Space companies and telecommunication providers are racing to litter the Earth’s skies with tens of thousands of new twinkling satellites capable of completing a vast variety of tasks, from research and internet communication to military espionage. Up until now, the security practices of these hefty floating computers have remained more or less a black box. But new academic research shedding light on the practice shadows satellite manufacturers may be neglecting basic cybersecurity considerations in their haste to blast new satellites up into orbit.
The research, led by Ruhr University Bochum Ph.D. student Johannes Willbold, discovered multiple vulnerabilities and a lack of simple protections in three research satellites. In general, the researchers say the space domain has lagged behind security research by about ten years. That lack of up-to-date security can carry heavy costs. In theory, the researchers say bad actors could potentially exploit vulnerabilities to seize full control of a satellite and send it crashing into others causing a violent chain reaction of space debris.
“These potential consequences of a single successful satellite hack are largely ignored by the security community, even though they could heavily affect spaceflight as we know it,” the researchers wrote.
What vulnerabilities were found on the satellites?
After reportedly requesting access to the firmware of multiple satellites, the researchers were ultimately given the opportunity to analyze three mostly used for research purposes. Those satellites included an Estonian cube satellite called ESTCube-1, the European Space Agency’s OPS-SAT open research platform, and a smaller satellite called Flying Laptop created by Stuttgart University and Airbus. The researchers say they discovered six different vulnerabilities across all three satellites, and 13 separate vulnerabilities in total.
Satellites that were analyzed failed to use basic encryption leading to “unprotected telecommand interfaces.” Another vulnerability in a code library accessed by multiple satellites maintained by the firm GomSpace was also discovered. Researchers say they disclosed all of the vulnerabilities to the companies involved prior to publication.
Aside from inspecting the three satellites’ firmware, the researchers also conducted a survey of 19 professional satellite engineers and developers who collectively work on around 132 satellites. The responses to those surveys appeared to show a preference for function over security. In three of 17 satellites analysed as part of the survey, participants said there were absolutely no measures taken to prevent third parties from controlling a satellite.
“We focused on providing a functioning system instead of a secure one,” one of the survey respondents said.”
The European Space Agency, Airbus, and GomSpace did not immediately respond to Gizmodo’s requests for comment. The University of Tartu, which is responsible for the ESTCube satellite, also did not respond to a request for comment.
Satellite security marred in secrecy
An analysis of firmware from three satellites and survey responses from less than two dozen space professionals may not seem like much to go off of, but researchers behind this paper say the deeply secretive nature of satellite security makes this one of the first real demonstrations of ways attackers could exploit vulnerabilities to gain control over satellites. That general lack of information, they say, is attributed in part to space companies following a philosophy of “achieving security by obscurity.” In general, the researchers say satellite companies act as “gatekeepers” preventing academics from investigating their security.
Gregory Falco, an assistant professor at Johns Hopkins University, recently commended the research in an interview with Wired, saying there’s “almost nothing” publicly available that offers its level of insight. Falco, who specializes in space cybersecurity, said security software in space is often rarely updated leaving it far more vulnerable to attacks. Space systems are also usually designed by aerospace engineers who simply place less weight on cybersecurity than software developers.
“They absolutely are not prioritizing security,” Falco told Wired.
It’s unclear the extent to which the vulnerabilities described in the paper apply to other commercial satellite companies but one thing is clear: satellite deployments aren’t slowing down. McKinsey estimates there are at least 5,000 satellites serving communications alone orbiting the Earth as of March 2023, marking a 15% increase since 2017. They estimate those figures could jump up to around 15,000 by 2030 due to lower overall costs. The vast majority of those communications satellites come from one company: SpaceX. Earlier this year the Elon Musk-led space company made history by deploying its 4,000 Starlink internet satellite into orbit. The company plans to deploy at least 22,488 more of those satellites over the next two decades. Those figures will climb even further once Amazon’s long-awaited Project Kuiper satellite internet begins deployment.