Join us for a deep dive into the cutting-edge discussions on satellite security from HackspaceCon at Kennedy Space Center. Discover the unique challenges and cybersecurity implications as they explore the impact of technological constraints on satellite functionality and the emerging realm of space cybersecurity. Engage with the complex balance between cost, security, and functionality in the satellite industry—an ever-evolving battlefield in the skies above.
00:00 Introduction to the Episode: Insights from HackspaceCon
00:50 Key Takeaways from the Conference
02:03 Deep Dive into Satellite Security Challenges
14:40 The Potential and Perils of Satellite Ransomware
16:24 Exploring Cybersecurity in Space Technology
23:52 The Deterrents Against Satellite Hacking
28:10 Closing Thoughts and Conference Acknowledgments
Hack a Virtualized Satellite: https://byos.ethoslabs.space/
Cybersecurity for Space, an awesome overview of the space written for cyber professionals with no prior space experience: https://a.co/d/fc5ZKiC
Talks and Speakers are outlined here: https://www.hackspacecon.com/speakers24
Specific Speakers referenced in this episode:
- Tim Fowler
- Celi Johnson & Erin York
- Jacob Oakley
- Kaitlyn Handelman
Transcript:
offsetkeyz: Welcome back to the Daily Decrypt.
Last weekend, the two hosts of this podcast got to spend some time at HackspaceCon at Kennedy Space Center in Florida, and in this episode, we’re just going to be discussing some of the takeaways we got during this conference.
Dogespan and I recorded this from the kitchen of our Airbnb on the beach in Florida. And I mention that just so you’re warned that the audio might not be the same as it is when we record in the studio. Sometimes the mic is a little too far from my mouth, sometimes it’s too close to my mouth, and sometimes you’ll hear the echo off the tile walls in the kitchen.
And before we get in, I just wanted to read through the notes that I took for this episode with my key takeaways in a very cohesive way so that you can at least get that before we start rambling about it all. So just a high level. Satellites are just IoT in space. Just computers floating around in space that are really hard to talk to. Satellites operate in only a couple different elevations, like low earth orbit. And space junk is a real thing, so if a satellite gets damaged, space junk can damage other satellites. Space junk is also a huge deterrent for cyber attack and physical attack because countries don’t want blowing up satellites to destroy their own satellites. Another point is that the supply chain for satellites is very small. There’s only a few companies that make the components that go into satellites, thus creating a pretty narrow attack vector. Satellites are built to accomplish their mission and contain no additional resources. If a satellite is compromised by an attacker, which you’ll find out is pretty easy to do, attackers can make that satellite’s failure look like anything from radiation to a bit flip to collision to a failure, they can make it look like anything they want. And finally, one of the biggest problems is there’s no current incentive for reporting cyber incidents on satellites because there’s nothing really that can be done about them, and they’ll eventually deorbit. All right, let’s get into the episode.
dogespan: Satellites are computers in space. Never thought about it that way, to be completely honest. There’s definitely more complication to hacking a satellite than hacking a TV, but it is, it’s an IoT device. Because of the limitations of space, they are stripping everything down on that operating system.
And especially nowadays, and this was another thing that I didn’t know, but there were specific operating systems that were essentially designed for satellites and space and all of the things that go into it. But now, with modern advancements in technology, these satellites are able to run just little microcontrollers like your little hobby Raspberry Pi and Arduino boards. And you can put a regular operating system on there, but they’re completely stripped down for whatever purpose that they need, so everything that would be secure just by default on a Linux operating system is usually stripped out. Power and weight, those are really like,
offsetkeyz: Mm.
dogespan: main things that they were driving in constantly throughout every talk was how power and weight is going to be affected by implementing a satellite. Everything has a purpose, so what are you gonna sacrifice? Are
offsetkeyz: Mm-Hmm.
dogespan: gonna sacrifice satellite antenna functionality
offsetkeyz: Mm-Hmm. for
dogespan: security? No, you’re gonna sacrifice the security so that your satellite
offsetkeyz: it needs to do, and weight is a big thing because it has to get out into space. And one of the other perspectives we just heard for the first time was space rideshares. That term is a legit term. Ridesharing to space, where companies need to put satellites into space, thus they contract out to SpaceX.
And SpaceX has a little menu page with prices per kilogram, I might be misquoting, but just to give the listeners a relative gist of what they’re costing. It’s 300,000 per kilogram. And so if your computer weighs one extra kilogram, because it has to carry up some hardening features for the operating system or to prevent intercepting of whatever, that’s going to cost an extra 300K.
dogespan: need to get a satellite up for communication for GPS or anything else and
offsetkeyz: you
dogespan: going to cost you more money to send something up that’s a little bit more secure.
Which I guess is the inherent theme on cyber security in general is that security does come with a cost.
offsetkeyz: Mhm
what
dogespan: And luckily we’re getting to a better place in business operations where we’re understanding what that cost is and more willing to pay it, but when it comes to space, that’s still, it’s not a priority yet.
offsetkeyz: And all the points that we heard during this conference make sense, right? Satellites, by quote, law, have to deorbit within a certain amount of time, because otherwise they turn into space junk, they get outdated, they create a whole bunch of other risks, so I believe any law abiding country keeps their satellites to under 10 years life cycle, so between 5 and 10 years seems to be the average life cycle of a satellite, so you’re spending millions to put a satellite into orbit for about five years, if you’re lucky. So why would you spend an extra million to secure this thing that could potentially just burn up?
dogespan: I think it boils down to the use case and capabilities of the satellite. Like they all are sent up with a purpose. But as you know, with, as just any tech enthusiast, you typically look at a device that is a computer and you always think about what else it can do. So from an attacker’s perspective, you may get access to a satellite that is only supposed to take pictures of a certain area or something, but maybe there’s other functionality that you can take advantage of to use for whatever you want.
offsetkeyz: There was a quote that I really liked and I don’t specifically remember who said it, but I believe it was in a talk called Dude, I Broke the Satellite by Celi Johnson and Erin York, where they said, effective software gets the job done.
Secure software only gets the job done. It doesn’t do any other functionality than what is needed for the job. So if you think about effective software, it’s going to get that thing done. It’s going to take the pictures from the space of whatever it’s supposed to take pictures of really, really well. But what else can it do?
What else can that satellite out there do that is shooting XM radio to you while you cruise through the countrysides? Maybe it can intercept communications over China or Russia. Like maybe it can do a whole bunch of other stuff that would be very beneficial for an adversary. And also communicate XM, so that’s where one of the attack vectors is that is pretty prevalent on the surface of the planet as well but very prevalent up there.
dogespan: So one of the interesting points that was brought up in Extraterrestrial Security by, uh, Jacob Oakley, how attackers can use the satellites as a relay. That I found really, really interesting, where an attacker would go and take control of the satellite controller on the ground, so they don’t even have to go up to space, build any sort of radio communications to get out of Earth.
They go and attack that user, and then from there they’re able to redirect communications up to the satellite, and then bounce to another satellite. And if that satellite that they bounce to is controlled somewhere else, well now they’re able to relay that back to the ground, to a new, a whole new destination.
So that brings up another point that I found pretty interesting, which is that yes, these satellites move in what’s called constellations. There’s a bunch of them. They’re all owned by the same company and they communicate back and forth to each other to help maybe increase their processing power or accomplish their mission more effectively.
dogespan: but satellites
offsetkeyz: Cost a lot of money to get up there. And in order to recoup that money, they have to use every single minute of their time in space, because as I mentioned earlier, it is limited to make money. First of all, they don’t have the resources on board to accommodate security, but they also don’t have the time to push a patch because when a satellite is in a position to receive and send communications, that’s only maximum 40 to 50 percent of the time it’s in space. The owners of that satellite want to maximize the amount of bang they get for their buck. Right? So cybersecurity me comes in and says, Hey, we need to push a patch. A new vulnerability was, has been exploited amongst satellites similar to yours, and we need to push a patch. And it’s going to take down your mission capabilities for three orbits.
And they say, no, they just, they won’t do it because then you’re taking away from the mission. No,
dogespan: it may take a while to get that patch up there, and I don’t remember the exact figure, but I wanna say they were talking about somewhere around the range of like 30 kilobytes per second
offsetkeyz: Sounds right to me.
dogespan: Yeah. It was somewhere between 30 and 50, like we’re talking old school, dial up speed, and you think about what a patch would be to a microcontroller. It’s still gonna be small. But the amount of data that we work with on a regular basis is just so much larger, and these microcontrollers can still support a lot, like, you can have an entire terabyte in the size of a tiny microchip. And, yeah, what if this patch was a couple hundred megabytes and your satellite’s only in view to receive communication for a short period of time?
So, yeah. It is gonna be priority of the mission over patch.
offsetkeyz: When a satellite fails, a company has gone and spent a lot of money on the satellite and everyone from the stakeholders of the satellite mission to NASA scientists want to know what happened, what caused that satellite to fail so that they can improve future satellites, right? And reduce failures in the future. So when a satellite fails, they bring in the company. Top professionals, top physicists, professors at Harvard professor to MIT, NASA scientists who work on Apollo 14, uh, whoever to tear apart the data that they got the last transmissions and figure out why it failed and figure out how to prevent it in the future.
Right. But one of the points that was made is that they never bring in a cybersecurity professional, because what’s interesting about how satellites operate is if you, if you get root on a satellite, if you get full permissions over satellite, you can control everything from the log outputs to the movements of the satellite to everything.
So an attacker can make that failure look like it was caused by radiation or caused by a component failure or whatever they choose. And so honestly, having a cybersecurity professional checking the transmission logs leading up to it, maybe the month before or something like that, could help identify an attack and could help. Yeah,
dogespan: future satellite missions. Yeah, the, um, aerospace engineers, the geniuses that they are, they know and understand the way that these things are supposed to operate.
All of the physics and everything that goes with orbits and gravity, like all of that stuff. A crazy amount of stuff that they have to know and understand. And they’re able to get to the root cause of this, but they are not trained to look at it forensically. They are not inherently going to think of the possibility of an attack. And that’s where I think it wouldn’t be beneficial to have the cyber security professional, because they are, they’re going to look at some of the things that aren’t typical. And that is one of the things that was brought up, is that engineers across the board, and I’m even calling out cyber security engineers, but software developers, aerospace engineers, like we are all inherently lazy, and if we see that something works, we will continue to follow that trend.
And utilize things.
offsetkeyz: if
dogespan: previously, we’ll keep going down that hole. But it always helps to have looking in and
things.
offsetkeyz: helps to have outsiders looking in and inspecting things.
dogespan: Attackers, pen testers, blue teamers. Um,
offsetkeyz: that this is an untapped field and moved into
it. So one of the last talks we went to today
dogespan: T, cybersecurity by Jacob Oakley.
offsetkeyz: is a
dogespan: T,
offsetkeyz: cybersecurity, teaches at Embry Riddle University and was a former pen tester, was a former red teamer
who
got into space and he was telling us about how his first briefing with the engineers and the software engineers who were working on these satellites,
dogespan: satellites,
offsetkeyz: mentioned what happens if there’s an attack and they, this was in 2019, 2020, very recently, they, with full confidence, mentioned that, hey, it doesn’t matter. They have backups. It doesn’t matter. They have scripts that run to reboot the machine and start the mission over. They have all of these things, all of these fail safes. So it doesn’t matter if they get attacked, they have these fail safes. He might not have had the greatest retort in his first little briefing, but those are all absolutely destroyable by an attacker.
If someone has root, they can make that script do something very malicious on a recurring basis, they can erase the backups, and these engineers had thought about the possibility of attack and place these measures to help recover from that attack.
It’s not a forethought. It’s a, it’s just, they weren’t thinking with a cybersecurity mindset.
dogespan: What would ransomware look like on a satellite nowadays? Do we just wipe it?
offsetkeyz: Dude. I mean, I had never thought about ransomware on a satellite,
dogespan: but oh man, I hope no ransomware people listen to this cause it’s such an easy target for ransomware.
offsetkeyz: Um, now that I’m thinking
about it.
dogespan: touch an easy target for
offsetkeyz: was James that is probably one And
dogespan: It’s not like one of these other satellites that we’re talking about that, you know, only have a three to five year lifespan and that’s kind of hoping for the best. Like James Webb, I think, is something that they’re, they’re hoping to get a lot of use out of, and locking that down, like, how do you recover from it? And yeah, what do you do?
I know one of the things that was mentioned, I forget if it was like on a positive note or something, but it, you know, shooting down satellites. Mm hmm. Well,
offsetkeyz: Oh, before we get into shooting down satellites, that’s a whole another topic,
I just am so stuck on how perfect of a target satellites are for ransomware. It’s just hitting me now.
I’m so sad that I didn’t have a chance to talk to people about it because these companies, first of all, spend millions of dollars to get this thing to space. They only have a limited amount of time to use it. They care a lot about it and they have a lot of money to make sure it continues to work. They don’t secure it.
So it’s very easy to hijack and the people who own it have a lot of money. That’s like just like the two components of ransomware success.
And now I’m scared so we can move on now.
dogespan: on now. Oh, I this is all kind of centered around the satellites and objects that are
offsetkeyz: orbiting
dogespan: Earth, but we are doing a lot more advanced stuff with space technology, you know, we’ve had satellites that kind of deployed to asteroids to collect samples. I think one of the other tests that we’ve had was a shooting of rocket at an asteroid to see if it could be redirected. So, what does the cyber security look like on something like that? Because it does, just requires long range communication. So you have two points of vulnerability, or two vectors of attack.
You can either go directly towards the satellite, or rocket, or whatever it is, or you can go at the ground station and take control of it there. So, we have ransomware, but also, what if something is providing an important service, and it’s hijacked in transit and redirected somewhere else?
You know, we have, we have the ISS up there and we’re shooting rockets into space.
offsetkeyz: ISS up there
dogespan: Sorry, if I’m going down a doomsday
offsetkeyz: space. Sorry if
you see the rabbit hole there?
dogespan: cyber
offsetkeyz: is kind of doomsday y, and it’s a ticking time bomb from what we gathered. It’s an unexplored cybersecurity vector. Which makes it fun for cybersecurity professionals. If you think about 20 to 30 years ago, what cybersecurity looked like, it was pretty much what we have in the sky at this moment, we have Linux boxes, we have all these unpatched vulnerabilities and it’s great to pen test them and it’s great to defend them because you get a lot of easy wins.
So in that realm, it’s great for us, but technology on earth has far surpassed the technology in the sky. And all satellites are, as we mentioned at the beginning, is IoT in the sky. So dogespan had mentioned at the beginning that there’s a little bit more to it than that, pretty much as far as I’m concerned, a little bit more to it than that is the fact that you can only communicate with them on a very low bandwidth.
And on an inconsistent, well, I guess it is a pretty consistent schedule, but not all the time. If these satellites were sitting in your living room, you would be in, you would have root in
dogespan: a
offsetkeyz: a minute, two minutes for most of them,
dogespan: And so,
offsetkeyz: right?
whoever can solve the problem of communicating with them better, wins all the satellites.
dogespan: with communication and then also the resource constraints I think can help, but it is an interesting area of cyber security, and I think it’s going to open up a lot of opportunities, especially with more private companies getting involved in it.
We have a number of companies that are, well, like we mentioned, this rideshare, but they’re also putting their own service, their satellites and things into space, so that’s going to help, I think, ultimately, instead of it just being only the government that’s getting involved in space. More people getting out there is, it’s going to open the door for more opportunity for cyber security professionals to pivot, and more people just being aware of how it operates and how it works.
offsetkeyz: And just like anything in tech, the more you do something, the lower it starts to cost, the more success you have, you’re driving that cost down. And if you can drive that cost down, maybe you can get the bottom line to include some budget for cybersecurity, but it’s sort of a teeter tottering effect because the more satellites we put into space, the more junk there is, the more vulnerabilities there are. But at the same time, the more we do, the more successes we have, the more likely it is, it’s going to become a blooming field of cybersecurity.
offsetkeyz: So we’re coming up on the end of our time here, but just wanted to quickly touch on why does it matter if satellites are hacked? And that is something that is only recently being discussed. At least leaning towards defend them. Like it’s probably been discussed amongst engineers and software developers who work on satellites, but they came up with, it doesn’t matter.
So why does it matter? I
dogespan: One of the things that was mentioned, I wish I could quote the talk, there’s probably Jacob Oakley if I’m being honest, is that some of these satellites can be controlled by multiple ground stations. So if you were to control of a satellite and relay to another one, you could have access to a whole nother ground control system.
Um, and that might be another nation state or another company or something, and now you kind of have a foothold in their environment.
offsetkeyz: You
dogespan: have to be really, really careful because you only have
offsetkeyz: have
dogespan: short periods of time to deliver these payloads and balance communication, and you have to stay rather stealthy, but
offsetkeyz: it’s
dogespan: it’s kind of a big thing because, yeah, you can create this backdoor into a completely different environment that you, that CISA may be secured rather well and you could cause a lot more harm.
offsetkeyz: can cause a lot more harm.
dogespan: can see a lot
offsetkeyz: satellites can see a lot of the planet. And I mean, they can see all of it at the end of their orbit, but
dogespan: is
offsetkeyz: This is why you bring a friend to a cybersecurity conference, because I completely missed that. And I’m sure there’s things that Doge completely missed as well.
dogespan: Oh yeah.
offsetkeyz: But yeah, they work so hard to secure the ground stations that communicate with the satellites and work zero hard to secure the satellites.
And it’s two way communication. So, compromise a satellite, compromise the ground station.
dogespan: Yeah, you can easily
offsetkeyz: transmit a
The
dogespan: you can weaponize images, you can There are lots
the opportunities
are there.
offsetkeyz: to hack satellites. Before I say anything else, don’t do it. There’s a lot of eyes watching those who hack satellites because it is a critical infrastructure. It was beat into us. Don’t denial of service a satellite. You’ll go to jail, like literally go to jail.
That was a fun revelation. You can, you can listen to anything coming down from a satellite.
dogespan: Don’t send it back.
offsetkeyz: Don’t send stuff back. Don’t try to send commands. There are some pretty cool labs that you can do if you want to mess with satellites using virtualization, which we all love. So we’ll shout out Tim Fowler for those. He gave two talks, one on Friday, one on Saturday, about building a CubeSat lab. And if you would like to mess around with a virtualized satellite,
you can go to byos.ethoslabs.
dogespan: bring your space
offsetkeyz: and BYOS stands for bring your own satellite.
dogespan: around
offsetkeyz: for that great talk.
And I’m excited to go play around with it in my own home lab. But if you have that itch to DDoS a fricking satellite, do it in your home lab, don’t do it in real life, you will go to jail, straight to jail.
So we’ve covered the opportunities that there are to hack satellites. And there are plenty more that we haven’t discussed. Satellites are extremely hackable and barely secured. What’s keeping people from hacking these satellites?
dogespan: Our entire knowledge base is based off of five to six hours worth of lectures at this point.
offsetkeyz: From what I gathered, there are no real deterrents other than hypothetical legal actions for hacking a satellite. Nation states don’t care about the United States regulations. So why aren’t they hacking satellites left and right? Well, first of all, everyone relies on the infrastructure that satellites provide. GPS, time, maps, weather, all of these things are relied upon across the world.
So that’s, that’s step one. Step two is, if someone starts doing it to us, we’re gonna start doing it to them.
dogespan: to
offsetkeyz: which is what keeps us out of nuclear war, so why not keep us out of space cyber war? And if we started shooting satellites down, which is a real thing and has happened and, uh, is bad because all satellites operate in one of three orbits, like low earth orbit, high earth orbit, deep space orbit, but they’re all pretty much in the same place because that’s how orbit works. You have to kind of stay the same elevation to use the earth’s gravitational pull to whiplash you around.
And if you blow up one, all it takes is a particle of sand to damage a satellite. And if you blow up a satellite, I believe one of the case studies from India was like 68,000 pieces of shrapnel traveling at 22,000 miles per hour in the orbital field of all other satellites, including the satellites of the company that blew up the one satellite.
So if Russia started going crazy and blowing up United States satellites, it would, the shrapnel from those satellites would likely take out Russia’s satellites. So it’s not a perfect system, but it is a pretty good deterrent. There’s currently no solution, or at least viable solution for space junk, which is a technical term, but as soon as anyone figures it out, they win space, they can start blowing up satellites and collecting the space junk and own, they own space, right?
So currently, the lack of ability to clean up space junk is what’s keeping people from blowing up satellites. It’s like a mutual respect, everybody’s kind of in agreement that
dogespan: that we rely on the technology that’s up there, we understand the repercussions of destroying the rest of them, so it is, yeah, if we can figure out how to clean it up, then I think you’re right. It wouldn’t really prevent much besides some of that critical infrastructure, but there’s always ways around that.
offsetkeyz: If we can own space, we can drop a billion dollars into creating our own critical infrastructure and rule the world. We can destroy the current one that’s up there. If, if it meant owning space, I don’t think there would be an expense spared. What’s interesting is all the solutions that I can come up with, which are not many, involve earth’s atmosphere. And we, we think of things like air and gravity and all these things as constants that don’t exist out in space. Like what, why don’t we have weaponized satellites that just kind of push satellites out of orbit towards earth that burn up? There’s no space junk from satellites that burn up in the atmosphere. Why don’t we do that? Because there’s no way to send like a pulse. There’s no way to send a burst of air to push this satellite. It’s very hard to even propel yourself through space because the most common ways of propulsion include oxygen, fans, combustion.
dogespan: There’s
offsetkeyz: lot of things that stand in the way that I don’t understand. Right.
dogespan: pushed by some form of propulsion for redirecting all of the satellite debris into orbit. Much like the snow gets redirected to the end of your driveway and then you’re stuck with a giant pile at the end of your driveway that you can’t get out.
offsetkeyz: We are stuck with a pile, and we can’t get out, but we have no plow.
Huge shoutout to the coordinators of HackspaceCon and
dogespan: Everybody that came out, all the supporters, attendees the brave souls that got up in front and talked about what they know
offsetkeyz: out the industry. Especially
dogespan: it helps out the industry. Especially with space, they had mentioned that Hackspace happened last year and there was one or two talks.
offsetkeyz: What? It
dogespan: It was a very small number.
offsetkeyz: number.
dogespan: And this year it was all day long.
And so that’s, that means that there’s more people involved with it or heading that direction and willing to learn more about it. And I’m going to be honest, I’m one of those. I’m, was very interested to learn more about what can be done and what opportunities are there.
So really huge shoutout to everybody involved with the conference this weekend.
offsetkeyz: Thanks for sharing your knowledge, thanks for pivoting over to this field and trying to keep our critical infrastructure at least a little bit safe. If you did happen to pick up one of the stickers that I littered the conference with, thank you for picking that up and we’d love to hear from you. Reach out. We’d love to have you on the podcast. Y’all are very smart and any words you’d be willing to share with us would be greatly appreciated.
If you’re just a cybersecurity professional out there with no knowledge of space or the attack vectors that are involved in hacking satellites, highly encourage you to check out next year’s conference. It’s going to be good.
Check out our other episodes: https://thedailydecrypt.com/podcast/