Satellites are full of exploitable vulnerabilities. Satellite security researchers believe attackers could exploit these flaws to launch themselves into orbit, closer to more valuable targets.
While it takes a rocket scientist to put a satellite into orbit, apparently, it doesn't take a human to crack it. Some of the satellites whizzing by our planet have worse security than the equipment you're reading this article on.
According to a new paper by researchers at Ruhr University Bochum and CISPA Helmholtz Center for Information Security in Saarbrücken, the communication orbiters on which our modern lives depend do not use even basic encryption and are vulnerable to cyber attacks.
The research team delved into several small satellites and a medium-sized device. Interestingly, one of the devices has a commercial use, orbiting the Earth to monitor it. Commercial companies rarely share detailed information about their software.
Technically, there's nothing stopping us from exploiting their [satellite exploits]. The only fact is that we are researchers and we tell the operators about our findings. For example, if someone wanted to blackmail a satellite operator, that would certainly be possible.
However, with the help of the European Space Agency (ESA), various universities involved in the satellite's construction and a commercial enterprise, researchers managed to obtain closely guarded details.
Doctoral student Johannes Willbold from Bochum, one of the team leaders behind the paper, says his team has discovered several exploitable vulnerabilities in the satellite.
Malicious hackers can easily crack them using off-the-shelf equipment.
Discussing the report, colleagues said "hardly any modern security concepts have been implemented".
Modern operating systems, such as Windows or macOS, have a number of defenses in place to prevent the vulnerabilities we discovered. Usually, everyday devices have defenses in place to prevent the memory corruption vulnerabilities we discovered from being exploited.
Plus, it's much harder to exploit vulnerabilities on the computers you and I are running now. You need a second or third vulnerability to build an exploit chain where an attacker can actually do something.
On the satellite, none of these defenses were found. Even the defenses implemented in modern operating systems in the early 2000s are not present on satellites. This is what we call "missing modern security".
When we browse any website, encryption or authentication is running in the background, usually there is no protection for remote control commands. It's also one of those measures we take for granted, which satellites don't.
To be sure, the engineers who build the satellites are not ignorant of basic cybersecurity.
Everything you do in space is harder for a reason. For example, the cryptography in outer space is more complicated, and if something goes wrong, you will never be able to physically access your assets again. If you lose satellite access, you will not be able to install new drivers or request new keys.
Another thing is the radiation and general conditions of outer space, which can degrade your memory and destroy key materials. Implementing something as simple as encryption is much more difficult because some recovery must be implemented.
Ultimately, satellite creators must decide when to remove encryption to restore their assets. They have to figure out what to do when a radiation event destroys the key. But in general, safety in space is much more difficult.
Existing security measures appear to be working, as we are not aware of any public incidents where satellite security flaws were exploited. There may be some secret cases, but we don't know about them.
What are the benefits of intercepting or hacking satellites?
The main problem with taking over a satellite is that an attacker can get into orbit. Launching satellites is still very expensive and requires a lot of work and time. A hacked satellite might not be the primary target -- the attackers could use the spacecraft to get closer to their real target. Suddenly, the threat actor pushed the target satellite even closer.
With the right distance, they can start intercepting communications like remote commands, which is difficult without direct access to the satellite provider's ground station.
Attackers may also attempt denial-of-service attacks against satellites. Eventually, if you start crashing one satellite into another, it can cause a chain reaction that robs everyone of space.
How likely is this? have no idea. But of course people should keep that in mind. The real problem is that an attacker can get into the orbital plane and access command assets in space.
Assets themselves may not be actual targets. It may be a different target that cannot be attacked directly. But this information can be obtained if an attacker gets close. This is an interesting attack vector.
It was long believed that only nation-states could afford communications equipment to communicate with satellites.
We see this in other areas as well, such as the mobile or cell phone community. Base stations have long been thought to be too expensive for attackers, meaning only nation-states would have them. Therefore, it was thought that the attacker would not have the base station.
Now, we are seeing a similar story repeated in the field of satellite security. Today, you can buy a brand new ground station in low Earth orbit for $10,000. While it's not cheap, it's certainly within the reach of motivated enthusiasts.
Technically, there is nothing stopping us from exploiting them. The only fact is that we are researchers and we tell the operators about our findings. But if, for example, someone wanted to blackmail a satellite operator, that's certainly a possibility.
Satellites are getting cheaper, more people are involved in making satellites, they have commercial off-the-shelf components, and people switch between teams. There is a lot of knowledge out there. The perceived obscurity is slowly fading as it becomes easier to get into the subject matter.
Of course, if we're talking military satellites, prioritizing obscurity security is certainly an option, assuming they implement proper protections for remote command access and other security measures.
On the other hand, it hinders researchers from making insights. If you are open about your system and show researchers what that system looks like, people will come and show how it can be done better.