It is a hallmark of the New Space Era that the number of satellites orbiting the Earth is on the rise. A great proportion of these is made up of LEO satellites, whose small size and cost make them accessible not only to nation states and large corporations but also to small institutions and businesses. Amazon, for instance, provides satellite communications on-demand, renting out ground stations as a service. Orbiting Now, a website gathering satellite information, counted 7,004 active LEO satellites in mid-May this year. Depending on their payload, these satellites can perform different missions, among which are earth observation, weather forecasting, navigation, communications as well as space science.
It was this sudden, wide accessibility of LEO satellites that sparked Ali Abbasi and Thorsten Holz’s research interest. “There is a paradigm shift happening. And whenever there’s a paradigm shift, there are security issues”, Abbasi says. The conviction, long-held by satellite engineers, that obscurity granted security is no longer valid, as he explains: “For a long time, the assumption was that satellites weren’t accessible and that, therefore, they were secure. But LEO satellites have lots of connectivity features”. The lack of official security standards for satellites is an additional worry, as Holz adduces: “You can only contact a satellite via a proprietary radio protocol. But the frequencies on which they are communicating are not regulated”.
Space Oddities: Examining Satellite Security
Satellites are controlled by, and communicate via, a communication mechanism called ‘bus’. It comprises the Communications Module (COM), which receives radio messages from the ground station, and the Command and Data Handling System (CDHS), which processes and executes any incoming commands. If the COM can be seen as the satellite’s ears, the CDHS functions as its brain: It carries a computer platform which operates on the basis of preinstalled, onboard software. Satellites are thus similar to other, more common computer systems and similarly vulnerable to software attacks. Hypothesizing that satellite systems would be less secure than modern Windows, Linux or MacOS systems, the researchers focused their efforts on the attack surfaces provided by satellite firmware.
As a starting point for their examination, they drew up a taxonomy of possible threats against satellite firmware, identifying three overarching attacker goals and sketching all possible attack paths that might be used for their realization. From an attacker’s point of view, the ultimate goal may be either to compromise the availability of the satellite, to gain access to satellite data or else to seize control of the entire satellite. This last attacker goal has at the same time the greatest potential for damage: If a satellite is seized and used to attack another, the debris resulting from the crash may cause a domino effect in which space becomes cluttered with loose satellite parts. Called the Kessler Syndrome, this effect is in Abbasi’s words largely “Hollywood stuff”.
“Once you have access, it’s just too bad”: Uncovering Firmware Vulnerabilities
Hollywood stuff or not, the research team lead by PhD student Johannes Willbold successfully triggered error conditions on the CDHS, seizing full control of two out of three real-life satellites in the applied part of their study. Their case studies were carried out on three real-life, in-orbit LEO satellites. After liaising with the institutional owners of these satellites over a protracted period of time, they acquired the firmware images of the satellites for the purposes of a security analysis.
The results yielded by these case studies underline the fact that research on satellite security has been a long time coming. The most important of their findings concerned the security of the COM. As the entry point for radio messages from the ground station, the COM should ideally function as a gatekeeper, keeping out suspicious commands. If it fails to fulfil this role, the CDHS can be assailed by unforeseen input. If this input then succeeds in triggering an error condition in the onboard software, it effectively interferes with the satellite’s brain.
Even though satellites are highly complex systems, the software vulnerabilities uncovered by the researchers are surprisingly standard. As Holz points out, “In the Linux or Windows world, we have studied software faults of this kind for many years. But in these embedded systems the defenses are 20 years behind of what we know from commodity systems.” As it is, the most effective defense mechanism actually lies outside the system, as Willbold highlights: “The barrier here is access. But once you have access, it’s just too bad.”
Responsible Disclosure: Promoting Satellite Security
The researchers reported all of the software issues they detected to the owners of the three satellites well before they published their study. This procedure, called responsible disclosure, is part and parcel of their professional code of conduct but it is also indispensable for the promotion of satellite security. Going forward, these systems can only be protected if researchers, operators and developers begin to cooperate, as Abbasi highlights: “Those who shared their satellite firmware with us are really brave. They really care about cybersecurity. In the short term, they have gained nothing. There may be a problem with their software, but all software has problems. But in the long term they helped protect space systems.”
