
Why blow up satellites when you can just hack them?

(2025/08/08)


Black Hat: Four countries have now tested anti-satellite missiles (the US, China, Russia, and India), but it's much easier and cheaper just to hack them.

In a briefing at the Black Hat conference in Las Vegas, Milenko Starcik and Andrzej Olchawa from German biz VisionSpace Technologies demonstrated how easy it is by exploiting vulnerabilities in the software used in the satellites themselves, as well as in the ground stations that control them.

"I used to work at the European Space Agency on ground station IT and got sick of telling them what was wrong and not having them fix it," Olchawa told The Register, "So I decided to go into business to do it myself."


Satellites are proliferating. In 2005, there were [2]fewer than 1,000 in orbit (many of them inactive). But two decades later, there are about 12,300 functioning satellites, per the [3]European Space Agency. The majority of those are Starlink satellites owned by Elon Musk's SpaceX, but there has also been a sharp rise in the number of military platforms thanks to rising global tensions. Plus, it's cheaper than ever to build and launch such hardware, they explained.

[4]More NASA spacecraft give controllers the silent treatment

[5]MethaneSAT 'likely not recoverable' after losing contact with Earth

[6]Orbital datacenters subject to launch stress, nasty space weather, and expensive house calls

[7]Please don't cut funds for space traffic control, industry begs Congress

The software used to manage this proliferation isn't always secure. Take Yamcs, for example, an open source application that is used by NASA and Airbus to communicate with and control satellites in orbit. The team [8]found five separate CVEs in the code that would allow an attacker a free run of the application for total control.

The VisionSpace duo demonstrated how it was possible to change a satellite's orbit by sending a command to its thrusters, without the course change showing up immediately on the controller's screen. Thankfully, this was a simulation - no satellites were harmed during the course of the presentation.

The situation was even worse with OpenC3 Cosmos, another open source app that is used for command and control in ground stations. They [9]discovered seven CVEs in the software, including flaws that allowed remote code execution and cross-site scripting attacks.

NASA isn't above reproach in this regard. Its open-source Core Flight System (cFS) Aquila proved more porous than advertised: the team [10]uncovered four critical flaws - two denial-of-service bugs, a path-traversal one, and a remote-code-execution vulnerability - that could crash the flight software and give attackers full code-execution control over NASA's systems.


Many satellites themselves use an open-source, C-based, encryption library called CryptoLib, and that too is full of flaws, four in the version NASA uses and seven in the standard package - in the latter case, two of them rated as critical.

"We found actual vulnerabilities which allow you to crash the entire onboard software with an unauthenticated telephone," claimed Starcik.


"So basically, you send a packet to the spacecraft, and the entire software crashes and reboots, which then actually causes the spacecraft, if it's not properly configured, to reset all its keys. And then you have zero keys on the spacecraft that you can use from that stage on."

For budding supervillains out there, forget about it – all of the vulnerabilities have been responsibly disclosed and fixed. But relying on buggy code to control our orbital platforms shouldn't be tolerated, they concluded, and there may be more software nasties floating around out there. ®





[2] https://www.ucs.org/resources/satellite-database

[3] https://sdup.esoc.esa.int/discosweb/statistics/

[4] https://www.theregister.com/2025/08/06/more_nasa_spacecraft_give_controllers/

[5] https://www.theregister.com/2025/07/02/methanesat_likely_not_recoverable/

[6] https://www.theregister.com/2025/07/25/orbital_datacenters_subject_to_all/

[7] https://www.theregister.com/2025/07/10/space_traffic_control_congress/

[8] https://visionspace.com/yamcs-v5-8-6-vulnerability-assessment/

[9] https://visionspace.com/openc3-cosmos-a-security-assessment-of-an-open-source-mission-framework/

[10] https://visionspace.com/nasa-cfs-version-aquila-software-vulnerability-assessment/





responsibly disclosed

tfewster

The phrase "responsibly disclosed" gets interesting here:

- Would it be more "responsible" to disclose Russian satellite bugs to the Russians or to the US spooks?

- Or Starlink bugs to astronomers, who might in turn feel it would be "responsible" to remove them from the skies/orbits to clear space?

Have worked on several "bespoke" satellite ground control and on-board systems

elDog

Admittedly my last on-board software experience was back in the days of trying to shoe-horn Ada into everything, and failing. And falling back to some other very "interesting" software languages and libraries (anyone know about Jovial)?

More recently it was trying to force critical components into a J2EE environment. Mission critical stuff that could never have been adequately tested by any existing software techniques. Again, this is usually "one off".

Then, the satellite ground station software written with PHP....

Number6

Overall it's much safer to just hack them. The film "Gravity" demonstrates what can happen when you just blow stuff up in orbit without paying much attention to the debris field. See also: Kessler Effect.

Catkin

Gravity is a pretty poor illustration of orbital mechanics. Unless it's prograde relative to your orbit, it won't sweep through your position with each orbit. Kessler syndrome also applies more at altitudes significantly above the orbit of the Shuttle or ISS because, at those lower altitudes, there's enough atmosphere for drag to play a significant role before the cascade really gets going.

I highly recommend having a play around with KSP to understand the former, though it won't help with the latter, as its atmospheric simulation capabilities are limited for the purpose of simplifying gameplay.

Better than I thought

Henry Wertz 1

Better than I thought, I thought it may have still been unencrypted.
