Securing satellites: The new space race

A decade ago, it would have cost you a billion dollars to deploy a satellite into space. Fast forward ten years and you can now have your own personal satellite floating in orbit for around $50,000. 3D printed Rocket Labs, SpaceX and others have revolutionized and industrialized the Space Race.

This new era in satellite accessibility and innovation is due in no small part to the emergence of CubeSat, a class of nanosatellites that are in the shape of a four-inch cube weighing less than three pounds. CubeSat’s low-cost barrier to entry has opened the floodgates for new satellite expeditions. Space was once exclusive to military, governmental agencies and telecommunications giants, but no longer.

To date more than 1000 CubeSats have been successfully deployed in orbit by universities, private companies and others for a variety of tasks including Earth observation, weather monitoring, radio transponder communications, biological experiments, and interplanetary missions, among others.

But for all the benefits of CubeSat and the various successes of the individual satellite missions, there are also reasons for concern.

Satellites are vulnerable

Satellites are basically very expensive IoT devices. Unfortunately, like IoT devices here on the ground, they suffer from a lack of security and are vulnerable to being hacked and compromised. Typically, satellite engineers aren’t thinking about security, resulting in glaring vulnerabilities. There are no mandated security standards that must be met before a satellite is launched.

Many satellites run on Linux and communicate over commonly hacked channels including VHF, UHF and S Band. Some satellite communication transmissions are not encrypted. This lack of security is leaving the door wide open for a potential satellite attack. We’re developing this perfect storm of IoT devices in space with little thought to security and potentially disastrous consequences. White hat hackers have even been given permission to reboot satellites from the 1960s using modern software-defined radio technology.

Satellites under attack

A satellite being targeted for nefarious means is not a new concept. There are several documented cases of military and scientific satellites being attacked and held for ransom. NASA satellites have been popular targets and concerns have arisen about the vulnerability of the Hubble Telescope and how it could be destroyed if it were hijacked and pointed towards the sun.

Russian hackers previously hijacked commercial satellites to hide command-and-control operations and steal data from thousands of hacked computers. Now, with more satellites than ever in space, there are more hacking opportunities for cybercriminals.

Hacks in space: The sky’s the limit

Just as the cost of sending a satellite into space has plummeted, so too has the cost of conducting hacking operations. For a few hundred dollars, hackers can set up a sophisticated high-powered antenna to target satellites from a ground station. Conduct a simple Google search and you can actually find a list of equipment and step-by-step instructions on how to interrupt satellite communications. It is just that easy.

For hackers with deeper pockets, they could realistically launch their own CubeSat into orbit and then conduct hacking operations from there. The benefits are primarily related to proximity to other satellites and not having to wait for a satellite to pass over the ground station to perpetrate an attack. Whatever the method, compromising a satellite is now a realistic and attainable opportunity for hackers.

Skyrocketing ransomware

A thousand new satellites in orbit have increased the attack surface area of space-borne assets, putting new and existing satellites, along with other space-based objects, at risk of a cyber attack. While there are several scenarios that could potentially unfold, the most likely one to occur, should a hacker gain control of a satellite, is that it would be held for ransom. With limited actions they could take to combat the attack, satellite owners are likely to pay the ransom. The downside is just too great. Not just to the individual satellite being targeted, but to surrounding satellites as well.

If one of these CubeSats is attacked and potentially knocked out of orbit, it could potentially start a chain reaction, damaging other CubeSats and more costly and important satellites. What happens if someone hijacks a satellite and threatens to crash it into say… a space station unless a ransom is paid? Given what we see today on the Internet with high-value targets being held for ransom, we are likely to see that trend become more mainstream in space.

Troubleshooting satellites: Easier said than done

Once a satellite has been deployed, it is difficult to remediate any discovered vulnerabilities. The really old satellites can’t be patched. The newer satellites running Linux can be, but do you really want to patch it? There’s always risk in patching, as fixing one thing could lead to other problems. What happens if the patch breaks something else and all of a sudden your satellite doesn’t work? It’s an expensive risk to take, whether it’s a $50,000 CubeSat or a billion-dollar military, science, or telecommunications satellite.

Securing satellites

So how do we better secure our satellites? That question is currently up for debate. It obviously begins when the satellite is being built. Security can no longer be an afterthought. Like the ongoing discussions surrounding traditional IoT devices, some sort of standard or guidelines need to be established to ensure better satellite safety.

Modernizing communication between the ground and satellites must be addressed. The use of encryption is gaining traction and some have even called for a “No Encryption, No Fly” rule to be adopted. Perhaps a security audit by a third-party should be required before a satellite is launched to ensure they aren’t held for ransom or put other satellites at risk.

One thing is for certain: the escalating risks surrounding satellite vulnerabilities are simply too great to ignore any longer. As more and more satellites, both large and small, make their way into space, the likelihood of a significant satellite attack increases.