I sense the plot of the next James Bond film in the making . . .
Want to pwn a satellite? Turns out it's surprisingly easy
A study into the feasibility of hacking low-Earth orbit satellites has revealed that it's worryingly easy to do. In a presentation at the Black Hat security conference in Las Vegas, Johannes Willbold, a PhD student at Germany's Ruhr University Bochum, explained he had been investigating the security of satellites. He studied …
COMMENTS
-
Friday 11th August 2023 13:56 GMT Andy Non
This is going to blow up big time
in the face of satellite owners before long now. Bad actors gaining full control of very expensive satellites and demanding huge ransoms to relinquish control and not to destroy them. Sounds like a much bigger pay day for someone than just using ransomware on PCs. The lack of security is utterly mind boggling. What were they thinking - save a few quid on the specs of the satellites but risk millions in losses?
-
Monday 14th August 2023 12:11 GMT Sorry that handle is already taken.
Re: Hacking this kit would be prohibitively expensive due to the high cost of ground stations
Whenever money is involved.
Tesla hasn't felt the pinch for its nonsense, yet, because for some reason people keep buying them. On the other hand, Starlink being hacked into would be a pretty clear threat, I'd have thought.
-
Friday 11th August 2023 14:19 GMT Filippo
>"They have planned these systems for every milliwatt of power that is used to run the satellite, so there is not the power budget on existing systems to run encryption or authentication. It's not practical."
I suspect the budget will show up PDQ after the first time a satellite is hacked to deorbit all the way to someone's head.
-
Friday 11th August 2023 14:37 GMT Bitsminer
the larger the satellite ... the more vulnerable it was
Uhhh, a big no there.
I've worked on big space systems. (Satellites are expensive. Really expensive. And complicated. And always delivered late.)
If you think a commercial, scientific or military program is going to omit the authentication and privacy features for messages from space to ground and back, you are being misled.
The first rule of spacecraft design is: maintain positive control of the spacecraft at all times. Period. [0]
All else is secondary. Crew expendable, etc etc etc.
[0] While very small scale satellite builders might get away without following this rule, there are numerous international treaties regulating tech like, you know, missiles, guidance systems, re-entry vehicles, controls on dual-use tech like telemetry and telecommand, star sensors, rocket engines, and so on. The list is long. If you want a more detailed explanation, ask any spacecraft engineer to explain what ITAR means. Be prepared for a long rant.
-
Friday 11th August 2023 15:26 GMT Doctor Syntax
Re: the larger the satellite ... the more vulnerable it was
"there are numerous international treaties regulating tech"
This argument depends on the assumption that people who are determined to do something illegal will be put off by providing them with more laws to break. A third of a working lifetime in forensic science tells me they aren't.
-
Friday 11th August 2023 16:09 GMT Bitsminer
Re: the larger the satellite ... the more vulnerable it was
To clarify, the builders have to observe the rules, and make, or try to make, the spacecraft fairly hackproof. Some may not be very good at it, as the paper suggested. Bigger and more expensive systems will be much better, or so I claim.
Bad actors of course will do whatever they can imagine. I'm sure you have some stories to tell!
-
Friday 11th August 2023 16:53 GMT Malcolm Weir
Re: the larger the satellite ... the more vulnerable it was
@Bitsminer is spot on! For example, some commercial satellites (especially those that use a ride-share launch vehicle) use a payload bus "derived from" (i.e. virtually identical to) the payload bus used for, say, a MIRV ICBM.
This doesn't magically confer security onto the spacecraft, but it does apply significant oversight from Serious People asking potentially awkward questions.
-
Friday 11th August 2023 20:11 GMT Paul Crawford
Usually the TT&C links for those have huge margins (so they work during periods of poor antenna pointing, tumbling, etc) so the Sun should not block out proper operations.
Proper authentication, etc, has been part of the CCSDS standards for decades, also actually using them seems to be missing from quite a lot of projects.
-
Saturday 12th August 2023 00:15 GMT M.V. Lipvig
The orbits on geosynchronous do have sun conjunction problems, but it actually only occurs a couple of times a year and only for a few minutes at a time. If I remember correctly we just handed control off to another station in case we couldn't get it back. And, our antenna had a memory track so provided we didn't forget to switch from auto tracking to memory before the conjunction hit we were fine. On autotrack, the antenna would follow the strongest signal, and the Sun was much stronger.
Now the satellite itself doesn't care, as during a sun conjunction it was looking away from the Sun, and geo is close enough that the Sun was mostly blocked by Earth when Earth is in the middle. I don't recall any issues when Earth was the middle man.
-
Friday 11th August 2023 23:32 GMT david 12
Re: GSaaS?
$3 per minute. And (on the same page!) you can register for a free 1 month trial, with $200 credit!
However, when you click through: "Azure Orbital Ground Station is available only to qualified customers and Microsoft will charge you a regulatory fee to defray programmatic costs associated with such application(s)"
So you actually need to be associated with a satellite, and approved by the regulatory authority to use the antenna (radio transmission regulations).
They've put the GSaaS stuff on a standard Azure web page (which explains the trial and credit). Helpfully, it also gives you an AI link to explain what the word "Antenna" means.
-
Friday 11th August 2023 21:48 GMT DS999
Ground station as a service
Perhaps Amazon and Microsoft ought to require some sort of proof you are authorized to communicate with a given satellite before allowing their dishes to do so?
That seems like a fairly minor hoop for a company (or research group in the case of cubesats) that would rather not operate their own ground station, or contract with Intelsat, to save money.
Just because I pay for their service, I shouldn't be able to point to one of Directv's satellites and hack into it, or spam it with garbage until it reboots or hangs (à la kernel fuzzing attacks). Plus I imagine Amazon would be in a LOT of trouble if they allowed someone to point at an important DoD satellite and try the same!
-
Monday 14th August 2023 16:45 GMT DS999
Re: Ground station as a service
It depends on the satellite, how big its receive antenna is and so forth, and what type of satellite it is. You can't build a tracking dish for $10K so that could only communicate with geosynchronous satellites, and only on perfectly clear days - though that's not much of a limitation for hacking I suppose.
-
Thursday 17th August 2023 00:36 GMT Anonymous Coward
Re: Ground station as a service
I have a narrowband uplink/downlink station (2.4/10GHz) to the geostationary EsHail satellite (Google QO-100) and it can be done for about £2k. If you want something a little more wide-band such as uplinking TV, you can add another stage of amplification and that may cost you an extra £600 and use an Analog Devices Adalm Pluto if you want to do something clever with the modulation.
-
Tuesday 15th August 2023 21:49 GMT spuck
Re: Ground station as a service
Turns out, they do.
AWS requires you to be "onboarded" (i.e., approved) for each vehicle you want to transmit to. International frequency allocations, and whatnot. There are some satellites that they will allow you to receive from which are transmitting non-proprietary data, to prove out your workflow.
-
Sunday 13th August 2023 18:09 GMT fg_swe
What A Load of Nonsense
1.) Secure Command Links can be realized in about 1500 LOC, including AES Locs. Been there, done that: https://github.com/DiplIngFrankGerlach/MST. It needs an ESP8266 or even less muscle to do the job. MST has the same assurances as TLS/SSL, but without the Public Key cr4p.
2.) The "researcher" apparently surveyed amateur satellite projects. Not the $500 000 000 commercial or mil satellite.
3.) Of course "hackers" lack of a high gain directional antenna plus the other RF equipment is a "protection" of some sorts. Just never expect the Russians, the Norks or the Iranians to respect this "protection". I would venture to say that HAM radio guys could build this for much less than $10000. A bit of balsa wood, flexible metal grid (1mm opening), a bunch of RF transistors and some HAM RF instruments will do the trick. That antenna might last only a few weeks until the next storm, but it is good enough to send and receive to/from the sat. After the pwn, the antenna can be blown away...
-
Monday 14th August 2023 14:22 GMT fg_swe
Secure HMAC
Of course, for HAM and other amateur satellites, Command Messages and Replies can be transmitted in clear, with only a secure HMAC. SHA256 will do the trick:
COMMAND_OR_REPLY ::= PLAINTEXT_COMMAND AES256(PRESHARED_KEY,SHA256(PLAINTEXT_COMMAND))
This is also "quantum secure", as AES256 has 256 bits of symmetric key, which is considered as hard as 128bit non-quant.
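An added example, not part of the post above and not taken from MST: a cleartext command frame authenticated with a pre-shared key, as the comment proposes. It uses the standard HMAC-SHA256 construction rather than the AES256-over-SHA256 form written in the post, and adds a sequence counter so a recorded frame cannot be replayed. The frame layout, the names `seal` and `CommandReceiver`, and the key and commands are assumptions constructed for illustration.

```python
import hashlib
import hmac
import struct

TAG_LEN = 32                      # full HMAC-SHA256 tag
HDR = struct.Struct(">Q")         # assumed header: 64-bit big-endian counter


def seal(key: bytes, seq: int, command: bytes) -> bytes:
    """Ground side: counter || plaintext command || HMAC over both."""
    body = HDR.pack(seq) + command
    return body + hmac.new(key, body, hashlib.sha256).digest()


class CommandReceiver:
    """Spacecraft side: check the tag first, then the counter."""

    def __init__(self, key: bytes, last_seq: int = 0):
        self._key = key
        # Assumption: a real receiver keeps this value across reboots.
        self._last_seq = last_seq

    def accept(self, frame: bytes):
        """Return the command bytes, or None if the frame is rejected."""
        if len(frame) < HDR.size + TAG_LEN:
            return None                       # truncated frame
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self._key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None                       # forged or corrupted
        (seq,) = HDR.unpack_from(body)
        if seq <= self._last_seq:
            return None                       # replayed or stale frame
        self._last_seq = seq                  # advance only after full check
        return body[HDR.size:]


if __name__ == "__main__":
    key = bytes(range(32))                    # constructed demo key
    rx = CommandReceiver(key)
    frame = seal(key, 1, b"SET_MODE SAFE")    # constructed command
    print(rx.accept(frame))                   # accepted once
    print(rx.accept(frame))                   # same frame again: rejected
```

The counter is covered by the tag, so it cannot be altered in transit, and it only advances after the tag verifies, so a forged frame cannot push the receiver's counter forward.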
-
Thursday 17th August 2023 00:48 GMT Anonymous Coward
Re: What A Load of Nonsense
My "HAM" QO-100 ground-station has been up and running for a couple of years now and uses a 1m dish with a concentric feed. Signal to noise is good enough to easily maintain comms during a storm and no signs of it blowing away yet ;) And it did cost a LOT less than £10k. That gives me voice uplink and downlink on 2.4/10GHz to a geostationary satellite. I can also run data or even digital TV with a little more power to the dish - and that isn't expensive.
https://www.youtube.com/watch?v=badYVp76c88
-
Sunday 13th August 2023 18:41 GMT fg_swe
Hire A Professional Cryptographer
The key problem of many industries is that they believe cipher and communications security can be done by each and every half-and-self trained guy.
A major car company had this trouble with their SMS-based door opener. Other car companies were/are in love with "keyless go", which is very hard to do securely (needs high resolution timers). Replay and Relay attack opportunities all around.
The banking industry had confidentiality, replay-safety and integrity solved at the year 2000. It took others until 2015 to achieve the same, because they were too cheap to hire experts.
TLS in practical implementations is a hell of insecurity too, but often sold as "industry standard". TLS saves people from thinking themselves. The entire idea of hybrid ciphers is not necessary nor useful for most applications.
-
Monday 14th August 2023 20:38 GMT Joe Gurman
CubeSats are low-hanging fruit
At the outfit I used to work for, considerably larger spacecraft — so-called “Small Explorers,” or SMEXes in the argot of that acronymophilic agency — were considered Class D in the hierarchy of risk management. That meant that individual components required less testing or could be adopted even though they had shorter lifetimes than the more expensive kit used in larger spacecraft, that schedules had less slack built into them, and that if I recall correctly, encryption was not required in communication between spacecraft and ground.
It was a totally different picture for even larger, more expensive missions.
Lower tolerance for risk drives cost and schedule (more testing and reviews required), higher tolerance makes the development faster and cheaper — but also riskier.
-
Tuesday 15th August 2023 08:48 GMT fg_swe
Just Stupid
As I wrote above, a very low power CPU/MCU (1W or even less) can do the required cipher (similar to MST). Using Davies-Meyer, AES can also double as a Secure Hash code (as done in MST). So less than 2k Lines of C can provide a Secure Command Channel. The CPU can be powered down using a timer, or when battery is low and must first be recharged from solar cells. In power down mode, an IoT CPU will draw only a microWatt or so for the timer counter. There are plenty of IoT chips around, including those from STM and NXP.
No need for power-hungry and quantum-threatened Public Key ciphering. Program the key into the satellite when it is on the ground and from then on use this symmetric key via MST or similar.
Not encrypting at all is like letting your wallet lie on the pavement and going to sleep inside the house.
-
Wednesday 30th August 2023 14:10 GMT Alan Brown
About 25 years late
It's happened already.
In 1998 NASA discovered script kiddies had pwned the computers controlling Mars Pathfinder and Sojourner whilst investigating odd behaviour.
In 1999 and 2000 there were more malicious hacks of command/control systems for various LEO birds (although the satellites themselves didn't seem to be the target).
Military systems aren't much better. In a lot of instances notifying sites about odd behaviour and script kiddies (mostly Eastern European) spotted operating from obviously compromised systems in military IP ranges resulted in denials and threats until DISA stepped in during 1999 to act as intermediary on all issues.
The bigger problem is that THE UNDERLYING ISSUES HAVE NOT CHANGED - NASA and ESA staff frequently regard OpSec as a nuisance which slows their jobs and simply bypass it or ignore rules. Just about every compromised system in NASA found when the late Jay (Cancer Omega) Dyson audited networks had had the security disabled by staff before hackers waltzed in through the doors left gaping open.
NASA and military networks were high value targets for script kiddies back in the late 90s as they had high network bandwidth availability and were easy to launch DoS attacks from.