Monday, 27 February

  • 13:30 - 13:35
    Session 1: Welcome
    Cockatoo Room
  • 13:35 - 14:20
    Keynote by James Pavur
    Cockatoo Room
  • 14:20 - 15:00
    Session 2 (Threat Modelling)
    Cockatoo Room
    • Andrei Costin, Hannu Turtiainen, Syed Khandkher and Timo Hämäläinen (Faculty of Information Technology, University of Jyväskylä, Finland) Presenter: Andrei Costin

      COSPAS-SARSAT is an International programme for “Search and Rescue” (SAR) missions based on the “Satellite Aided Tracking” system (SARSAT). It is designed to provide accurate, timely, and reliable distress alert and location data to help SAR authorities of participating countries to assist persons and vessels in distress. Two types of satellite constellations serve COSPAS-SARSAT, low earth orbit search and rescue (LEOSAR) and geostationary orbiting search and rescue (GEOSAR). Despite its nearly-global deployment and critical importance, unfortunately enough, we found that COSPAS-SARSAT protocols and standard 406 MHz transmissions lack essential means of cybersecurity.

      In this paper, we investigate the cybersecurity aspects of COSPAS-SARSAT space-/satellite-based systems. In particular, we practically and successfully implement and demonstrate the first (to our knowledge) attacks on COSPAS-SARSAT 406 MHz protocols, namely replay, spoofing, and protocol fuzzing on EPIRB protocols. We also identify a set of core research challenges preventing more effective cybersecurity research in the field and outline the main cybersecurity weaknesses and possible mitigations to increase the system’s cybersecurity level.

    • Benjamin Cyr and Yan Long (University of Michigan), Takeshi Sugawara (The University of Electro-Communications), Kevin Fu (Northeastern University)

      The private sector and even hobbyists are increasingly launching smaller satellites into Low Earth Orbit (LEO). Commercial off-the-shelf (COTS) components, including semiconductors for inertial measurement and other sensing, significantly reduce deployment costs. Such improvements, however, also increase the risk of satellite sensor spoofing attacks, including analog signal injection. Sensor spoofing attacks could compromise the integrity of satellites' onboard sensors, leading to mission-catastrophic kinetic actions. Based on conventional laser jamming and damaging attacks as well as the recent research discoveries on sensor spoofing attacks against terrestrial systems, this position paper (1) shares our views on open technical problems for protecting space systems from analog sensor integrity vulnerabilities, and (2) discusses future challenges of building experimental methodologies, simulations, and evaluation test beds.

  • 15:00 - 15:30
    Coffee Break
  • 15:30 - 16:50
    Session 3 (Link Segment Security)
    Cockatoo Room
    • Frederick Rawlins, Richard Baker and Ivan Martinovic (University of Oxford) Presenter: Frederick Rawlins

      Satellites in Geostationary Orbit (GEO) provide a number of commercial, government, and military services around the world, offering everything from surveillance and monitoring to video calls and internet access. However a dramatic lowering of the cost-per-kilogram to space has led to a recent explosion in real and planned constellations in Low Earth Orbit (LEO) of smaller satellites.

      These constellations are managed remotely and it is important to consider a scenario in which an attacker gains control over the constituent satellites. In this paper we aim to understand what damage this attacker could cause, using the satellites to generate interference.

      To ground our analysis, we simulate a number of existing and planned LEO constellations against an example GEO constellation, and evaluate the relative effectiveness of each. Our model shows that with conservative power estimates, both current and planned constellations could disrupt GEO satellite services at every groundstation considered, albeit with effectiveness varying considerably between locations.

      We analyse different patterns of interference, how they reflect the structures of the constellations creating them, and how effective they might be against a number of legitimate services. We find that real-time usage (e.g. calls, streaming) would be most affected, with 3 constellation designs able to generate thousands of outages of 30 seconds or longer over the course of the day across all groundstations.

    • Minghao Lin (University of Colorado Boulder), Minghao Cheng (Independent Researcher), Dongsheng Luo (Florida International University), Yueqi Chen (University of Colorado Boulder) Presenter: Minghao Lin

      Since satellite systems are playing an increasingly important role in our civilization, their security and privacy weaknesses are of more and more concern. For example, prior work demonstrates that the communication channel between maritime VSAT and ground segment can be eavesdropped on using consumer-grade equipment. The stream decoder GSExtract developed in this prior work performs well for most packets but shows incapacity for corrupted streams. We discovered that such stream corruption commonly exists in not only Europe and North Atlantic areas but also Asian areas. In our experiment, using GSExtract, we are only able to decode 2.1% of the satellite streams we eavesdropped on in Asia.

      Therefore, in this work, we propose to use a contrastive learning technique with data augmentation to decode and recover such highly corrupted streams. Rather than rely on critical information in corrupted streams to search for headers and perform decoding, contrastive learning directly learns the features of packet headers at different protocol layers and identifies them in a stream sequence. By filtering them out, we can extract the innermost data payload for further analysis. Our evaluation shows that this new approach can successfully recover 71-99% of eavesdropped data hundreds of times faster than GSExtract. Besides, the effectiveness of our approach is not largely damaged when stream corruption becomes more severe.

    • Edd Salkield, Sebastian Köhler, Simon Birnbach, Richard Baker (University of Oxford), Martin Strohmeier (armasuisse S+T), Ivan Martinovic (University of Oxford) Presenter: Edd Salkield

      Data from Earth Observation satellites has become crucial in private enterprises, research applications, and in coordinating national responses to events such as forest fires. These purposes are supported by data derived from a variety of satellites, some of which do not secure the wireless downlink channel effectively. This opens the door for modern adversaries to conduct spoofing attacks by overshadowing the signal with commercially available radio equipment.

      In this paper, we assess the vulnerability of current Earth Observation systems to spoofing attacks conducted at the physical layer. The effect of these attacks is amplified since the data is received at dedicated ground stations and distributed to hundreds of downstream systems, which are themselves not designed with security in mind. Specifically, we take NASA’s live forest fire detection system as a case study, and demonstrate that the attacker can achieve arbitrary manipulation of fires in the derived dataset to trigger false emergency responses or mislead crisis analysis. We also assess the attack surface presented by ground station software which implicitly trusts data from the RF port. Against the NASA system we uncover several new vulnerabilities that can be exploited to stealthily deny service.

      We conclude with a discussion of physical-layer counter-measures to detect and defend against spoofing, which can be implemented in existing deployments at the ground station.

    • As multiple nations and enterprises embark on ambitious programs to explore our solar system, the success of their endeavor is intimately tied to the cooperative establishment of an efficient and secure Interplanetary Internet (IPN)—a deep space network designed for the challenges of long-distance and non-continuous communication. Unfortunately, the high latencies and low bandwidth of deep space stymie the IPN’s adoption of the Internet’s security protocols. In this paper, we advocate the construction of new security protocols specifically designed for the constraints of space networks and based in modern cryptographic constructs for functional encryption. We argue that such protocols could securely support a range of properties beneficial to space communication, including group messaging, in-network processing, and anonymity, and discuss the open questions and research challenges of this proposal.

  • 16:50 - 17:00
    Break
  • 17:00 - 17:40
    Session 4 (Space Segment Security)
    Cockatoo Room
    • Tobias Scharnowski and Felix Buchmann (Ruhr-Universität Bochum), Simon Woerner and Thorsten Holz (CISPA Helmholtz Center for Information Security) Presenter: Tobias Scharnowski

      Satellites perform critical functions of our modern digital infrastructure, such as providing communications, navigation, and earth observation services. Maintaining a satellite requires remote access, so securing that access is an essential aspect of developing and operating a satellite. While satellites have traditionally not been subjected to regular attacks, this might not hold in the future. Hence, securing satellite firmware—the software that controls the space segment of satellite missions—becomes increasingly relevant.

      In this work, we perform a case study of applying recent embedded firmware analysis techniques to satellite payload data handling systems. We explore whether FUZZWARE, a state-of-the-art firmware fuzz testing system, can be used on these firmware images. During this case study, we also describe and apply the process of manually optimizing FUZZWARE configurations for firmware targets, and measure the impact of different optimizations. Finally, we identify challenging aspects of fuzz testing satellite firmware and directions for future work to optimize fuzz testing performance in a fully automated manner. As part of our case study, we identified and responsibly disclosed 6 bugs in 3 satellite firmware images.

    • Frank Lee and Gregory Falco (Johns Hopkins University) Presenter: Frank Lee

      End-of-life (EOL) satellites are space assets that have completed their primary mission. Due to their loss in commercial or scientific priority, EOL satellites are often left in place by operators for an extended period, instead of being decommissioned in a timely manner to free up high-value orbits. This period of inactivity exposes EOL satellites to a lower level of operator vigilance, and therefore, higher level of cyberattack risk. With the recent growth in space activities, this paper estimates there will be up to 5,000 inactive satellites in low Earth orbit (LEO) within 5 years, magnifying the space cyber risks and resulting space sustainability challenges. To bolster space cybersecurity, the authors illuminate unique attack vectors against EOL satellites, as well as policy and technical mitigation measures. When part of a constellation, the vulnerability of an EOL satellite has even bigger implications, where a threat actor may use the secondary asset to target primary assets. Ultimately, the active management of EOL satellites is significant for a secure and sustainable LEO infrastructure.

  • 17:40 - 18:20
    Session 5 (Test Beds)
    Cockatoo Room
    • Andrei Costin, Hannu Turtiainen, Syed Khandkher and Timo Hämäläinen (Faculty of Information Technology, University of Jyväskylä, Finland) Presenter: Andrei Costin

      Aviation, maritime, and aerospace traffic control, radar, communication, and software technologies received increasing attention in the research literature over the past decade, as software-defined radios have enabled practical wireless attacks on communication links previously thought to be unreachable by unskilled or low-budget attackers. Moreover, recently it became apparent that both offensive and defensive cybersecurity has become a strategically differentiating factor for such technologies on the war fields (e.g., Ukraine), affecting both civilian and military missions regardless of their involvement. However, attacks and countermeasures are usually studied in simulated settings, thus introducing the lack of realism or non-systematic and highly customized practical setups, thus introducing high costs, overheads, and less reproducibility. Our “Unified Cybersecurity Testing Lab” seeks to close this gap by building a laboratory that can provide a systematic, affordable, highly-flexible, and extensible setup.

      In this paper, we introduce and motivate our “Unified Cybersecurity Testing Lab for Satellite, Aerospace, Avionics, Maritime, Drone (SAAMD)” technologies and communications, as well as some peer-reviewed results and evaluation of the targeted threat vectors. We show via referenced peer-reviewed works that the current modules of the lab were successfully used to realistically attack and analyze air-traffic control, radar, communication, and software technologies such as ADS-B, AIS, ACARS, EFB, EPIRB and COSPAS-SARSAT. We are currently developing and integrating support for additional technologies (e.g., CCSDS, FLARM), and we plan future extensions on our own as well as in collaboration with research and industry. Our “Unified Cybersecurity Testing Lab” is open for use, experimentation, and collaboration with other researchers, contributors and interested parties.

    • Julian Huwyler (ETH Zurich), James Pavur (University of Oxford), Giorgio Tresoldi and Martin Strohmeier (Cyber-Defence Campus) Presenter: Martin Strohmeier

      Although new technologies are on the rise, traditional Geostationary Earth Orbit (GEO)-based satellite internet is a crucial piece of critical communications infrastructure used by many, for example in the maritime sector. Previous work found that much GEO traffic is unencrypted, as there is a lack of secure, yet performant ways to communicate for end users. QPEP, a hybrid between a traditional Performance Enhancing Proxy and a VPN, aims to solve this issue but has only been tested in simulations. This work presents a newly developed testbed, which is used to collect real-world results for QPEP. Two different satellite links, one using Ka-band, the other Ku-band, were analyzed. In the Ka band, we find that QPEP offers on average 80% more goodput compared to OpenVPN. The page load time is reduced on average by 17% and the 95th percentile is reduced by 25% compared to OpenVPN. Although the average page load time of QPEP is higher compared to the unencrypted, proprietary PEP of the provider, the 95th percentile is equivalent. While satellite environments are often a black box that is difficult to evaluate scientifically, we show that in typical settings QPEP can prove its benefits in the real world.