This article is more than 1 year old

Want to pwn a satellite? Turns out it's surprisingly easy

PhD student admits he probably shouldn't have given this talk

Black Hat A study into the feasibility of hacking low-Earth orbit satellites has revealed that it's worryingly easy to do.

In a presentation at the Black Hat security conference in Las Vegas, Johannes Willbold, a PhD student at Germany's Ruhr University Bochum, explained he had been investigating the security of satellites. He studied three types of orbital machinery and found that many were utterly defenseless against remote takeover because they lack the most basic security systems.

"People think that satellites are secure," he said. "Those are expensive assets and they should have encryption and authentication. I assume that criminals think the same and they are too hard to target and you need to be some kind of cryptography genius. Maybe it wasn't a good idea to give this talk."

Satellite operators have been lucky so far. The prevailing wisdom is that hacking this kit would be prohibitively expensive due to the high cost of ground stations that communicate with the orbital birds, and that such hardware benefited from security by obscurity – that getting hold of the details of the firmware would be too difficult. Neither is true, the research indicates.

Those are expensive assets and they should have encryption and authentication. I assume that criminals think the same and they are too hard to target

For example, both AWS and Microsoft's Azure now offer Ground Station as a Service (GSaaS) to communicate with LEO satellites, so communication is simply a matter of plonking down a credit card. As for getting details on firmware, the commercial space industry has flourished in recent years and many of the components used on multiple platforms are easy to buy and study – Willbold estimated a hacker could build their own ground station for around $10,000 in parts.

As an academic, Willbold took a more direct approach. He just asked satellite operators for the relevant details for his paper [PDF]. Some of them agreed (although he did have to sign an NDA in one case) and the results somewhat mirrored the early computing days, when security was sidelined because of the lack of computing power and memory.

He studied three different types of satellite: an ESTCube-1, a tiny CubeSat 2013 running an Arm Cortex-M3 processor, a larger CubeSat OPS-SAT operated by the European Space Agency as an orbital research platform, and the so-called Flying Laptop – a larger and more advanced satellite run by the Institute of Space Systems at the University of Stuttgart.

The results were depressing. Both the CubeSats failed at a most basic level, with no authentication protocols, and they were broadcasting signals without encryption. With some code Willbold would have been able to take over the satellites' basic control functions and lock out the legitimate owner, which he demonstrated during the talk with a simulation.

The Flying Laptop was a different case, however. It had basic security systems in place and tried to isolate core functions from interference. However, with some skill, code, and standard techniques, this satellite too proved vulnerable.

Low priority

Intrigued by the results, Willbold decided to dig deeper. He contacted developers working on sat systems to check the data, and got nine responses from devs who worked on a total of 132 satellites over their careers. This wasn't easy – it took four months to garner those responses.

The results showed that security systems were way down on the list of priorities when it comes to satellite design. Only two of the respondents had tried any kind of penetration testing. The problem, he opined, was that space science is such a rarefied field that the developers just didn't have the security skills to do a rigorous shakedown of a satellite in the first place.

Composition of the Moonlighter satellite orbiting Earth

Uncle Sam wants DEF CON hackers to pwn this Moonlighter satellite in space

READ MORE

One surprising result was that the larger the satellite (and thus more expensive to build and launch), the more vulnerable it was. Larger machinery typically used more commercial off-the-shelf components and was thus more vulnerable since the code base was public, whereas smaller CubeSats tended to use custom code.

As for what would happen if a satellite was hijacked, Willbold suggested a number of alternatives. They could be used to transmit malicious information or code to targets on the ground, or to talk to other satellites in a constellation and subvert those too. In a worst-case scenario, a satellite could be moved to crash into another one, spewing debris all over orbit and potentially knocking out more systems.

When asked by The Register if it would be possible to retrofit security systems to satellites, Willbold wasn't hopeful.

"From a very technical perspective it would be possible. But realistically these systems are built on very tight margins," he said.

"They have planned these systems for every milliwatt of power that is used to run the satellite, so there is not the power budget on existing systems to run encryption or authentication. It's not practical." ®

More about

TIP US OFF

Send us news


Other stories you might like