07 May, 2025
penetration testing, Satellite

Houston, We Have a Problem

Houston, We Have a Problem
Kevin Johnson
Author: Kevin Johnson
Share:

Satellite Security Testing: A Holistic Approach

Last month, I had the opportunity to present at SatShow 2025, one of the industry's premier satellite technology conferences. The atmosphere was amazing coming right after the moon landing by Firefly.  During my session on satellite security, many of the people engaged with my thoughts around how to break apart security concerns into focused grouping.   Many also seemed fascinated—perhaps even alarmed—by the concept of satellite hacking.

What struck me most was how many people I spoke with misunderstood what penetration testing of satellite systems actually entails. There's a persistent belief that these systems enjoy some level of inherent security through obscurity. The thinking goes: "If it's in space and uses proprietary protocols, it must be secure." This misconception continues to be one of the most dangerous assumptions in the industry.

The Dual Frameworks of Satellite Security

When approaching security in satellite systems, we consider two complementary frameworks, each consisting of three critical elements. Understanding how these frameworks interact is essential for comprehensive security testing.

The Security Triad: Confidentiality, Availability, and Integrity

The first framework encompasses the classic security triad that applies to virtually all systems:

Confidentiality

This refers to ensuring that sensitive information is accessible only to authorized parties. For satellite systems, this might involve protecting command sequences, payload data, or user communications from interception.

Confidentiality breaches in satellite systems can have severe consequences. For Earth observation satellites, unauthorized access to imagery could compromise military operations or corporate intelligence. For communication satellites, intercepted transmissions might expose sensitive personal or financial data.

Modern satellite systems can implement multiple layers of encryption, including both link encryption (securing the transmission path) and end-to-end encryption (protecting the data regardless of path). Additionally, using key management systems ensures that even if one encryption key is compromised, the damage remains limited. Access control mechanisms, including multi-factor authentication for ground system operators, provide additional protection against unauthorized access.

Availability

This ensures that the satellite system remains operational and accessible when needed. Threats to availability include jamming, spoofing, or denial-of-service attacks that could render a satellite unreachable or inoperable.

For many satellite applications, availability is paramount. Consider navigation systems like GPS—even brief outages can disrupt transportation, financial transactions, and critical infrastructure. Similarly, communication satellites serving remote areas might provide the only link to emergency services, making continuous availability literally a matter of life and death.

Protecting availability involves multiple strategies: frequency-hopping techniques that make jamming more difficult, antenna designs that minimize vulnerability to directed interference, and redundant communication paths that can activate when primary channels are compromised. Sophisticated satellites may include autonomous recovery mechanisms that can detect anomalies and restore normal operations without ground intervention. Constellation-based systems add another layer of resilience, as multiple satellites can compensate for the loss of individual units.

Integrity

This involves safeguarding the accuracy and completeness of data and operations. For satellite systems, integrity ensures that commands received are authentic and unaltered, and that data transmitted from the satellite hasn't been tampered with.

Integrity attacks can be particularly insidious. A subtle modification to positioning data from a navigation satellite could send vehicles off course. Altered commands to a power grid satellite might trigger cascading infrastructure failures. Even minor corruptions in scientific data could invalidate research findings.

To protect integrity, satellite systems should employ cryptographic mechanisms like digital signatures and message authentication codes that can detect unauthorized modifications. Command verification protocols require multiple confirmations before executing critical operations. Checksums and error correction codes identify accidental corruptions, while more sophisticated integrity checks can detect deliberate tampering. 

The importance of each element varies significantly depending on the satellite's purpose. For military reconnaissance satellites, confidentiality might be paramount. For navigation systems like GPS, integrity is critical. For communication satellites, availability often takes precedence. This context-dependency requires organizations to work closely with security testers to properly evaluate what specific vulnerabilities mean for their mission objectives.

The System Components: Satellite, Communication Paths, and Ground Systems

The second framework divides the satellite ecosystem into three interconnected components:

The Satellite

This includes the physical spacecraft, its onboard computers, sensors, actuators, and software. While often considered the primary focus of security, the satellite itself is frequently the most difficult component to attack directly due to its physical isolation.

The satellite component consists of several critical subsystems, each with its own security implications:

  • Command and Data Handling System (C&DH): The satellite's central nervous system, processing commands and managing onboard operations. Security vulnerabilities here could allow attackers to take control of the entire satellite.
  • Attitude Determination and Control System (ADCS): Maintains the satellite's orientation and stability. Compromising this system could lead to misalignment of communication antennas or sensors, effectively disabling the satellite without destroying it.
  • Electric Power System (EPS): Manages solar panels, batteries, and power distribution. Attacks on this system could drain batteries or cut power to critical components.
  • Propulsion System: Controls orbit maintenance and adjustments. Unauthorized commands to thrusters could deplete fuel reserves or alter the satellite's orbit, potentially causing collisions or rendering the satellite unusable.
  • Payload Systems: The mission-specific equipment (cameras, transponders, scientific instruments). Security breaches here directly impact the satellite's primary functions.

Satellites increasingly use commercial off-the-shelf (COTS) components and standardized operating systems, introducing familiar vulnerabilities to space systems. However, the space environment presents unique challenges for attackers, including delayed communications, limited windows of opportunity for transmission, and the need for specialized ground equipment.

Communication Paths

These are the channels through which the satellite sends and receives data, including radio frequency (RF) links, laser communications, and relay networks. These paths are vulnerable to interception, jamming, or spoofing attacks.

Communication paths can be categorized into several types:

  • Uplink Communications: Transmissions from ground stations to the satellite, typically carrying commands. These are prime targets for spoofing attacks, where adversaries might attempt to send unauthorized commands.
  • Downlink Communications: Transmissions from the satellite to ground stations, carrying telemetry, payload data, or user communications. These are vulnerable to eavesdropping if not properly encrypted.
  • Crosslink Communications: Transmissions between satellites in a constellation, allowing for extended coverage and reduced dependency on ground stations. These present unique security challenges as they occur entirely in space.
  • User Service Links: The communications between satellites and end-user equipment (such as satellite phones, GPS receivers, or internet terminals). These often use standardized protocols with well-documented vulnerabilities.

The security of these paths involves both technological and physical considerations. Spread spectrum techniques, frequency hopping, and directional antennas can reduce vulnerability to jamming. Signal authentication protocols prevent spoofing. For the most sensitive communications, physical security measures around ground stations prevent proximity-based interception.

Ground Systems

These encompass control centers, terminals, user interfaces, and the networks connecting them. Despite receiving less attention than the satellites themselves, ground systems often represent the most vulnerable points in the overall architecture due to their connectivity and accessibility.

The ground segment includes several distinct components:

  • Mission Control Centers: The primary facilities for satellite operations, monitoring, and commanding. These represent high-value targets, as compromising a control center could provide access to entire satellite fleets.
  • Ground Stations: The physical facilities with antennas that communicate directly with satellites. Located worldwide to maintain communications as satellites orbit, each station represents a potential entry point.
  • User Terminals: The equipment used by end-users to access satellite services, ranging from sophisticated military systems to consumer-grade GPS receivers or satellite TV dishes.
  • Data Processing Centers: Facilities that process, store, and distribute the data collected by satellites. These often contain the valuable information that makes satellites worth targeting in the first place.
  • Network Infrastructure: The connections between ground facilities, including both dedicated links and connections to the public internet.

Ground systems face all the typical cybersecurity challenges of terrestrial networks—phishing attacks targeting operators, vulnerable web applications, outdated software—plus satellite-specific concerns like specialized command and control software. Unlike satellites themselves, ground systems are accessible to physical intrusion and frequently connect to other networks, creating additional attack surfaces.

The security of ground systems relies on standard cybersecurity practices: network segmentation, access controls, intrusion detection systems, and regular patching. However, the specialized nature of satellite operations and the criticality of timing often complicate security implementations. For instance, patches that might disrupt command sequences during critical maneuvers must be carefully scheduled.

The Overlooked Attack Vectors

When discussing satellite security, there's a tendency to focus primarily on the satellite itself. This is understandable—the spacecraft represents the most visible and technologically impressive component of the system. However, this focus often leads to overlooking the more vulnerable elements in the satellite ecosystem and focuses on the wrong component for most of the risks.

Ground Systems: The Path of Least Resistance

Ground systems typically present the most accessible attack vectors for several compelling reasons:

  • Network Connectivity: Unlike isolated satellites, ground facilities connect to corporate networks and often, directly or indirectly, to the internet. This connectivity creates numerous potential entry points.
  • Human Operators: Ground systems are operated by people who may fall victim to social engineering attacks. A carefully crafted phishing email targeting a satellite operator could be far more effective than attempting to breach the satellite's own security measures.
  • Commercial Software: Ground systems frequently run on commercial operating systems and applications with known vulnerabilities. While satellite firmware might be proprietary and obscure, ground systems often use Windows, Linux, or common SCADA systems with well-documented security issues.
  • Physical Accessibility: Ground stations, while secured, are physically accessible in ways that orbiting satellites are not. Physical security breaches at remote ground stations have occurred, giving attackers direct access to satellite communication equipment.
  • Legacy Systems: The long operational life of satellite programs means ground systems often include legacy components that cannot be easily updated. Some operational satellite systems still use ground equipment designed decades ago, before modern cybersecurity practices were established.

A penetration test I conducted revealed that ground stations were vulnerable to relatively straightforward attacks—including unpatched VPN vulnerabilities, weak passwords, and outdated firmware on network equipment. These vulnerabilities could have given attackers a foothold from which to pivot toward satellite control systems.

Communication Paths: Invisible but Vulnerable

Communication links between satellites and ground stations represent another frequently overlooked vulnerability:

  • Protocol Weaknesses: Many satellite communication protocols were designed with reliability, not security, as the primary concern. Legacy protocols often lack basic security features like authentication or encryption.
  • Jamming Susceptibility: Even modern satellite signals can be vulnerable to jamming—the transmission of interference on the same frequency as legitimate communications. Commercial jamming equipment capable of disrupting GPS or satellite phone communications is increasingly accessible.
  • Spoofing Risks: More sophisticated than jamming, spoofing involves transmitting fake signals that mimic legitimate ones. GPS spoofing, for example, can cause receivers to calculate false positions, potentially disrupting navigation systems.
  • Eavesdropping Concerns: Unencrypted or weakly encrypted satellite transmissions can be intercepted using commercially available equipment. In some cases, enthusiasts with modest setups have successfully received and decoded transmissions from weather and imaging satellites.

The Supply Chain Factor

Another often overlooked vulnerability lies in the supply chain for both satellite and ground components:

  • Hardware Trojans: Malicious modifications to hardware components during manufacturing could create backdoors accessible once the system is operational.
  • Software Dependencies: Satellites and ground systems rely on numerous third-party software libraries and components, each potentially introducing vulnerabilities.
  • Contractor Access: The complex nature of satellite development means multiple contractors and subcontractors require access to systems during development and testing, increasing the risk of insider threats.

As these examples illustrate, a comprehensive security approach must consider all components of the satellite ecosystem, with particular attention to these often-overlooked attack vectors.

Conclusion: The Importance of Contextual Testing

Effective satellite security testing requires a comprehensive understanding of both the security triad and the system components. It demands recognition that different satellite missions prioritize different security elements, and that vulnerabilities in one component can compromise the entire system.

Beyond the Checklist: Context-Driven Security Testing

Testing cannot be reduced to a generic checklist approach. Security professionals must understand the specific contexts in which these systems operate and the unique threats they face:

  • Mission-Specific Priorities: As discussed already, a military reconnaissance satellite has different security requirements than a weather monitoring satellite or a commercial communications platform. Testing must align with these specific priorities.
  • Threat Actor Analysis: Different satellite systems face different adversaries—nation-states, criminal organizations, hacktivists, or even competitors. Each brings different capabilities and motivations that must inform testing scenarios.
  • Operational Constraints: Security recommendations must account for the practical realities of satellite operations. A security measure that requires frequent updates might be impractical for a satellite with limited downlink opportunities.
  • Regulatory Frameworks: Satellites operate in a complex international regulatory environment. Security testing must consider compliance requirements that vary depending on the satellite's purpose and operational jurisdiction.

 

Integrated Testing Approaches

Effective satellite security testing requires multiple complementary approaches:

  • Documentation Review: Analyzing system specifications, architecture diagrams, and protocol implementations to identify potential vulnerabilities before they are implemented.
  • Component Testing: Testing individual hardware and software components before integration, when modifications are still relatively easy to implement.
  • Integration Testing: Verifying that security controls work properly when all components interact, identifying vulnerabilities that emerge from the interfaces between systems.
  • Simulation and Emulation: Using specialized environments to simulate attacks against satellite systems without risking operational platforms.
  • Red Team Exercises: Conducting adversarial simulations where security professionals attempt to compromise systems using the same techniques as potential attackers.
  • Continuous Monitoring: Implementing systems to detect and respond to anomalies that might indicate security breaches during actual operations.

 

The Future of Satellite Security

As satellite systems become increasingly integral to our global infrastructure, the stakes of security testing grow correspondingly higher. Several trends are reshaping the satellite security landscape:

  • Increased Commercialization: The rise of commercial space companies is democratizing access to space, but also introducing new security challenges as more organizations operate satellite systems.
  • Miniaturization: CubeSats and other small satellites are increasing the number of objects in orbit, creating new attack surfaces and complicating space situational awareness.
  • Software-Defined Systems: Modern satellites increasingly rely on reprogrammable software-defined radios and other flexible systems, which offer functionality benefits but may introduce new vulnerabilities.
  • Autonomous Operations: As satellites incorporate more autonomous capabilities, the security of artificial intelligence and machine learning systems becomes critically important.

By approaching security holistically, considering all components and contexts, we can better protect these critical assets from emerging threats. The obscurity of space provides no inherent protection—only thorough, context-aware security testing can ensure our satellite systems remain secure in an increasingly contested domain.

Remember: in satellite security, we're not just protecting technology—we're safeguarding the communications, navigation, weather prediction, scientific research, and defense capabilities that modern society depends upon. The stakes couldn't be higher, which is why rigorous, comprehensive, and contextual security testing isn't optional—it's essential.