Hacking space: How to pwn a satellite
Hacking an orbiting satellite is not light years away – here’s how things can go wrong in outer space
Getting root on something floating above our planet (or any other for that matter) would seem like a new form of hacking Holy Grail. Don’t worry though, someone’s already working on it – believe it or not.
Because when you break something in space, bad things happen. Just ask any space movie fan.
Who else cares? NIST, for one. The U.S. National Institute of Standards and Technology, in a non-enforcement capacity, is hoping to convene the parties who might touch space code and hardware and provide some guidelines, ramping up some sort of international conversation amongst purveyors of space-bound computers, hoping to keep them safe over the decades-long planned life cycle for orbiting things. Speaking of U.S. agencies, who exactly will have a say about space policies, and do other countries have to agree?
While that’s being debated, Matt Scholl of NIST, speaking at the recent “Inaugural Space Cybersecurity Symposium: Access for Start-ups” security event, called NIST the “calibrators who calibrate the calibrators”, which seems apropos for setting stellar expectations in a security context. And since they have a significant history of trotting out reasonably useful frameworks that folks are free to implement, they do seem to have some provenance in helping to set those expectations and at least get space folks to the table.
What bad things can happen in space?
The first bad thing that can make lots of other bad things happen is to block communication to the device, since it makes it unusually difficult to fly up to troubleshoot on the remote end, or do anything else on your interstellar PC for that matter.
How do you prevent that? There is a certain natural risk severity escalator in space after all, which makes things like code review and hardening even more important.
Also, be less experimental in areas that have a long and boring security history. Don’t invent your own cryptography, for example. Cryptography that’s secure is hard, very hard, and rolling your own is almost inevitably a recipe for hit-and-miss security. Mostly miss.
Speaking of cryptography, it’s not just about using proven technologies, but since your flying metal might be up there for decades, using beginning-of-life cryptography algorithms that are more resistant to quantum cryptographic cracking is a good idea. Large number AES (Advanced Encryption Standard) is quantum resistant, for example, while RSA isn’t.
Indeed, NIST has a list of acceptable crypto, while we await quantum crypto standards coming in 2-5 years. Even better if you can implement crypto agility, in case yours is proven insecure in the coming years. What security do you trust now that we developed 20 years ago? Yeah, that’s why space is hard.
Interoperability with technology partners is also important, since you won’t be building the whole chain. If you build satellites, you probably won’t, for example, be building the delivery systems, though problems in one system can rapidly become problems in others.
One of the significant hacking entry points is the ground station facilities, since they represent access to communication links to stellar equipment, so there is renewed focus on security, including using hard tokens for authentication/identification, and implementation of solid processes like NIST cybersecurity framework SP‑800‑53 and SP-800-39 for risk management. If hackers can deny service at the ground station level, bad things can definitely happen, since they’re basically cutting the umbilical cord.
Also interesting are the standard best practices that AREN’T needed in space, like a screen lock. Okay, someone can walk up and access the keyboard, and maybe insert a USB key they found in the parking lot, but uh, they’d have a very expensive trip to get there, making that attack vector unusually unlikely for some time.
And even though kinetic attacks make for good movie plots, they are far less likely than hacking. Someone would no doubt notice someone else lobbing a missile at your satellite a long time before quietly probing ports on your ground station network.
Space is definitely becoming a hot startup scene. Interestingly, however, it also parallels national ambitions, with first mover advantage contributing to national pride. So, while startups are concerned with speed to deploy, nations will have to grapple with how that affects their priorities, which will take many years to define and implement. And while nation states can wait years to get something right, startups can’t.
There is, however, some kind of projection/corollary between how the commercial startup scene velocity will suggest a national superiority in space, so nations seem incentivized to help, even if their driving factors don’t match 1:1. Nations, however, can add significant hurdles for small business, forcing them to go elsewhere to do business.
While NIST is a US agency, this clearly is an international conversation, and hopefully their efforts will work toward constructive collaboration and standard setting, since they only act in a non-enforcement capacity. They point to their National Vulnerability Database and Computer Security Resource Center as resources to help.
Either way, it’s good to work issues out now to avoid problems in space, where even though there’s a higher degree of resiliency built in, it’s still exceedingly difficult to try turning your computer off and back on again. It’s better, rather, to put a “degrade gracefully” feature in place, where systems can fail somewhat more gracefully, and not do things that end in earthbound metallic fiery plunges upon re-entry.
Want to hack space for the good guys? DEF CON plans space hacking exercises this year, and the U.S. Air Force is also trotting out a “Hack A Sat” exercise, so you’re in luck.
Now back to that Sci-Fi thriller where you can hear the explosions in space, because, you know, you can’t. Oh, and Nokia got the bid to provide 4G on the moon, in case we have to abandon the planet suddenly and connectivity is an issue. You should bring along some water though, and probably sunblock. You’ll also need air and some other small items needed to summit technical hurdles. So while you plan your luggage space carefully, you might want to not book your trip just yet.