>> All right. As we said, welcome to track 1. And -- yeah, this is 1:00 talk as you well know. We have Colby Moore who is going to talk about Satcom hacking. He apparently found some vulnerabilities. In some satellites. This is a rerun of his talk that he gave at Black Hat so please help me welcome Colby Moore. [ cheers and applause ] >> Thanks, guys. Good afternoon DEF CON, thanks for coming out. Today we're going to talk about spread spectrum signals and hacking the GlobalStar simplex data service. First, I'm mechanical engineer that loves computer security. I'm currently working on the R&D team. I got interested in satellites and radios a long time ago when I got my ham radio license, yes, ladies, that's my call sign. Radio me, I'm single. What is this company that I work for? Basically we're a new spin on security for the enterprise. We have Army of vetted security researchers out there and hacker clients on basis for pretty crazy pay outs in my opinion. So, if you have spare cycles want to make some money join our red team. If you are concerned about security in your enterprise comes talk to us as well. But anyway, a little introduction here. Why aim doing this? I wanted to try something new and was pretty frustrated with the lack of diversity in the talks lately, satellites are kind of the ultimate hack, making a satellite talk just about every year they are theoretical. I wanted to try to do something a little bit more concrete. Location-based privacy in -- location monitoring satellite seemed like a good fit. Bottom line is I wanted to take a stab at something different and hopefully inspire collaboration on future research in this unexplored area. I'll be releasing some tools after the talk hopefully we can collaborate a little bit. What we are going to do, we'll talk about RF signals and modulation, what is spread spectrum, we'll select a target and hopefully we'll reverse engineer it and hopefully exploit it if everything goes well. The goal of my research is to do it for less than a thousand dollars. It started as a side project. I wanted to do it on the cheap. So hopefully you guys will be ail to do it too. Quite a bit of material to cover but I'll zip through it, if you guys need to look later you can e-mail me, whatever. Prerequisites. Tend to keep it high level at first but with enough detail to get you guys started really all you need to is a high school mathematical knowledge to start taking a look at the stuff. So, for you guys that came to my talk last year we like to define some key terms up front. So we have the term, Vegas interpretation then its hacker meaning. So here for a chip it's a pulse of a spread spectrum code not a poker chip. Coverage, we're not referring to the size of your bikini it's the area in which the satellite service is available. Recovery, I'm sure you guys are recovering this morning but we'll be recovering the unknown PN code of spreading code of the signals. And bent pipe if not normal pipe it's -- refers to type of satellite system that repeats the data when September up it comes right back down. I'm sampling I'm sure you did a lot of sampling last night but we're just going to be recording a signal digitally. So, targeting how do we choose our target. There's a lot of potential targets out there. There doesn't even cover them all thinking the right one was key. Commercial, military, bottom line the technology needed to be consumer accessible and cheap, we're just going to do this side project. But I wanted something to be popular have a really high impact. You want vulnerabilities to be worthwhile. So familiar with GlobalStar spot line of computer projects, I use them when I'm out backpacking, they're pretty great. They make trackers for track can your car or yacht. And first locator dash da personal locator beacons to call for help when you're lost out in the wild or your ship is sinking at sea or something like that. Start looking deeper, turns out that commercial offer little use the same offering. Basically you can buy a $50 dirt cheap consumer device for research and research translate directly to all enterprise devices out there. Not to mention anything high impact it's pretty widely deployed. Where is this technology used? Really it's used everywhere. Designed to be integrated anywhere you below bandwidth off the grid. Used in systems, big gas and oil operations, military and predominantly asset tracking, ship contapers, armored cars, expensive things. So all this tech operates on what's called the simplex data service, how does that work. The case of asset trackers, devices can also send back arbitrary information as well, the tracker gets this location from GPS satellites and then it beams that data some other metadata up to the GlobalStar satellites. It repeats the data back down into the GlobalStar ground station which interprets the data packets, forwards the data over the Internet to global star backing up the structure or to the customer infrastructure for processings. I kind of like -- think of SMS for the satellite world, just really small concise messages. So, GlobalStar system is series of low earth orbit bent pipe satellites. The way it works whatever signal goes up it's simply repeats it, ships it to a different frequency sends it right back down to be received by the ground stations. This keeps the cost of satellite low and future visibility flexible. Notices data link is one direction, simplex, simplex data network, how the heck is that reliable? Turns out that each data packet is sent multiple times to ensure successful transmission. So what's the deal with these ground stations? Turns out there's hundreds of them all around the globe and they handle reception of the satellite data there's also two main control centers, one is in San Jose, California, forget where the other one is. They're in charge much operating the satellites sand positioning them and such. So here is the coverage map from GlobalStar website, you can see if there is patches with no coverage out in the ocean, and Antarctica, no ground station there to receive the date the from the satellite. Each ground station provides up to a couple thousand miles window, radius, for reception. So you can see down in South Africa there's a nice blob down there they actually just added this one maybe couple months ago. Data coverage down there. So, before I started working I like to do a little bit of ground work to get the idea of a client's general security posture, I look at their website, having issues signing up for an account, locking in, try to log in and looks to me like potential SQL injection. I did not get the warm fuzzy hacker, this is going to be a fun target to hack on. So I dig a little deeper turns out data from the ground stations appears before the clients over FTP and HTP there's no S on there. Maybe just data over the Internet we'll try to do it over the air just for the hell of it. So things are looking pretty good in general, some sort of bug. Let's dig deeper into the actual satellite system itself. But where we look for information on GlobalStar's hardware? Of course, Google, I think we all do it. But the SEC database turned out to be the best wealth of information. If you have an RF transmitting device you need to register with the FCC to make sure you're not stepping on anyone's toes. There are lot of academic papers on GlobalStar as well and I found a lot of integrated spec sheets, proprietary information that was just left out there. So that helped a lot. But I want to make sure someone else hasn't already broke the system. I looked for prior research. Turns out Travis goodspeed looked at the Bluetooth protocol of one of the devices awhile back. Cool research. And some guy, maybe he's here, looked at the GPS to micro control interface on board an old spot personal locator beacon I wanted to dive deeper, it didn't deal with the device to satellite communications. So, again, looking at the FCC database, a chip called the STX3 coming up will be referenced. One of the transmitters used by the simplex data network it was designed for an integrater to put in their creation the low cost, low power, it's wicked tiny. That's the chip itself that talks to the satellite. So there's nice diagrams that came with this chip on the diagrams kept seeing this DSSS and BPSK coming up we'll talk about that more in a minute. I had no idea what it was at the time but turns out to be critical to what we're doing. So, the databases also came up with GlobalStar's various frequency ranges as well as Pacific range for GlobalStar simplex data network which we need to demo in this case the devices we're looking at operated around 1.6 gigahertz in frequency. So, I kept digging, and I found this leaked manufacturer spec sheet from a company called Axon. They used to make data chips for GlobalStar. Reference these parameters I couldn't help feel like we're important but I had no idea what they were. Of note let's see what it says here. We see DSSS again, something called a 255 chip NP sequence at rate of 1.25 megachips per second then reference to data rate 1060.4 bits per second. After a little reading turns out these are parameters for certain type of spread spectrum. We'll talk more about that in a minute. Before we talk about spread spectrum basic review of waves and modulation for those that aren't familiar. Remember that radio signals are transmitted on radio waves. And data is included on waves by modulating various parameters of that wave. Remember that waves have three main characteristics that we can modify they have the wave length essentially the frequency how many cycles per second the wave moves. The phase, position of the wave relative to a fixed point. As well as the amplitude, the height of the wave. We can look at waves in few different ways. Probably familiar with the time domain representation of a wave. Where time is on the X axis and amplitude on Y axis. Often we're working with signals -- when we're working with signals look at the frequency domain representation. Where it's on the X axis. This shows us what frequency components make of a signal. If you look the at the frequency domain representation of say 100 kilohertz sine wave on this it would show a sharp spike at 100 kilohertz on the frequency domain graph. Oftentimes signals may contain other frequency components. This graph may take on very unique look for different types of signals we're looking at. So, let's start and see kind of how analog modulation is done. We'll look A.M. and F.M. both of which you guys use on radio regular basis in your car radios. So send analog A.M. signal, essentially carry a wave at the desired frequency that you want to transmit on. Then vary the amplitude according to your data, the modulating signal. And the resulting signal is what gets sent out over the air and transmits whatever. Notice how we vary one parameter in this case the amplitude to send the data over the area. In said of modulating the carrier analogly we could have varied between two different amplitudes to encode digital data signal instead. Then sending digital data is signal over A.M. is called OOK for on/off or ASK or amplitude shift keying. To do the same thing to your frequency modulate data. We varied the carrier frequency according to the signal instead of the amplitude. So, again we could have shifted between the frequencies to encode digital data on this wave and method of encoding, digital encoding on frequency modulator is FSK for frequency shift keying. As we talked about^ digital A.M. is ASK or OOK and digital F.M. called FSK. We can also vary the third parameter, the phase. Called phase shift keying. Do this to encode digital on a wave. This talk we'll focus on BPSK we saw that earlier. Binary phase shift keying. Basically alternating a wave 180 degrees in and out of phase in order to ebb code binary data on this wave. In 180 degree phase shift simply achieved by splitting the wave upside down or just multiplying by negative one. So here each cycle of the wave corresponds to one symbol. A bit in this case. I know it's brief but we have the necessary knowledge on how signals are modulated gets go one step deeper talk about spread spectrum. Spread spectrum is basically way to take narrow band signal one that doesn't take up too much bandwidth to transmit and spreads out over much, much wider frequency range. This gives ability to be much more jam resistant, introduces a property called processing gain. Essentially processing gain the more you spread this signal the more gain you get at the receiving ends. You can transmit further. The processing gain actually allows for spread signal to be received even if it's below the noise floor at the receiving point. Spreading the signal allows for what is called CDMA properties this stands for code division multiple access. You probably heard about it reference to your cell phones. What this means is that multiple devices can transmit on the same frequency at the same time and all the data can still get through. This is achieved through the use of each device having a unique what we call spreading code. Remember we saw in the tech talk called PN sequence or PN code this is the same thing. Now there's two types of spread spectrum, the difference is that the DSSS operates around one frequency as shown on the left. Where as the FHSS hops between multiple frequencies you can see on the four peaks on the right. For the sake of this talk we'll focus on DSSS as that was what was referenced in the Doc. Create DSS signal in this case relatively slow BPSK signal in the case of the transmitters, 100 bits per second mixed with a very, very fast pseudorandom signal. The resulting signal contains all the information that is spread out over much larger bandwidth. So here you can see the data, the signal is then spread to 1.235 megahertz that's 12,500 sometimes wider. Notice the shape of the wave forms are very similar in these two. This is going to be important later. So here is a more concrete example. Our data signal is just 0 and 1 modulated very slowly. Our pseudosequence is binary signal that changes much, much faster the higher frequency shown there in green. We mix those two signals together to get a resulting signal with much higher frequency. You see there in the red. How do we recover the data? Simply mix the signal with the pseudo-random signal one more time the original data falls right back out. So that's how this whole DSS thing works. Now we talked about the PM sequences, basically all they are that periodic binary codes have strong auto properties. Meaning that they're binary sequence that repeats over and over. Just interesting piece of information if you guys end up trying some of this at home commonly generated using linear registers. So this research we'll look at specific type of PN sequence called M sequence. Again we saw this in the the original spec doc. What is interesting they correlate strongly with themselves as phase shift of zero, very poorly in other phase shift. Let's take a look. Up there on the left we're comparing very short M sequence, 0001. We're comparing to itself. A phase shift to zero has perfect correlation of four that we shiftivity once to the left. Correlation goes to zero. Stays at zero until we bring it back into phase. This is nice because makes searching for this PN sequence any other signal very easy just look for it using correlation. So, spread spectrum is simple in theory but really more difficult in practice. In theory simply mix the signal with the appropriate MP sequence data signal will emerge. In a perfect world our transmitter and receiver going to have -- going to be tuned -- not going to be tuned to the exact same frequency we need to accommodate for this frequency differential somehow. Also remember that if the FN is not properly aligned with itself in incoming data it won't work. Just get a garbage signal out. We need a way to phase align with PN sequences. It uses those auto correlation properties we talked about just a second ago. All right. We got a little rough idea of the theory but now to put into practice we need to build hardware and do something. To do this I use software along with python and the code. Also needed an appropriate antenna that I got off of eBay and so for those that at home GlobalStar antennas are left hand circular polarized a specific type of antenna that you need to look up. But that's a little bit out of the scope of this talk. For those of you who are familiar with RTL and SDR the software, you won't be able to use for this it doesn't cover enough bandwidth I use USRP to get for about 600 bucks, I think all other works just fine also. We also needed low noise amplifier for receiving some weak signals and supporting cable and voltage regulators I got this LNA off of company called mini circuits, it was $150. Not too bad. So this point I package up into a box these things are pretty fragile and package or clumsy and I didn't really want to break the hardware. So anyway, I am outside the box we can take this thing places and aim it at things I had it up in my tower was aiming over at McCarron, sniffing up data from the airport. We'll get to try that out. How does this hardware work? Essentially the software radio, radio waves which are analog coming in converts them to digital data that a computer can process. Does this by taking samples of the wave. So this guy named Nyquist came up to realization that sampling you need to sample at least twice as fast as signal's highest frequency in order to accurately reproduce the signal while sampling. A real world example is that the human ear can't hear frequencies higher than 20 kilohertz. If you recall CD audio, if you still use CDs, sampled at 44.12 kilohertz that's just over twice the human frequency hearing range. Also should know that software defined radio hardware uses IQ sampling or modulation. To receive and send these signals. This top sick a little too much to get into for now but for each sample data taken, two values are recorded. The I and Q. Using this IQ modulation has strong benefits for processing signals in software. But if you're interested I suggest you check out this YouTube video, it does really good job explaining much better than I'll be able to do. Bottom line is you don't need to understand this unless you're going to try this research at home. First step to decoding satellite transmissions to figure out that PN sequence to extract the data from the waves. So let's put our hardware to work. Remember that we're looking for a signal, the PN sequence that is 255 bits in length, repeats over and over and over again. And repeats at rate of 1.25 million chips per second. Mention that a chip is same thing as a bit. We just name it differently to distinguish it from actual data bits. Now interestingly enough we can treat less spectrum the same as we treat BPSK. Check out this graph. It's hard to show. But we can see that the BPSK signal above shifts the wave but once every several wave cycles. The DSSS signal shifts the wave much, much faster but in the same way as BPSK signal. We can use ordinary modulate tore receive the spread data now the downside of doing this is that receiving data this way that we don't receive any of the processing gain benefit we talked about from the signal. Technique only works over really short distances. I was able to do this across the room maybe 100 feet away. So to accurately receive the data we need to set our hardware to sample the data correctly. We have to meet a few different criteria. First, the USRP the radio I using only sample multiples of 32 megahertz. We also need to sample twice as fast as the highest frequency component in this case that's the PN sequence and signal 1.25 megahertz. We also need to sample rate that even number of samples for symbol. Even number of samples per chip. So we achieve all this by sampling at rate of 4 megahertz then resampling the signal just interpolating data points to get up sample signal of five megahertz. What is special about this five megahertz. Which is even number. But now how do we get the actual PN sequence out of this date that that we receive? What we know from doing calculations that the MN sequence repeats 49 times for each bit of data sent. Since the sequence doesn't cross any bit boundaries would be -- we can X the -- first bit of data result is the actual PN code. So let's use to decode the signal as BPSK and appropriate in output the appropriate data disk. So here you can see a flow graph, I used to do this, you can see the PSK modulator. PSK modulator to output to binary file that will examine it. So if you look at data in the editor we clearly see that repeating sequence of data, 255 bits long. Starting to sound familiar. Turns out that repeating sequence of data is the PN code. And turns out this is pretty much the keys to the kingdom for intercepting all this data. Code is used by all simplex data devices to encode the data center over the air. Now that we have the code let's try despreading some data. You remember we need to mix the PN code with incoming signal to receive the information and if all goes well expect output signal to contain very strong narrow band signal shown as asharp peak in the graph below. Above is what the normal simplex data network signal looks like, the lumpy thing, the graphic shows what we should see, just a nice sharp spike in there. Now before -- again it's important to know that working with the signals is a very computationally intense procedure. Receiving a signal at four megahertz with software defined works out to data rate of 30.5 megabytes per second so for the purposes of this work we'll record the data then post process later. Eventually possible to use more robust custom hardware, FPGAs to do this work in realtime. That sounds like a pain in the butt we'll just record and do it later. Big thanks to my interns for helping me optimize this code, used to take a minute to run now takes about like 40 seconds. How do woe we spread the data? First lock on to the mixed sequence. We do this by correlating the receive data signal against the recovered PN at every single point in time we're sliding the PN against the receive data signal and correlating. If we plot the correlation over time when the PN is perfectly aligned we'll see a sharp spike in the core lakes that's what you're seeing up there. This is know when to mix the data together. If we align the PN on the first correlation spike only, do this on frequency mismatch we'll pull out correlation over time. As shown on the left. We fix this by adjusting the PN four ward to backward at each and every correlation peak to ensure it's alignment. At this point once we're in alignment we simply mix the data together and the signal should fall out. Let's try that. After compensating for the frequency differential you you can see on the left the correlation over time stays pretty constant with the slight oscillation, that's okay. If we zoom out really far we can see the correlation over a whole data packet you can see the negative and positive correlations actually representing actual data bits flying over the air. So if you look at the signal coming out of our software sure enough we see that sharp spike in the center indicative of our signal in question, this means we despread our data successfully theoretically. Zooming way in on that sharp peak we can see that the wave form looks like BPSK signal, operating around 100 hertz and we know that the data rate in question that we're looking for, things are looking pretty promising. All right. Now that we're maybe receiving data let's try to decode it like what's inside. If you look at the time demain representation of the signal you can clearly see there's actual data bits coming over the air. That is satellite date. That now signal and do something with it. Namely just low pass filter it type it into a PS data modulator. That point the data pretty much falls right now you can see the top, nice binary string out of that data we need to validate it. I found spec sheet that references the data packet format which is shown right up there it starts with the preamble a constant unique binary sequence that tells the severe when the pack set starting then this manufacture I.D. as well as bunch more data. So if we convert that manufacturer I.D. set of bits to decimal sure enough it lines up with written on the back of the device. I'm pretty sure that means we're doing something right. So now data packets also contain just about any information you want. This is kind of up to the integrator thee devices are send location data in asset trackers. So everyone uses the same data format, it can be adjusted on the same. After extensive comparison with the help of intern freed up the 8 to 32 latitude and 32 to 56 longitude. Simply convert those binary bits to decimal and multiply by degree per count value that will give you the actual. You have to sniff into the code, be online later if you want to craft your own pockets. We'll talk more about that. The data packets also contain a checksum. We figure out not only validate packets we should be able to create our own. From what we saw the comparison and devices we looked at there was no encryption no signing no other protection. Theoretically we can inject our own data back into the satellite network. So, recall that we're doing all this interception here on the data up link from the device to the satellite. But the bent pipe nature of the GlobalStar satellites the down link is exactly the same as the data on the uplink. Except we just need compensate for few other things like Doppler shift and multi-path interference. This is an avenue for future research if anyone of you guys are interested. A bigger dish, a little better hardware we can start receiving a ton more data doing this same method. But all right, now we figure the out these data packets, can we inject it back into the network? Seriously, don't transmit on GlobalStar frequencies, it's probably illegal where you live, and it might interfere with critical emergency communications, fortunately the simplex frequencies aren't used for satellite control, per se, it's not like you're going to make fly sideways or anything. But if you wanted to transmit, that's actually the easy part. [ laughter ] [Applause] Don't try this at home. Wink, wink. All you do really simply mix the data together with the PN sequence and carrier all at the appropriate rates which are listed here in this talk, I'm not going to be providing my code that I designed but if you're savvy enough you should be able to do it. All you need is about .2 watts of power, appropriate amplifier on the Internet for 200 bucks and you can write the code, it's pretty simple. What if there was seesier way. GlobalStar provides OSX update utility for one of their spot trace devices their personal asset trackers, inside the application package there's a tool, spot three firm wear tool and contains all sorts of interesting functionality that never called by the actual consumer up data app. If you look in the jar, there's bug console which references something in the spot device class called, right ESP, electronic serial number. What if we wrote java app to call that console. Sure enough functionality, right there. In the software on their website. Bug console left us update the ESN of any of these spot trace devices out there we can change the serial number of these devices, essentially cloning it. Think cloning cell phones, whatever. To prove this I cloned one of my spot trackers, which the others ESN told it to transmit and sure enough I got a tracking back that confirmed we were able to clone the device. For $50 you can clone satellite network devices and maybe coordinates and shenanigans. But besides the obvious of using network to transmit your own data or expanding capabilities of your service, maybe sending more packets than you're allowed to per hour, what can we do with the data transmission capability. Can we get in bit more trouble? First these devices are used very commonly in emergency response. One scenario, what if an attacker spoofed thousands of false emergencies and jammed um the emergency response center preventing aid from getting to an actual emergency. Or what about monitoring for help requests in these devices just cancelling the help request. Kind of of a Dick move but someone might do it. I talked to a really, really well-known reporter couple days ago and she used to work out of the middle east as a correspondent for ten years, she said that journalists use these spot devices to track their whereabouts in case they're kidnapped. They're relying on these devices, some people know where they are. Was sniffing up this data, people using these for their safety, that's not cool. Turns out these chips are also used in access control systems, by law enforcement even for animal tracking, I think it would be hilarious to say that a wild grizzly had relocates itself to suburban California then see what they say. I also forgot to mention that they're used heavily in data systems. I'm not naming specifics, you guys are bunch of hooligans who probably get in trouble but commonly used in water quality sensors, pipeline monitoring, lot of big oil and gas operations. I was thinking what if there's a big rival oil company that wanted to figure out where the competitor was drilling, just fire up your own base station just have look for yourself. But wait, there's more. Lockheed Martin flight services, the contractor that handle flight planning for the FAA allows these spot devices to be used to track any VFR flight. What if an attacker made airplane appear to deviate from its original flight plan into tightly controlled air space. I haven't tried this, but it would be interesting to see see what happened. Demonstrate some of this, I built a little capability, which I'll talk a little bit about. The way it works is that I sit with the device in the uplink path of the transmitter. This is what I was doing a couple nights ago. Over time I'm able to pick up countless transmissions from asset trackers. I did some research a year ago talking about mapping patterns from mobile vulnerability location tracking. And able to monitor users over a fixed period of time and figure out where is home, where is work, just by where they are different times of the day. It's key to tracking somebody. This makes it really easy to identify what a target is and where it goes, in this case we'll monitor an armored car route. Now that I know where the armored car is I know where to hijack it. And I hijack the car, disable and begin spoofing their beacon's I.D. with my transmitter and spoof GPS coordinates that the armored car is on route when in reality I'm driving it somewhere else and robbing the bank blind. Think "Fast and furious." So you might ask, does this work. Short answer is yes. I needed high vantage point, only solution to go out start working on my private pilot license to intercept the data from the air. I've been flying with this thing, we'll see where it's going, results are pretty promising so far. I'm going to do a little demo, show you how this works. Decided not to tempt the live demo gods but I broke it up step by step to talk about it a little bit. Bear with me here while I fire up the video. Is it up there full screen? We're going to wait for data signal from an attacker or from someone that transmits. Intercepting the data right there. And so captures the data, writes the data out to disk. We're going to throw that data in our despreading python program here, kind of cropped the video it takes a minute to analyze the data packet. And, okay, it locks on to the PN signal in the signal and starts despreading. I'll finish up here. Then we can see, pretty constant correlation over time that's what we're looking for. It means we locked on to the PN signal successfully. Then that back to radio code to visualize what we got. And you're going to be able to see that sharp peak in the middle we'll zoom in up there, be able to see the live data bits flying by. Then meanwhile this is writing the data bits out to disk for us to analyze. Then we're going to go ahead analyze those data bits, we should get the binary packet data out if all goes well. So there's the binary of the packet. Let's throw that into the packet decoder and verifier through successfully validate a packet print out parameters. This can all be all line as well more to dive in into the user's specific data, translate that to latitude and longitude. Let's go back to the presentation. All right. Couple conclusions. Few parting thoughts for you guys. I GlobalStar senior engineering staff about 180 days ago they were actually really friendly in response and seemed very concerned I get the impression they don't deal with a lot of these disclosures, not very typical. I provided indepth ten fold detail for them hoping of helping out never really heard back. After we spoke they issued statement taking privacy very seriously monitoring in place to detect these sort of attacks, unfortunately half the attack is passive no way that can be detected. The transmitting portion if targeted really has a low probability of being detected. So, in some of the recent statements, GlobalStar seemed quite defensive I don't know about you guys I tend to get a little bit upset when manufacturers get this way rather than addressing the actual issue at hand. He in my experience these vulnerabilities are always discovered one way or another. It's better to get them addressed sooner than later last year I disclosed a bug to grinder about being able to track their super mobile data app they said it wasn't an issue, didn't patch it. Six months later the Egyptian police got ahold of that bug began using to arrest gay men in Egypt. I really hate for these vulnerabilities to be used for bad I'd rather see these get patched and we're able to make the systems a lot safer for the end users. So, I sincerely hope that GlobalStar is serious about their statement of issues, I hope other manufacturers are paying attention as well. But I'm really looking forward to seeing the solutions or seeing what solutions come out of the community. Bottom line is there's still a lot of work to be done. I'm using my code on GetHub, I apologize I don't have it up yet it's been crazy here at the conference, parties and things. But it will be up soon. And I love to collaborate on the whole system maybe intercepting data on the downlink, let's work on this together if you're interested. I have feeling this is only the tip of the iceberg of seeing where this thing is used we'll start seeing a lot of interesting things fall out. If you're interested, help out. In conclusion I still believe GlobalStar makes a good product. But couple much take-aways. I remember that the air space products in satellites in airplanes have long life cycle and we're stuck with them for years to come. And the way that GlobalStar system is implemented it's not really patchable or easily patchable. A lot of the devices don't support upgrades or so far out in the boonies it's not realistic. The best thing a layer of encryption on top of the protocol and remember that obscurity is not security. It won't protect your data. Consumers, just assume can act accordingly we hear this a lot. Hold them to a higher standard, demand security. And if not, demand to know how you're date is being transmitted is it encrypted, if not, how so. Big thanks to the interns over there. For helping out. With testing and code authorization. [ Applause ] Yeah. Thanks, guys. Then for funding this different, crazy research. But it will be live later, hit me up if it doesn't come up. Feel free to e-mail me, tweet me, I'm always happy to talk. Thanks for coming out. Questions, comments, we got five minutes. [ inaudible ] >> Can we use the do -- from one location to another sneak in some formation? >> We use the bent pipe to send other information. That's a great question. And you certainly can. I don't recommend it. There's nothing -- someone probably is, you have to speculate. But, yeah, repeats anything it hears on the range and beams back down in 7 gigahertz you can build your own receiver and use your own personal satellite network. >> Does it need to be on a protocol or packet or it transmits anything that it receives? >> I missed that. >> Does it need to be in coded in a specific format or not -- >> The data can really be any format. Bent pipe doesn't do any interpretation, it reads a repeater. Probably need to be some sort of spread spectrum to get it over that distance, but you can use model very similar to what they're doing here. >> Thank you. Anyone else? Fee Friel to come up after. Cool, thanks, guys. Appreciate it. [ Applause ]