Thousands of satellites orbit our planet to keep various vital systems, like timing systems, GPS, and communication technologies, operational. However, security experts have warned for years of an increased risk of cyberattacks on these satellites.
A fresh study from a team of German academics sheds light on the current security flaws prevalent in the satellites circling Earth. Researchers from the Ruhr University Bochum and the Cispa Helmholtz Center for Information Security analyzed the software of three small satellites and found that basic protective measures were notably missing.
According to their research paper, the satellites under investigation exhibited “simple” vulnerabilities in their firmware, highlighting that “little security research from the last decade has reached the space domain.” Concerns include a lack of restriction on who can interact with the satellite systems and an absence of encryption. Theoretically, the team explains, these issues could enable an attacker to hijack a satellite and collide it with other objects.
Satellites vary in size and purpose, ranging from commercial satellites providing navigation data and Earth imaging to military satellites used for espionage, and research satellites operated by space agencies and universities.
Johannes Willbold, a PhD student at Ruhr University Bochum leading the security investigation, classifies the current satellite security status as “security by obscurity.” He praises the three organizations that agreed to have their satellite firmware inspected by his team, while most others ignored or declined the request.
The satellites inspected were ESTCube-1, an Estonian cube satellite launched in 2013; the European Space Agency’s OPS-SAT, an open research platform; and the Flying Laptop, a mini-satellite developed by Stuttgart University and defense firm Airbus. All three are used for research, orbit at low Earth altitude, and are primarily managed by universities.
According to the researchers’ analysis, six kinds of security vulnerabilities and 13 vulnerabilities in total were found across all three satellites. These included “unprotected telecommand interfaces,” the communication channels ground operators use to interact with orbiting satellites. Willbold points out that these interfaces often “lack access protection in the first place.”
The researchers also found an issue in a code library seemingly used by multiple satellites. A stack-based buffer overflow vulnerability was discovered in software developed by nanosatellite manufacturer GomSpace, last updated in 2014. GomSpace acknowledged the findings when informed by the researchers.
The creators of the inspected satellites have welcomed the findings and pledged to apply the lessons to future spacecraft. Simon Plum from the European Space Agency, Andris Slavinskis from the University of Tartu in Estonia, and Sabine Klinkner from Stuttgart University all expressed the importance of the findings and committed to enhancing future satellite cybersecurity measures.
Despite the study primarily focusing on research and academic satellites, it highlights broader security issues with satellites that have worried experts for years. Gregory Falco, a Cornell University assistant professor specializing in space cybersecurity, confirms the scarcity of research similar to what the German team completed.
Many have called for increased protection of space systems from attacks and improvements in their development. Software development for space is currently plagued by outdated software and by aerospace engineers, not software developers, building the systems, explains Falco.
Juliana Suess, a research analyst and policy lead on space security at the defense think tank Royal United Services Institute, highlights that there are multiple ways satellite systems can be attacked, beyond software and firmware vulnerabilities. These include jamming and spoofing attacks, which interfere with signals transmitted to and from satellites.
The increasing commercialization of the space sector poses further security risks, with companies racing to launch thousands of satellites to provide internet connections and lower-cost satellite imagery. Falco chairs a new effort by the Institute of Electrical and Electronics Engineers Standards Association announced in June this year to introduce common practices and requirements for cybersecurity across the space industry.