Thales seizes control of ESA demonstration satellite in cybersecurity exercise (thalesgroup.com)
95 points by belter on May 20, 2023 | 39 comments



A lot of marketing fluff; I did some work with Thales before and they like that style :). That being said, a lot of these end-point/edge/etc. are extremely vulnerable, whether it’s SCADA/DCS systems, robotics and drones (mostly SBCs or NUCs) or satellites, as the engineers are mostly focused on ‘make it work’. The software code is mostly hacky, the OS is outdated most of the time since updating it remotely might break things, logins are default ones (some I found are still admin/admin), SSH ports are the default and use passwords instead of key pairs, and I’ve even seen production systems still using the HART protocol. Usually the links between the edge and API/backend servers are not encrypted or use broken encryption, and on top of all that, most of these companies don’t invest in any cybersecurity audits or have a team dedicated to that, as they need a working PoC to milk more funding to build another PoC for another funding and so on. For example, you can use Shodan (or other similar tools) to search for a specific service in these systems, the process is faster if you know some of these running services too, and take it from there, or attacking specific protocols like PROFIBUS etc. Attacking an average VPS is harder and more time consuming than any of these industrial systems.


Looks like a marketing stunt.

Not many details available online but I found this: https://www.spacesecurity.info/thales-demo-at-cysat-what-was...

It looks like they didn't do a hack of the ground station, or anything like a radio signal hack.

My understanding is that ops-lab is like a kind of "SDK", and so they had allowed access to this special satellite that is a kind of shared projects machine, like a mainframe or a virtual machine host.

So, basically they did a chroot escape. The computer being a satellite instead of something else is just a detail. They did not hack to get remote access.


I hate being a critic when someone actually does something, but I have a lot of trouble justifying the effort on this one as well. It seems like the mission did a great job of checking off some ESA goals. I'm skeptical these tasks were actually useful. A lot of these things don't need to be demonstrated. Using an outdated Linux kernel or OS image is going to be vulnerable if you have direct access to the machine. Security here comes in layers (encrypted links, being judicious about what changes persist through resets, good+signed firmware that won't let you break things). Saying "don't forget about the OS" doesn't need a multi-million euro endeavor.

It's also a bit frustrating because (assuming it is a useful exercise) there are plenty of private companies that could have built this for ESA much more quickly and cheaply. Planet and Spire could have dedicated or loaned out one of their satellites. Starlink certainly has spares and coverage. I suppose these companies are US-based, so it wouldn't help develop ESA capabilities. Feels a little like a handout to Thales.

It's neat that I can borrow a satellite to train a neural net, but is it useful? And if it is, do I need a demo to prove it's possible?


> The results of the ethical satellite hacking exercise, the first of its kind in the world

High time - I have been waiting for satellite hacking since the days of GoldenEye[0] and Die Another Day[1]. Interestingly, both featuring Pierce Brosnan.

[0]: https://en.wikipedia.org/wiki/GoldenEye

[1]: https://en.wikipedia.org/wiki/Die_Another_Day


I’m, uh…. not sure that’s interesting at all, since they’re successive installments in a series of movies….


James Pavur has some interesting papers on various types of satellite hacking, from using ML to determine that some "space debris" might actually be hidden spacecraft [0] to VSAT security [1] to Cyber Antisatellite weapons [2], and other interesting stuff [3].

[0]:https://ora.ox.ac.uk/objects/uuid:9af9771d-74cd-49f3-88e3-f3...

[1]:http://www.cs.ox.ac.uk/files/11922/Pavur%20et%20al%20A%20tal...

[2]:https://ora.ox.ac.uk/objects/uuid:6e4194fa-474b-41cb-81fa-db...

[3]:https://www.cs.ox.ac.uk/people/publications/date/James.Pavur...

Note: I'm not associated with Dr. Pavur in any way other than being fascinated by some of his papers and Defcon presentations.


>the European Space Agency (ESA) set up a satellite test bench

>Throughout the exercise, ESA had access to the satellite's systems to retain control and ensure a return to normal operation.

Was this a test bench or on orbit? The release seems to contradict itself. Did they do it on the test bench, and then for real?


They hacked OPS-SAT, which was an experimental satellite by ESA to test different ways of operating a satellite. The very purpose of this satellite was to be a test bench for this kind of thing.


The satellite was in orbit. This is an interview with the Thales CyberSecurity Manager about it. The interview is in French, but it's a beautiful language to brush up on anyway, and if you can't, YouTube Autotranslate is also not bad nowadays.

https://youtu.be/g-jHapQl0ks


I was expecting a technical manager but instead it's just some ex-McKinsey manager. I wouldn't be surprised if they gained access via some open port or a default password or whatever the equivalent is for satellites.


[flagged]


What dig? I think your insecurities are showing...


Get a room already


The mentioned satellite (OPS-SAT) is in orbit:

https://en.wikipedia.org/wiki/OPS-SAT

https://www.esa.int/Enabling_Support/Operations/OPS-SAT

Launch took place on 18 December, 2019, when OPS-SAT was injected into a circular, polar orbit at 515 km altitude.

Real-time tracker: https://www.n2yo.com/satellite/?s=44878


I wasn't doubting that it is a real satellite, just whether they hacked that, or an engineering spare laid out on a table, which seems to be common for satellite hacking challenges.


Ah. That sentence you quoted:

"Throughout the exercise, ESA had access to the satellite's systems to retain control and ensure a return to normal operation."

My reading of this: ESA let the teams attempt their hacks on the real satellite under supervision.

I guess I don't understand your implicit distrust here - it's just a 2 million EUR, 7 kg satellite explicitly launched for communications experiments.


>I guess I don't understand your implicit mistrust here

It is a private press release by a company on its own site, advertising the same services touted in the release. I assume every truth that can be bent in their favor has been done so by the PR and Marketing teams. However, the YouTube video above with the interview seems much more unequivocal.


There are times and places that call for extreme levels of cynicism. This is not it.

Again, it's a (relatively) super cheap satellite explicitly meant for comms experiments.


Pretty sure marketing copy is exactly where it is called for.


Could be contradictory on purpose


The test bench is OPS-SAT; their wording makes it seem like their test bench is a satellite in the sky (probably airgapped from the rest of the satellites).


probably vacuum-gapped


Is it a first? I remember hearing something similar last winter.


I think it's a first from a platform cybersecurity hacking perspective. Somewhat similar actions were done but not at this level.

"An old satellite was hacked to broadcast signals across North America" - https://www.freethink.com/space/decommissioned-satellite-hac...

And in Brazil they have been using some US Navy satellites for years.

"The Great Brazilian Sat-Hack Crackdown" - https://www.wired.com/2009/04/fleetcom/


Interestingly Thales is the name of the supercomputer/network in Clarke and Baxter's Time Odyssey.


You say satellite, I say abandoned hackable missile in orbit. Tomato, tomato.


Missiles which may come down in a multiple thousand square mile area (if lucky) are generally not considered useful.


They aren't that dangerous on the ground due to the reentry process but there are busses out there that could be guided into the ISS if the attacker knew what they were doing.


I'm sure some modern reincarnation of terrorists would be interested.


Does it have enough propellant to deorbit?


A GEO one, no chance. It will have enough to change out of GEO to a graveyard orbit, which means it will have enough to shift its position in GEO and collide with another satellite.

LEO sure, you don't need to adjust your perigee or even your angle of attack much to change orbit. But then very little from a satellite will reach the ground.


and what is a news about this ? 99.99999999% of satellites are vulnerable to attacks doable by middleschool teenagers.

most of traffic between satellite and earth is unencrypted ( RC4 like encryption is not encryption ), there are hundreds of satellite listening stations all over the world.

for example "Abhörstation Königswarte" can listen to african presidents talking over satellite phones.

snowden leaks provided some info about collections thru these kind of stations. ( NOTHING in snowden leaks, showed to public, was unknown / not already opensource )


You'll need to have a good source on that because the majority of the latest satellites are using at least AES128 or better AES256 for this kind of stuff. Granted, a few of the implementations I have seen are a bit exotic and probably somewhat vulnerable, and the key management can be quite manual, but we are not at the middle school teenagers level anymore.

And I doubt very much that Starlink or OneWeb (OW is using AES256) satellites are that easy to hack, and they by themselves are most of the satellites.

Many satellites are also able to monitor contacts made from the ground and if someone is able to gain access to the communication stream, they'll quickly (within 10min) have to learn how to hack the onboard software to reset these monitors.


starlink can monitor your traffic in ground station. so you do not need ground based listening station. optical links still does not work what i know. it is kind of dumb relay ( at least today ) darpa had program which wanted starlink like satellites used for military purposes, with sensors AND machine learning onboard, 400 km is not very far from earth either, so you do not need complicated sensors (optics..) to see / hear / feel / receive things + capability of computation ( ML filtering, ML recognition.. ) can provide you with very powerful platform. plus on top - with optical interconnects you can transmit data without touching "bad" side of globe XD

so with ESA putting this amount of (american made) computation, you can see where it is going.

im proponent of having telemetry not encrypted, we need this for same reason we use ADS/AIS

there are multiple "channels" from / to satellite. not all have to use consumer grade encryption.


Do you think this was at least news to the ESA?


purpose is test platform, from "ally".

some other comments provide link to mission statement, there you can read it was developed to do tests about spacecraft security, im not sure they meant computer security, tho. you can write ESA, you can find some ESA people on twitter even.


Source(s)?


what i did / did not do in my free time, 15 years ago i do not want to talk.

is 20 year old tech hackable ? is not sourcable. what is done to satellites is not really possible to source, people need to work. and even bull is considered secret, proprietary etc....

for threat model: hybrid war is "new". " attacking infrastructure was considered war, full stop " this changed for some reason.

american corporation have 4 pictures of "earth" everyday, in database, starting from 1996... and still even today, you can point antenna up and capture geostationary satellite pictures, not in that resolution tho. ( NOAA / old russian meteo satellites - this was not in threat model. source is point antenna up)

im not talking about things like FLTSATCOM 7 and FLTSATCOM 8 which are known and covered by news.

im not confused about what is telemetry, control, data, transponder, etc

most nonmainstream things / themes are not "googleable". because hybrid war. hobbysite from 20 years ago - cqham.ru has some articles about "downloading" nonencrypted traffic from satellites with, for today's standard, primitive equipment


The specs are usually public for GEO meteo sats in particular (NOAA's, Elektro-L, etc), specifically for amateur enthusiasts to receive the photos; unencrypted downlink is easy with them. Controlling anything is another story.


so threat model for satellites is not what we thought.( as a public hollywood goers ). and even if satellite is "hardened" is hardened by obfuscation rather than technological mechanism ( even if it had technological anything in it, which they dont. most satellites are older than 20 years, anyway.... )



