Satellites Are Rife With Basic Security Flaws

hundreds of miles Above the earth, thousands of satellites orbit the planet to keep the world running smoothly. Timing systems, GPS and communication technologies are all powered by satellites. But for years, security researchers have warned that more needs to be done to protect the satellites from cyberattacks.

A new analysis by a group of German scientists provides a rare glimpse into some of the security flaws in satellites currently orbiting the Earth. The researchers from Ruhr-Universität Bochum and the Cispa Helmholtz Center for Information Security examined the software used by three small satellites and found that the systems lacked some basic protective measures.

The satellites inspected by the researchers, according to one scientific work, contain “simple” vulnerabilities in their firmware and show “that little security research from the last decade has reached the space realm”. Problems include a lack of protection for those who can communicate with the satellite systems and the lack of encryption. In theory, the researchers say, the problems they’ve discovered could allow an attacker to take control of a satellite and have it crash into other objects.

There are many types of satellites in use today, varying in size and purpose. Satellites created by commercial companies photograph the earth and provide navigation data. Military satellites are classified and often used for espionage. There are also research satellites operated by space agencies and universities.

Johannes Willbold, a PhD student at Ruhr-Universität Bochum and lead researcher behind the security analysis, says the current state of satellite security can be classified as “security by darkness”. In other words, little is known about how well protected they are. Willbold says the research team reached out to several organizations with satellites in space, asking if they could review their firmware, and the vast majority declined or didn’t respond — he commends the candor of the three who worked with his team.

The three satellites the team focused on are used for research, fly in low Earth orbit and are mostly operated by universities. The researchers examined the firmware of ESTCube-1, an Estonian cube satellite launched in 2013; The OPS-SAT of the European Space Agency, an open research platform; and the Flying laptopa mini-satellite from the University of Stuttgart and the defense company Airbus.

The researchers’ analysis revealed that they found six types of vulnerabilities and a total of 13 vulnerabilities across all three satellites. These vulnerabilities included “unprotected telecommunications interfaces” that satellite operators on the ground use to communicate with the vehicles when they are in orbit. “Often they lack access security in the first place,” says Willbold, who is also presenting the research at next month’s Black Hat security conference in Las Vegas. “They’re basically not checking anything.”

In addition to the vulnerabilities in the satellites’ software, Willbold said the team also found a problem in a code library that appears to be used by several satellites. The research describes a stack-based approach Buffer overflow vulnerability in software developed by nanosatellite manufacturer GomSpace. According to the investigations, the cause of the problem lies in a library that was last updated in 2014. Willbold says GomSpace acknowledged the findings when researchers reported the issue. GomSpace did not respond to WIRED’s request for comment.