Monday, 24 February

  • 09:00 - 09:10
    Chairs' Remarks
    Porthole
  • 09:10 - 10:10
    Keynote Address: NASA's core Flight System (cFS) 2.0 and Beyond by Dr. Ashok Prajapati (NASA)
    Porthole
  • 10:10 - 10:40
    Morning Break
    Pacific Ballroom D
  • 10:40 - 11:55
    Paper Session 1
    Porthole
    • Eric Jedermann, Martin Böh (University of Kaiserslautern), Martin Strohmeier (armasuisse Science & Technology), Vincent Lenders (Cyber-Defence Campus, armasuisse Science & Technology), Jens Schmitt (University of Kaiserslautern)

      Low Earth Orbit (LEO) satellites are becoming increasingly popular with private companies launching them to build vast networks that cover the globe. As these satellite systems expand, questions about their performance, security, and privacy are rising. To address these questions, researchers need to study these systems in real-world conditions. To support this kind of empirical research, we developed LeoCommon, an experimental network of ground stations. This network is designed to work with multiple satellite constellations such as Iridium, Globalstar, Starlink, and others. The LeoCommon system only uses open-source software and affordable hardware components that are easily accessible to academic researchers. We set up an initial network of ground stations in Central Europe, consisting of 10 stations. Using this setup, we have managed to collect over 500 synchronized recordings from the Iridium satellites, totaling more than 3,400 hours of data. This paper discusses the design of LeoCommon, our experiences in setting up the stations, and the initial results from testing the system with the Iridium network constellation.

    • Jose Luis Castanon Remy, Caleb Chang, Ekzhin Ear, Shouhuai Xu (University of Colorado Colorado Springs (UCCS))

      Cyber threats against space infrastructures, including satellites and systems on the ground, have not been adequately understood. Testbeds are important to deepen our understanding and validate space cybersecurity studies. The state of the art is that there are very few studies on building testbeds, and there are few characterizations of testbeds. In this paper, we propose a framework for characterizing the fidelity of space cybersecurity testbeds. The framework includes 7 attributes for characterizing the system models, threat models, and defenses that can be accommodated by a testbed. We use the framework to guide us in building and characterizing a concrete testbed we have implemented, which includes space, ground, user, and link segments. In particular, we show how the testbed can accommodate some space cyber attack scenarios that have occurred in the real world, and discuss future research directions.

    • Roee Idan, Roy Peled, Aviel Ben Siman Tov, Eli Markus, Boris Zadov, Ofir Chodeda, Yohai Fadida (Ben Gurion University of the Negev), Oliver Holschke, Jan Plachy (T-Labs (Research & Innovation)), Yuval Elovici, Asaf Shabtai (Ben Gurion University of the Negev)

      The rapid increase in satellite deployment, and particularly nanosatellite deployment, has heightened their exposure to cybersecurity threats, making the task of safeguarding sensitive operations and data increasingly challenging. To address these challenges, we developed AegisSat, an open-source satellite cybersecurity testbed to study satellite resilience to cyberattacks and test dedicated detection and defense mechanisms, including machine learning-based solutions. Our testbed includes a physical CubeSat (Earth-based) and an environment emulator that mimics realistic orbital conditions such as sunlight and magnetic fields. We also created a comprehensive dataset consisting of telemetry data and labeled attack data from experiments conducted using different scenarios. The data was collected during hundreds of experiments we performed in the testbed. By making both the design of the testbed and the dataset accessible to the research community, this work advances understanding of satellites’ vulnerability to cyberattacks, drives the development of robust cybersecurity defenses, and establishes a platform for future research.

  • 12:00 - 13:30
    Lunch
    Loma Vista Terrace and Harborside
  • 13:30 - 14:45
    Panel: The Space Security Priority: What Matters Most?
    Ashok Prajapati (NASA), Martin Strohmeier (Armasuisse), Stephen Schwab (USC ISI), Dan Wallach (DARPA)
    Porthole
  • 14:45 - 15:15
    Afternoon Break
    Pacific Ballroom D
  • 15:15 - 16:55
    Paper Session 2
    Porthole
    • Ioana Boureanu, Stephan Wesemeyer (Surrey Centre for Cyber Security, University of Surrey)

      Global Navigation Satellite Systems (GNSS) are critical for infrastructure like energy, telecommunications, and transportation, making their accuracy vital. To enhance security, especially against location spoofing, in 2024 the Galileo GNSS system adopted the Timed Efficient Stream Loss-Tolerant Authentication (TESLA) protocol for Navigation Message Authentication (NMA). However, past and present TESLA versions have lacked formal verification due to challenges in modelling their streaming and timing mechanisms. Given the importance of formal verification in uncovering protocol flaws, this work addresses that gap by formally modelling and verifying the latest TESLA protocol used in Galileo; we verify Galileo’s TESLA protocol in the well-known Tamarin prover. We discuss our findings and, since this is work-in-progress, we contextualise them in terms of next steps for us, as well as for future Navigation Message Authentication protocols inside GNSS systems.

    • Stephan Havermans (IMDEA Software Institute), Lars Baumgaertner, Jussi Roberts, Marcus Wallum (European Space Agency), Juan Caballero (IMDEA Software Institute)

      Space systems are critical assets and protecting them against cyberattacks is a paramount challenge that has received limited attention. In particular, it is fundamental to secure spacecraft communications by identifying and removing potential vulnerabilities in the implementations of space (communication) protocols, which could be remotely exploited by attackers. This work reports our preliminary experiences when fuzzing five open-source implementations of four space protocols using two approaches: grammar-based fuzzing and coverage-guided fuzzing. To enable the fuzzing, we created grammars for the protocols and custom harnesses for the targets. Our fuzzing identified 11 vulnerabilities across four targets caused by typical memory-related bugs such as double-frees, out-of-bounds reads, and the use of uninitialized variables. We responsibly disclosed the vulnerabilities. To date, 5 vulnerabilities have been patched and 4 have been awarded CVE identifiers. Additionally, we discovered a discrepancy in how one target interprets a protocol standard, which we reported and has since been fixed.

    • Fatemeh Khojasteh Dana, Saleh Khalaj Monfared, Shahin Tajik (Worcester Polytechnic Institute)

      Satellites are highly vulnerable to adversarial glitches or high-energy radiation in space, which could cause faults on the onboard computer. Various radiation- and fault-tolerant methods, such as error correction codes (ECC) and redundancy-based approaches, have been explored over the last decades to mitigate temporary soft errors on software and hardware. However, conventional ECC methods fail to deal with hard errors or permanent faults in the hardware components. This work introduces a detection- and response-based countermeasure to deal with partially damaged processor chips. It recovers the processor chip from permanent faults and enables continuous operation with available undamaged resources on the chip. We incorporate digitally-compatible delay-based sensors on the target processor’s chip to reliably detect the incoming radiation or glitching attempts on the physical fabric of the chip, even before a fault occurs. Upon detecting a fault in one or more components of the processor’s arithmetic logic unit (ALU), our countermeasure employs adaptive software recompilations to resynthesize and substitute the affected instructions with instructions of still functioning components to accomplish the task. Furthermore, if the fault is more widespread and prevents the correct operation of the entire processor, our approach deploys adaptive hardware partial reconfigurations to replace and reroute the failed components to undamaged locations of the chip. To validate our claims, we deploy a high-energy near-infrared (NIR) laser beam on a RISC-V processor implemented on a 28 nm FPGA to emulate radiation and even hard errors by partially damaging the FPGA fabric. We demonstrate that our sensor can confidently detect the radiation and trigger the processor testing and fault recovery mechanisms. Finally, we discuss the overhead imposed by our countermeasure.

    • Cédric Solenthaler (ETH Zurich), Joshua Smailes (University of Oxford), Martin Strohmeier (armasuisse Science & Technology)

      An increase in availability of Software Defined Radios (SDRs) has caused a dramatic shift in the threat landscape of legacy satellite systems, opening them up to easy spoofing attacks by low-budget adversaries. Physical-layer authentication methods can help improve the security of these systems by providing additional validation without modifying the space segment. This paper extends previous research on Radio Frequency Fingerprinting (RFF) of satellite communication to the Orbcomm satellite formation. The GPS and Iridium constellations are already well covered in prior research, but the feasibility of transferring techniques to other formations has not yet been examined, and raises previously undiscussed challenges. In this paper, we collect a novel dataset containing 8992474 packets from the Orbcomm satellite constellation using different SDRs and locations. We use this dataset to train RFF systems based on convolutional neural networks. We achieve an ROC AUC score of 0.53 when distinguishing different satellites within the constellation, and 0.98 when distinguishing legitimate satellites from SDRs in a spoofing scenario. We also demonstrate the possibility of mixing datasets using different SDRs in different physical locations.

  • 16:55 - 17:00
    Closing Remarks
    Porthole