Satellite Security Lags Decades Behind the State of the Art
hubie writes:
Thousands of satellites are currently orbiting the Earth, and there will be many more in the future. Researchers from Ruhr University Bochum and the CISPA Helmholtz Center for Information Security in Saarbrucken have assessed the security of these systems from an IT perspective. They analysed three current low-earth orbit satellites and found that, from a technical point of view, hardly any modern security concepts were implemented. Various security mechanisms that are standard in modern mobile phones and laptops were not to be found: for example, there was no separation of code and data. Interviews with satellite developers also revealed that the industry relies primarily on security through obscurity.
[...] Satellites orbiting the Earth can only be reached by their ground station on Earth within a time window of a few minutes. The systems must be robust against the radiation in space, and, since they can only consume a small amount of energy, they have a low power output. "The data rates are like those of modems in the 1990s," as Holz elaborates the challenges satellite developers face.
Based on the findings gained from the software analysis, the researchers worked out various attack scenarios. They showed that they could cut off the satellites from ground control and seize control of the systems, for example in order to take pictures with the satellite camera. "We were surprised that the technical security level is so low," points out Thorsten Holz, adding the following caveat with regard to potential ramifications: "It wouldn't be all that easy to steer the satellite to another location, for example, to crash it or have it collide with other objects."
To find out how the people who develop and build satellites approach security, the research team compiled a questionnaire and submitted it to research institutions, the ESA, the German Aerospace Centre and various enterprises. Nineteen developers participated anonymously in the survey. "The results show us that the understanding of security in the industry is different than in many other areas, specifically that it's security by obscurity," concludes Johannes Willbold. Many of the respondents therefore assumed that satellites could not be attacked because there is no documentation of the systems, i.e., nothing is known about them. Only a few said that they encrypt data when communicating with satellites or use authentication in order to ensure that only the ground station is allowed to communicate with the satellite.
This work was presented in an IEEE conference paper. [PDF]
Read more of this story at SoylentNews.