Space companies and telecommunications providers are racing to clutter Earth's skies with tens of thousands of shiny new satellites capable of a wide variety of tasks, from Internet research and communications to military espionage. So far, the security practices of these powerful floating computers have remained more or less a black box. But new academic research that sheds light on the practice suggests that satellite manufacturers may neglect basic cybersecurity considerations in their rush to launch new satellites into orbit.
The research, led by Ruhr University Bochum Ph.D. student Johannes Willbold, discovered multiple vulnerabilities and a lack of simple defenses in three research satellites. Overall, researchers say the space field is lagging behind security research by about ten years. This lack of up-to-date security can incur heavy costs. In theory, the researchers say, bad actors could exploit the vulnerabilities to seize full control of a satellite and send it crashing into others, causing a violent chain reaction of space debris.
“These potential consequences of a single successful satellite attack are largely ignored by the security community, even though they could greatly affect spaceflight as we know it,” the researchers wrote.
What weaknesses were found in the satellites?
After reportedly requesting access to the firmware of multiple satellites, the researchers were finally given the opportunity to analyze three that are used primarily for research purposes. Those satellites included an Estonian cube satellite called ESTCube-1, the European Space Agency’s OPS-SAT open research platform and a smaller satellite called Flying Laptop created by the University of Stuttgart and Airbus. Researchers say they have discovered six different vulnerabilities across the three satellites, and 13 separate vulnerabilities in total.
The satellites that were analyzed failed to use basic encryption, leading to “insecure remote interfaces”. Another vulnerability was also discovered in a code library, maintained by the firm GomSpace, that is accessed by multiple satellites. The researchers say they disclosed all the vulnerabilities to the companies involved before publication.
In addition to inspecting the firmware of the three satellites, the researchers also conducted a survey of 19 professional satellite engineers and developers who collectively work on about 132 satellites. Responses to those surveys seem to indicate a preference for function over safety. In three of the 17 satellites analyzed as part of the survey, participants said there was absolutely no measure to prevent third parties from controlling a satellite.
“We focused on providing a functional system rather than a secure system,” said one survey respondent.
The European Space Agency, Airbus and GomSpace did not immediately respond to Gizmodo’s requests for comment. The University of Tartu, which is responsible for the ESTCube satellite, also did not respond to a request for comment.
Satellite security was secretly breached
An analysis of firmware from three satellites and survey responses from fewer than two dozen space professionals may not seem like much to go on, but the researchers behind the paper say the deeply secretive nature of satellite security makes it one of the first real demonstrations of how attackers can exploit vulnerabilities to gain control over satellites. This general lack of information, they say, is partly attributable to space companies following a philosophy of “achieving safety by obscurity.” In general, the researchers say, satellite companies act as “gatekeepers” that prevent academics from investigating their security.
Gregory Falco, an assistant professor at Johns Hopkins University, recently praised the research in an interview with Wired, saying there is “almost nothing” available to the public that offers this level of knowledge. Falco, who specializes in cyber security in space, said that security software in space is rarely updated, making it much more vulnerable to attack. Space systems are also typically designed by aerospace engineers, who simply place less emphasis on cybersecurity than software developers.
“They absolutely do not prioritize security,” Falco told Wired.
It is unclear to what extent the vulnerabilities described in the paper apply to other commercial satellite companies, but one thing is clear: satellite deployments are not slowing down. McKinsey estimates there are at least 5,000 satellites serving communications in Earth orbit alone as of March 2023, marking a 15% increase since 2017. They estimate that these numbers could rise to around 15,000 by 2030 due to the decrease in overhead costs. The vast majority of those communications satellites come from one company: SpaceX. Earlier this year, the Elon Musk-led space company made history by putting its 4,000th Starlink Internet satellite into orbit. The company plans to deploy at least 22,488 more satellites over the next two decades. These numbers will increase even further once Amazon's long-awaited Project Kuiper satellite internet service begins deployment.