Space companies and telecommunications providers are racing to fill Earth's skies with tens of thousands of shiny new satellites that can perform a variety of tasks, from research and internet communications to military espionage. So far, the security practices of these massive floating computers have remained more or less a black box. But new academic research sheds light on these shadowy practices and suggests that, in their rush to launch new satellites into orbit, manufacturers may be neglecting fundamental cybersecurity considerations.
The research, led by Ruhr University Bochum Ph.D. student Johannes Willbold, discovered several vulnerabilities and a lack of simple protective measures in three research satellites. In general, the researchers say that the space field lags behind security research by about ten years. This lack of up-to-date security can come at a high cost. In theory, the researchers say, malicious actors could exploit vulnerabilities to take full control of a satellite and crash it into others, causing a violent chain reaction of space debris.
“These potential consequences of a single successful satellite hack are largely ignored by the security community, even though they could severely impact spaceflight as we know it,” the researchers write.
What vulnerabilities were found on the satellites?
After reportedly requesting access to the firmware of several satellites, the researchers finally got the opportunity to analyze three satellites used primarily for research purposes. These satellites included an Estonian cube satellite called ESTCube-1, the European Space Agency’s open research platform OPS-SAT, and a smaller satellite called Flying Laptop, developed by the University of Stuttgart and Airbus. Researchers say they discovered six different vulnerabilities in all three satellites and a total of 13 separate vulnerabilities.
Basic encryption was not used in the satellites that were analyzed, resulting in “unprotected telecommunications interfaces.” Another vulnerability was also discovered in a code library accessed by several GomSpace satellites. Researchers stated that they disclosed all vulnerabilities to the companies involved prior to release.
In addition to reviewing the three satellites’ firmware, the researchers also conducted a survey of 19 professional satellite engineers and designers who collectively work on around 132 satellites. Responses to these surveys seemed to show a preference for function over security. For three out of 17 satellites analyzed in the survey, respondents indicated that no measures were in place to prevent third parties from controlling a satellite.
“We focused on providing a working system rather than a secure one,” said one of the survey respondents.
The European Space Agency, Airbus and GomSpace did not immediately respond to Gizmodo’s request for comment. The University of Tartu, which is responsible for the ESTCube satellite, also did not respond to a request for comment.
Satellite security is clouded by secrecy
An analysis of three satellites’ firmware and survey responses from fewer than two dozen space experts doesn’t seem like much, but the researchers behind this paper say the deeply mysterious nature of satellite security makes this one of the first real demonstrations of how attackers could exploit vulnerabilities to take control of satellites. This general lack of information is due in part to space companies following the philosophy of “achieving safety through obscurity”. Generally, the researchers say satellite companies act as “gatekeepers,” preventing scientists from investigating their security.
Gregory Falco, an assistant professor at Johns Hopkins University, praised the research in a recent interview with Wired, saying there is “almost nothing” publicly available that offers comparable insight. Falco, who specializes in space cybersecurity, said security software in space is rarely updated, making it far more vulnerable to attack. Space systems are also typically designed by aerospace engineers, who simply don’t care as much about cybersecurity as software developers.
“They have absolutely no security concerns,” Falco told Wired.
It is unclear to what extent the vulnerabilities described in the paper also apply to other commercial satellite companies, but one thing is clear: the use of satellites is not decreasing. McKinsey estimates that, for communications alone, there were at least 5,000 satellites orbiting the Earth as of March 2023, up 15% since 2017. They estimate that these numbers could increase to around 15,000 by 2030 due to lower total costs. The vast majority of these communications satellites come from one company: SpaceX. Elon Musk’s space company made history earlier this year with the launch of its 4,000 Starlink internet satellites. The company plans to deploy at least 22,488 more of these satellites over the next two decades. These numbers will continue to rise as Amazon’s long-awaited Project Kuiper satellite internet begins to roll out.