Re: Hack the Mars rover (fwd)

Forwarded message:
Date: Sun, 6 Jul 1997 06:43:06 -0400 (edt)
From: Ryan Anderson <randerso@ece.eng.wayne.edu>
Subject: Re: Hack the Mars rover

> Somehow, I don't think that's the place to mount an attempt to take it over. The prohibitive cost of getting an antenna into space where you can counter some of the effects of Earth's spin and keep the damn rover in contact all the time would be the biggest problem.

The place to attack is the up-link. This requires physical access (ie a van with a dish and xmtr.) as well as a means to crack the encryption on the control channels. At least one French satellite has been cracked and de-orbited via a network attack.

> Besides, how much encryption is needed between two points if intercepting the traffic is expensive, the communications protocol is undocumented (as far as anyone outside NASA is concerned), and the actual frequency is also hard to find?

The communications are not only documented but easily observable with the correct commercially available equipment. The frequencies are a matter of public record; I would further bet that 5 minutes with a search engine would bring that data to light...

--
The Armadillo Group, Austin, Tx. USA
http://www.ssz.com/
Jim Choate
ravage@ssz.com
512-451-7087

At 11:11 CDT on Sunday, July 6, 1997, Jim Choate wrote:
|The place to attack is the up-link. This requires physical access (ie a van
|with a dish and xmtr.) as well as a means to crack the encryption on the
|control channels. At least one French satellite has been cracked and
|de-orbited via a network attack.

The encryption for US-made satellites is supplied by the NSA. Cracking the encryption is much easier said than done. Is there a cite for the French incident?

/pbp

> Forwarded message:
> Date: Sun, 6 Jul 1997 06:43:06 -0400 (edt)
> From: Ryan Anderson <randerso@ece.eng.wayne.edu>
> Subject: Re: Hack the Mars rover
>
>> Somehow, I don't think that's the place to mount an attempt to take it over. The prohibitive cost of getting an antenna into space where you can counter some of the effects of Earth's spin and keep the damn rover in contact all the time would be the biggest problem.
>
> The place to attack is the up-link. This requires physical access (ie a van with a dish and xmtr.) as well as a means to crack the encryption on the control channels. At least one French satellite has been cracked and de-orbited via a network attack.
>
>> Besides, how much encryption is needed between two points if intercepting the traffic is expensive, the communications protocol is undocumented (as far as anyone outside NASA is concerned), and the actual frequency is also hard to find?
>
> The communications are not only documented but easily observable with the correct commercially available equipment. The frequencies are a matter of public record; I would further bet that 5 minutes with a search engine would bring that data to light...

The place to hack any deep-space mission is at its terminus. Even with the incredible receiving equipment at each of the controlling earth stations (e.g., Goldstone off of I395 between Barstow and Mammoth Lakes, CA) the link margin, that is the minimum required signal/noise vs. actual for the specified bit rate, can't be too healthy. The antennas are huge, very directional, parabolic dishes, but even the best have a bit of side-lobe reception (that's why they're located in remote areas, usually surrounded by hills). One can exploit these side-lobes to jam an inbound signal. Depending upon the transmission/modulation scheme, only a simple, low-powered transmitter with line-of-sight to the parabolic dish could overwhelm the Rover signal. Getting such a 'shot' at the antenna might be difficult from the ground.

--Steve
PGP mail preferred
Fingerprint: FE 90 1A 95 9D EA 8D 61 81 2E CC A9 A4 4A FB A9
---------------------------------------------------------------------
Steve Schear              | tel: (702) 658-2654
CEO                       | fax: (702) 658-2673
First ECache Corporation  |
7075 West Gowan Road      |
Suite 2148                |
Las Vegas, NV 89129       | Internet: azur@netcom.com
---------------------------------------------------------------------
I know not what instruments others may use, but as for me, give me Ecache or give me debt. SHOW ME THE DIGITS!

Jim Choate wrote:
> Forwarded message:
> Date: Sun, 6 Jul 1997 06:43:06 -0400 (edt)
> From: Ryan Anderson <randerso@ece.eng.wayne.edu>
> Subject: Re: Hack the Mars rover
>
> The place to attack is the up-link. This requires physical access (ie a van with a dish and xmtr.) as well as a means to crack the encryption on the control channels. At least one French satellite has been cracked and de-orbited via a network attack.
>
>> Besides, how much encryption is needed between two points if intercepting the traffic is expensive, the communications protocol is undocumented (as far as anyone outside NASA is concerned), and the actual frequency is also hard to find?
>
> The communications are not only documented but easily observable with the correct commercially available equipment. The frequencies are a matter of public record; I would further bet that 5 minutes with a search engine would bring that data to light...

Two very important points. The space path loss to and from Mars is very large. So a very large dish is required to have sufficient G/T to see readable data. Most NASA deep space stations use 85 foot dishes and some also have 300 footers. Without that kind of antenna gain one is not going to see anything at all, and without that kind of gain on the command uplink as well as a multi kW high power microwave amplifier to feed the dish one is not going to be able to put enough signal into Mars to do anything.

There are essentially no 85 foot or larger dishes in the hands of anyone who might be attempting to hack a NASA spacecraft. Such an antenna is simply not your back yard satellite dish.... they cost more than a million dollars and are major construction projects.

The second point is that the NSA has been supplying space hardened crypto chips and related ground equipment to every US satellite manufacturer and operator for at least the last 15 years for use in protecting the command uplinks against unauthorized access. One can be quite sure that NASA has used these, or if they haven't has good reason to believe they don't have to.

The attack that is barely conceivable is for some cracker to break into a NASA terrestrial communications link associated with the Deep Space Network (some links use satellite communications for example and others microwave links) and access the command uplink systems of a NASA DSN site. Whether they have fully secured all of these against such attack is unclear. Obviously good old secret key encryption would work here, and there certainly is a lot of command validation done at the uplink before the command is sent, so whoever was doing this would have to have great in-depth knowledge of the command uplink system and the spacecraft itself.

And finally, demodulating the downlinks and recovering information from them is relatively easily accomplished once the hard part (obtaining the G/T required) is somehow handled. NASA tends to use very straightforward modulations and FEC and does not encrypt the downlinks. And a fair amount of detail about the data formats is publicly available.

Dave Emery
die@die.com
Weston, Mass.

> Two very important points. The space path loss to and from Mars is very large. So a very large dish is required to have sufficient G/T to see readable data. Most NASA deep space stations use 85 foot dishes and some also have 300 footers. Without that kind of antenna gain one is not going to see anything at all, and without that kind of gain on the command uplink as well as a multi kW high power microwave amplifier to feed the dish one is not going to be able to put enough signal into Mars to do anything.
>
> There are essentially no 85 foot or larger dishes in the hands of anyone who might be attempting to hack a NASA spacecraft. Such an antenna is simply not your back yard satellite dish.... they cost more than a million dollars and are major construction projects.

You're right, it's beyond imagination that any amateur would have the resources at their disposal to override NASA's uplink (unless there's another Capt'n Midnight lurking at a commercial uplink station ;-).

> The second point is that the NSA has been supplying space hardened crypto chips and related ground equipment to every US satellite manufacturer and operator for at least the last 15 years for use in protecting the command uplinks against unauthorized access. One can be quite sure that NASA has used these, or if they haven't has good reason to believe they don't have to.
>
> The attack that is barely conceivable is for some cracker to break into a NASA terrestrial communications link associated with the Deep Space Network (some links use satellite communications for example and others microwave links) and access the command uplink systems of a NASA DSN site. Whether they have fully secured all of these against such attack is unclear. Obviously good old secret key encryption would work here, and there certainly is a lot of command validation done at the uplink before the command is sent, so whoever was doing this would have to have great in-depth knowledge of the command uplink system and the spacecraft itself.

Rather than trying to seize control of the lander just do a DOS hack by keeping the ground stations from hearing the lander signal. You said yourself that the path loss to Mars is very large (maybe around 200 dB); this means that even with those huge antennas their link margins can't be too high. I'll assume that in order to improve the margins they're using spread spectrum techniques, trading bandwidth for spectral efficiency. Without getting into the specifics of jamming technology, unless they have a very large process gain (like the 63 dB claimed for GPS), which is very unlikely for a number of reasons, a properly designed transmitter located near their downlink stations would spill into the passband of their very sensitive receivers (probably liquid-He cooled LNAs) making reception difficult to impossible. Of course, such transmitters would be relatively easy to find so only intermittent operation might be practical.

> And finally, demodulating the downlinks and recovering information from them is relatively easily accomplished once the hard part (obtaining the G/T required) is somehow handled. NASA tends to use very straightforward modulations and FEC and does not encrypt the downlinks. And a fair amount of detail about the data formats is publicly available.

If the data formats and coding techniques are public and well documented the task is simplified many fold.

--Steve
PGP encrypted mail PREFERRED (See MIT/BAL servers for my PK)
PGP Fingerprint: FE 90 1A 95 9D EA 8D 61 81 2E CC A9 A4 4A FB A9
---------------------------------------------------------------------
Steve Schear (N7ZEZ)  | Internet: azur@netcom.com
7075 West Gowan Road  | Voice: 1-702-658-2654
Suite 2148            | Fax: 1-702-658-2673
Las Vegas, NV 89129   |
---------------------------------------------------------------------
God grant me the serenity to accept the things I cannot change; The courage to change the things I can; The weapons that make the difference; And the wisdom to hide the bodies of the people that got in my way;-)
"Surveillance is ultimately just another form of media, and thus, potential entertainment." --G. Beato
"We've all heard that a million monkeys banging on a million typewriters will eventually reproduce the entire works of Shakespeare. Now, thanks to the Internet, we know this is not true." -- Dr. Robert Silensky

Steve Schear wrote:
> You're right, it's beyond imagination that any amateur would have the resources at their disposal to override NASA's uplink (unless there's another Capt'n Midnight lurking at a commercial uplink station ;-).

Different frequency bands. And much less power for a commercial uplink to illuminate a geo satellite with significant antenna gain toward its footprint. Commercial uplinks are usually in the 20 to 500 watt power class going into the feed, whereas the DSN has 5 and 10 kW capability into much larger dishes (30 meter versus 6 to 9 meter).

> Rather than trying to seize control of the lander just do a DOS hack by keeping the ground stations from hearing the lander signal. You said yourself that the path loss to Mars is very large (maybe around 200 dB); this means that even with those huge antennas their link margins can't be too high.

Greater than 200 dB. But indeed one could certainly come up with enough rf power from some point on the ground in line of sight to a DSN dish to completely overwhelm the signal from the bird. However, such a signal would be instantly spotted and identified and probably DF'd fairly rapidly. It would be unlikely one could knock out the downlink for very long without being located (and vigorously prosecuted). But most of the time Mars is visible from more than one DSN earth station and given the high priority of the mission the most likely thing would just be to switch stations to one a third of the way around the globe or more. Would obviously be a nuisance and get some people very mad, but since the ground stations fail from natural causes from time to time such a handover would be fairly routine.

> I'll assume that in order to improve the margins they're using spread spectrum techniques, trading bandwidth for spectral efficiency.

Spectral efficiency is usually bits/hertz of bandwidth. They do use QPSK or BPSK (mostly QPSK) which is about as power efficient - using FEC, Viterbi soft decision detection and non differential coding - as any possible modulation would be irrespective of bandwidth. That is to say for a given data rate and carrier power to noise temp ratio there is no modulation that would yield a better BER irrespective of bandwidth used.

> Without getting into the specifics of jamming technology, unless they have a very large process gain (like the 63 dB claimed for GPS)

Process gain is a measure of the ratio of the spreading sequence bit rate to the underlying data bit rate for a direct sequence spread spectrum signal. There is very little to be gained by using spread signals rather than non spread signals in this application except perhaps very accurate ranging information. They do not make sending k bits per second with BER less than e bits second any easier. There has been some use of spreading sequences for ranging in the DSN, but I do not know whether the Pathfinder mission used that mode. Obviously a spread signal would require lots more power to jam with noise or CW carriers, but even assuming side lobes -80 dB down from the main lobe (really hard to do) a jammer working from nearby would not need to be putting out a lot of power to overload the receiver and correlators.

> which is very unlikely for a number of reasons, a properly designed transmitter located near their downlink stations would spill into the passband of their very sensitive receivers (probably liquid-He cooled LNAs) making reception difficult to impossible. Of course, such transmitters would be relatively easy to find so only intermittent operation might be practical.

And would be spotted almost instantly on spectrum analyzers and other monitors.

> And finally, demodulating the downlinks and recovering information from them is relatively easily accomplished once the hard part (obtaining the G/T required) is somehow handled. NASA tends to use very straightforward modulations and FEC and does not encrypt the downlinks. And a fair amount of detail about the data formats is publicly available.
>
> If the data formats and coding techniques are public and well documented the task is simplified many fold.

Yes it is, although making educated guesses and going from there is certainly possible.

Dave Emery
die@die.com
Weston, Mass.
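The link-budget arithmetic behind the figures Dave Emery and Steve Schear trade above (path loss to Mars of more than 200 dB, why an 85-foot dish and a multi-kW uplink are needed, what "process gain" measures), worked through in Python. This is an added example, not code from the original thread or from NASA; it implements the standard Friis free-space loss and parabolic-dish gain formulas and goes one step beyond the messages by solving for the smallest receive dish that would close the downlink at all. Every scenario value (8.4 GHz X-band downlink, 7.1 GHz uplink, 200 million km range, a 10 W lander transmitter with a 25 dBi antenna, a 25 K ground system temperature, 1 kbps, 3 dB required Eb/N0, 60% aperture efficiency) is a constructed assumption, not a figure from the thread; the 85-ft/9-m/30-m dish sizes and the 10 kW versus 500 W uplink powers are the ones the messages quote.

```python
"""Deep-space link-budget arithmetic for the figures debated in this thread.

Added example, not code from the original messages. Formulas are the standard
Friis free-space path loss and parabolic-dish gain; every scenario input below
is a constructed assumption except the dish sizes and uplink powers the thread
itself mentions.
"""
import math

C_M_PER_S = 299_792_458.0
BOLTZMANN_DBW_PER_K_HZ = -228.6      # 10*log10(k), k = 1.38e-23 J/K

# Constructed scenario (assumptions, not thread figures)
DOWNLINK_HZ = 8.4e9                  # X-band downlink
UPLINK_HZ = 7.1e9                    # X-band command uplink
EARTH_MARS_M = 2.0e11                # roughly 200 million km range
SPACECRAFT_TX_W = 10.0               # lander transmitter power
SPACECRAFT_GAIN_DBI = 25.0           # lander high-gain antenna
GROUND_SYSTEM_TEMP_K = 25.0          # cryogenically cooled LNA front end
BIT_RATE_BPS = 1000.0                # downlink data rate
REQUIRED_EBNO_DB = 3.0               # Eb/N0 the decoder needs, FEC included


def free_space_path_loss_db(distance_m: float, freq_hz: float) -> float:
    """Friis loss 20*log10(4*pi*d/lambda): the '>200 dB' figure in the thread."""
    wavelength = C_M_PER_S / freq_hz
    return 20.0 * math.log10(4.0 * math.pi * distance_m / wavelength)


def dish_gain_dbi(diameter_m: float, freq_hz: float, efficiency: float = 0.6) -> float:
    """Gain of a parabolic dish: 10*log10(eta * (pi*D/lambda)^2)."""
    wavelength = C_M_PER_S / freq_hz
    return 10.0 * math.log10(efficiency * (math.pi * diameter_m / wavelength) ** 2)


def eirp_dbw(tx_power_w: float, tx_gain_dbi: float) -> float:
    """Effective isotropic radiated power in dBW."""
    return 10.0 * math.log10(tx_power_w) + tx_gain_dbi


def downlink_margin_db(rx_dish_m: float) -> float:
    """Eb/N0 margin when the constructed lander signal is received on a dish of
    the given diameter: Eb/N0 = Pr - 10log10(k) - 10log10(Ts) - 10log10(Rb)."""
    received_dbw = (eirp_dbw(SPACECRAFT_TX_W, SPACECRAFT_GAIN_DBI)
                    - free_space_path_loss_db(EARTH_MARS_M, DOWNLINK_HZ)
                    + dish_gain_dbi(rx_dish_m, DOWNLINK_HZ))
    ebno_db = (received_dbw - BOLTZMANN_DBW_PER_K_HZ
               - 10.0 * math.log10(GROUND_SYSTEM_TEMP_K)
               - 10.0 * math.log10(BIT_RATE_BPS))
    return ebno_db - REQUIRED_EBNO_DB


def min_rx_dish_diameter_m(efficiency: float = 0.6) -> float:
    """Smallest dish that closes the constructed downlink with zero margin:
    solve the margin equation for receive gain, then invert dish_gain_dbi."""
    needed_gain_dbi = (REQUIRED_EBNO_DB
                       - eirp_dbw(SPACECRAFT_TX_W, SPACECRAFT_GAIN_DBI)
                       + free_space_path_loss_db(EARTH_MARS_M, DOWNLINK_HZ)
                       + BOLTZMANN_DBW_PER_K_HZ
                       + 10.0 * math.log10(GROUND_SYSTEM_TEMP_K)
                       + 10.0 * math.log10(BIT_RATE_BPS))
    wavelength = C_M_PER_S / DOWNLINK_HZ
    return wavelength / math.pi * math.sqrt(10.0 ** (needed_gain_dbi / 10.0) / efficiency)


def process_gain_db(chip_rate: float, bit_rate: float) -> float:
    """Direct-sequence process gain as defined in the thread: spreading chip
    rate over underlying data rate, in dB."""
    return 10.0 * math.log10(chip_rate / bit_rate)


if __name__ == "__main__":
    print(f"path loss Earth-Mars at {DOWNLINK_HZ / 1e9:.1f} GHz: "
          f"{free_space_path_loss_db(EARTH_MARS_M, DOWNLINK_HZ):.1f} dB")
    for name, diam in (("85-ft DSN dish", 26.0), ("9-m commercial dish", 9.0)):
        print(f"{name:22s} gain {dish_gain_dbi(diam, DOWNLINK_HZ):.1f} dBi, "
              f"downlink margin {downlink_margin_db(diam):+.1f} dB")
    print(f"smallest dish closing this downlink: {min_rx_dish_diameter_m():.1f} m")
    dsn = eirp_dbw(10_000.0, dish_gain_dbi(30.0, UPLINK_HZ))     # 10 kW into 30 m
    commercial = eirp_dbw(500.0, dish_gain_dbi(9.0, UPLINK_HZ))  # 500 W into 9 m
    print(f"uplink EIRP: DSN {dsn:.1f} dBW vs commercial {commercial:.1f} dBW "
          f"(commercial is {dsn - commercial:.1f} dB short)")
    print(f"process gain of a 1 Mchip/s code carrying 1 kbps: "
          f"{process_gain_db(1e6, 1e3):.0f} dB")
```

With these assumptions the Friis loss comes out near 277 dB, which is the "greater than 200 dB" Dave Emery asserts; the 26 m aperture closes the 1 kbps link with a few dB to spare while the 9 m commercial-class dish is several dB short, and the break-even diameter is about 15 m. The uplink comparison shows the DSN's roughly 23 dB EIRP advantage splitting into about 13 dB from the power ratio and 10 dB from the aperture ratio, which is the quantitative form of the "different power class, much larger dishes" point. Real DSN system temperatures, spacecraft powers and data rates differ from these constructed values, so treat the numbers as illustrative of the shape of the argument, not as mission figures.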