The most recent DEF CON featured a demonstration of satellite hacking. In the Hack-a-Sat contest, which was organized by the US Air Force, teams of hackers were able to penetrate a cubesat called Moonlighter and bypass the satellite’s restrictions on the ground targets it can observe. The success of the hackers prompted the Office of the Director of National Intelligence, the FBI, the National Counterintelligence and Security Center, and the Air Force Office of Special Investigations to issue a warning about cyber risks facing satellites in orbit.
The excitement over the Hack-a-Sat contest puzzled me. More than a few space experts will tell you that space assets are vulnerable to cyberattack. Many satellites run on obsolete, unpatched technology. Why is it such a big deal for a team of hackers to take over a satellite? Isn’t that easy?
Even as I asked myself that question, I realized I wasn’t seeing the full picture. If hacking satellites is easy, and hackers can disrupt multi-million-dollar businesses by taking them over—and demanding ransoms to set them free—why is satellite hacking not an everyday occurrence? Satellite hacking is rare. Why?
The short answer is that hacking satellites is a lot harder than it looks. For more insight, I turned to Aaron Moore, CTO of QuSecure, the quantum security company. Moore has spent his career in space technology and space cybersecurity, with stints at Raytheon, Northrop Grumman, the NRO, and DARPA.
I asked Moore my basic question: Why haven’t more satellites been hacked if they are supposedly so vulnerable?
I asked Moore my basic question: Why haven’t more satellites been hacked if they are supposedly so vulnerable? For instance, if there are thousands of satellites in orbit, many with unencrypted data and obsolete software, why aren’t hundreds of them getting taken down by ransomware? It would seem that there’s a lot of money to be made in that kind of attack.
Moore replied that a ransomware attack on a satellite would be a very difficult thing to pull off. “For a number of reasons, it’s not really an ideal target for ransomware,” he said. “There’s not a lot of persistent data that remains on a vehicle itself, so there isn’t much to hold hostage.”
Instead, Moore suggested, a hacker might do better trying to get into a satellite’s command control (C2) system. “They could lock it up, making the satellite useless,” he said. “But, there are a lot of barriers to that, too. The waveforms and protocols that are being used to communicate to the vehicle itself and its payloads are usually segmented from the C2 system on the platform. In fact, a lot of satellites have two separate C2 systems: one for the satellite and one for the payload. It makes hacking a lot more complicated to pull off.”
He went on, saying, “You’ve got an executive on the platform, which you can think of as an operating system. They used to be much less robust. They were really only for the functions necessary to communicate directly to the hardware or the satellite platform. Your ability to have functions in an operating system was very limited. It was therefore quite a small attack surface. The instruction sets themselves are custom in a lot of cases, especially for sensitive satellites.”
This customization of instruction sets makes satellites hard to hack with “off the shelf” hacker tools, which are designed for mass market operating systems and applications.
This customization of instruction sets makes satellites hard to hack with “off the shelf” hacker tools, which are designed for mass market operating systems and applications. For instance, hackers have developed many tools to take over Linux and Windows servers, but these tools are not readily adaptable to custom instruction sets on satellites. Most satellites are not running Windows or Linux. Rather, they run real time operating systems (RTOS’s). A hacker would have to create specialized tools for an attack, a difficulty that deters a lot of malicious actors from trying to hack satellites.
Regarding data on satellites, Moore said, “The problem with the older satellites, of course, is that they used older modes of encryption. So yes, it’s very feasible to get into that. But then you’re talking about sophisticated hacking that would require breaking encryption. Now, some satellites don’t have any encryption, and that’s a problem obviously. But then the data on them is perishable. It’s in formats that usually don’t allow easily to them to be easily interpreted.”
As satellites modernize, they are starting to carry more standard IT assets like X86 servers and commercial database software, which are vulnerable to standard hacking techniques.
At the same time, Moore warned, as satellites modernize, they are starting to carry more standard IT assets like X86 servers and commercial database software, which are vulnerable to standard hacking techniques. Not that it would be easy, exactly, as he explained. An attacker still has to establish communication with a satellite, which might require hacking a ground station that is, itself, “air-gapped” from publicly accessible networks. “Anything can be hacked,” he said, “but each countermeasure adds to an overall defense that’s hard to penetrate.”
The use of data diodes is a further obstacle to satellite hacking. A data diode is a hardware appliance with a data transmitter on one end and receiver on the other. As Moore explained, with a data diode, data does not flow in two directions. It flows in one, “so you can push data from a secure environment down to a low-security environment or up to a highly secure environment, but there’s no communications between the two,” Moore pointed out. “That means it’s impossible for a ransomware attack to succeed because a malware agent cannot establish bidirectional communications. This is one of the biggest advantages within the satellite architecture.”
Does Moore worry about any aspect of satellite cybersecurity? Yes, he is concerned about a supply chain attack. Though, as he admits, the bar is quite high for such an attack, if malicious actors can implant malware into a satellite’s code at the development stage, a lot of bad outcomes are possible.
If malicious actors can implant malware into a satellite’s code at the development stage, a lot of bad outcomes are possible.
He is also concerned about physical (kinetic) attacks on satellites as well as denial of service (DoS) attacks. In his view, that’s basically electronic warfare, e.g., jamming. “If you look at a satellite signal coming down,” he said, “in terms of power, which is regulated in at least in our government, you don’t get a lot of power hitting the ground. It doesn’t take a lot to jam that signal.”
I then asked Moore what he would do if I were a “moustache twirling villain” who wanted to hire him to hack a satellite. Who would he hire to do the deed?
He replied, “I would get people who have built satellite payloads before, people who understand normal satellite office communications and satellite bus communications. I’d get people who were very familiar with vulnerabilities with runtime RTOS’s, as well as folks who were very savvy with electronic warfare as delivery mechanisms.”
The question, then, is whether people with such skills might be tempted to go to work for the bad guys…