If, like me, you know too much and nurture a healthy sense of paranoia when it comes to your devices keeping tabs on you, you keep your eye out for devices which are built with your privacy in mind. When I heard about a GDB satellite pager my heart skipped a beat and I thought I had found the ultimate personal privacy device, a pager that could not be tracked or traced for receiving encrypted messages which had been sent via obfuscated traffic patterns.
Of course I fell in love with the idea of a satellite pager, I am old enough to remember carrying an old school pager and I just love the idea that a communications device I carry around with me cannot be tracked. I also love space in general, of course I love the idea of messages being beamed down out of space to my device.
If you work in the information security space there is absolutely nothing not to like about the new Iridium GDB Pager from a privacy and security perspective, its the ultimate paranoid people device, perfect for frustrating your peers who prefer instant two way IM communication and people who might be tracking you.
I you think that I have zero issues with this device you would be mistaken and we will arrive at what I think is wrong with it a little later in the article. For now let's focus on what this device does right, which is covert communications.
Covert Communication With Operators In The Wild
The GDB pager is not actually meant for the likes of me, I just really want one to satisfy my own paranoia, it is meant for organizations in the defense space who may or may not be operating networks of operators in the wild. The GDP pager is a security hardened satellite pager which allows you to disseminate messages to multiple operators who may or may not be spread over a wide geographical area.
What I like most about the GDB pager is that it will work anywhere on earth thanks to its connection to the Iridium global network of satellites which relay messages to the pager, meaning that it has no dependance on terrestrial infrastructure, you cannot be tracked in the usual ways when using the device. It even receives messages when you are inside buildings and does not rely on line-of-sight.
Forget cover communication with operators in the wild for a moment, who doesn't want a device that cannot be tracked in this day and age when everyone from your ISP to the people who make your apps want to harvest and sell your location data?
The GDB pager is a receive only device, meaning it cannot be tracked using radio frequency monitoring because it has no transmission capability, RF hunters cannot find you when using one of these. Perfect for dropping off the radar completely.
All messages sent to the GDP pager are encrypted with AES Encryption using the Cipher Block Chaining (CBC) mode with a random Initial Vector per message and can only be decrypted on the device. Message data that sits at rest on the device is encrypted and are only decrypted when you view them on the screen. If the device ever falls into enemy hands, the messages can be wiped remotely to keep them safe.
To increase message security beyond encryption, you can specify that messages be sent to closed user groups and ensure that only authorized devices see the messages, allowing you to be granular in the way you communicate with groups.
Traffic Pattern Obsfucation
For some people in the information security space intercepting satellite communications is a hobby, for others it is the cornerstone of a good SIGINT capability. When building a device that will frustrate either of these two groups you have to double down on your operational security and the GDB pager does just that with traffic pattern obfuscation. Even if a message is encrypted, sharp eyed analysts can infer associations to activities and events by observing the existence of the messages, their frequency, patterns in their content and even by the length of the message.
Traffic pattern analysis combined with intelligence gleaned from other sources, can be an effective tool, so the GDB pager works to frustrate this with a traffic pattern obscuration technology (TPOT) that they affectionally pronounce as 'tea pot'.
TPOT works by generating artificial messages and then flooding the network with them to simulate the traffic generated during a real event, perfect for hiding your real messages in amongst the chatter. It uses probability based techniques to maintain a continuous stream of traffic during the kind of situations where you need to disguise your traffic patterns. You can create profiles to simulate different traffic patterns for different scenarios with a built in analyzer program that lets you build profiles from historical traffic, which is a great capability to have if your adversaries are sophisticated.
If your operators in the wild happen to be door kickers they probably break their devices all the time, so the GDB pager has a rugged design and is made out of a tough polycarbonate with a rubber cover that is designed to withstand rough treatment and use in rough conditions. It doesn't seem to be waterproof though.
It has two-factor authentication (implementation unknown) so that messages can only be viewed with a PIN, as well as a tamper detection capability which is activated if the case is opened. This triggers the firmware to erase the encryption keys, the messages and finally itself, making the device totally unusable unless you send it back to the factory to be repaired. Handy if you have trigger it in an emergency.
So What Does The GDB Pager Do Badly?
I never go to war zones and I don't usually wander around in desolate foreign lands, I am hopefully not the sort of person that nation states want to track, but I am a privacy minded individual considering this device for my personal use.
I just like the idea that nobody can remotely track me if I carry the GDB pager as my sole device and I also really like the idea that I can be off grid and still receive important messages, I am also guilty of being romantic and nostalgic about my old pager.
The GDP pager is not a consumer device and it's not meant for personal users like me, not because it wouldn't work, but because of the expense involved in buying the hardware and paying for the messages. Also because of the way you send messages to the device, there isn't a simple service you can call who will send you the message.
I found all of this out after cold calling Richard Prodger of two10degrees, one of the two companies in the world who sell this device. He very helpfully explained the message delivery mechanism and the associated costs, he also educated me on the device capabilities which made me want one even more. Thanks Richard!
The cost of the device itself is not prohibitive, the GDB pager costs just under a thousand dollars to buy making it comparable in price to an iPhone, but it is the messaging costs and the way you send messages to devices which will confound your everyday privacy conscious consumer like me, its impractical and expensive.
To send messages to the device costs approximately $5+ USD per message depending on how you send them. You can't just send messages to a specific device and nowhere else, instead you must broadcast the message from space and cover a specific geographical area of your choice using the back end messaging platform.
Unlike commercial pager services where your contacts call up a service and the message gets sent out over the cell phone infrastructure, your contacts need to have access to the back end secure messaging platform, choose which country or continent you are probably in and then blast the message out over that area. You can choose to beam down a message to a small region, a country, a continent or the planet and this choice or geographic region is what determines the cost of the message.
While $5+ to send a message may seem steep, it's the same cost to send a message to one device as it is to send a message to a thousand devices, the price is dependent on the geographical spread of your chosen broadcast area. This makes sending messages to the device expensive and cumbersome for individuals, but inexpensive and flexible for organizations who regularly want to covertly communicate with different groups of operators scattered around the planet in remote locations
It's not expensive enough to put off paranoid, affluent, individuals though. The back end is an appliance hosting a messaging portal which relays the message through the one-to-many Iridium Burst data broadcast service and you can have that appliance installed on a cloud server, or on-premise in your own datacenter. Once you setup the back end infrastructure and buy the devices you can be the proud owner of your very own global, untraceable and covert communications broadcast system.
Can You Attack It?
We do not really know for sure because we have not actually had our hands on this device, am hoping somebody will send me one to properly review. I asked Adrian Sanabria who runs strategy over at NOPSEC about attacking the device and he told me that he would be interested to know how the 2FA was implemented and also how he would not be comfortable using it unless he properly understood how the end-to-end encryption was implemented, details on both are scant. I plan to follow up with both the device manufacturer, the reseller and Iridium to get some more clarification around the specific encryption and security employed on the device.
What Is The Operator Verdict?
It really does not matter what I think, we have already established that this is not a device for the likes of me and much better suited to operators in the field, so I spoke to Jon Case, an algorithmic warfare engineer in the US military who is currently deployed overseas, and sought his opinion on the GDB pager and its utility.
He told me that he thinks this device is cool but it also presents new challenges when dealing in the realm of spectrum management and signal overlap which causes real world issues in operations. Jon explained that the military operates on hundreds of different wavelengths, but most in the military typically don't account for the fact that the different frequencies aren't unlimited and it can get messy.
Pair the spectrum management issues with the fact that they already have gear that can handle their communication needs in the field (without the messaging cost overhead) and Jon thinks that it is an unlikely chance that this device will meet the needs of conventional forces in the field. Jon was unable to speak for SOCOM or JSOC.
He also noted that they do mention encryption, but without knowing how the algorithm or key size was being used, he wasn't willing to conclude that he likes the device just yet. The last point he made was about how this device can reach pole-to-pole without a loss in signal. They point out that GPS loses signal indoors, but even Jon's $1000 land navigation devices from Garmin (literally known for their high performance GPS devices) lose signal in some areas in the Middle East leaving him in digital darkness. Jon does thinks that without extensive field testing in harsh and unknown environments this is merely a conversation of the theoretical.
We think it unlikely that the GDB Pager will ever be bought by consumers or adopted by conventional nation state military forces unless they lack a similar capability, but it is highly likely that this device will be bought by affluent and paranoid individuals, security conscious private organizations and organized crime groups. After El Chapo got caught because of insecure communications, crime syndicates are probably looking around for a secure messaging solution.
We also don't know enough about this device's security to give a verdict, we need to know about the 2FA is setup and how the encryption is handled in order to provide a more conclusive verdict from an information security perspective. We really want to attack the device in different ways in order to test its security features.
We would first field test the GDB pager in remote locations by sending it to friendly operators who could use this device, it would then be sent to those who intercept satellite communications so that they could test the robustness of the traffic obsfucation system and finally we would send the device to the hardware security guys to properly test the anti-tamper capability. We would also need to penetration test the back end messaging infrastructure too, only then would we begin to trust this device.
As with any security/privacy product, it is never trusted by infosec professionals until it has first been attacked and disassembled by people who know things. In principle though we love the idea of a secure satellite pager. If anyone from GDB or Iridium fancies sending one over, we will happily put it through its paces properly.
For transparency purposes I do not own equity in this company, nor have I been paid for this article, I just like cool new technology and covert communications is an interesting subject that I plan to explore and write about over time.
If you liked this article, you should definitely follow me on Twitter!