SPACESEC23: WORKSHOP ON THE SECURITY OF SPACE AND SATELLITE SYSTEMS
PROGRAM FOR MONDAY, FEBRUARY 27TH

View: session overviewtalk overview

13:30-14:20 Session 1: Welcome & Keynote
13:30
Welcome
13:35
Securing the Cosmos: On the Future of Space Systems Security Research
14:20-15:00 Session 2: Threat Modelling
14:20
Cybersecurity of COSPAS-SARSAT and EPIRB: threat and attacker models, exploits, future research
PRESENTER: Andrei Costin

ABSTRACT. COSPAS-SARSAT is an International programme for “Search and Rescue” (SAR) missions based on the “Satellite Aided Tracking” system (SARSAT). It is designed to provide accurate, timely, and reliable distress alert and location data to help SAR authorities of participating countries to assist persons and vessels in distress. Two types of satellite constellations serve COSPAS-SARSAT, low earth orbit search and rescue (LEOSAR) and geostationary orbiting search and rescue (GEOSAR). Despite its nearly-global deployment and critical importance, unfortunately enough, we found that COSPAS-SARSAT protocols and standard 406 MHz transmissions lack essential means of cybersecurity.

In this paper, we investigate the cybersecurity aspects of COSPAS-SARSAT space-/satellite-based systems. In particular, we practically and successfully implement and demonstrate the first (to our knowledge) attacks on COSPAS-SARSAT 406 MHz protocols, namely replay, spoofing, and protocol fuzzing on EPIRB protocols. We also identify a set of core research challenges preventing more effective cybersecurity research in the field and outline the main cybersecurity weaknesses and possible mitigations to increase the system’s cybersecurity level.

14:42
Position Paper: Space System Threat Models Must Account for Satellite Sensor Spoofing
PRESENTER: Benjamin Cyr

ABSTRACT. The private sector and even hobbyists are increasingly launching smaller satellites into Low Earth Orbit (LEO). Commercial off-the-shelf (COTS) components, including semiconductors for inertial measurement and other sensing, significantly reduce deployment costs. Such improvements, however, also increase the risk of satellite sensor spoofing attacks, including analog signal injection. Sensor spoofing attacks could compromise the integrity of satellites' onboard sensors, leading to mission-catastrophic kinetic actions. Based on conventional laser jamming and damaging attacks as well as the recent research discoveries on sensor spoofing attacks against terrestrial systems, this position paper (1) shares our views on open technical problems for protecting space systems from analog sensor integrity vulnerabilities, and (2) discusses future challenges of building experimental methodologies, simulations, and evaluation test beds.

15:30-16:50 Session 3: Link Segment Security
15:30
Death By A Thousand COTS: Disrupting Satellite Communications using Low Earth Orbit Constellations

ABSTRACT. Satellites in Geostationary Orbit (GEO) provide a number of commercial, government, and military services around the world, offering everything from surveillance and monitoring to video calls and internet access. However a dramatic lowering of the cost-per-kilogram to space has led to a recent explosion in real and planned constellations in Low Earth Orbit (LEO) of smaller satellites.

These constellations are managed remotely and it is important to consider a scenario in which an attacker gains control over the constituent satellites. In this paper we aim to understand what damage this attacker could cause, using the satellites to generate interference.

To ground our analysis, we simulate a number of existing and planned LEO constellations against an example GEO constellation, and evaluate the relative effectiveness of each. Our model shows that with conservative power estimates, both current and planned constellations could disrupt GEO satellite services at every groundstation considered, albeit with effectiveness varying considerably between locations.

We analyse different patterns of interference, how they reflect the structures of the constellations creating them, and how effective they might be against a number of legitimate services. We find that real-time usage (e.g. calls, streaming) would be most affected, with 3 constellation designs able to generate thousands of outages of 30 seconds or longer over the course of the day across all groundstations.

15:52
CLExtract: Recovering Highly Corrupted DVB/GSE Satellite Stream with Contrastive Learning
PRESENTER: Yueqi Chen

ABSTRACT. Since satellite systems are playing an increasingly important role in our civilization, their security and privacy weaknesses are more and more concerned. For example, prior work demonstrates that the communication channel between maritime VSAT and ground segment can be eavesdropped on using consumer-grade equipment. The stream decoder GSExtract developed in this prior work performs well for most packets but shows incapacity for corrupted streams. We discovered that such stream corruption commonly exists in not only Europe and North Atlantic areas but also Asian areas. In our experiment, using GSExtract, we are only able to decode 2.1% satellite streams we eavesdropped on in Asia. Therefore, in this work, we propose to use a contrastive learning technique with data augmentation to decode and recover such highly corrupted streams. Rather than rely on critical information in corrupted streams to search for headers and perform decoding, contrastive learning directly learns the fea- tures of packet headers at different protocol layers and identifies them in a stream sequence. By filtering them out, we can extract the innermost data payload for further analysis. Our evaluation shows that this new approach can successfully recover 71-99% eavesdropped data hundreds of times faster speed than GSExtract. Besides, the effectiveness of our approach is not largely damaged when stream corruption becomes more severe.

16:10
Firefly: Spoofing Earth Observation Satellite Data through Radio Overshadowing
PRESENTER: Edd Salkield

ABSTRACT. Data from Earth observation satellites has become crucial in private enterprises, research applications, and in coordinating national responses to events such as forest fires. These purposes are supported by data derived from a variety of satellites, some of which do not secure the wireless channel effectively. This opens the door for modern adversaries to conduct spoofing attacks by overshadowing the signal with commercially available radio equipment.

In this paper, we assess the vulnerability of current satellite Earth observation systems to spoofing attacks. We show how advances in software-defined radio hardware enable attackers to arbitrarily manipulate received satellite images with only off-the-shelf equipment. Taking NASA’s live forest fire detection system as a case study, we demonstrate that the attacker can arbitrarily manipulate fires in the derived dataset to trigger false emergency response or mislead crisis analysis, and achieve denial of service in the processing software. We conclude with a discussion of physical-layer countermeasures to detect and defend against spoofing, even when the satellite hardware cannot be upgraded.

16:32
Towards Protecting Billions and Billions of Bits on the Interplanetary Internet

ABSTRACT. As multiple nations and enterprises embark on ambitious programs to explore our solar system, the success of their endeavor is intimately tied to the cooperative establishment of an efficient and secure Interplanetary Internet (IPN)—a deep space network designed for the challenges of long-distance and non-continuous communication. Unfortunately, the high latencies and low bandwidth of deep space stymie the IPN’s adoption of the Internet’s security protocols. In this paper, we advocate the construction of new security protocols specifically designed for the constraints of space networks and based in modern cryptographic constructs for functional encryption. We argue that such protocols could securely support a range of properties beneficial to space communication, including group messaging, in-network processing, and anonymity, and discuss the open questions and research challenges of this proposal.

17:00-17:36 Session 4: Space Segment Security
17:00
A Case Study on Fuzzing Satellite Firmware

ABSTRACT. Satellites perform key functions of our modern digital infrastructure such as providing communications, navigation, and earth observation services. As maintaining a satellite requires remote access, securing that access is an important aspect of developing and operating a satellite.

While satellites have traditionally not been subjected to regular attacks, the same may not hold in the future. Hence, it becomes increasingly relevant to the community to secure satellite firmware, the software that controls the space segment of satellite missions. In this work, we perform a case study of applying recent embedded firmware analysis techniques to satellite payload data handling systems. We explore whether Fuzzware, a recent firmware fuzz testing system, is applicable to these firmware images. During this, we also describe and apply the process of manually optimizing Fuzzware configurations for firmware targets, and measure the impact of different optimizations. Finally, we identify challenging aspects of fuzz testing satellite firmware and directions for future work to optimize fuzz testing performance in a fully automated manner. As part of our case study, we identified and responsibly disclosed 6 bugs in 3 satellite firmware images.

17:18
The Vulnerabilities Less Exploited: Cyberattacks on End-of-Life Satellites
PRESENTER: Frank Lee

ABSTRACT. End-of-life (EOL) satellites are space assets that have completed their primary mission. Due to their loss in commercial or scientific priority, EOL satellites are often left in place by operators for an extended period, instead of being decommissioned in a timely manner to free up high-value orbits. This period of inactivity exposes EOL satellites to a lower level of operator vigilance, and therefore, higher level of cyberattack risk. With the recent growth in space activities, this paper estimates there will be up to 5,000 inactive satellites in low Earth orbit (LEO) within 5 years, magnifying the space cyber risks and resulting space sustainability challenges. To bolster space cybersecurity, the authors illuminate unique attack vectors against EOL satellites, as well as policy and technical mitigation measures. When part of a constellation, the vulnerability of an EOL satellite has even bigger implications, where a threat actor may use the secondary asset to target primary assets. Ultimately, the active management of EOL satellites is significant for a secure and sustainable LEO infrastructure.

17:36-18:20 Session 5: Test Beds
17:36
Towards a Unified Cybersecurity Testing Lab for Satellite, Aerospace, Avionics, Maritime, Drone (SAAMD) technologies and communications
PRESENTER: Andrei Costin

ABSTRACT. Aviation, maritime, and aerospace traffic control, radar, communication, and software technologies received increasing attention in the research literature over the past decade, as software-defined radios have enabled practical wireless attacks on communication links previously thought to be unreachable by unskilled or low-budget attackers. Moreover, recently it became apparent that both offensive and defensive cybersecurity has become a strategically differentiating factor for such technologies on the war fields (e.g., Ukraine), affecting both civilian and military missions regardless of their involvement. However, attacks and countermeasures are usually studied in simulated settings, thus introducing the lack of realism or non-systematic and highly customized practical setups, thus introducing high costs, overheads, and less reproducibility. Our ``Unified Cybersecurity Testing Lab'' seeks to close this gap by building a laboratory that can provide a systematic, affordable, highly-flexible, and extensible setup.

In this paper, we introduce and motivate our ``Unified Cybersecurity Testing Lab for Satellite, Aerospace, Avionics, Maritime, Drone (SAAMD)'' technologies and communications, as well as some peer-reviewed results and evaluation of the targeted threat vectors. We show via referenced peer-reviewed works that the current modules of the lab were successfully used to realistically attack and analyze air-traffic control, radar, communication, and software technologies such as ADS-B, AIS, ACARS, EFB, EPIRB and COSPAS-SARSAT. We are currently developing and integrating support for additional technologies (e.g., CCSDS, FLARM), and we plan future extensions on our own as well as in collaboration with research and industry. Our ``Unified Cybersecurity Testing Lab'' is open for use, experimentation, and collaboration with other researchers, contributors and interested parties.

17:58
QPEP in the Real World: A Testbed for Secure Satellite Communication Performance

ABSTRACT. Although new technologies are on the rise, traditional Geostationary Earth Orbit (GEO)-based satellite internet is still a crucial piece of critical communications infrastructure and used by many, for example in the maritime sector. Previous work found that much of the traffic over GEO links is unencrypted, as there is a lack of secure, yet performant ways to communicate for end users. A new protocol named QPEP, a hybrid between a traditional Performance Enhancing Proxy and a VPN, aims to solve this issue but has only been tested in simulations.

This work presents a newly developed testbed, which is used to collect real-world results for QPEP. Two different satellite links, one using Ka-band, the other Ku-band, were analyzed. In the Ka band, we find that QPEP offers on average 80% more goodput compared to OpenVPN. The page load time is reduced on average by 17% and the 95th percentile is reduced by 25% compared to OpenVPN. Although the average page load time of QPEP is higher compared to the unencrypted, proprietary PEP of the provider, it still manages to have the same 95 percentile. Overall, we find that the satellite environment is often a black box that is difficult to evaluate scientifically. However, we show that in typical settings QPEP can prove its benefits in the real-world and further investigations are promising.