Transcript
About a year ago, six academics from Ruhr University Bochum and the CISPA Helmholtz Center for Information Security set out to survey engineers and developers on the subject of satellite cybersecurity.
In some ways, it didn’t go so well. After reaching out throughout the industry, they received a whopping 19 responses representing 17 satellites (though the respondents had worked on a total of 132 satellites in their careers). The researchers lamented in their report how, quote:
“It should be noted that even with the 19 valid responses we received, it took about four months to convince people to complete the survey. In general, we observed that people were very reluctant to share any details about their satellites and their security aspects.”
Why were satellite engineers so reticent to talk about cybersecurity? What was so secretive, so wrong with it, that they didn’t feel they could answer even general questions, anonymously?
Because let’s be clear: if there’s something wrong with the security of satellites, that’d be a serious problem.
Satellites in Orbit Right Now
According to the website “Orbiting Now,” as of this recording, there are 8,705 active satellites orbiting the planet.
They’re owned by telecommunications companies, military and defense organizations, even universities. They’re providing internet, television, and phone services to millions of people around the globe. They’re enabling scientists to study the climate, and emergency responders to more quickly respond to serious events. They’re providing us with the GPS used in your car, or on your flight. Farmers are using them for their crops, and armies for their missile targeting. They’re interwoven into the fabric of daily life, in ways that you might not even realize, which makes it concerning to imagine what would happen if they suddenly weren’t available.
In late February, 2022, the German wind power company Enercon lost remote control over 5,800 of its wind turbines: equivalent to 11 gigawatts, enough to power roughly 150 million lightbulbs.
Luckily, the turbines continued running on their automatic mode, and power to German civilians went uninterrupted. That, despite what appeared to be the reason for the shutdown: 30,000 satellite communications terminals taken offline at Viasat, their American internet service provider with a satellite service business based in Europe.
While Enercon managed to keep its turbines running, and Viasat scrambled to figure out what was wrong, one mystery hung over everyone’s thoughts. As Enercon wrote in a statement, quote:
“The exact cause of the disruption is not yet known. The communication services failed almost simultaneously with the start of the Russian invasion of Ukraine.”
While missiles and troops crossed into the sovereign territory of Ukraine, state-level hackers performed disruptive and destructive attacks against organizations throughout the country. And, in the case of Viasat, outside of it. A month after the fact, two researchers revealed that Russian operatives were the ones who attacked Viasat, deploying a wiper they called “AcidRain” to take its routers and modems offline.
And even a year later, the company claimed it was still under attack. According to its CISO, a second phase of the attack involved targeting, quote, “specific terminals to not let them back on the network,” demonstrating, quote, “highly technical knowledge of our network.”
Even the NSA, according to one agency spokesperson, was caught off guard. But the move was strategic. You might remember how Russian forces disrupted the internet in vast swathes of the country during their invasion, and pockets of Ukrainian citizens turned to Starlink for what little signal they could get. The Russian army paired comms disruptions with intimidating texts to Ukrainian soldiers, a deepfake of President Zelenskyy surrendering, and an onslaught of other fake news that kept Ukrainians from hearing or sharing their side of the war’s story.
More Potential Consequences
So that’s one way a satellite systems hack might go down. Or…
“[Johannes] If you’re, for example, thinking about Earth observation satellites, then maybe you want to introduce or remove artifacts from these images.”
That’s Johannes Willbold, one of the authors of the Bochum-CISPA report, who presented at this year’s Black Hat on the subject of satellite security.
“[Johannes] So maybe you’re making an image of a particular interesting region, and maybe you want to remove a certain house.”
Just as easily, a hacker could siphon data from the satellite — for example, in an act of military espionage — or steal intellectual property about the satellite, for economic purposes.
“[Johannes] If you’re more talking about communication satellites, then maybe denial of service is pretty interesting. It’s kind of the same ideas when you break the end user devices, but in this case, you maybe have to break just one satellite.”
This could look like a DDoS attack, or even a ransomware attack. In such a case, disruptions could affect wide regions of a particular country, as in Ukraine, or they could affect people who rely especially heavily on satellite connections because they’re in some remote part of the globe. A scientist at the North Pole, for example, couldn’t exactly get a technician from Verizon to come out and troubleshoot for them.
And beyond communications, disruptions could impact sensing and imaging and various other functions that militaries perform for national security, critical services used to find and help people, and so on.
“[Johannes] And obviously, when you go a step further, you can also kind of like try to take control of your satellites.”
You could, for example, conceive of an attacker with control system access maneuvering a satellite to turn away from Earth, towards the sun. This could cause disruption, obviously, and damage the satellite, potentially irreparably.
Alternatively, they could try to adjust the satellite’s orbit in order to collide with some other object in space. Your imagination can take it from there…
“[Johannes] And finally, if you’re talking about compromising ground stations, it’s very similar. Again, you might want to, for example, capture the information. You have some kind of like human in the middle attack maybe. You want to alter the communication that goes through the satellite, or you want to take full control of either the full network, like in a Viasat incident.”
This last distinction is important. In the Viasat story, Russian state-sponsored hackers compromised routers and modems — ordinary parts of a ground station network, just like any other IT network. In that sense, it was like any other cyberattack you’ve ever heard of.
What Johannes’ research focuses on, by contrast, is the potential for attackers to hack satellites directly.
Modern LEO Tech
“[Johannes] Usually, I look at the kind of satellites that you would find in Low-Earth orbit. And they are specifically interesting, because we’re currently in this, like, era of space that is called the new space era.”
Not that long ago, it was a really big deal to launch someone or something into space, and there wasn’t nearly as much flying around up there.
In the “new space era” we’ve begun to sort of take it for granted, because it happens so often and because it’s so much more attainable, for two primary reasons.
“[Johannes] Launch prices went pretty down, so it’s a lot cheaper to get into low Earth orbit. And that’s why we’re seeing so many people now deploying to Low-Earth orbit.”
Besides launch prices dropping, there’s the technology on the satellite itself.
Not so long ago, even a single processor for a satellite might have cost tens, or even hundreds of thousands of dollars, because it was a highly, highly specialized thing designed specifically for use in space, usually by nation states and international companies, and it had to be very thoroughly vetted to receive proper certification — so-called “flight heritage.”
“[Johannes] And this kind of stuff works well when you’re like a super big multimillion or multibillion-dollar company because you can afford it. And ultimately, you have the insurance that somebody will cover your satellite if it fails, and you have also a lot of proof that it probably won’t fail.[…] But it also won’t be very fast, and it takes literally decades to make iteration or changes, since all the hardware that goes on the next satellites has to be flown on a previous satellite. So you have a lot of technology testing.”
Compare that with today.
“[Johannes] You can literally go on the internet, click together your satellite and buy it. Well, it’s expensive. It won’t be in the range of individuals, but you can do this, and you couldn’t do this 10 years ago.”
What makes it so cheap is that these machines use a lot of the same components we’re used to down here.
“[Johannes] The idea is really that you take stuff from Earth that is already cheap and put it into space. And this way, your spacecraft also becomes cheap.”
For example…
“[Johannes] A regular microcontroller, like an ARM microcontroller, STM32, for example, if somebody is more close in this field, where you would find SPARC processors.”
ARM processors already make up somewhere around 15% of the global processor market, most commonly found in regular MacBooks, so it’s not like they’re highly specialized space tech.
Similarly, like any computer, satellites have an operating system, with just one important difference. Think about running any kind of process on your laptop.
“[Johannes] I’m sure it’s happened to you in the past that the process just hang up because the operating system couldn’t get back to it in time. This is this like we are waiting since X seconds and the application hasn’t responded. This is when an application hangs up. Now, this would be a pretty big problem in an aircraft or an automobile, or satellite. And in these cases, you want to have something that is called the real time operating system.”
Real-time operating system, or RTOS for short.
“[Johannes] And this basically provides the guarantee that this process gets – we will get back to this process in, for example, two milliseconds. So I’m assured that 500 times per second, this process, the small loop gets executed and the small loop might be, read sensor value and act upon it. And this is important in space because you want to steer your satellite and, but this is kind of, this guarantee that stuff happens in real time. [. . .] And when you combine this with these regular microcontrollers, and a lot of sensors, for example, you have temperature sensors, you have magnetic sensors, and so on, and then maybe regular flash memory, this is really the setup. So the actual technical setup is pretty, pretty simple on satellites on, at least, like newer Low-Earth orbit satellites.”
There are a few more differences between a satellite and your typical computer, like all the radiation shielding needed to protect a processor in the sky from cosmic rays. But, generally, this is the basic outline: an RTOS, microcontrollers, sensors.
Being able to use familiar, commercially available parts makes it much cheaper and more attainable to build satellites. And, by the same token, to attack them.
Logistics for Hacking a Satellite
“[Johannes] So you get your own radio hardware, you get your own antenna, which is not too expensive. You can, for example, get like one that can talk UHF, VHF in Low-Earth orbit with Low-Earth orbit satellites for like $10,000. It’s not incredibly cheap, but still, certainly in a range of criminals.”
With proper hardware, an attacker might be able to communicate directly with a satellite, if they could find out which radio frequencies to tap into.
“[Johannes] This is oftentimes open information, even for companies. You can, for example, go to the FCC and check the filings; what is the frequency of the command or control channel, which is surprisingly well documented and freely available.”
There’s other information you’d need, too, like frequency modulation — what kind of protocol your target satellite is using. If there’s no better way to obtain this information, you could probably find it with a bit of brute force.
“[Johannes] There are only so many, like standardized protocols for this kind of like low level interaction.”
You’d also have to find out where exactly your satellite is in space. This information is publicly available thanks to NORAD, the North American Aerospace Defense Command, but then there’s one big, perhaps rather obvious problem that remains.
“[Johannes] When you think about the old satellites, geostationary Earth, or geostationary Earth orbit satellites, it’s right there in the name, it’s geostationary. So it will always be above the exact same point. But that is only the case when it’s very far out there. And because of physics, it stays there. In Low-Earth orbit, things are different. Things are moving very fast. So for example, satellites are moving with like 25,000 kilometers an hour.”
Any connection to a low-Earth satellite could only be maintained as long as the satellite is in a visible area of space — otherwise, there’s going to be a planet in the way of your comms link.
“[Johannes] When you go outside, you can only see so far over the horizon. And so when a satellite appears over the horizon, and disappears back at the other side of the horizon, your time window in this time might be 10 minutes or less.”
The exact timeframe would depend on the angle of its orbit, relative to your position. If a satellite flies directly over your head, you’ll have a view of it for longer than if it makes its arc far off in the distance.
“[Johannes] So unless you have like a whole coverage of like ground stations across the world, to have like kind of an almost uninterrupted communication time in which almost nobody has, since there’s a thing called oceans, then you might just have a few minutes. And for example, four times a day.”
A cyberattacker would need to mathematically work out their window of opportunity to communicate with a satellite, then conduct the entirety of their attack in a window of less than ten minutes, or chunks of ten minutes spread out over time.
It doesn’t sound particularly easy. But if they could pull it off, they’d have some massive advantages in their favor.
The Security Problem
Satellite ground networks are, as we’ve mentioned, like any other IT network, and so they can be protected like any other network — antivirus, detection tools, or even the very fundamental security features we take advantage of in modern computers.
“[Johannes] But none of this has really reached the space domain in the sense of the, whatever goes into the satellite, because all of your things take away a little bit of your processing budget.”
It’s not just greedy companies wanting to skimp on security costs — there are genuine, operational reasons for sidelining these protections.
“[Johannes] As I previously mentioned, they’re using real time operating systems, which are usually trimmed to be very, very efficient, since they are running on super low processors. So they don’t have a lot of these mitigations that we would find in modern terrestrial applications, just because they’re running on these fast modern processors, and nobody really cares about 1%, or 2%, or 3%, or 5%. And on the spacecraft, they care about this. […] So they have these old systems that don’t have these defenses. And this is kind of the same thing. It’s not like people are often deliberately choosing, “Oh, I want this operating system without any mitigations.” But rather, it’s a case of, “I just take what’s there, and what’s there doesn’t have the defenses.””
Just as ground stations reflect IT networks, satellites reflect industrial machinery — legacy systems built without security in mind. This opens up multiple different vectors of attack, for example…
“[Johannes] The hardware that is up there, even a lot of it might be a little bit older. So the encryption that can be done on these processors is maybe not too strong. So maybe they can’t do AES-256. [. . .] And when you’re thinking about these slow processors, you also open up the door to pretty old attacks on cryptography. So years ago, we had, for example, timing attacks, where you could exploit certain timing mismatches and try to figure out the key of the encryption or just one correct signature. This is something that you can do.
And there’s also this whole topic of, how do you do recovery of a spacecraft in space? So people, even when they protect their satellites, which looks fine the first time and in the first place, then how do you do recovery if the key gets destroyed on the satellite because of radiation, or if you lose a key on Earth?
So people want to have some kind of like way to still access to a satellite. So there’s usually some recovery routine, which usually is, if I haven’t received in like three, four, or five days, a valid command, then I’m just dropping the encryption. So maybe you can jam the satellites for a few days.
And this is only the start. There can still be vulnerabilities in actually decoding the protocols and doing the decryption. And there are a lot of, the vectors that you have seen in the last two decades in terrestrial software. So a lot of ways that it’s not there, and a lot of ways that can be broken.”
Like legacy industrial equipment, satellites have all kinds of complicated vulnerabilities. But unlike a nuclear reactor or an electrical transformer, as we’ve established, a hacker could theoretically communicate directly with a satellite. So while industrial facilities have a first, IT line of defense, with satellites, you really do need to have built-in security.
But that does not seem to be present in the satellites in orbit around us right now.
Security by Obscurity
Of the 17 satellites represented in Johannes’ study, the engineers behind nine of them claimed to have some cybersecurity protections in place. For five more, the engineers were unsure about it. In three cases, they admitted to having zero cybersecurity in place whatsoever.
And if that sounds bad, consider that these were the engineers who agreed to participate in the study. Many, many more opted not to. It would make sense that those more reluctant to talk would be more likely to have poorer cybersecurity in place. Either that, or, perhaps, not talking about their security is their version of security.
“[Johannes] Space people still live in a so-called security by obscurity thinking: If I don’t publish a protocol that my telecommands use, nobody can access it. So, in fact, we did a survey amongst people and asked them, and most of them actually said, “Well, this is encryption of protection that we have.””
Quote:
“For decades, the satellite community and developers have acted as gatekeepers for the topic of satellite security [15]. By keeping the software and components of satellites under lock, they created a “barrier of obscurity” that prevented any meaningful research on this subject. Hence, external communities had no way to study satellite internals and potential security issues.”
This strategy may have worked reasonably well back when satellites were made up of highly technical, bespoke components. Nowadays, because they’re composed of more ordinary parts, it’s far easier for anyone from the outside to break this seal of obscurity.
Vulnerabilities
The proof is in Johannes’ study. After, quote, “a long period of persuasion, trust building, discussions, and contracts,” the researchers finally got their hands on three real-world satellite firmware images: a window into recently launched, modern spacecraft, to see whether they might have holes in them.
In analyzing the firmware, they alone discovered 13 “security-critical” zero-day vulnerabilities which could allow an attacker with a connection to take control of these machines in orbit. (For context: good zero-days in significant technologies can go for five, six, even seven figures or more on the black market.) These vulnerabilities ranged from, for example, unsecured or outright insecure-by-design communications with telecommand centers, to a simple buffer overflow flaw in the processing of ICP packets, allowing an attacker to execute custom malicious code on the machine.
It’s entirely likely that plenty more vulnerabilities existed in these same satellites, which would be revealed under more scrutiny.
The Difficulty in Patching
Now let’s say manufacturers and operators wanted to fix firmware vulnerabilities affecting their spacecraft, or add even basic security measures like strong encryption. Here we have yet another problem.
Satellites can receive updates like any other networked device, but they run on processors that typically don’t have a lot of extra capacity for computation beyond what they’re already busy doing.
“[Johannes] Pulling all the sensors and acting upon the sensor values, and decoding stuff, and doing also images, and maybe compressing these images since the downlink is super tight. So they’re also doing, they’re already doing a lot of computation, heavy tasks, and they’re low performance system. And usually, they have been built to work with exactly this task. So if you add tasks that are computationally intensive, which is, for example, asymmetric cryptography, which you would need for a key exchange, then that’s just maybe not something that fits into like power budget even.”
This issue is especially noticeable in older satellites, or satellites that simply run on older parts.
“[Johannes] So adding stuff is not necessarily, not impossible, but maybe just resource constrained. And this is something that also new processors get faster. There’s more energy, there are better solar cells, and so on. So stuff that will be fixed, but it’s not just the thing that somebody decides, “OK, I’ll do my – I do now for my security and upload a new image.” And on some satellites, it will work exactly that way, but oftentimes, it won’t.”
What’s Being Done
“[Nate] Is there anything happening there that suggests to you that this picture could change soon?
[Johannes] So there’s actually a lot happening regarding this, and I think it will be changing.”
Following the attack on Viasat, the Cybersecurity and Infrastructure Security Agency (CISA), along with the FBI, published an advisory “strongly encouraging” satellite providers and customers to review their security postures, as they were, quote, “aware of possible threats to U.S. and international satellite communication (SATCOM) networks.” End quote.
Two months after the FBI-CISA advisory, Space Force — which is still, evidently, a real thing — created four new squadrons which, in part, will help modernize aging national satellite control equipment.
“[Johannes] The US is currently looking into what is defined as critical infrastructure, certain satellites. And with the designation of critical infrastructure, a lot of like security to-dos come with that. And this is the first step. I know that also European Union is currently assessing if there should be new space law regarding security, and the US is doing the same. [. . .] And we see a lot of standards popping up. For example, the Federal Bureau of Information Security in Germany, it has made two standards; one’s about spacecraft and one about ground stations.”
The cybersecurity research community is also, increasingly but slowly, starting to look into this domain.
Last June, the first ever satellite built specially for testing and training purposes — called “Moonlighter” — was launched into space. After a brief stint at the International Space Station, it entered low-Earth orbit on July 6th.
A month later, hosted by the US Air Force and Space Force, hacking teams from around the world participated in days-long capture the flag games, at the “Hack-a-Sat 4” event at DEFCON 31 in Las Vegas. The top three teams took home cuts of the $100,000 prize money.
“[Johannes] People are interested in this topic, and I think generally interested in all fronts. And since maybe the companies have to do it, or whoever is offering the satellites maybe has to do it in the future because of new regulations. There will definitely be a change there. But, how fast? Probably not tomorrow.”