Why blow up satellites when you can just hack them? – Source: go.theregister.com

Black Hat Four countries have now tested anti-satellite missiles (the US, China, Russia, and India), but it’s much easier and cheaper just to hack them.

In a briefing at the Black Hat conference in Las Vegas, Milenko Starcik and Andrzej Olchawa from German biz VisionSpace Technologies demonstrated how easy it is by exploiting software vulnerabilities in the software used in the satellites themselves, as well as the ground stations that control them.

“I used to work at the European Space Agency on ground station IT and got sick of telling them what was wrong and not having them fix it,” Olchawa told The Register, “So I decided to go into business to do it myself.”

Satellites are proliferating. In 2005, there were fewer than 1,000 in orbit (many of them inactive). But two decades later, there are about 12,300 functioning satellites, per the European Space Agency. The majority of those are Starlink satellites owned by Elon Musk’s SpaceX, but there has also been a sharp rise in the number of military platforms thanks to rising global tensions. Plus, it’s cheaper than ever to build and launch such hardware, they explained.

• More NASA spacecraft give controllers the silent treatment
• MethaneSAT ‘likely not recoverable’ after losing contact with Earth
• Orbital datacenters subject to launch stress, nasty space weather, and expensive house calls
• Please don’t cut funds for space traffic control, industry begs Congress

The software used to manage this proliferation isn’t always secure. Take Yamcs, for example, an open source application that is used by NASA and Airbus to communicate with and control satellites in orbit. The team found five separate CVEs in the code that would allow an attacker a free run of the application for total control.

The VisionSpace duo demonstrated how it was possible to change a satellite’s orbit by sending a command to its thrusters, without the course change showing up immediately on the controller’s screen. Thankfully, this was a simulation – no satellites were harmed during the course of the presentation.

We found actual vulnerabilities which allow you to crash the entire onboard software with an unauthenticated telephone

The situation was even worse with OpenC3 Cosmos, another open source app that is used for command and control in ground stations. They discovered seven CVEs in the software, including flaws that allowed remote code execution and cross-site scripting attacks.

NASA isn’t above reproach in this regard. Its open-source Core Flight System (cFS) Aquila proved more porous than advertised: the team uncovered four critical flaws – two denial-of-service bugs, a path-traversal one, and a remote-code-execution vulnerability – that could crash the flight software and give attackers full code-execution control over NASA’s systems.

Many satellites themselves use an open-source, C-based, encryption library called CryptoLib, and that too is full of flaws, four in the version NASA uses and seven in the standard package – in the latter case, two of them rated as critical.

“We found actual vulnerabilities which allow you to crash the entire onboard software with an unauthenticated telephone,” claimed Starcik.

“So basically, you send a packet to the spacecraft, and the entire software crashes and reboots, which then actually causes the spacecraft, if it’s not properly configured, to reset all its keys. And then you have zero keys on the spacecraft that you can use from that stage on.”

For budding supervillains out there, forget about it – all of the vulnerabilities have been responsibly disclosed and fixed. But relying on buggy code to control our orbital platforms shouldn’t be tolerated, they concluded, and there may be more software nasties floating around out there. ®