IT security Satellite security lags decades behind the state of the art

Researchers have tested the software of three satellites. And they found many standard security mechanisms missing.

Thousands of satellites are currently orbiting the Earth, and there will be many more in the future. Researchers from Ruhr University Bochum and the CISPA Helmholtz Center for Information Security in Saarbrücken have assessed the security of these systems from an IT perspective. They analysed three current low-earth orbit satellites and found that, from a technical point of view, hardly any modern security concepts were implemented. Various security mechanisms that are standard in modern mobile phones and laptops were not to be found: for example, there was no separation of code and data. Interviews with satellite developers also revealed that the industry relies primarily on security through obscurity.

The results were presented by a team headed by Johannes Willbold, a PhD student from Bochum, Dr. Ali Abbasi, a researcher from Saarbrücken, and Professor Thorsten Holz, formerly in Bochum, now in Saarbrücken, at the IEEE Symposium on Security and Privacy, which took place in San Francisco from 22 to 25 May 2023. The paper was awarded a Distinguished Paper Award at the conference.

Research satellites and commercial satellite put to the test

The examined satellites were two small models and one medium-sized model – research satellites as well as a satellite of a commercial company – which orbit the Earth at a short distance and are used to observe the Earth. Gaining access to satellites and their software was a challenge for the team, as commercial providers in particular rarely wish to reveal any details. The researchers eventually gained access through cooperation with the European Space Agency (ESA), various universities involved in the construction of satellites, and a commercial enterprise.

The team from Bochum and Saarbrücken conducted a thorough security analysis of the three models. They looked in detail at what the software running on the devices does and which communication protocols are used. They emulated the systems, i.e., rebuilt them virtually, so that they could test the software as if it were in a real satellite. “It was a very different world from the systems we usually study. For example, completely different communication protocols were used,” as Thorsten Holz outlines the process. 

Systems with specific requirements

Satellites orbiting the Earth can only be reached by their ground station on Earth within a time window of a few minutes. The systems must be robust against the radiation in space, and, since they can only consume a small amount of energy, they have a low power output. “The data rates are like those of modems in the 1990s,” as Holz elaborates the challenges satellite developers face.

Based on the findings gained from the software analysis, the researchers worked out various attack scenarios. They showed that they could cut off the satellites from ground control and seize control of the systems, for example in order to take pictures with the satellite camera. “We were surprised that the technical security level is so low,” points out Thorsten Holz, adding the following caveat with regard to potential ramifications: “It wouldn’t be all that easy to steer the satellite to another location, for example, to crash it or have it collide with other objects.”

Survey among developers

To find out how the people who develop and build satellites approach security, the research team compiled a questionnaire and submitted it to research institutions, the ESA, the German Aerospace Centre and various enterprises. Nineteen developers participated anonymously in the survey. “The results show us that the understanding of security in the industry is different than in many other areas, specifically that it’s security by obscurity,” concludes Johannes Willbold. Many of the respondents therefore assumed that satellites could not be attacked because there is no documentation of the systems, i.e., nothing is known about them. Only a few said that they encrypt data when communicating with satellites or use authentication in order to ensure that only the ground station is allowed to communicate with the satellite.

“However, a lack of documentation doesn’t necessarily protect against attacks,” points out Moritz Schloegel, co-author of the paper. “Today, systems can be figured out through reverse engineering and their vulnerabilities can be identified. One of the goals of our project was therefore to bring the satellite and security communities together to promote a mutual understanding of the challenges of space applications and of the security standards that are in use today.”

Funding

The research was funded by the European Research Council (grant 101045669), the Federal Ministry of Education and Research (project CPSec – 16KIS1564K) and the NRW Ministry of Culture and Science in the context of the SecHuman Research Training Group.

Original publication

Johannes Willbold, Moritz Schloegel, Manuel Vögele, Maximilian Gerhardt, Thorsten Holz, Ali Abbasi: Space odyssey: An experimental software security analysis of satellites, In IEEE Symposium on Security and Privacy Proceedings, 2023, DOI: 10.1109/SP46215.2023.00131, Download Preprint

Press contact

Johannes Willbold
System Security
Faculty of Computer Science
Ruhr University Bochum
Germany
Email: johannes.willbold@ruhr-uni-bochum.de

Prof. Dr. Thorsten Holz
Helmholtz-Zentrum für Informationssicherheit CISPA
Germany
Phone: +49 681 87083 2909
Email: holz@cispa.de

Download high-resolution images
Der Download der gewählten Bilder erfolgt als ZIP-Datei. Bildzeilen und Bildnachweise finden Sie nach dem Entpacken in der enthaltenen HTML-Datei.
Nutzungsbedingungen
Die Verwendung der Bilder ist unter Angabe des entsprechenden Copyrights für die Presse honorarfrei. Die Bilder dürfen ausschließlich für eine Berichterstattung mit Bezug zur Ruhr-Universität Bochum verwendet werden, die sich ausschließlich auf die Inhalte des Artikels bezieht, der den Link zum Bilderdownload enthält. Mit dem Download erhalten Sie ein einfaches Nutzungsrecht zur einmaligen Berichterstattung. Eine weitergehende Bearbeitung, die über das Anpassen an das jeweilige Layout hinausgeht, oder eine Speicherung der Bilder für weitere Zwecke, erfordert eine Erweiterung des Nutzungsrechts. Sollten Sie die Fotos daher auf andere Weise verwenden wollen, kontaktieren Sie bitte redaktion@ruhr-uni-bochum.de

Published

Tuesday
11 July 2023
9:54 am

By

Julia Weiler (jwe)

Translated by

Donata Zuber

Share