Just how vulnerable are the thousands of government-operated satellites speeding along their orbits above our heads? A team of researchers proved they could hack into a European Space Agency-owned satellite, allowing them to take full control of its communication, imaging—and even its maneuverability systems.
The intrusion was a controlled hack as part of ESA’s ongoing CYSAT conference. According to a Tuesday release, a cybersecurity team from the multinational tech company Thales took up ESA’s Hack CYSAT challenge and found a way to seize control of an OPS-SAT nanosatellite originally sent up into low Earth orbit back in 2019. The intrusion allowed the hackers access to the satellite’s global positioning system, attitude control system, and even its onboard camera.
ESA claimed it still maintained control of the satellite during the test and that the researchers didn’t force the satellite to do any crazy tricks as it circled the globe. However, the cybersecurity team said they accessed satellite controls through its onboard system and then used standard access rights to enter its control interface. The researchers then proved they could also introduce new, malicious code into the system.
The team presented their hack at the conference on Thursday where they said a hacker could potentially mask parts of the satellite’s imaging system, allowing them to conceal themselves from the orbiting eye in the sky. Of course, gaining control of a satellite’s attitude controls and GPS could allow for a wide range of mischief.
“The space industry needs to take cybersecurity into account at every stage in the satellite’s life cycle, from initial design to systems development and maintenance,” said Pierre-Yves Jolivet, Thales’ VP of cyber solutions.
Satellite hacks are a worst-case scenario for operators and it’s a growing concern for space-faring governments across the world. A leaked CIA report documented by the Financial Times shows that the U.S. believes China is developing ways to “seize control” of foreign satellites. The document was part of the recent Pentagon leak allegedly committed by a 21-year-old government IT worker, but it describes how China could mimic signals sent from the ground to orbiting satellites, allowing them to seize control of its systems. China has been linked to past hacks of U.S. observation satellites by attacking ground stations.
This is also not the first time laypeople proved they could hack the growing constellation of satellites circling in low Earth orbit by going through ground-based systems. Last year, a Belgian researcher proved he could hack a SpaceX Starlink terminal with his own custom modchip. This allowed him to input his own custom code into the network. Another academic team out of the University of Texas managed to take control of a Starlink signal without even needing to perform any real intrusion.
Commercial satellite systems have proved extremely vulnerable. Back in February of last year, during the start of the invasion of Ukraine, European internet users described massive service disruptions. In a report from Bloomberg last month, cybersecurity experts detailed how Russia managed to hack several mainstream satellite internet systems from companies like Viasat despite U.S. intelligence agencies warning companies about their cybersecurity vulnerabilities. As described by Bloomberg, that hack involved Russian operators breaking into the company’s computer systems to cut off connections. The hacks didn’t manage to access control of the satellites themselves.
At the start of 2022, a bipartisan group of senators introduced a bill that would offer more resources for hack-proofing U.S. satellites. That bill has yet to make it to the senate floor alongside a Congressional Budget Office report, saying the proposed satellite task force would cost close to $3 million annually.
Space Force—the armed services branch meant to defend the country’s interest in space—does work to protect satellites. Much of its work includes monitoring early warning radars for anti-satellite missile attacks as well as space junk that could do harm to orbiting objects. Space Force has worked alongside the Air Force Research Laboratory (itself a military body under the U.S. Air Force) on their own Hack-A-Sat challenges offering money to anybody who can spot satellite vulnerabilities. Last week, the military group announced it was creating a new contest for hackers to look for vulnerabilities in their Moonlighter test satellite while in low Earth orbit. Moonlighter is expected to go up in June and become operational in August.