Billions of people will face a terrible time if the satellite communications networks that surround our planet ever fail. Cell phones will stop beeping, navigation systems will crash, television screens will go dark, and financial transactions will fail. The three most likely ways this can happen are: an intense geomagnetic storm due to a solar flare like the one that happened in 1859, known as the Carrington event; a cascading collision of space debris, the so-called Kessler effect; or an intentional cyber-attack.
On Sunday, a SpaceX rocket blasted off from Cape Canaveral with a special payload designed to mitigate the last of those hazards. On board was a US government Moonlighter satellite, described as “the world’s first and only hacking sandbox in space”. Once the satellite is deployed, five so-called “white hat” – or ethical – hacking teams at the Hack-A-Sat 4 contest in Las Vegas will try to hijack the Moonlighter and win a $50,000 prize for exposing the vulnerabilities . “With Moonlighter, we try to face the problem before it becomes a problem,” said a project leader told The Register.
In reality, the problem has already landed. Last year, on the day Russia invaded Ukraine, hackers launched a malware attack against Viasat’s KA-SAT satellite. They temporarily disrupted communications for thousands of broadband users in Ukraine, as well as in Poland, Italy and Germany, where 5,800 wind turbines were also affected.
“We are all aware that the first ‘shot’ in the current conflict in Ukraine was a cyber-attack against a US aerospace company,” said Kemba Walden, America’s acting national cyber director.
Leaked CIA intelligence, reported by the Financial Times this year, warned that China was also building sophisticated cyberweapons to “deny, exploit or hijack” enemy satellites. The US has not disclosed its own offensive capabilities in this area. But Washington isn’t just worried about Chinese spy balloons.
Where space used to be solely the domain of nation states, private companies are increasingly dominating the game as launch costs fall and satellites get smaller. Last year, the US launched 1,796 objects into space, 32 times more than in 2000. The lines between the military and civilians have also blurred due to dual-use applications, such as global positioning systems, making commercial satellites a target. And because of the difficulties of repairing satellites in space, designers add a lot of backup parts, increasing the “attack surfaces” that hackers can exploit.
Viasat says it has learned lessons from last year’s attack and strengthened its defense. Basic cyber hygiene is essential at every link in the communication chain (the hackers have gained access to a misconfigured virtual private network appliance on the ground). Constant vigilance is required: the American company has been under constant attack since the beginning of the war. And rapid response teams must be ready to restore control if a system is compromised.
“Anyone who claims perfect security is either lying or they don’t know what they’re talking about,” said Craig Miller, Viasat’s president of government systems. “You have to be able to react very quickly.”
According to James Pavur, a cybersecurity engineer at Istari, an American start-up, there are three ways to hack a satellite. The first target is the ground infrastructure, the most accessible attack surface but usually the best protected. Then hackers can try to intercept or spoof wireless communications between ground stations and the satellites. The third, and most difficult, approach is to go after the “bird in orbit” by building or exploiting security loopholes in satellite components. Operators therefore need to secure their entire supply chain.
Most hacking attacks are difficult to trace. Only four countries have the known ability to take out a satellite with a missile – the US, China, India and Russia – although such attacks can trigger the Kessler effect. But anyone can hack software anytime, anywhere.
White hat hackers are an extremely valuable community in helping secure critical satellite infrastructure, Pavur argues. “There is a mentality of security through obscurity. But a sufficiently motivated opponent will find an ‘exploit’,” he says. It is much better to find out those vulnerabilities first and fix them instead of trying to remain in obscurity.
The idea of crowdsourcing security sounds like an oxymoron. But white hat hackers have won over skeptics over the past decade. As software developers say, “Given enough eyes, all bugs are superficial.” That rule can even apply in space.