Date: 2023-10-23

Researchers have tested the software of three satellites and they found many standard security mechanisms missing:
Thousands of satellites are currently orbiting the Earth, and there will be many more in the future. Researchers from Ruhr University Bochum and the CISPA Helmholtz Center for Information Security in Saarbrücken have assessed the security of these systems from an IT perspective. They analysed three current low-earth orbit satellites and found that, from a technical point of view, hardly any modern security concepts were implemented. Various security mechanisms that are standard in modern mobile phones and laptops were not to be found: for example, there was no separation of code and data. Interviews with satellite developers also revealed that the industry relies primarily on security through obscurity.
[...] Satellites orbiting the Earth can only be reached by their ground station on Earth within a time window of a few minutes. The systems must be robust against the radiation in space, and, since they can only consume a small amount of energy, they have a low power output. "The data rates are like those of modems in the 1990s," as Holz elaborates the challenges satellite developers face.
Based on the findings gained from the software analysis, the researchers worked out various attack scenarios. They showed that they could cut off the satellites from ground control and seize control of the systems, for example in order to take pictures with the satellite camera. "We were surprised that the technical security level is so low," points out Thorsten Holz, adding the following caveat with regard to potential ramifications: "It wouldn't be all that easy to steer the satellite to another location, for example, to crash it or have it collide with other objects."
To find out how the people who develop and build satellites approach security, the research team compiled a questionnaire and submitted it to research institutions, the ESA, the German Aerospace Centre and various enterprises. Nineteen developers participated anonymously in the survey. "The results show us that the understanding of security in the industry is different than in many other areas, specifically that it's security by obscurity," concludes Johannes Willbold. Many of the respondents therefore assumed that satellites could not be attacked because there is no documentation of the systems, i.e., nothing is known about them. Only a few said that they encrypt data when communicating with satellites or use authentication in order to ensure that only the ground station is allowed to communicate with the satellite.
This work was presented in an IEEE conference paper. [PDF]
(Score: 3, Insightful) by Snotnose on Tuesday October 24, @06:24PM (7 children)
Until someone ransomwares a satellite, or just permanently disables it for fun.
Mom: Alcohol is the enemy. Jesus: Love thine enemy. Case closed
(Score: 4, Interesting) by JoeMerchant on Tuesday October 24, @07:04PM (3 children)
>Interviews with satellite developers also revealed that the industry relies primarily on security through obscurity.
A) Security through obscurity works, until it doesn't.
B) People understand security through obscurity, except they over-estimate the ability of any person - let alone a massive organization - to keep a secret.
C) People, by and large, don't understand how "real" security with changeable passcodes is any better, and in certain situations that added complexity does lead to unknown (at launch) vulnerabilities.
So, yeah, once they lose a multi-million dollar bird to script kiddiez, they'll probably start asking: "how can we prevent this from happening in the future?" and maybe start opening up to these little "best practices" that have been circulating in academic circles since the 1980s... Until then, they're a world class organization with a proven track record of never having been exploited (yet), who are you ivory tower types to tell them how to run their show? Do you have any idea what implementing all that mumbo-jumbo will cost IN SPACE!!!!!? /s
1988, I interviewed with the Savannah River Nuclear facility, part of the day was with a crusty old (maybe even as old as I am today) IT guy and we talked a little about security... Either he was shining me on, or... their idea of security at this facility which has a bunch of nuclear reactors all over it for the purposes of... well, they say "making submarine fuel" but in reality most of the reactors aren't running most of the time and they have a lot of flexibility and capability to make whatever isotopes may be needed at any particular time... so, all in all, kinda important facility to keep secure, you would think. Returning from tangent, their idea of security was to reduce the network packet size to 1 byte. The idea, as explained to me, was "anybody tapping into our network" (anywhere on this massive 300+ square mile campus, including aerial cables, wireless links, etc.) "would have to have massive processing power just to decipher the network traffic and re-assemble anything that made sense from it." Yeah, dude, like a RasPi Zero, that ought be about enough to read your network traffic. I asked if there was any encryption layered atop that fragmentation scheme? "Nope. No need." They made me an offer in IT tech support, I thanked them for the Surf and Turf dinner and three White Russians on my interview trip expense account and declined.
I sincerely hope they've beefed up security since then, but it would be a long and painful process rolling anything out on that campus full of diverse hardware and software with plenty of custom built from scratch systems scattered in among Microsoft/IBM, Apple, Sun, Apollo, HP, DEC, Silicon Graphics, etc. "commodity" systems with more easily developed and deployed exploits...
Ukraine is still not part of Russia. Glory to Ukraine🌻 https://www.pravda.com.ua/eng/news/2023/06/24/7408365/
(Score: 4, Funny) by maxwell demon on Wednesday October 25, @06:20AM (2 children)
But there wasn't a Raspi Zero in 1988, so they were safe! :-)
The Tao of math: The numbers you can count are not the real numbers.
(Score: 4, Funny) by turgid on Wednesday October 25, @06:48AM
My nuclear power station used Token Ring and it didn't stay up long enough to leak any data.
I refuse to engage in a battle of wits with an unarmed opponent [wikipedia.org].
(Score: 2) by JoeMerchant on Wednesday October 25, @09:38AM
Yeah, laptops were two or three years out... But there were those portable boxes with keyboard and monitor built in, one of those and a generator would have pwned their network, and this is almost 200,000 acres of mostly woods, not a dense office park.
They also told me they had an excellent track record of no radiation incidents, monitored by the local university. Less than a year later there was a leak event big enough to be detected off site and make national news. I met a local kid whose dad did "hot laundry" on the site for a few years. He told me "They took real good care of mama after daddy passed..."
Ukraine is still not part of Russia. Glory to Ukraine🌻 https://www.pravda.com.ua/eng/news/2023/06/24/7408365/
(Score: 2) by looorg on Tuesday October 24, @07:33PM (2 children)
Find the heaviest, probably oldest, satellite out there and use it as a kinetic weapon from space? Rods from God style. Perhaps not heavy or solid enough, I do not know. When we have space terrorists attacking then we'll get space security. Until then it is a resource waste. No brownie points to score by being proactive.
https://nationalinterest.org/blog/reboot/rods-god-strange-super-space-weapon-wasnt-174890 [nationalinterest.org]
(Score: 5, Insightful) by Unixnut on Tuesday October 24, @11:29PM
Nah, I don't think any of the satellites in orbit are large enough to leave a crater on earth, most of them will disintegrate on re-entry. In fact they are designed to (otherwise how do you de-orbit them at their end of life?).
Now some military sats and the larger ones in geostationary orbit, those might be a different matter. However military ones are most likely harder to commandeer (otherwise adversaries would do it all the time), and the large geostationary ones probably don't have enough fuel to be de-orbited to earth to make a crater (usually they only have enough fuel to push them further out into "graveyard orbits [wikipedia.org]" at their end of life).
At best you can make a sat burn upon re-entry, turning it into an artificial shooting star. This actually reminded me of an xkcd from (now) ages ago: https://xkcd.com/1337/ [xkcd.com]
(Score: 2, Insightful) by pTamok on Wednesday October 25, @06:52AM
Not easy. To get an orbiting object down to the surface again, you need to dissipate the energy to get it into orbit in the first place: it is not like throwing a stone up and it magically staying 'up' until you decide to let it drop again. In most cases, the atmosphere is used to dissipate the energy after an initial burn to alter the object's trajectory to intersect the atmosphere. Without some sophisticated guidance systems and predictable aerodynamics, the target area is rather large, as it is difficult to take into account some of the random effects in the atmosphere. You might be able to target something the size of a city, maybe.
SpaceX show what you can do with sophisticated guidance: landing on an 'X' on a launchpad. Nazi Germany's V2 rockets (which were ballistic missiles, not orbiting satellites, so more like a stone chucked up into the air) had a CEP (circular error probable - the radius within which 50% of the shots impact) of somewhere between 2 and 5 km - and they had a sophisticated guidance system (for the time) that a descending satellite would not have.
So yes, repurposing satellites as 'rods from God', you might be able to hit a city. Might.
(Score: 5, Insightful) by driverless on Wednesday October 25, @01:34AM (11 children)
They looked at CubeSats and an experimental satellite from the DLR, which particularly for the CubeSats are nothing like standard commercial satellites, and even less so military ones.
In addition the primary concern with satellites, particularly ones further out than the very LEO these ones are at, is reliability in the presence of high levels of radiation, not security. In particular since security shuts things down if there's a single bit out of place while in space while a lot of your programming is devoted to dealing with constantly getting bits out of place, they're kind of mutually exclusive.
(Score: 4, Insightful) by pTamok on Wednesday October 25, @05:57AM (3 children)
Yes. This. Cubesats and the big commercial satellites are rather different. This paper was discussed on a security forum I read occasionally where some subject matter experts pointed out that the cubesats are essentially ephemeral and disposable, and built down to a cost. Where there are significant sums of invested money, the security practices are rather better. Not perfect, of course, but the paper is not generally applicable. Makes for good headlines, though.
(Score: 2) by driverless on Wednesday October 25, @07:04AM (2 children)
Interesting, what's the forum?
(Score: 1) by pTamok on Wednesday October 25, @01:02PM (1 child)
I'd rather not say, as I keep my various social media personae reasonably separate.
But a properly targeted Internet search will probably find it.
Otherwise, it was discussed in the comments on The Register: Want to pwn a satellite? Turns out it's surprisingly easy - PhD student admits he probably shouldn't have given this talk [theregister.com], which cover much the same ground.
(Score: 2) by driverless on Thursday October 26, @10:59AM
Yeah, Soylent is kinda annoying that way in not allowing PMs AFAICT, I've got the same problem. Looks like some of the folks in the discussion on the Reg know what they're talking about, particularly the messages further down, although whoever mentioned CCSDS... at some point that's going to become a conference paper talk as well, "how not to do crypto". I think I've still got a copy of their security standards somewhere marked up with all the locations you can try attacking.
(Score: 2) by JoeMerchant on Wednesday October 25, @10:40AM (6 children)
Security can be implemented inside the redundancy layer(s).
In the old days 128 bits of security would have added significant cost to a spaceborne system, not so much today.
Ukraine is still not part of Russia. Glory to Ukraine🌻 https://www.pravda.com.ua/eng/news/2023/06/24/7408365/
(Score: 2) by driverless on Wednesday October 25, @10:52AM (5 children)
It's not a case of an inside and an outside and once the data's in it's safe, you can get an SEU bitflip anywhere at any point. Every part of the system is vulnerable. The level of defensive coding that's required is staggering, and pretty alien unless you're used to it.
(Score: 4, Informative) by JoeMerchant on Wednesday October 25, @11:58AM (4 children)
>Every part of the system is vulnerable. The level of defensive coding that's required is staggering,
Or you use basic Shannon theory (if I'm recalling the name correctly from 40 years ago...)
If you have 4 bits you want to be sure are transmitted / stored correctly, encode them as 7. You can flip one bit of the 7, so there are 8 "codes" that represent each of the original 16 values in the 4 bits - 8 * 16 = 128... You can also do "flip any 2 of..." encodings, etc. Physical separation in space/time of the 7 bits carrying the 16 values can help, depending on the nature of the interference.
Commercial ECC RAM is nowhere near that level of fault tolerant, but it's not a bad place to start: 7 banks of ECC RAM to carry 4 banks worth of data.
>and pretty alien unless you're used to it.
That's why we keep the little grey guys in Area 51, ever since the start of the space program...
Ukraine is still not part of Russia. Glory to Ukraine🌻 https://www.pravda.com.ua/eng/news/2023/06/24/7408365/
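Added example (not part of the thread or of any poster's code): the 4-bits-in-7 encoding described above, placed underneath a 128-bit authentication tag, so that single-bit upsets are repaired before the authenticity check runs. The key, the sample telecommand, the HMAC-SHA256 choice and all function names are assumptions made for illustration.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"  # constructed sample key (assumption, not from the thread)
TAG_LEN = 16                   # 128-bit truncated HMAC-SHA256 tag

def enc_nibble(n: int) -> int:
    """Hamming(7,4): parity at positions 1, 2, 4; data at 3, 5, 6, 7."""
    d = [(n >> i) & 1 for i in range(4)]
    bits = [d[0] ^ d[1] ^ d[3], d[0] ^ d[2] ^ d[3], d[0],
            d[1] ^ d[2] ^ d[3], d[1], d[2], d[3]]
    return sum(b << i for i, b in enumerate(bits))

def dec_nibble(cw: int) -> int:
    """Correct at most one flipped bit, then return the 4 data bits."""
    syndrome = 0
    for pos in range(1, 8):
        if (cw >> (pos - 1)) & 1:
            syndrome ^= pos          # XOR of set positions is 0 for a valid codeword
    if syndrome:
        cw ^= 1 << (syndrome - 1)    # the syndrome names the flipped position
    return ((cw >> 2) & 1) | ((cw >> 4) & 1) << 1 | ((cw >> 5) & 1) << 2 | ((cw >> 6) & 1) << 3

def encode(data: bytes) -> list:
    return [enc_nibble(x) for b in data for x in (b & 0xF, b >> 4)]

def decode(cws: list) -> bytes:
    n = [dec_nibble(c) for c in cws]
    return bytes(n[i] | n[i + 1] << 4 for i in range(0, len(n), 2))

def protect(cmd: bytes) -> list:
    """Ground side: append the MAC tag, then add the redundancy layer."""
    tag = hmac.new(KEY, cmd, hashlib.sha256).digest()[:TAG_LEN]
    return encode(cmd + tag)

def accept(cws: list):
    """Satellite side: repair bit flips first, authenticate second."""
    frame = decode(cws)
    cmd, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
    good = hmac.new(KEY, cmd, hashlib.sha256).digest()[:TAG_LEN]
    return cmd if hmac.compare_digest(tag, good) else None

def flip(cws: list, hits: list) -> list:  # hits: (codeword index, bit 0..6) upsets
    out = list(cws)
    for idx, bit in hits:
        out[idx] ^= 1 << bit
    return out

CMD = b"CAM:CAPTURE"  # constructed sample telecommand
```

With one flipped bit in every codeword, `accept(flip(protect(CMD), ...))` still returns the command. Two flips inside the same codeword are miscorrected by the Hamming layer, and the tag check then rejects the frame instead of executing a corrupted command.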
(Score: 2) by driverless on Wednesday October 25, @12:15PM (3 children)
The stuff I've worked with uses TMR (triple modular redundant) coding with majority-logic decoding/scrubbing, because efficiency is another consideration and TMR is way simpler to implement than any rigorous error correction, at some cost in memory. It's actually pretty neat, you can corrupt random bits during testing and at the next program cycle all the errors reset themselves and you've got the original data back.
Now if only CPU vendors would include a VOTE instruction alongside all the other junk they've larded on over the years...
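Added example (not the poster's code): a sketch of triple modular redundancy with bitwise majority voting and scrubbing as described in the comment above, including the case the vote cannot catch. The class name, the `upset` test hook and the sample data are assumptions made for illustration.

```python
class TMRStore:
    """Keep three copies of a buffer; scrub() votes bitwise and rewrites all three."""

    def __init__(self, data: bytes):
        self.copies = [bytearray(data) for _ in range(3)]

    def upset(self, copy: int, byte: int, bit: int) -> None:
        """Test hook: flip one bit in one copy, as a single-event upset would."""
        self.copies[copy][byte] ^= 1 << bit

    def scrub(self) -> int:
        """Majority-vote every bit, repair all copies, return the bits repaired."""
        a, b, c = self.copies
        repaired = 0
        for i in range(len(a)):
            voted = (a[i] & b[i]) | (a[i] & c[i]) | (b[i] & c[i])
            for copy in self.copies:
                repaired += bin(copy[i] ^ voted).count("1")
                copy[i] = voted
        return repaired

    def read(self) -> bytes:
        self.scrub()
        return bytes(self.copies[0])


def demo():
    secret = b"constructed sample state"   # constructed sample data
    store = TMRStore(secret)
    # Distinct bits hit in each copy: every flip is outvoted and repaired.
    for copy, byte, bit in [(0, 0, 1), (1, 5, 7), (2, 9, 3), (0, 9, 4)]:
        store.upset(copy, byte, bit)
    repaired = store.scrub()
    recovered = store.read() == secret
    # Failure mode: the same bit flips in two copies before the next scrub.
    store.upset(0, 2, 0)
    store.upset(1, 2, 0)
    silently_wrong = store.read() != secret
    return repaired, recovered, silently_wrong
```

`demo()` returns `(4, True, True)`: four scattered upsets are repaired in one scrub, while a matching flip in two copies wins the vote and overwrites the one good copy without any error being raised.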
(Score: 2) by JoeMerchant on Wednesday October 25, @02:22PM (2 children)
Harris Semiconductor has been making custom silicon for space applications forever, I would hope by now that they (or someone) have put together a processor that abstracts all that away from the software... of course that would make space software development more accessible which is probably an anti-goal.
Ukraine is still not part of Russia. Glory to Ukraine🌻 https://www.pravda.com.ua/eng/news/2023/06/24/7408365/
(Score: 2) by driverless on Thursday October 26, @10:46AM (1 child)
The problem with space-qualified parts is that they're obscenely expensive - the Leon3 in one of the satellites in the paper probably cost more than the entire CubeSat and possibly the launch as well - they're many generations out of date, and they're export-controlled. An automotive-grade CPU with ECC and redundancy everywhere will do about as well as any space-qualified part, as will any server-grade or even desktop CPU from the last twenty years or so, which qualifies as rad-hard even if they're not sold as such. There's a great quote from a paper analysing a PIII which states that "Intel processors verge on radiation-hardened devices", to the point where a 2010-era desktop CPU exceeded the ITAR limits for rad-hard devices, 500 krad(Si) where these were taking several Mrad without blinking.
So all you need is an appropriately selected off-the-shelf part and careful programming.
(Score: 2) by JoeMerchant on Thursday October 26, @12:01PM
Again, about that "careful programming" - that could also be implemented as a "layer" where you write standard code and it calls a "careful" API to implement everything.
Storing a variable? 4 of 7 encoding with periodic refresh/repair. Oh, and note that 4 of 7 encoding is only +75% bloat, not +200%.
Performing a critical mathematical operation? Do it 3x and vote.
etc. etc. - sure, it would be slower than straight C, but slower than Python? Probably not.
Ukraine is still not part of Russia. Glory to Ukraine🌻 https://www.pravda.com.ua/eng/news/2023/06/24/7408365/