Why do hackers hack satellites and what does it lead to?

Is there room in space for hackers? Alas, wherever people create something, there will be those who want to destroy it or turn it to their own advantage. The only person in history suspected of hacking from orbit, astronaut Anne McClain, was acquitted by the court. But our fellow inhabitants of the planet have paid repeated unfriendly visits to space infrastructure.

My name is Denis Makrushin, and I am the technical director of MTS RED. For Cosmonautics Day, I will explain how attackers undermine the cyber resilience of satellite infrastructure and how they can be countered.

Responsible Hacker

Perhaps the first hack of a satellite in orbit was the work of Captain Midnight, who interrupted an HBO broadcast on April 27, 1986. Instead of the film, the following caption appeared on air: GOODEVENING HBO FROM CAPTAIN MIDNIGHT. $12.95/MONTH? NO WAY! It turned out that the superhero had plenty of supporters among users unhappy with the cost of a satellite TV subscription: more than 200 people “confessed” to the FBI that they were Captain Midnight.

However, the real culprit turned out to be satellite communications engineer John MacDougall. In the United States, satellite TV appeared in the 1970s, when it was used to deliver pay-per-view channels. At first the signal was transmitted unencrypted, which allowed “life hackers” to pay only for installing a satellite dish and skip the operator's subscription fee. To avoid losing revenue to unauthorized viewing, the largest pay TV operator, HBO, began encrypting the signal in 1986. After that, anyone who wanted to watch HBO channels had to pay a monthly subscription for the decoder that deciphers the satellite signal to work. Relatively few people were willing to pay regularly for TV channels, and installers' incomes fell. Dissatisfied with the new state of affairs, the engineer put together a picture with a message and transmitted it to the HBO satellite. By overpowering the original signal with a stronger one, he in effect carried out the first documented jamming attack on a satellite. The interference lasted only 5 minutes. According to media reports, HBO employees increased the power of the original broadcast in an attempt to overcome the alien signal, but MacDougall responded by increasing the power of the station he was working at and kept control. Captain Midnight then turned off the transmission himself, for fear of burning out the satellite's receiver with too strong a signal from two sources at once. Perhaps the court took this almost noble behavior into account, because John MacDougall got off relatively lightly: a fine of $5,000 and a year of probation.

More satellites mean more opportunities for hackers

It would seem that in the time since the first satellite hack, companies could have learned to protect spacecraft and the information transmitted through them. However, not all operators are concerned about this. Some of them use no encryption at all, or use algorithms that are not resistant to cracking, in order to save on the cost of the satellite and its launch: they take standard electronic components and economize on computing power, reducing the size and weight of the satellite.

In 2019, cybersecurity specialist James Pavur, formerly of the Pentagon, conducted an experiment for his doctoral dissertation at Oxford. With a $400 kit (a small antenna, coaxial cable, and an off-the-shelf digital TV tuner), he managed to intercept satellite signals transmitted by ships belonging to Fortune 500 companies. The researcher noted that once the signal is cleaned of noise, it yields ship manifests, passport data, credit card numbers and payment details.

More serious equipment makes it possible both to suppress satellite signals and to carry out spoofing (replacing real data with specially generated data). An example is spoofing of navigation systems, where the map shows the user a position far from the real one. This was first demonstrated by students at Carnegie Mellon University back in 2012. Interestingly, this is a rare case where a system's insufficient security is itself used to provide security: spoofing of navigation systems is used near important government buildings to prevent potential terrorist attacks.

In general, there is nothing “unearthly” about satellites: you can suppress their signal with a more powerful one, and if the spacecraft manufacturer has not bothered with encryption, then an attacker can even replace a TV broadcast or Internet data.

Defense of space begins on Earth

Let's come down from heaven to Earth. Security researchers single out attacks on the command and control link (C2) as a separate category: in our case, the communication line between satellites and ground control stations. This is not just theory. Back in 2007–2008, attacks of this kind caused the Norwegian tracking station to repeatedly lose communication with the Landsat-7 and Terra AM-1 satellites. No compromise of ground-based IT systems was detected, so the researchers concluded that the attack targeted the transmission line. I would like to note that command and control of the satellites was built to a proper standard: the temporary loss of communication did not put them out of action and the spacecraft did not leave orbit, so they proved resilient to failures.

Thus, protecting space begins on Earth. This is where it is easiest for hackers to get at satellite information using classical methods, for example by attacking ground infrastructure with brute force and by exploiting vulnerabilities. This potentially threatens loss of control over the satellite or leakage of important information.

In 2014, researchers discovered that hackers had gained access to more than 10,000 satellite stations in the United States. Sensitive data of users and companies, as well as service information from the electrical network control channel, were compromised. No complex attack scenarios were needed here: the terminals used default passwords, or access via VPN was disabled (after which, apparently, the login and password were transmitted in clear text and intercepted).

In 2018, researchers again warned of the vulnerability of civilian and military assets to cyberattacks via satellite systems. While the probability of this threat was assessed as average for US military structures and civil aviation, for sea vessels it was assessed as high: both the exact coordinates from the navigation system and satellite communications are critical for ships.

It might seem that these cases taught organizations how to protect satellite communications systems. But hackers are improving too, and even companies for which satellite communications are critical to business continuity cannot always protect them from cyberattacks. In 2022, the satellite operator Viasat suffered a large-scale cyberattack: out of 100,000 subscribers in 13 countries in Eastern Europe and Africa, approximately 45,000 lost communications. The incident not only affected Internet users, but also led to a malfunction of about 6,000 wind turbines in Germany, which were controlled via satellite.

In a joint investigation with the NSA, Viasat found that the hackers first compromised access to a corporate VPN in Italy, got into the system and installed malware on the control servers. The malware sent a firmware update via satellite to many KA-SAT modems, which provide users with broadband Internet access through the KA-SAT spacecraft. The update overwrote the flash memory of the devices with garbage data, rendering the terminals unusable. When Viasat and NSA specialists tried to get to the bottom of the problem, the hackers launched a DDoS attack on the remaining modems. The inaccessibility of the devices prevented specialists from understanding the attack vector, and also made it impossible to connect to the modems remotely and try to restore their Internet access settings. As a result, some of the company's subscribers were left without communication for about a month, and tens of thousands of modems had to be replaced.

Scheme of attack on Viasat satellite communications

The investigation showed that the affected modems did not require authorization to rewrite the firmware. The penetration into the system was organized more subtly: the company assumed that the hack was caused by a mole in the Italian office, but researchers found an incorrect configuration of the corporate VPN. It later became known that a month before the attack the NSA had warned Viasat about numerous vulnerabilities in satellite equipment, but the operator neglected to protect the basic elements of its IT infrastructure.
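
The missing control described above, firmware that can be rewritten without authorization, is shown here as an added example that is not taken from Viasat's modems or from the investigation: an update handler that writes whatever arrives, next to one that authenticates the package and rejects replays before touching flash. The package layout, the key and all names are hypothetical, and HMAC-SHA256 stands in for the vendor signature a real terminal would verify with a public key.

```python
import hashlib
import hmac
import struct

# Constructed demo key; HMAC-SHA256 stands in for an asymmetric vendor signature.
UPDATE_KEY = b"constructed-demo-key-not-a-real-secret"
MAGIC = b"FWUP"
HEADER = struct.Struct(">4sII")            # magic, version, payload length
TAG_LEN = hashlib.sha256().digest_size


class Flash:
    """Toy stand-in for the modem's flash: one image plus its version."""
    def __init__(self, version, image):
        self.version, self.image = version, image


def build_package(version, payload, key=UPDATE_KEY):
    """Vendor side: header + payload, followed by a tag over both."""
    body = HEADER.pack(MAGIC, version, len(payload)) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()


def apply_unauthenticated(flash, package):
    """The 'before': anything arriving on the management channel is written."""
    _, version, length = HEADER.unpack_from(package)
    flash.version = version
    flash.image = package[HEADER.size:HEADER.size + length]
    return True


def apply_authenticated(flash, package, key=UPDATE_KEY):
    """The 'after': check tag, framing and version before touching flash."""
    if len(package) < HEADER.size + TAG_LEN:
        return False                       # too short to hold header and tag
    body, tag = package[:-TAG_LEN], package[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return False                       # forged or corrupted package
    magic, version, length = HEADER.unpack_from(body)
    if magic != MAGIC or length != len(body) - HEADER.size:
        return False                       # malformed framing
    if version <= flash.version:
        return False                       # replay or rollback to an old image
    flash.version, flash.image = version, body[HEADER.size:]
    return True
```

The order matters: the tag is checked over the whole body before any header field is trusted, and flash is modified only after every check has passed.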

Positive outcome

At first glance, space seems infinitely far from earthly hackers. In fact, cyberattacks on satellite infrastructure are infrequent, but they do occur. As space-based communications permeate every aspect of our lives and work, cyberattacks involving satellite constellations are likely to become commonplace and could have serious consequences for users and companies. It is better to act proactively rather than wait for attackers to move, and to work on the information and cyber security of both the orbital and ground parts of satellite systems.

Dream about space and don't forget about cyber defense on Earth!

I thank our editor Alexander Baulin for his help. He worked for Roscosmos Media for a long time and shared very useful knowledge with me.
