA | 1674 | 12000 | Ku,Ka | On-board routing | 500/1100km | Trial operation |
| O3B | UK/Luxembourg | 20 | 50 | Ka,V | On-board processing | 8000km | In operation |
| OneWeb | UK | 358 | 720 | Ku,Ka,V | Bent-pipe | 500/1200km | Orbit networking |
| Viasat | USA | 2 | 3 | Ka | Bent-pipe | 36000km | Orbit networking |
| Iridium | USA | 75 | 66 | L | On-board processing | 700km | In operation |
| Globalstar | USA | 85 | 48 | L,S | On-board processing | 1500km | In operation |
| ORBCOMM | USA/Canada | 41 | - | VHF,UHF | On-board processing | 700km | In operation |
| Telesat LEO | Canada | 6 | 300 | Ka | On-board processing | 36000km | Orbit Verifying |
| HongYan | CHINA | 1 | 300 | L,Ka,V | unknown | unknown | Orbit Verifying |
| TianQi | CHINA | 10 | 38 | UHF | unknown | 500km | Orbit Verifying |
| XingYun | CHINA | 2 | 80 | UHF,L | unknown | unknown | Orbit Verifying |
| Kepler | Canada | 15 | 140 | UHF | unknown | 550km | Verifying |
| Lightspeed | Canada | 0 | 298 | unknown | unknown | unknown | Planned |

The global satellite Internet constellation and the Internet of Things constellation are vying for the first deployment, and orbit resources and spectrum resources are constantly being competed for. Among them, the large-scale Internet constellation represented by “StarLink” has a planned number of 12,000 satellites.



Satellite Internet Constellation - StarLink
SpaceX satellite manufacturing technology, rocket launch/recovery technology, and inter-satellite routing
technology are very mature. The StarLink constellation is rapidly deployed, and rocket recovery continues to
achieve new results. It has provided test broadband Internet access services for the northern United States
and southern Canada.

DVB-S2 protocol for satellite
Digital Video Broadcasting - Satellite - Second Generation (DVB-S2) is a digital
television broadcast standard that has been designed as a successor for the popular DVB-S
system. It was developed in 2003 by the Digital Video Broadcasting Project, an international
industry consortium, and ratified by ETSI (EN 302307) in March 2005. The standard is based on,
and improves upon DVB-S and the electronic news-gathering (or Digital Satellite News
Gathering) system, used by mobile units for sending sounds and images from remote locations
worldwide back to their home television stations.
DVB-S2 is designed for broadcast services including standard and HDTV, interactive services
including Internet access, and (professional) data content distribution. The development of
DVB-S2 coincided with the introduction of HDTV and H.264 (MPEG-4 AVC) video codecs.

IP over DVB
DVB-S2 network system

Point to point Star network Mesh network


2. Some unsecured satellite networks
iDirect satellite system

More than 1600 super stations have been built in China.
One third of them are running with VoIP phones.
Super Stations
Super Stations principle

Common Station network Super Station network

Fibre-optical

By default, the data between the BTS and the BSC is carried over optical fiber. When
special circumstances occur, such as earthquakes or floods, and the fiber-optic
network between them is cut off, the “super station” automatically switches to the
satellite network, which then carries the users' voice calls and SMS messages.
Great system

I found that “Super Station” is really a great system through this research, and this system has played a very important role in the flood that occurred in China this year.

I bought a China Mobile SIM card after this research.


Super Stations modem

iDirect X3 Default Passwd:
Username: root
Password: P@55w0rd!

Options info from super station modem by second hand trading software
Calculate the uplink frequency

[Figure: Lo, fa, fb; 4120MHz, ?]

• If we know the downlink frequency, what is the uplink frequency?

$f_b = f_a \pm L_o$
$f_a$: uplink frequency; $f_b$: downlink frequency; $L_o$: local frequency

$f_b = 4120\,\mathrm{MHz} \Rightarrow \text{C-band frequency} \Rightarrow L_o = 2225\,\mathrm{MHz} \Rightarrow f_a = 4120 + 2225 = 6345\,\mathrm{MHz}$
Stealing Communication Links

C-band frequency
Uplink: 5.85GHz -- 6.75GHz
Downlink: 3.4GHz – 4.2GHz
Local frequency: 2.225GHz

Ku-band frequency
Uplink: 14.0GHz – 14.5GHz
Downlink: 11.7GHz – 12.2GHz
Local frequency: 1.748GHz, 1.750GHz

Ka-band frequency
Uplink: 27.5GHz – 31.0GHz
Downlink: 17.1GHz – 21.2GHz
Local frequency: 9.80GHz
Information of “Super Station”

Satellite:ChinaSat 12

C-band: 6A Transponder
Ku-band: 11B Transponder

Ku-band:
IP:10.10.230.126
RX: 11300MHz + 1086.31MHz = 12386.31MHz(downlink)-10600(local)=1786.31MHz
TX: 13050MHz + 1000.00MHz = 14050.00MHz(uplink)

C-band:
IP:10.10.226.219
RX: 5150MHz - 1305.5MHz = 3844.5MHz
TX: 7300MHz - 1000.00MHz = 6300.00MHz
Lat: 40.211N
Long: 116.238E
Option file from modem
Receive signal from “Super Station”
Ku Band

C Band
Decode data from Super Station

In the received data, we can see the VoIP protocol and the BTS communication protocol.
Social engineering

Me: “Hello, your express arrived”

He: “What, express?”

Me: “Yes”

He: “I have no express” (I didn’t hear clearly)

He: “Where did you send it?”

Me: “xxx community” (fake name of community)

He: “You sent it wrong, this is China Mobile Corporation”
Using OpenATS to receive signal

OpenATS
Eavesdropping on data
Searching satellite network

CrazyScan
Asia 9 Satellite

Downlink:
Rx Bitrate:25000000
Rx symrate:25 000 000
Modem rx freq:1247MHz
Downlink freq: 1247 + 11300 = 12547MHz

Uplink:
Tx Bitrate :3000000
Tx symrate :1875000
Modem tx freq :1000000000
Uplink freq: 13050 + 1000 = 14050MHz
China National Petroleum Corporation
X3 modem vulnerability scan
Why is iDirect network?

TRANSEC

The iDirect modem provides a secure encrypted transmission function by default.
When the user turns on this function, the user's ID and data are fully encrypted
in transit and protected against eavesdropping. However, because of the key
distribution involved, many operator networks have not enabled this function.
iDirect modem
Modify iDirect’s modem DID

sub_E7D94

We can modify the SN to any number and reflash it,
but we also need to modify the DID number in the options file.
Set a legal IP address and the modem can send the new DID's signal.

X3's DID = 128 * 2^18 + SN = (33554432 + SN)
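
A hub-side check built on the DID formula above, as an added example (not from the original slides or from iDirect): it splits each DID into its model prefix and serial and flags acquisitions that do not match the provisioned inventory. The record layouts, the 18-bit serial field and the 5 km tolerance are assumptions, and the sample data is constructed.

```python
from math import radians, sin, cos, asin, sqrt

X3_PREFIX = 128   # from the page: X3 DID = 128 * 2**18 + SN
SN_BITS = 18      # assumption: the serial occupies the low 18 bits

def split_did(did):
    """Split a DID into (model prefix, serial number)."""
    return did >> SN_BITS, did & ((1 << SN_BITS) - 1)

def km_between(a, b):
    """Great-circle distance in km between two (lat, lon) points in degrees."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))

def audit(inventory, acquisitions, max_km=5.0):
    """Flag hub acquisitions whose DID does not match a provisioned X3 remote.

    inventory: {serial: (lat, lon)}; acquisitions: (timestamp, did, lat, lon).
    Both layouts are hypothetical. Returns sorted (timestamp, did, reason).
    """
    findings = []
    for ts, did, lat, lon in acquisitions:
        prefix, sn = split_did(did)
        if prefix != X3_PREFIX:
            findings.append((ts, did, "prefix is not X3"))
        elif sn not in inventory:
            findings.append((ts, did, "serial not provisioned"))
        elif km_between(inventory[sn], (lat, lon)) > max_km:
            findings.append((ts, did, "far from provisioned site"))
    return sorted(findings)

# Constructed sample data (not from the page).
INVENTORY = {1001: (30.0, 110.0), 1002: (31.0, 111.0)}
ACQUISITIONS = [
    ("2021-01-01T00:00:00", 128 * 2**18 + 1001, 30.0, 110.0),  # legitimate
    ("2021-01-01T00:05:00", 128 * 2**18 + 1001, 39.9, 116.4),  # same DID, other site
    ("2021-01-01T00:06:00", 128 * 2**18 + 7777, 30.0, 110.0),  # unknown serial
    ("2021-01-01T00:07:00", 64 * 2**18 + 1002, 31.0, 111.0),   # non-X3 prefix
]

if __name__ == "__main__":
    for finding in audit(INVENTORY, ACQUISITIONS):
        print(finding)
```
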

Hidden data because China rules


3. The hidden dangers of future satellite
networks
Orbit security
ESA (European Space Agency) statistics:
As of 20 September 2021, the number of successful rocket launches by mankind is about 6,110, the number of satellites
placed into Earth orbit is about 12070, and the number of satellites still in space orbit is about 7550. The number of
satellites and spacecraft that are still providing services is about 4700, and the number of debris objects tracked by the space
monitoring network is about 29610, of which 36500 are debris larger than 10 cm.

>1cm

>1mm
Satellite network risk points
Security of Satellite network

Space
1. Spaceborne system backdoor, vulnerability attack
2. Tracking in orbit, operation risk
3. Supply chain intrusion attack
4. Spaceborne bus intrusion and forgery attacks
5. Reconnaissance, capture attack

Link
1. TT&C eavesdropping, cracking, forgery, and replay attacks
2. Virus injection by signal
3. Eavesdropping, forgery, and interference of communication signals
4. Protocol of communication

Ground
1. End application supply chain, backdoor, vulnerability attack
2. Penetration attack for earth station
3. APT
4. Terminal passive reconnaissance
5. Terminal other attack
Satellite network hack

➢ 1997, Trespassers penetrated computers in the X-ray Astrophysics Section of a building on NASA’s Goddard Space Flight Center campus, where they commandeered computers delivering data and instructions to satellites.
➢ 1998, A US-German ROSAT satellite, used for peering into deep space, was rendered useless after it turned suddenly toward the sun, damaging the High Resolution Imager by exposure. The attack allegedly originated from Russia.
➢ 1999, A hacker took control of one satellite of SkyNet.
➢ 2002, An online intruder penetrated the computer network at the Marshall Space Flight Center.
➢ 2002, Some hackers attacked the XINNUO-1 satellite and changed the TV content.
➢ 2004, A cyber-trespasser who poked around NASA's Ames Research Center in Silicon Valley caused a panicked technician to pull the plug on the facility's supercomputers to limit the loss of secure data (Epstein and Elgin 2008).
➢ 2005, A malignant software program gathered data from computers in the Kennedy Space Center’s Vehicle Assembly Building, where the Shuttle is maintained.
➢ 2006, Due to concerns of computer network exploitation, NASA facilities barred all incoming Word attachments from its computer systems (Epstein and Elgin 2008).
➢ 2007, The Goddard Space Flight Center was again compromised.
➢ 2007, Landsat-7, a US earth observation satellite jointly managed by NASA and the US Geological Survey, experienced 12 or more minutes of interference.
➢ 2008, Hackers are thought to have loaded a Trojan horse in the computers at Johnson Space Center in Houston, Texas.
➢ 2011, Romanian hacker TinKode allegedly obtained sensitive information from NASA’s Goddard Space Flight Center and the European Space Agency, which he then made publicly available online.
➢ 2011, NASA’s Jet Propulsion Laboratory (JPL) “reported suspicious network activity involving Chinese-based IP addresses... giving the intruders access to most of JPL’s networks” (Martin 2012).
➢ 2015, At CCC Germany, Iridium system attack.
➢ ...
Thanks
