Orbital infrastructure, whizzing above our heads, is vital to the modern way of life. With thousands more satellites set to clog the skies, scrutiny of their protection against cyber threats should match industry expansion.
Man-made moons relay analog and digital signals carrying voice, video, and data to multiple locations globally. Without them, we would be stuck using local communications, paper maps, and landlines. We would also have to relearn how to live without location-sensitive services.
Out of the 9,000 satellites launched into the skies, 6,000 are still orbiting our planet, and data by the Union of Concerned Scientists (UCS) show that as of August 2020, 2,787 of those were still active. However, we will remember the current period in the history of Earth's orbit as a period of emptiness.
The World Economic Forum (WEF) estimates that humans will add almost a thousand new satellites every year. That would put the total number of satellites in orbit at 15,000 by the end of this decade. But that, too, might be a rather conservative projection.
Companies like Amazon, SpaceX, OneWeb, Samsung, Telesat, and others are eyeing the opportunity to provide global internet coverage by sending legions of small satellites into orbit. The FCC has already granted SpaceX a license to put up as many as 12,000 satellites in orbit, dwarfing the number of night dwellers currently zipping around the planet.
Most new satellites will run on off-the-shelf hardware and software, breaking with the tradition to use custom-made equipment of the past. Legacy software still in use, coupled with mass-produced systems, can create an army of hackable devices orbiting the Earth. Together with the lack of regulatory oversight on satellite cybersecurity, that might spell disaster.
Hijacking the feed
Last summer's Defcon was looking skyward. The US Air Force and the Defense Digital Service organized an event called Hack-a-Sat where competitors were asked to break into an actual satellite. At the same event, hackers, who have already proved capable of intercepting data relayed by satellites, shared their experience.
One of them was James Pavur, an Oxford PhD focusing on satellite systems security. Earlier this year, his team used $300 worth of TV equipment and free software to intercept sensitive data sent via 18 satellites over an area covering a larger part of the Northern hemisphere. The information Pavur's team intercepted was no random chitchat, although there was plenty of that as well.
A few hundred bucks and a great deal of ingenuity allowed Pavur to identify information sent by nine members of the Fortune 500 list, data from passengers on 6 out of 10 largest airlines, sensitive data sent from ships belonging to the behemoths of the shipping industry, and comms from an actual military jet of a North African nation.
"When you're eavesdropping on satellite internet signals, you're effectively seeing what someone's internet service provider would see. You see not just one specific conversation but every website that a customer browses to, or every email that they receive for every account that they own," Pavur explained to CyberNews.
For example, a lawyer in Spain used unencrypted email to communicate with a client about an upcoming case, allowing Pavur's team to see received emails, details about the lawyer's PayPal account, and other data bad actors could easily exploit.
According to Pavur, even when traffic is encrypted with TLS certificates, the attacker can still access a list of websites the victim is visiting, making personal privacy much more challenging to maintain due to intercepted metadata. More alarmingly, the potential scope of damage to critical infrastructure is far greater.
"At the very least, we saw some sensitive information, for example, passwords for wind turbines. They are often sending clear text, especially for offshore wind facilities. And then a lot of router infrastructure that's used to maintain these remote electrical systems," said Pavur, adding that his team did not try to actually hack critical infrastructure due to safety concerns.
Others might not be so cautious, however. Pavur used another example of data misuse, namely large ships such as oil tankers. These types of vessels use satellite feeds to send information to their back offices. Crucially, many navigational documents are sent over satellites, open to those savvy enough to take them.
"Compromised navigational information could lead to all kinds of incidents," summarized Pavur.
Stealing a satellite
According to William Malik, the vice president of infrastructure systems at cybersecurity company Trend Micro, attacks similar to those Pavur described have already been carried out before. One attack, Malik claims, was carried out on a ship in the Black Sea, and another on a cargo ship in the Atlantic, leading it to 'travel astray.'
However, Malik cares for another type of satellite-security threat – cases where bad actors aim to intercept satellites, not the data they are relaying. A stolen satellite poses an almost incomprehensible number of dangers. Threats range from ransomware planted on a hostage satellite to downright apocalyptic scenarios of a dystopian future.
One example would be a bad actor taking control of a large satellite and sending it on a collision course to kickstart the Kessler syndrome. This scenario, named after NASA's scientist Donald J. Kessler, suggests that orbital collisions between objects would cause a cascade in which every crash increases the likelihood of more crashes.
Taken to the extreme, the Kessler syndrome would render low Earth orbit unusable for several generations. Successful attempts to take over satellites show that such an event is possible, although unlikely.
"In the late '90s, there was an instance where a military satellite belonging to the UK was repositioned. Apparently, it was being held hostage. The satellite returned to its regular course, the ransom was never paid, and there's no official word on what actually happened to the hijackers," Malik told CyberNews.
Around the same time, hackers took over the US-German ROSAT X-Ray satellite and ordered it to reposition its solar panels directly towards the sun, causing solar overheating. In the late '00s, the US Air Force accused Chinese hackers of affecting the Earth observation satellites Landsat 7 and Terra.
Several other known cases of satellite hacking were recorded in 2007, 2008, 2014, and 2017. There might have been more breaches, but as Malik puts it, governments are not too keen on sharing information about the instances where satellites were hacked or taken over.
Still, Malik expects the future of satellite hacking to be much more pragmatic. It is unlikely that a James Bond-type villain will aim to destroy every single satellite in orbit and rob future generations of space travel by making Kessler's nightmare come true. It's much more likely to be about something as mundane as ransomware.
"I'm sure that there will come a day when hackers in the conventional sense will go after satellites, but it will follow when satellites have the economic impact that would cause a satellite user to say, oh my God, we can't lose this, we have to pay the ransom," he said.
With a growing number of space-faring companies, there's more opportunity and capability to blackmail one of them into submission. A recent report by the Secure World Foundation (SWF), an organization focusing on safe uses of outer space, claims that "the attack surface for cyber-attacks [on satellites] is likely to increase."
Brian Weeden, director of program planning at SWF, explained to CyberNews that increasing satellite connectivity allows for more ways to attack them.
"If I have a GPS receiver that is built into my phone, anybody that can get into the phone can possibly disrupt that or do something to that GPS software. So that's an added vulnerability there. Back when it was a handheld Garmin device that didn't have any network connectivity, it was a lot harder to get into than a modern smartphone," he said.
Another challenge for satellite cybersecurity is more down to earth. Satellites are controlled via ground stations where computers in a small network run on much more recognizable operating systems such as Windows or Linux. Capable hackers are much more likely to target control stations since they are a lot easier to access.
"I think one of the key threats is that satellites are increasingly computers controlled by other computers," Weeden said.
Companies within the space industry are new to these sorts of cybersecurity threats. Decades earlier, satellites were much more customized, with project-specific software and hardware accessible mainly to its creators. The closed community of engineers and developers acted as an indirect safety measure comparable to the secretive cabals of engineers guarding the know-how of building tombs for ancient pharaohs.
"Early satellites were very much custom craft. There was nothing to them except their particular design and almost down to the level of the circuit itself was hand-built, engineered, and tested to the best they could within the confines of the organization that was developing the satellite," Malik explained.
That relative safety of the past is now gone. Orbital devices running on legacy software and hardware were not designed to withstand trials of 21st-century threat vectors.
Meanwhile, modern satellites are much more commoditized with standard functionality modes, control systems, and software options that are available from stock. This allows for cost reduction but opens the door for security breaches, since a backdoor in one piece of commonly used software can affect many satellites running it.
Eye-opening cases were observed as recently as 2019 when Armis researchers discovered 11 vulnerabilities in the Wind River VxWorks operating system used by two billion devices, including satellite modems, mission-critical systems such as SCADA, and even Mars rovers. The flaws meant an attacker could gain full control of the system remotely.
"My sense is space is lagging behind other industries in terms of recognizing the threat and actually making changes in the security design architecture. It's because we just haven't paid a lot of attention to it. So, if you think back to what the state of cybersecurity for automobiles was before they hacked the Jeep on 60 Minutes. I'd say not great," Weeden said.
Here to help
That's where attempts to intercept data, such as the one that Pavur's team carried out, come into play. Even though experts we talked to don't agree on whether satellite data interception should be categorized as a cyber threat, it's hard to disagree that low-cost experiments shed light on how vulnerable satellites are to hacking.
"Aerospace is a little bit more of an insular community and is not as accustomed to getting contacts. For example, it's very hard to find who's the right person to talk to you at a satellite company for vulnerability disclosure. And that difference, I think, is starting to change as events like Hack-a-Sat raised the attention of how security researchers can help improve these systems," Pavur said.
There's still a long way to go. While companies with a presence in orbit need to get more accustomed to penetration testing, governments need to provide clear cybersecurity guidelines that companies could adhere to. As of now, there aren't many.
As Weeden explained, one of the first attempts at regulating cybersecurity for satellites came only a few months prior from the outgoing Trump administration. However, at this stage, documents only highlighted a need to follow the industry's best practices and standards.
The lack of centralization is best illustrated by the fact that licensing for satellites in the U.S. is done by three different agencies. The FCC issues radio frequency licenses, NOAA issues commercial remote sensing licenses, and the FAA certifies commercial launch and re-entry.
"If you're a contractor building up a satellite for the military, there's going to be a lot of cybersecurity standards there because the military is aware of safety concerns. But the commercial systems are much less so," Weeden explained.
With the possibility that private companies will own most satellites, it seems irresponsible to not have standard cyber safety measures for the devices in orbit. Even though satellites are using new encryption techniques and incorporating spectrum technologies, there's no class on satellite safety, as Malik puts it.