Billions of people will have a terrible time if the satellite communications networks surrounding our planet ever fail. Cell phones will stop chirping, navigation systems will crash, television screens will go dark and financial transactions will fail. The three most likely ways this could happen are: an intense geomagnetic storm resulting from a solar flare like the one that occurred in 1859, known as the Carrington Event; the cascading collision of space debris, called the Kessler effect; or a deliberate cyber attack.
On Sunday, a SpaceX rocket lifted off from Cape Canaveral with a special payload designed to reduce the last of those dangers. On board was the US government’s Moonlighter satellite, described as “the world’s first and only hacking sandbox in space”. After the satellite is deployed, five so-called “white hat” – or ethical – hacking teams in the Hack-A-Sat 4 competition in Las Vegas will attempt to hijack the Moonlighter and win a $50,000 prize for uncovering its vulnerabilities. “With Moonlighter, we’re trying to confront a problem before it becomes a problem,” one project leader told The Register.
In truth, the problem has already arisen. Last year, on the day Russia invaded Ukraine, hackers launched a malware attack on Viasat’s KA-SAT satellite. They temporarily disrupted communications for thousands of broadband users in Ukraine, as well as in Poland, Italy and Germany, where 5,800 wind turbines were also affected.
“We are all aware that the first ‘shot’ in the current conflict in Ukraine was a cyber attack on a US space company,” said Kemba Walden, acting US National Cyber Director.
CIA intelligence, reported this year by the Financial Times, warned that China was also building sophisticated cyber weapons to “deny, exploit or hijack” enemy satellites. The US has not revealed its own offensive capabilities in this area. But Washington isn’t just worried about Chinese spy balloons.
While space was once the sole domain of nation states, private companies are increasingly dominating the game as launch costs drop and satellites shrink. Last year, the US launched 1,796 objects into space, 32 times more than in 2000. The lines between military and civilians have also blurred as a result of dual-use applications, such as global positioning systems, which make commercial satellites a target. And because of the difficulty of fixing satellites in space, designers add a lot of spare parts, increasing the “attack surfaces” that hackers can exploit.
Viasat says it has learned lessons from last year’s attack and has strengthened its defenses. Basic cyber hygiene is essential at every link in the communication chain (hackers accessed a misconfigured terrestrial virtual private network device). Constant vigilance is required: the American company has been persistently attacked since the beginning of the war. And rapid response teams must be ready to re-establish control if the system is compromised.
“Anyone who claims perfect security is either lying or doesn’t know what they’re talking about,” Craig Miller, Viasat’s president of government systems, tells me. “You have to be able to respond very quickly.”
There are three main ways to hack a satellite, according to James Pavur, a cybersecurity engineer at Istari, a US start-up. The first target is ground infrastructure, the most accessible attack surface, but usually the best protected. Next, hackers can aim to intercept wireless communications between ground stations and satellites – or spoof them. The third, and most difficult, approach is to go after the “bird in orbit” by building or exploiting security backdoors in satellite components. So operators must secure their entire supply chain.
Most hacking attacks are difficult to trace. Only four countries have the known ability to remove a satellite by missile – the US, China, India and Russia – although such attacks risk triggering the Kessler effect. But anyone from anywhere at any time can hack the software.
White hat hackers are a particularly valuable community in helping to secure critical satellite infrastructure, Pavur claims. “There is a way of thinking about security through obscurity. But a sufficiently motivated adversary will find an ‘exploit,’” he says. It’s far better to discover those vulnerabilities first and fix them, rather than trying to hide in the dark.
The idea of crowdsourcing security sounds like an oxymoron. But white-hat hackers have won over skeptics in the past decade. As software developers say, “Given enough eyeballs, all bugs are shallow.” That rule may apply even in space.
john.thornhill@ft.com
