Series| Coded
Hacking satellites with $300 worth of TV gear

Satellite security isn’t as stable as you might expect.

Watch on YouTube

There are approximately 2,666 artificial satellites orbiting the earth — each of which is subject to a potential breach in satellite security.

The U.S. launched its first satellite, Explorer 1, in January of 1958 and has been off to the races ever since. Since the launch, our reliance on satellites has increased dramatically, making them our most important asset in space.

Satellites are used for a wide variety of activities that most of us don’t even recognize. From mobile phone networks to GPS capabilities to a variety of IoT devices, satellites are in control. We utilize them to predict the weather and even coordinate processes for our highly complex energy system.

The United States owns and operates almost half of the satellites in space, boasting the largest collection in orbit by a significant margin. China, our closest competitor, owns just over 10%.

Most organizations are highly reliant on this vast cyber ecosystem in one way or another. Our global interconnectedness will likely remain dependent on satellites for the long haul — but they aren’t as secure as we might expect them to be.

Satellite Security 101

Satellites are constantly orbiting earth at different heights, speeds, and paths. They communicate by transferring radio waves downstream to antennas on earth that capture signals and process information. Any disruption of satellite processes — whether intentional or unintentional — can have a profound effect.

From economic losses to confidential information leaks, the potential for adverse impacts is particularly alarming for organizations, considering that they have very little authority in regulating a satellite’s cybersecurity. This is because satellite usage, in most cases, is leased to corporations from commercial satellite operators, or the government.

Although satellites orbit in space, they are operated by systems on earth. These systems have become targets for satellite hackers in search of security vulnerabilities. Loopholes create potential for hackers to intercept satellite signals and access downstream systems that connect with the satellite, enabling the hacker to invade an organization’s entire network.

Due to a large number of system entry points, including the internet, it’s almost impossible to trace and mitigate cyber attacks whether they’re against large, military-grade satellites or smaller, commercial-grade versions. Because transmissions for both uplink and downlink processes are carried out with open telecom network security protocols, they can be easily intercepted by hackers with malintent.

An exploitation of these satellite weaknesses by hackers is not only possible, it’s probable. Overlooked flaws during the manufacture and construction of satellites has opened the door for satellite hacking, and the world is playing catch up to deal with the risks.

How Can Satellite Security Be Improved? 

The ramifications of satellite hacking could be disastrous. Thousands of private and public satellites are expected to be launched in the next decade, and many without any standard security protocols.

From the outside, the answer to the satellite security problem might seem simple — just bake better security into the satellites before they’re launched. But the issue goes deeper than that.

There are thousands of satellites already in orbit, and performing maintenance and updates is difficult from down below. Additionally, because satellites have to be small and lightweight, there’s not much room for spare parts.

There’s no dark magic in exploiting a satellite. It’s just a matter of downloading a couple of open source or freely available tools, and plugging all the equipment together to face it at a satellite.

James Pavur

For James Pavur, a Rhodes Scholar and PhD candidate at Oxford University who focuses on threats to satellite systems, it’s become his life’s work to exploit and report potential vulnerabilities before hackers have the chance.

“The problem with satellites is they are not built for any level of security,” Pavur explains. “There’s no dark magic in exploiting a satellite. It’s just a matter of downloading a couple of open source or freely available tools, and plugging all the equipment together to face it at a satellite.”

Pavur demonstrated that he was able to use about $300 worth of home television equipment to intercept sensitive satellite communications. For hackers interested in wreaking havoc, there is potential for anything from intercepting Fortune 500 companies sending passwords to their internal infrastructure, to taking control of a steerable satellite and crashing it into the International Space Station.

White Hat Hackers Take on the Space Domain 

The Hack-A-Sat competition aims to find solutions to this growing problem. The US Air Force held a virtual version of the annual competition in 2020 at DEF CON, challenging hackers to reverse-engineer satellite system components to expose vulnerable software codes. The idea is that the best defense can result in proactive offense.

Carnegie Mellon University’s competitive hacking team known as the Plaid Parliament of Pwning (PPP), has won DEF CON’s Capture the Flag (CTF) event five times. Also known as the “world series of hacking,” their performance has made them the strongest team in DEF CON history.

Matthew Savage, a PPP hacker, believes the Hack A Sat competition holds great value in combating the satellite cybersecurity threats the world faces. “Letting hackers into your system for the sole purpose of having them try to hack it and then reporting their results is a very, very good thing. That’s how you get some of these deep exploits that you probably would miss otherwise,” he says.

As hackers like those from PPP continue to expose vulnerabilities, governments and organizations in charge of satellites will be more equipped to defend against them, making our interconnected society safer and the internet more reliable.

“As I’ve gotten into space, it’s started to dawn on me that it’s not just people landing on the moon and bouncing really high,” says Pavur. “There are lots of really important things that affect the lives of ordinary people. So space is a domain for everyone.”

Pavur and the PPP team have played instrumental roles in shaping the future of satellite security. For their mission to succeed, the cybersecurity community will have to learn from their findings and strive to make satellites safer.

Subscribe to Freethink for more great stories