Turns Out Hacking LEO Satellites Is Trivial
Meet Ground Station As A Service
You might think that the satellites orbiting Earth are secured against unauthorized access, but sadly that seems not to be the case. The belief that satellites are secure rests mostly on two assumptions: that the hardware inside is a well-kept secret, and that communicating with a satellite is next to impossible without access to its ground station. Sadly, both assumptions are untrue.
The hardware inside commercial satellites is easy to purchase and tear apart, assuming you have the money. Once someone has that hardware in hand, they can take all the time they need to find vulnerabilities; after all, it’s non-trivial to replace hardware on a satellite in low Earth orbit. The researcher, who somewhat regrets doing this research, also determined that you could build your own functional ground station for around $10,000. That’s not cheap, but it is likely nowhere near the amount of money you might have assumed it would take.
You can also skip the ground hardware, as both AWS and Azure now offer Ground Station as a Service (GSaaS). Again, all it takes is a bit of money to gain the ability to communicate with orbiting satellites. As an example, the popular CubeSat has no authentication protocols and broadcasts unencrypted signals. More nightmare fuel can be found at The Register.
As an academic, Willbold took a more direct approach. He just asked satellite operators for the relevant details for his paper. Some of them agreed (although he did have to sign an NDA in one case) and the results somewhat mirrored the early computing days, when security was sidelined because of the lack of computing power and memory.
More Tech News From Around The Web
- An Apple Malware-Flagging Tool Is ‘Trivially’ Easy To Bypass @ Slashdot
- MaginotDNS attacks exploit weak checks for DNS cache poisoning @ Bleeping Computer
- Sites scramble to block ChatGPT web crawler after instructions emerge @ Ars Technica
- Judge denies HP’s plea to throw out all-in-one printer lockdown lawsuit @ The Register
- Microsoft finds vulnerabilities it says could be used to shut down power plants @ Ars Technica
“As an example, the popular CubeSat has no authentication protocols, and broadcast unencrypted signals”
A CubeSat is just a form factor. The one I helped launch at my university absolutely had encrypted command and control signals.
That does make me feel a bit better, at least some of them have been secured!