This repository contains the code for the paper "Satellite Spoofing from A to Z: On the Requirements of Satellite Downlink Overshadowing Attacks".
The specifics of experimental design, methodology and evaluation can be found in the paper. This work has been a collaboration between Edd Salkield, Marcell Szakály, Joshua Smailes, Simon Birnbach, Sebastian Köhler, and Ivan Martinovic from the Systems Security Lab at the University of Oxford, and Martin Strohmeier from armasuisse Science and Technology.
This repository firstly contains the code and results relating to out-of-beam loss in ./Fig_6/.
This contains the GNU Radio pipeline required to gather results for a real-world antenna, our raw data, and the Python scripts required to generate the plots from the paper.
All other figures and tables relate directly or indirectly to the overshadow factor due to modulation and coding. The remaining code consists of several Python scripts for simulation and graphing.
Repository: https://github.com/ssloxford/satellite-spoofing-a-z/
List of Programming Languages: [Python/sh]
Compiler Info: Python interpreter v3.11
For the simulations:
For the real-world experiments:
- GNU Radio
The datasets for graphs relating to the overshadow factor are generated by simulation automatically by the scripts.
The datasets gathered through real world experiments are in ./Fig_6/data/.
These experiments can be rerun as described in the section Running the dish attenuation experiments.
For the simulations, only a computer with a modern Python interpreter is required. For reference, we ran the experiments on a machine with the following specifications:
OS: Alpine Linux edge x86_64
Host: Latitude 7400
Kernel: 6.1.12-0-lts
CPU: Intel i5-8365U (8) @ 4.100GHz
GPU: Intel WhiskeyLake-U GT2 [UHD Graphics 620]
Memory: 4967MiB / 15821MiB
For the real-world experiments, the following additional equipment is required:
- 2x SDR e.g. HackRF One
- Monopole transmitting antenna and appropriate cables
- Various receiving antennas and appropriate cables
- Suitable transmitting amplifier
- Two laptops capable of running the GNURadio pipelines
The code can be run either in the supplied virtual machine (VM), or on your own machine.
When not using the VM, the Python packages can be installed either using your system package manager, or with pip as follows:
pip install typer numpy matplotlib seaborn tqdm
The figures and tables from the paper can be generated with ./runExperiments.sh.
Since the default number of runs of each experiment is high, the computation time is long.
You can therefore alternatively run ./runExperiments.sh --fast to generate approximate figures with a reduced number of samples.
The supplied VM has the following credentials:
Username: root Password: [empty string]
The scripts are found in /root, and are identical to those described in the section Running the code.
The figures are output to /root/out.
The RF signal level capture software consists of two GNU Radio pipelines: ./Fig_6/transmit.grc
transmits an FM voice signal complying with our amateur license requirements, and ./Fig_6/signal_strength_calibration.grc
receives the signal to calculate the received power level.
Dish attenuation can be measured from different distances and angles in the far field by transmitting the signal from a monopole antenna and moving this transmitter relative to the receiver.
The experiment proceeds as follows:
First, the GNU Radio pipeline must be modified to use the appropriate SDR as the input source, and the limits in the relevant widgets changed to take advantage of the capabilities of the hardware. Once started, the user interface presents a variety of widgets to control the data collection.
Firstly, the features needed to achieve correct tuning:
- The Center Frequency input tunes the SDR RF center frequency.
- Since most SDRs have a significant DC peak, tuning the SDR to the same frequency as the intended signal is not recommended. To get around this, the software also provides a Signal Offset input, which digitally re-tunes the receiver. It is recommended to keep this offset well below the RF bandwidth of the SDR to avoid attenuation at the edge of the RF bandwidth. Our experiments usually used a 200-400 kHz offset.
- The waterfall plot shows this re-tuned signal.
- The measurements only cover the power in a small frequency range around the set value. When tuning and looking for the experimental signal it is useful to see the entire spectrum, not just this narrow range. However, when fine-tuning, it is important to make sure that the test signal is safely inside the measurement range. The Show LPF checkbox switches the waterfall to show only the filtered spectrum, which is what the signal strength measurement uses.
- To comply with RF regulations, experiments were performed in FM voice amateur bands, and a short message and the call sign were periodically transmitted. Between these transmissions, the FM carrier is a pure sine wave, and this is used to measure received power. To monitor the signal quality, and to make sure that measurements are only taken in the silent periods, the FM voice channel is demodulated and played as audio.
Secondly, the steps to ensure optimal receiver sensitivity:
- The Gain slider adjusts the hardware gain of the SDR in use.
- The Saturation widget shows a rolling maximum of how close any raw input IQ sample came to the clipping value. This value must be kept below 1 at all times, since a saturating receiver introduces artifacts in the data. A very small value also decreases measurement accuracy, since the signal is increasingly lost in the quantization error and noise floor of the receiver. In our experiments, the 0.1 - 0.5 range was targeted.
- The AGC Mode dropdown selects between 3 modes:
  - Off: The AGC does not change the gain. This was used for the experiments, relying instead on the human operator to make changes when needed.
  - Sweep: The gain is increased from its current value until the saturation reaches 0.9. Measurements are automatically taken after every step. This was used during calibration, when measuring how linear the measured signal power is versus the gain of the SDR.
  - On: The gain is adjusted to keep the saturation close to 0.5. This was not used.
- The Amplitude and RMS outputs show the current average amplitude of the signal around the tuned value. These values are saved to the output every time a measurement is taken.
Finally, measurements can be taken:
- The Dish name and Angle inputs can be used to tag the circumstances of the measurement. Their values are saved together with the measurements for every data point. To properly register changes to these fields, Enter needs to be pressed after changing the value.
- The angle between the transmitting and receiving antennas is changed, and the new value is recorded in the Angle input.
- If the input saturation strays from the ideal value, the Gain is manually adjusted.
- The Save button saves the current Average(Amplitude) and RMS(Amplitude) values to the output file, as well as the date and current experiment name.
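The following is an added, offline illustration of the measurement chain described above, written for this README and not part of the repository's signal_strength_calibration.grc flowgraph: it emulates the Signal Offset re-tune, the narrow "Show LPF" measurement band, the Saturation metric, the Average/RMS amplitude outputs and the Sweep AGC stopping rule on a constructed I/Q capture. The sample rate, the DC-peak level, the filter bandwidth and the linear gain model are assumptions.

```python
import numpy as np

FS = 2_000_000   # assumed SDR sample rate in Hz
CLIP = 1.0       # full-scale magnitude of normalised SDR I/Q samples


def constructed_capture(offset_hz, amp, n=1 << 16, seed=0):
    """Constructed raw I/Q block: the silent FM carrier as a pure tone at
    +offset_hz, a DC spike standing in for the SDR's DC peak, and noise."""
    rng = np.random.default_rng(seed)
    t = np.arange(n) / FS
    tone = amp * np.exp(2j * np.pi * offset_hz * t)
    noise = 0.01 * (rng.standard_normal(n) + 1j * rng.standard_normal(n))
    return tone + 0.3 + noise          # 0.3 is the constructed DC peak

def saturation(iq):
    """Saturation widget: how close any raw I or Q sample came to clipping."""
    return float(max(np.abs(iq.real).max(), np.abs(iq.imag).max()) / CLIP)

def retune_and_filter(iq, offset_hz, bw_hz=20_000, taps=401):
    """Digitally re-tune by Signal Offset (shift +offset_hz down to 0 Hz), then
    keep only the narrow band that the 'Show LPF' view displays."""
    t = np.arange(len(iq)) / FS
    baseband = iq * np.exp(-2j * np.pi * offset_hz * t)
    k = np.arange(taps) - (taps - 1) / 2
    h = np.sinc(bw_hz / FS * k) * np.hamming(taps)   # windowed-sinc low-pass
    return np.convolve(baseband, h / h.sum(), mode="valid")

def measure(iq, offset_hz):
    """Average(Amplitude) and RMS(Amplitude) as the Save button records them."""
    mag = np.abs(retune_and_filter(iq, offset_hz))
    return float(mag.mean()), float(np.sqrt(np.mean(mag ** 2)))

def sweep_agc(iq, offset_hz, gain_db=0.0, step_db=1.0, target=0.9, max_steps=60):
    """Sweep mode: raise the gain step by step until saturation reaches the
    target, taking a measurement after every step. The hardware gain is
    modelled as a plain linear scale factor, which is an assumption."""
    log = []
    for _ in range(max_steps):
        scaled = iq * 10 ** (gain_db / 20)
        sat = saturation(scaled)
        log.append((gain_db, sat, measure(scaled, offset_hz)))
        if sat >= target:
            break
        gain_db += step_db
    return log
```

Calling measure(cap, 300_000) on a capture built with constructed_capture(300_000, 0.2) recovers the 0.2 carrier amplitude, whereas measure(cap, 0) reads the 0.3 DC peak instead, which is why the Signal Offset is used rather than tuning directly onto the signal.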
This software is licensed under the GNU GPLv3.
Since the simulations for the graphs are stochastic in nature, the results computed will differ slightly from those in the paper. This is most noticeable in Table 1, which tabulates precise numbers.
Certain figures and tables from the paper are not covered by this repository, because they do not represent results derived from computation. We explain how these can be derived:
Figure 2 is an illustrative diagram, and does not contain results. Figure 5 is a collection of photographs, so is not considered here.
Table 2 is a tabulation of data measured using the same GNURadio pipeline as in Figure 6. Table 3 is data calculated by free space path loss from publicly available sources, which are referenced in the paper. This calculation was done manually, and is explained fully in the paper. Table 4 contains the manually calculated results of minimum attacker power from the variables derived elsewhere in the paper. Table 5 is a summary of publicly available information on transmitter equipment costs.
Code formatted with the linter black.