Could hackers turn satellites into weapons?
Satellites literally couldn't be further from view, but they are increasingly the bedrock of modern society. Whether it's beaming our TV signals or phone calls around the world or powering the Global Positioning System that tells us where we are and where we're going, they are absolutely crucial to modern life.
The sci-fi blockbuster Gravity highlighted the perilous environment this vital constellation of machines operates in, with tens of thousands of bits of space junk flying around low Earth orbit at speeds of 17,000 miles per hour, threatening to destroy anything they come into contact with.
With companies such as SpaceX promising to launch around 42,000 satellites into space over the next decade in a bid to provide global internet access, the environment is likely to become an increasingly busy one, especially with the likes of Amazon also pledging to put their own devices into orbit.
The promise of these networks is considerable, and they have the potential to truly transform a vast swathe of everyday tasks, but as with so many of the connected devices that we have grown to depend an increasing amount on, the threat of cyber attacks is a growing one.
Whether hackers do something as ‘relatively’ mundane as shutting a single device down, or use the satellite as a missile to take out a wider constellation (or even the International Space Station!), the security risks are enormous. Key infrastructure, including transportation systems and electricity grids could be crippled.
So how likely is a cyber attack on the satellite network? The very nature of the industry renders the risk a considerable one. Many of the satellites in orbit today use off-the-shelf tech to try and ensure costs are kept as low as possible. The consistent use of these components makes it much easier for hackers to investigate them for potential vulnerabilities.
The sector is also a heavy user of open-source technology, which opens the possibility of attackers inserting a backdoor into the very software used to control and operate the satellites. What’s more, the devices are typically manufactured using components from a wide range of suppliers, with even more companies involved in actually getting the devices into space, and yet more involved in operating them when they’re up there. Any network is only as secure as its most vulnerable component, so each company offers a potential way in for attackers.
Breaking into the CubeSats devices that are the workhorse of the global satellite network can often be performed by something as straightforward as delivering malicious commands via a ground antenna, but even more sophisticated satellites are far from impregnable.
Most are operated from a ground station, which contain a number of computers, all of which run software with a variety of vulnerabilities that can be exploited by a willing hacker. Once they gain control of these devices, the hacker can send malicious commands to the satellites under the command of the station.
Such events have happened in the past, most notably in 1998 when an American/German satellite was hacked after attackers infiltrated computers at the Goddard Space Flight Center. The hackers manipulated the solar panels so that they faced directly at the sun, thus destroying the batteries on the satellite and rendering it defunct.
Similarly, in 1999 Reuters reported that a ransomware attack was made on a British SkyNet satellite, after hackers had taken control of the device. The story was denied by the British military, but the incident nonetheless emphasizes the risks associated with securing such valuable hardware. Recently, such attacks have taken on a state-sponsored tone, with attackers linked to both Chinese and Iranian governments targeting satellite operators.
The matter is compounded by the lack of any real standards associated with cybersecurity of the satellite infrastructure. This typically results in responsibility being devolved to individual companies, who may not take a sufficiently coordinated approach to ensure the entire network remains safe.
As private sector firms, such as Virgin and SpaceX, enter the industry, the market forces to keep prices low have intensified as companies battle to make commercially viable propositions. As a non-core activity, it can be tempting to cut corners in areas such as cybersecurity, rendering networks more vulnerable than they should be.
The diverse supply chain of many satellite operations can also dissipate responsibility for cybersecurity, with no clear indication of who ultimately holds the can for ensuring systems remain secure.
As the sector matures, it’s likely that a greater degree of regulation will be required to ensure that satellite networks have systems in place to ensure cyber security, but it’s not immediately clear where such regulation will come from, nor who will govern it. As the number of devices operating in orbit grows, however, it’s a move that truly cannot come fast enough.