Workshop on the Security of Space and Satellite Systems (SpaceSec) 2024 Program

Inter-satellite links will unlock true global access to high-speed internet delivered by Low Earth Orbit (LEO) mega-constellations. Functional packet routing within the constraints of the space environment, spacecraft design, and continual satellite mobility is uniquely challenging and requires novel routing algorithm approaches. Additionally, recent real-world events have highlighted adversarial attempts to deny and disrupt mega-constellation networking capabilities. In this paper, we advance highly resilient LEO mega-constellation dynamic routing algorithms by presenting our novel, ISL architecture-derived, network coordinate system. This coordinate system simplifies the network topology and permits increasingly impactful routing decisions with minimal computational overhead. From our topology, we demonstrate a proof-of-concept, lightweight routing algorithm that is highly resilient and scalable. To promote standardized resilience comparisons for LEO mega-constellation routing algorithms, we also propose a routing resilience testing framework that defines key performance metrics, adversarial capabilities, and testing scenarios. Using our proposed framework, we demonstrate our routing algorithm’s increased resilience over several state-of-the-art dynamic routing algorithms, with 12% packet delivery rate improvement during high adversarial disruption intensities.

Recent reports on the state of satellite security reveal that many satellite systems that are operational today do not implement sufficient protection against cyber-attacks. Most notably is the fact that many systems lack of cryptographic protection on their TT&C link. If COMSEC protection on the TT&C link is missing an attacker with access to the RF link can eavesdrop on the communication and, even worse, could be able to inject specially crafted messages that would be processed by the satellite.

In this paper, we analyze needs and establish high level requirements for concepts aiming to secure TT&C link communication (with respect to confidentiality and authentication). The requirements cover key aspects of security and operations. We assess existing standards (SDLS and SDLS EP) against our requirements and determine that SDLS is suitable for traffic protection while SDLS EP does not meet all security requirements for key management (namely, it does not meet post compromise security). Finally, we discuss alternative key management approaches such as stateless authenticated key agreement and stateful authenticated key agreement (or key evolution protocols) and how they meet our requirements.

In the wake of increasing numbers of attacks on radio communication systems, a range of techniques are being deployed to increase the security of these systems. One such technique is radio fingerprinting, in which the transmitter can be identified and authenticated by observing small hardware differences expressed in the signal. Fingerprinting has been explored in particular in the defense of satellite systems, many of which are insecure and cannot be retrofitted with cryptographic security.

In this paper, we evaluate the effectiveness of radio fingerprinting techniques under interference and jamming attacks, usually intended to deny service. By taking a pre-trained fingerprinting model and gathering a new dataset in which different levels of Gaussian noise and tone jamming have been added to the legitimate signal, we assess the attacker power required in order to disrupt the transmitter fingerprint such that it can no longer be recognized. We compare this to Gaussian jamming on the data portion of the signal, obtaining the remarkable result that transmitter fingerprints are still recognizable even in the presence of moderate levels of noise. Through deeper analysis of the results, we conclude that it takes a similar amount of jamming power in order to disrupt the fingerprint as it does to jam the message contents itself, so it is safe to include a fingerprinting system to authenticate satellite communication without opening up the system to easier denial-of-service attacks.

Satellites and the services enabled by them, like GPS, real-time world-wide imaging, weather tracking, and worldwide communication, play an increasingly important role in modern life. To support these services satellite software is becoming increasingly complex and connected. As a result, concerns about its security are becoming prevalent.

While the focus of security for satellites has historically been on encrypting the communications link, we argue that a fuller consideration of the security of satellites is necessary and presents unique challenges. Satellites are becoming increasingly accessible to attackers–thanks to supply chain attacks and Internet connected ground stations–and present a unique set of challenges for security practitioners. These challenges include the lack of any real ability for a human to be physically present to repair or recover these systems, a focus on safety and availability over confidentiality and integrity, and the need to deal with radiation-induced faults. This work characterizes the cyber threats to satellite systems, surveys the unique challenges for satellite software, and presents a future vision for research in this area.

Despite the implementation of encrypted channels, such as those offered by anonymity networks like Tor, network adversaries have demonstrated the ability to compromise users’ browsing privacy through website fingerprinting attacks. This paper studies the susceptibility of Tor users to website fingerprinting when data is exchanged over low Earth orbit (LEO) satellite Internet links. Specifically, we design an experimental testbed that incorporates a Starlink satellite Internet connection, allowing us to collect a dataset for evaluating the success of website fingerprinting attacks in satellite environments compared to conventional fiber connections. Our findings suggest that Tor traffic transmitted via Starlink is as vulnerable to fingerprinting attacks as traffic over fiber links, despite the distinct networking characteristics of Starlink connections in contrast to fiber.

Automatic Dependent Surveillance - Contract (ADS-C) is an satellite-based aviation datalink application used to monitor aircraft in remote regions. It is a crucial method for air traffic control to track aircraft where other protocols such as ADS-B lack connectivity. Even though it has been conceived more than 30 years ago, and other legacy communication protocols in aviation have shown to be vulnerable, ADS-C’s security has not been investigated so far in the literature. We conduct a first investigation to close this gap. First, we compile a comprehensive overview of the history, impact, and technical details of ADSC and its lower layers. Second, we build two software-defined radio receivers in order to analyze over 120’000 real-world ADSC messages. We further illustrate ADS-C’s lack of authentication by implementing an ADS-C transmitter, which is capable of generating and sending arbitrary ADS-C messages. Finally, we use the channel control offered through a software-defined ADSC receiver and transmitter as a basis for an in-depth analysis of the protocol weaknesses of the ADS-C system. The found vulnerabilities range from passively tracking aircraft to actively altering the position of actual aircraft through attacks on the downlink and the uplink. We assess the difficulty and impact of these attacks and discuss potential countermeasures.

This paper details our journey in designing and selecting a suitable application sandboxing mechanism for a satellite under development, with a focus on small satellites. Central to our study is the development of selection criteria for sandboxing and assessing its appropriateness for our satellite payload. We also test our approach on two already operational satellites, Suchai and SALSAT, to validate its effectiveness. These experiments highlight the practicality and efficiency of our chosen sandboxing method for real-world space systems. Our results provide insights and highlight the challenges involved in integrating application sandboxing in the space sector.

Space missions increasingly rely on Artificial Intelligence (AI) for a variety of tasks, ranging from planning and monitoring of mission operations, to processing and analysis of mission data, to assistant systems like, e.g., a bot that interactively supports astronauts on the International Space Station. In general, the use of AI brings about a multitude of security threats. In the space domain, initial attacks have already been demonstrated, including, e.g., the Firefly attack that manipulates automatic forest-fire detection using sensor spoofing. In this article, we provide an initial analysis of specific security risks that are critical for the use of AI in space and we discuss corresponding security controls and mitigations. We argue that rigorous risk analyses with a focus on AI-specific threats will be needed to ensure the reliability of future AI applications in the space domain.

Merge/Space (M/S) is a testbed designed to simulate multiple-agent security scenarios in satellite networks. By combining orbital data generated by a simulator such as STK with a synchronized set of images, M/S can accurately simulate bandwidth and connectivity constraints between ground stations and vehicles, enabling analyses of DoS attacks, scanning, malware infiltration and other analyses. We discuss the development of the testbed, the sample datasets included for release, and demonstrate the impact of various simulations.

COSPAS-Sarsat is a global satellite-based search and rescue system that provides distress alert and location information to aid in the rescue of people in distress. However, recent studies show that the system lacks proper security mechanisms, making it vulnerable to various cyberattacks, including beacon spoofing, hacking, frequency jamming, and more. This paper proposes a backward-compatible solution to address these longstanding security concerns by incorporating a message authentication code (MAC) and timestamp. The MAC and timestamp ensure the integrity and authenticity of distress signals, while backward compatibility enables seamless integration with existing beacons. The proposed solution was evaluated in both a laboratory setting and a real-world satellite environment, demonstrating its practicality and effectiveness. Experimental results indicate that our solution can effectively prevent attacks such as spoofing, man-in-the-middle, and replay attacks. This solution represents a significant step toward enhancing the security of COSPAS-Sarsat beacon communication, making it more resilient to cyberattacks, and ensuring the timely and accurate delivery of distress signals to search and rescue authorities.

Satellite services are vital for many types of critical infrastructure, including electricity, finance and transportation. Sophisticated attackers therefore may target satellites, in order to create widespread disruption. The ground infrastructure of satellite systems offers attackers direct access to satellite systems, as this is where satellites are operated and monitored. We investigate the tactics and technology utilised by attackers of satellite ground systems, through analysis of previous attacks conducted against satellite ground infrastructure. Through this investigation, we contribute to growing literature surrounding cyber attacks against satellite systems, by providing empirical analysis of techniques and tactics used to attack ground infrastructure. Analysis of attack cases is presented, and then we discuss key findings and implications for future research.

COSPAS-SARSAT is a satellite radio location system for aviation, maritime, and land travellers designed to aid search and rescue (SAR) services in distress. This system effectively detects, processes, and relays distress signals, facilitating prompt responses from SAR services. However, COSPAS-SARSAT 406 MHz protocols, both from an architectural and implementation point of view, exhibit fundamental cybersecurity weaknesses that make them an easy target for potential attackers. The two fundamental flaws of these protocols are the lack of digital signatures (i.e., integrity and authenticity) and encryption (i.e., confidentiality and privacy). The risks associated with these and other weaknesses have been repeatedly demonstrated by ethical cybersecurity researchers.

In this paper, we first present an overview of the insecure design of COSPAS-SARSAT messaging protocols. Subsequently, we propose a lightweight ECDSA message integrity and authenticity scheme that works seamlessly for COSPAS-SARSAT 406 MHz protocols. We propose that the scheme can be added as a backward-compatible software-only upgrade to existing systems without requiring expensive architectural redesign, upgrades, and retrofitting. The preliminary implementation, tests, and results from the lab show that our scheme is effective and efficient in adding message authenticity and integrity and represents a promising applied research direction for a low-cost, potentially backward-compatible upgrade for already deployed and operational systems.