back to article Want to pwn a satellite? Turns out it's surprisingly easy

A study into the feasibility of hacking low-Earth orbit satellites has revealed that it's worryingly easy to do. In a presentation at the Black Hat security conference in Las Vegas, Johannes Willbold, a PhD student at Germany's Ruhr University Bochum, explained he had been investigating the security of satellites. He studied …

  1. Pascal Monett Silver badge

    I sense the plot of the next James Bond film in the making . . .

    1. Ochib

      It's been done

      GoldenEye

    2. FuzzyTheBear
      Pint

      already done

      Diamonds are forever. Also Golden Eye.

      Cheers.

      1. Anonymous Coward
        Anonymous Coward

        Re: already done

        Let's not forget Moonraker...

        1. Benegesserict Cumbersomberbatch Silver badge

          Re: already done

          On second thoughts, let's.

  2. Andy Non Silver badge
    Facepalm

    This is going to blow up big time

    in the face of satellite owners before long now. Bad actors gaining full control of very expensive satellites and demanding huge ransoms to relinquish control and not to destroy them. Sounds like a much bigger pay day for someone than just using ransomware on PCs. The lack of security is utterly mind boggling. What were they thinking - save a few quid on the specs of the satellites but risk millions in losses?

  3. Prst. V.Jeltz Silver badge
    Joke

    Big whup , Gus Gorman did this in 1983

  4. Howard Sway Silver badge

    Hacking this kit would be prohibitively expensive due to the high cost of ground stations

    Unfortunately, the cost is not at all prohibitive if you're a hostile state and can easily afford the kit.

    1. Andy Non Silver badge

      Re: Hacking this kit would be prohibitively expensive due to the high cost of ground stations

      Indeed, now the cat is out of the bag, how long before Starlink satellites over Ukraine start to mysteriously fail?

      1. IGotOut Silver badge

        Re: Hacking this kit would be prohibitively expensive due to the high cost of ground stations

        I'd be very surprised if the Russians didn't know this already.

      2. Orv Silver badge

        Re: Hacking this kit would be prohibitively expensive due to the high cost of ground stations

        Starlink birds have a short life anyway, so any security flaws aren't going to persist *that* long before they're replaced with a new version.

      3. Sorry that handle is already taken. Silver badge

        Re: Hacking this kit would be prohibitively expensive due to the high cost of ground stations

        The research paper is basically on a small number of cubesats and shouldn't be extrapolated to anything else.

        I'd be very surprised if Starlink wasn't both already very secure and patchable.

        1. Orv Silver badge

          Re: Hacking this kit would be prohibitively expensive due to the high cost of ground stations

          One would hope, although Musk's cars seem to have security holes discovered on the regular. So who knows.

        2. Casca Silver badge

          Re: Hacking this kit would be prohibitively expensive due to the high cost of ground stations

          Since when do musk care about security or people?

          1. Sorry that handle is already taken. Silver badge

            Re: Hacking this kit would be prohibitively expensive due to the high cost of ground stations

            Whenever money is involved.

            Tesla hasn't felt the pinch for its nonsense, yet, because for some reason people keep buying them. On the other hand, Starlink being hacked into would be a pretty clear threat, I'd have thought.

  5. prh99

    Sadly, someone probably had to say it very publicly before anything gets done about it. May as well be Dr. Willbold.

  6. Filippo Silver badge

    >"They have planned these systems for every milliwatt of power that is used to run the satellite, so there is not the power budget on existing systems to run encryption or authentication. It's not practical."

    I suspect the budget will show up PDQ after the first time a satellite is hacked to deorbit all the way to someone's head.

    1. Doctor Syntax Silver badge

      The power budget is fixed. If protection takes some of it something else is going to have to be cut. You can't just send up a bigger solar panel.

      1. Ken Hagan Gold badge

        So something else gets cut.

        You have a choice between 90% of the intended functions or 0%. Be quick. That choice may be short-lived.

      2. John Robson Silver badge

        Well, you *can*, but it's rather expensive (far cheaper to replace the bird altogether, unless you're dealing with something like hubble)

      3. Filippo Silver badge

        Yup. Something else will be cut. "There is no budget" always actually means "we have other priorities". So, to rephrase, the priorities will get changed PDQ after the first time a sat is hacked to deorbit over something interesting.

  7. CountCadaver Silver badge

    starlink going offline?

    Make for an interesting LEO fireworks show

    Enough pissed off astronomers out there.......

    1. X5-332960073452
      Go

      Re: starlink going offline?

      Could they please do it on a cloudless night in the UK

  8. Bitsminer Silver badge

    the larger the satellite ... the more vulnerable it was

    Uhhh, a big no there.

    I've worked on big space systems. (Satellites are expensive. Really expensive. And complicated. And always delivered late.)

    If you think a commercial, scientific or military program is going to omit the authentication and privacy features for messages from space to ground and back, you are being misled.

    The first rule of spacecraft design is: maintain positive control of the spacecraft at all times. Period. [0]

    All else is secondary. Crew expendable, etc etc etc.

    [0] While very small scale satellite builders might get away without following this rule, there are numerous international treaties regulating tech like, you know, missiles, guidance systems, re-entry vehicles, controls on dual-use tech like telemetry and telecommand, star sensors, rocket engines, and so on. The list is long. If you want a more detailed explanation, ask any spacecraft engineer to explain what ITAR means. Be prepared for a long rant.

    1. Doctor Syntax Silver badge

      Re: the larger the satellite ... the more vulnerable it was

      "there are numerous international treaties regulating tech"

      This argument depends on the assumption that peole who are determined to do something illegal will be put off by providing them with more laws to break. A third of a working lifetime in forensic science tells me they aren't.

      1. Bitsminer Silver badge

        Re: the larger the satellite ... the more vulnerable it was

        To clarify, the builders have to observe the rules, and make, or try to make, the spacecraft fairly hackproof. Some may not be very good at it, as the paper suggested. Bigger and more expensive systems will be much better, or so I claim.

        Bad actors of course will do whatever they can imagine. I'm sure you have some stories to tell!

        1. Malcolm Weir

          Re: the larger the satellite ... the more vulnerable it was

          @Bitsminer is spot on! For example, some commercial satellites (especially those that use a ride-share launch vehicle) use a payload bus "derived from" (i.e. virtually identical to) the payload bus used for, say, a MIRV ICBM.

          This doesn't magically confer security onto the spacecraft, but it does apply significant oversight from Serious People asking potentially awkward questions.

          1. Yet Another Anonymous coward Silver badge

            Re: the larger the satellite ... the more vulnerable it was

            Presumably ICBMs are expected to have a limited time window to hack into them before they disconnect ?

            1. Anonymous Coward
              Anonymous Coward

              Re: the larger the satellite ... the more vulnerable it was

              I'll have to ask the greys ... how long it took them to shut them down

              1. Toni the terrible Bronze badge
                Mushroom

                Re: the larger the satellite ... the more vulnerable it was

                Well wether or not it was the grays it was reported that some Alien or other shut down a complete ICBM base in the USA (true/false?) and almost dispatched ICBMs from a Ruskie base SO....

    2. ecofeco Silver badge

      Re: the larger the satellite ... the more vulnerable it was

      That is correct, but criminal hacking is criminal hacking.

    3. rafff

      there are numerous international treaties regulating tech

      Russia, China, and probably USA. Nuff said.

  9. Orv Silver badge
    Pirate

    I always thought a geosynchronous satellite hack during the time when the normal ground station is blinded by a solar conjunction would make a good sci-fi story detail.

    1. Paul Crawford Silver badge

      Usually the TT&C links for those have huge margins (so they work during periods of poor antenna pointing, tumbling, etc) so the Sun should not block out proper operations.

      Proper authentication, etc, has been part of the CCSDS standards for decades, also actually using them seems to be missing from quite a lot of projects.

    2. John Brown (no body) Silver badge

      It doesn't appear to affect the many geosync commercial TV broadcasting sats up there. So either it's not a problem, or their orbits are designed not to get into that position in the first place.

      1. M.V. Lipvig Silver badge

        The orbits on geosynchronous do have sun conjunction problems, but it actually only occurs a couple of times a year and only for a few minutes at a time. If I remember correctly we just handed control off to another station in case we couldn't get it back. And, our antenna had a memory track so provided we didn't forget to switch from auto tracking to memory before the conjunction hit we were fine. On autotrack, the antenna would follow the strongest signal, and the Sun was much stronger.

        Now the satellite itself doesn't care, as during a sun conjunction it was looking away from the Sun, and geo is close enough that the Sun was mostly blocked by Earth when Earth is in the middle. I don't recall any issues when Earth was the middle man.

      2. Orv Silver badge

        Back in the day I used to get solar outages on my cable TV feed certain times of year. But I think most decent-sized cable systems now are able to temporarily switch satellites when that happens.

  10. MOH

    GSaaS?

    Seriously. This cloud stuff has reached ludicrous levels.

    1. david 12 Silver badge

      Re: GSaaS?

      $3 per minute. And (on the same page!) you can register for a free 1 month trial, with $200 credit!

      However, when you click through Azure Orbital Ground Station is available only to qualified customers and Microsoft will charge you a regulatory fee to defray programmatic costs associated with such application(s)

      So you actually need to be associated with a satellite, and approved by the regulatory authority to use the antenna (radio transmission regulations).

      They've put the GSaaS stuff on a standard Azure web page (which explains the trial and credit). Helpfully, it also gives you an AI link to explain what the word "Antenna" means.

  11. DS999 Silver badge
    Facepalm

    Ground station as a service

    Perhaps Amazon and Microsoft ought to require some sort of proof you are authorized to communicate with a given satellite before allowing their dishes to do so?

    That seems like a fairly minor hoop for a company (or research group in the case of cubesats) that would rather not operate their own ground station, or contract with Intelsat, to save money.

    Just because I pay for their service, I shouldn't be able to point to one of Directv's satellites and hack into it, or spam it with garbage until it reboots or hangs (ala kernel fuzzing attacks) Plus I imagine Amazon would be in a LOT of trouble if they allowed someone to point at an important DoD satellite and try the same!

    1. John Brown (no body) Silver badge

      Re: Ground station as a service

      Sorry guv, we're just,like, the "common carrier", not our problem what the user, like, does with the service once ,like, they paid for it. Innit.

      1. Dr Dan Holdsworth
        FAIL

        Re: Ground station as a service

        Even if Microsoft et al put security and due diligence foremost, the article states that a hacker could knock together a working base station for $10,000 in parts. That really isn't enough of a barrier to stop someone from having a go.

        1. DS999 Silver badge

          Re: Ground station as a service

          It depends on the satellite, how big its receive antenna is and so forth, and what type of satellite it is. You can't build a tracking dish for $10K so that could only communicate with geosynchronous satellites, and only on perfectly clear days - though that's not much of a limitation for hacking I suppose.

          1. Anonymous Coward
            Anonymous Coward

            Re: Ground station as a service

            I have an narrowband uplink/downlink station (2.4/10GHz) to the geostationary EsHail satellite (Google QO-100) and it can be done for about £2k. If you want something a little more wide-band such as uplinking TV, you can add another stage of amplification and that may cost you an extra £600 and use an Analog Devices Adalm Pluto if you want to do something clever with the modulation.

    2. spuck

      Re: Ground station as a service

      Turns out, they do.

      AWS requires you to be "onboarded" (i.e., approved) for each vehicle you want to transmit to. International frequency allocations, and whatnot. There are some satellites that they will allow to to receive from which are transmitting non-proprietary data, to prove out your workflow.

  12. ecofeco Silver badge

    LOL!

    I knew this ten years ago.

    But as always, people just looked at me like I was crazy.

    1. david 12 Silver badge

      Re: LOL!

      people just looked at me like I was crazy.

      Well, that's because you just laugh out loud...

    2. Casca Silver badge

      Re: LOL!

      Start using three exclamation points to end your sentences, that will teach them that your not crazy!!!

  13. fg_swe Silver badge

    What A Load of Nonsense

    1.) Secure Command Links can be realized in about 1500 LOC, including AES Locs. Been there, done that: https://github.com/DiplIngFrankGerlach/MST. It needs an ESP8266 or even less muscle do the job. MST has the same assurances as TLS/SSL, but without the Public Key cr4p.

    2.) The "researcher" apparently surveyed amateur satellite projects. Not the $500 000 000 commercial or mil satellite.

    3.) Of course "hackers" lack of a high gain directional antenna plus the other RF equipement is a "protection" of some sorts. Just never expect the Russians, the Norks or the Iranians to respect this "protection". I would venture to say that HAM radio guys could build this for much less than $10000. A bit of balsa wood, flexible metal grid (1mm opening), a bunch of RF transistors and some HAM RF instruments will do the trick. That antenna might last only a few weeks until the next storm, but it is good enough to send and receive to/from the sat. After the pwn, the antenna can be blown away...

    1. fg_swe Silver badge

      Re: What A Load of Nonsense

      See also https://www.rfhamdesign.com/products/parabolicdishkit/45meterdishkit/index.php

    2. fg_swe Silver badge

      Re: What A Load of Nonsense

      https://en.wikipedia.org/wiki/WokFi

    3. sbegrupt

      Re: What A Load of Nonsense

      Also, a lot of amateur frequency allocations forbid encryption or cubesats themselves explicitly state accessibility of telemetry to HAMs as their goal, leaving HMAC on commands as the only protection.

      1. fg_swe Silver badge

        Secure HMAC

        Of course, for HAM and other amateur satellites, Command Messages and Replies can be transmitted in clear, with only a secure HMAC. SHA256 will do the trick:

        COMMAND_OR_REPLY ::= PLAINTEXT_COMMAND AES256(PRESHARED_KEY,SHA256(PLAINTEXT_COMMAND))

        This is also "quantum secure", as AES256 has 256 bits of symmetric key, which is considered as hard as 128bit non-quant.

    4. Anonymous Coward
      Anonymous Coward

      Re: What A Load of Nonsense

      My "HAM" QO-100 ground-station has been up and running for a couple of years now and uses a 1m dish with a concentric feed. Signal to noise is good enough to easily maintain comms during a storm and no signs of it blowing away yet ;) And it did cost a LOT less than £10k- That gives me voice uplink and downlink on 2.4/10GHz to a geostationary satellite. I can also run data or even digital TV with a little more power to the dish - and that isn't expensive.

      https://www.youtube.com/watch?v=badYVp76c88

  14. fg_swe Silver badge

    Hire A Professional Cryptographer

    The key problem of many industries is that they believe cipher and communications security can be done by each and every half-and-self trained guy.

    A major car company had this trouble with their SMS-based door opener. Other car companies were/are in love with "keyless go", which is very hard to do securely(needs high resolution timers). Replay and Relay attack opportunities all around.

    The banking industry had confidentiality, replay-safety and integrity solved at the year 2000. It took others until 2015 to achieve the same, because they were too cheap to hire experts.

    TLS in practical implementations is a hell of insecurity too, but often sold as "industry standard". TLS saves people from thinking themselves. The entire idea of hybrid ciphers is not necessary nor useful for most applications.

    1. fg_swe Silver badge

      Re: Hire A Professional Cryptographer

      If you need consulting in cryptologic matters, you can write an email and I will call you back: http://fgw.ddnss.de/ (Kontakte). Or just call me on the phone. I speak English, German and three words of French.

  15. Richard Pennington 1
    Pirate

    Hacking satellites is not new

    Captain Midnight (1986):

    https://en.wikipedia.org/wiki/Captain_Midnight_broadcast_signal_intrusion

  16. Joe Gurman

    CubeSats are low-hanging fruit

    At the outfit I used to work for, considerably larger spacecraft — so-called “Small Explorers,” or SMEXes in the argot of that acronymophilic agency — were considered Class D in the hierarchy of risk management. That meant that individual components required less testing or could be adopted even though they had shorter lifetimes than the more expensive kit used in larger spacecraft, that schedules had less slack built into them, and that if I recall correctly, encryption was not required in communication between spacecraft and ground.

    It was a totally different picture for even larger, more expensive missions.

    Lower tolerance for risk drives cost and schedule (more testing and reviews required), higher tolerance makes the development faster and cheaper — bur also riskier.

    1. fg_swe Silver badge

      Just Stupid

      As I wrote above, a very low power CPU/MCU (1W or even less) can do the required cipher(similar to MST). Using Davies-Myer, AES can also double as a Secure Hash code(as done in MST). So less than 2k Lines of C can provide a Secure Command Channel. The CPU can be powered down using a timer, or when battery is low and must first be recharged from solar cells. In power down mode, an IoT CPU will draw only a microWatt or so for the timer counter. There are plenty of IoT chips around, including those from STM and NXP.

      No need for power-hungry and quantum-threatened Public Key ciphering. Program the key into the satellite when it is on the ground and from then on use this symmetric key via MST or similar.

      Not encrypting at all is like letting your wallet lie on the pavement and going to sleep inside the house.

  17. Alan Brown Silver badge

    About 25 years late

    It's happened already.

    In 1998 NASA discovered script kiddies had pwned the computers controlling Mars Pathfinder and Sojourner whilst investigating odd behaviour

    In 1999 and 2000 there were more malicious hacks of command/control systems for various LEO birds (although the satellites themselves diodn't seem to be the target)

    Military systems aren't much better. In a lot of instances notifying sites about odd behaviour and script kiddies (mostly Eastern European) spotted operating from obviously compromised systems in military IP ranges resulted in denials and threats until DISA stepped in during 1999 to act as intermediary on all issues

    The bigger problem is that THE UNDERLAYING ISSUES HAVE NOT CHANGED - NASA and ESA staff frequently regard OpSec as a nuisanmce which slows their jobs and simply bypass it or ignore rules. Just about every compromised system in NASA found when the late Jay (Cancer Omega) Dyson audited networks had had the security disabled by staff before hackers waltzed in through the doors left gaping open.

    NASA and military networks were high value targets for script kiddies back in the late 90s as they had high network bandwidth availablity and were easy to launch DoS attacks from

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like