In this Chats on the Road to Black Hat USA, hosts Sean and Marco discuss the security challenges of low Earth orbit (LEO) satellites with guest Johannes Willbold, highlighting vulnerabilities, slow adoption of fixes, and the need for improved security measures in space technology.
Guest: Johannes Willbold, Doctoral Student, Ruhr University Bochum [@ruhrunibochum]
On Linkedin | https://www.linkedin.com/in/jwillbold/
On Twitter | https://twitter.com/jwillbold
Website | https://jwillbold.com/
____________________________
Sean Martin, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining CyberSecurity Podcast [@RedefiningCyber]
On ITSPmagazine | https://www.itspmagazine.com/itspmagazine-podcast-radio-hosts/sean-martin
Marco Ciappelli, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining Society Podcast
On ITSPmagazine | https://www.itspmagazine.com/itspmagazine-podcast-radio-hosts/marco-ciappelli
____________________________
This Episode’s Sponsors
Island.io | https://itspm.ag/island-io-6b5ffd
____________________________
Episode Notes
In this Chats on the Road to Black Hat USA, hosts Sean and Marco invite Johannes Willbold to discuss the security of low Earth orbit (LEO) satellites. Johannes shares his research on satellite vulnerabilities and the challenges in securing satellite systems. They discuss security by obscurity and the lack of standardized protocols in satellite technology.
Johannes emphasizes the importance of addressing security concerns in space technology and the need for organizations like NASA and the European Space Agency (ESA) to come together to address these challenges. They spend time looking into the difficulties of implementing security measures on satellites and the slow adoption of fixes due to the time-consuming nature of satellite testing and deployment.
The trio also touch on the lack of everyday defenses and mitigating controls for satellite security, as well as the challenges of monitoring and responding to threats while satellites are in orbit. Johannes highlights ongoing efforts by organizations like ESA to improve security in space and host workshops to encourage research in this area.
The hosts also cover some of the points from Johannes's upcoming talk at Black Hat USA, where he will share more details about his research.
Stay tuned for all of our Black Hat USA 2023 coverage: https://www.itspmagazine.com/bhusa
____
Resources
Houston, We Have a Problem: Analyzing the Security of Low Earth Orbit Satellites: https://www.blackhat.com/us-23/briefings/schedule/index.html#houston-we-have-a-problem-analyzing-the-security-of-low-earth-orbit-satellites-32468
Space Odyssey research paper: https://jwillbold.com/paper/willbold2023spaceodyssey.pdf
For more Black Hat USA 2023 Event information, coverage, and podcast and video episodes, visit: https://www.itspmagazine.com/black-hat-usa-2023-cybersecurity-event-coverage-in-las-vegas
Are you interested in telling your story in connection with our Black Hat coverage? Book a briefing here:
👉 https://itspm.ag/bhusa23tsp
Want to connect you brand to our Black Hat coverage and also tell your company story? Explore the sponsorship bundle here:
👉 https://itspm.ag/bhusa23bndl
To see and hear more Redefining CyberSecurity content on ITSPmagazine, visit:
https://www.itspmagazine.com/redefining-cybersecurity-podcast
Are you interested in sponsoring an ITSPmagazine Channel?
👉 https://www.itspmagazine.com/podcast-series-sponsorships
Please note that this transcript was created using AI technology and may contain inaccuracies or deviations from the original audio file. The transcript is provided for informational purposes only and should not be relied upon as a substitute for the original recording as errors may exist. At this time we provide it “as it is” and we hope it can be useful for our audience.
_________________________________________
Sean Martin: Marco.
Marco Ciappelli: Sean.
Sean Martin: It's really light.
Marco Ciappelli: It's light.
Sean Martin: The light. Yeah.
Marco Ciappelli: The light is light.
Sean Martin: The sat is light.
Marco Ciappelli: The sat is light.
Sean Martin: That's right. It's not very heavy. It floats. It's so light. Up, up in the, up in the sky, beyond the sky. Watching over us, helping us navigate.
Marco Ciappelli: Are we in the low orbit, low, low Earth orbit or in the higher one?
Yes.
Sean Martin: Yes. Yeah.
Marco Ciappelli: The answer is yes. I have no idea what you're talking about, but the answer is yes. The answer is yes.
Sean Martin: No, we're... Let's stay low today. Let's stay low today.
Marco Ciappelli: Yeah, we're staying low. We're staying low. And there is a few things that... Uh, when I was looking at what, uh, Johan is here, that our guest for today that we will introduce properly in a few seconds, um, there's few things that stuck in my mind, uh, when, uh, when I was reading the abstract for his, uh, presentation and, uh, yeah, the busy low earth orbit, it's one thing that I always imagined to be a little bit too much traffic for my taste.
Sean Martin: The, uh, space traffic control center is hard at work. I'm sure I'm joking, but there's probably something like that. Uh, but look, before we, uh, keep messing around any further, Mark, let's introduce, uh, Johannes Wilbold. How are you Johannes? Good to have you on the show.
Johannes Willbold: Great. Thanks for having me. How about you?
Sean Martin: It's going to to be a fun conversation, uh, driven by a session that you've put together, which was accepted by, uh. The incredible and incredibly difficult, uh, board at black hat. So congratulations.
Johannes Willbold: I'm very grateful to be there.
Sean Martin: Yes, exactly. And, uh, it's about low earth orbit satellites. That's why we're joking about that and analyzing.
All of that, uh, which we're going to talk about here in a moment before we get into that, though, you know, honest, uh, a little bit about yourself, what you do research you're up, up to and what's going on.
Johannes Willbold: Sure. Yeah. So as you already introduced, my name is Johannes Wilbold. I'm a doctoral student at the university in Bochum that is in Germany.
And, uh, I started my PhD basically. I think a good two years ago and, uh, started in a general area of software security, system security. So really looking into systems where you can find vulnerabilities in general. And I quickly switched into the space track, let's say, um, of, of that field because And I think that's pretty, pretty self explanatory.
Um, and there's not a lot of space research, really. So that was pretty intriguing, especially when you look at satellites themselves and satellite software. So really the research that we did was first going out and try to get research, uh, Satellite software, which is not easy to get since something from a live satellite is usually, uh, let's say tricky.
Um, so we went out to people we we asked them for firmware. Can you give us your firmware? And we figure out what kind of vulnerabilities you might have in your firmware Um, and that worked decently. Well, we got several firmware images together Um from one from the university of tata for the est cube one Um, one from the ESA from the European Space Agency for OPSAT, which is an experimental satellite platform and one for flying laptop, which is basically technology tester for aerospace and defense.
And, um, we then basically went over these and first had a look into satellite systems. I, I'm really into space, but, uh, I, I never looked into a satellite. Um, so really the first stage of our research was figuring out how a satellite works in general and, uh, understanding what the technical difficulties are not, not yet on a security level.
And then in the next step, jump in and figure out what kind of architectural issues you might see talking about, for example, the encryption of the satellite. And then the next step, figuring out what kind of vulnerabilities. What kind of software vulnerabilities you might find that you find on earth and also maybe in space or maybe just some that you only find in space.
And this was kind of the first step of our research. And, uh, we found definitely quite some interesting things that, uh, um, we can probably go into details in a moment and Yeah, so several issues there
Marco Ciappelli: we can, and I know that we had few conversations. Sean had a little bit more than me in term of security of satellites, but you know, like I mentioned before we started, we're a good friend with the aerospace village, a DEF CON.
So we actually going to talk to them later today, and, uh, it's a big topic. So. Before you guys start to, to, to, to dig into the technicality of, of the security, there is one concept that I would like to kind of ask you to explain for the people that are not too much into this, which is security by obscurity, which is kind of a cool name for a website, but, uh, can you, can you explain what that is?
Johannes Willbold: Absolutely. Um, that's a pretty. Important concept. Let's say for for space for space security, which is kind of unfortunate because security obscurity is something that you don't really want to have. Um, so security obscurity says the system is secure because essentially nobody knows how it works in. Or maybe not knows how it works in detail.
So really, for example, we had encryption a long time ago and probably still there is some encryption like that, that only secure because nobody knows how exactly the steps are to, to encrypt that. And, um, really what you want to have is like security. Well, by design, by default, there are many areas like this, um, but you basically want that your system is secure against an attacker, even if everybody knows every little detail about the system.
So you want that your system is secure, even if, for example, researchers and penetration testers and hobbyists can look into the system, figure out all the vulnerabilities and tell you maybe how to fix them and how to improve the security. Um, and really. You shouldn't rely on security by not knowing people how stuff is working.
Um, this, this is, can be a fair layer of on top of your actual security. That certainly happens many times. Um, but what we are seeing a lot in space is security of obscurity is like kind of the main defense lines, people not knowing how it works and then when. And, uh, we get insights from people, then this entire constructs get pretty shaky.
Sean Martin: And, uh, so before I get into the technicalities of it, uh, I I'd like for you to maybe to describe some of the things that are, that are up there. Are there, are they floating aimlessly? Are they controlled, uh, from, from a ground station somewhere? When, what are they responsible for as a.
Johannes Willbold: So there, there are probably many thousands of objects up there and not every object in space is also a satellite.
There are debris, there are dead satellites and probably waste and other stuff. Technically, most objects that we talk about in space, satellites, um, generally have some kind of, well, Purpose and are controlled by a so called crown station. Um, so this purpose might be any application of satellite systems that is, for example, earth observation.
So you do images of the earth, um, to figure out how is land usage going to get images to Google maps and, uh, where, wherever you want to have them. Um, there is obviously internet, which is pretty famous currently. Uh, if, if you're talking starling to the. Internet is coming from space to earth. They also talks about basically doing broadcast cell phone broadcast from space so that you don't need these towers.
Um, All over the place anymore, um, there are things like research and science, obviously, like, you know, these like James Webb telescope and other telescopes, Hubble telescope, you know, doing actual science in space, um, and technology testing. So before you do space missions, basically everything has been tested in space before.
So usually put individual components up onto satellites that only have the purpose of basically testing stuff. Um, and you have a lot more telecommunications, not just the internet, those old cell phone services, obviously also television services. And, uh, I'm sure I'm forgetting something. Well, for example, global navigation systems like GPS also up there.
So if a lot of services that are pretty vital and they are all provided by some formal, by, by satellites and the satellites basically receive the service from a ground station. And so the ground station controls the satellite. It tells them where to look to and where not to look to. For example, don't look into the sun face towards earth.
So that we get our service to, to us because, well, that's what we want to do. Um, and then you have used usually some kind of like. Base station, ground station, whatever the exact term might be that, for example, puts the internet service up to the low earth orbits where it gets like kind of reflected down to earth so that people can get it.
So this is kind of the general working area. So if you do this ground segments, which is the super large antennas oftentimes, but it doesn't have to. And it can also be pretty small when you have the space segment, which is all the satellites might be one satellite or in the case of these new constellation might be thousands of satellites.
And you have to. The user segment, which is really, for example, your, your smartphone is receiving the GPS service or Galileo. So it's a user segment device. And these are kind of the three fundamental segments in space.
Marco Ciappelli: So, uh, I'm quoting from the abstract, I'm quoting Sean. I want pizza now, not that quote.
Another one says, um, many satellites are missing basic common and control traffic protection, allowing. Anyone air quotes or asterisk with a strong enough radio to control the satellites. That's scary and fun at the same time. So explain, explain that you were kind of going there with that when you were planning, you know, you can control a specific area.
You don't need the big dish. Exactly. I mean, what kind of radio are we talking about here to get to a satellite?
Johannes Willbold: So generally when I'm talking about satellites, I'm usually talking about low earth orbit satellites. I'm not sure this also applies to like medium earth orbit satellites or geostationary. So generally talking about low earth orbit satellites.
So when people are thinking about what you need to like reach these satellites, they probably have like in front of them, these gigantic dishes that you might be able to render like Amazon web services or that upcast television service. But the reality is you don't need that much. Um, you can. I have full new antenna that can talk on UHF.
So we'll try frequency or very high frequency to laws of satellites, and you can get it for new, basically for 10, 000. Now, this is obviously not super cheap, but it's, let's say in the range of motivated hobbyists and certainly in the. range for motivated groups
Marco Ciappelli: and not much for Dr. Evil. I think
Johannes Willbold: exactly.
So people assume kind of like you, you, you need to be like a nation, say the tech IO, you need all this, like millions of equipment to reach your satellites. It's, it's not the case. Like you, you can spend 10, 000 now and you get yourself to ground station and that, uh, you can talk to satellites and with, and, um, really most satellites are talking or getting their commands and sending their They have feedback on this, like lower frequencies, like we'll try frequency, very high frequency, or even S band.
And that is enough, really.
Sean Martin: So let's go back to the, one of the things that Marco talked about, the security through obscurity. Um, it's not a, it's not a favorite, uh, model, uh, limited to only aerospace. Uh, we see it in industrial control systems and, and even IOT devices at home. Um, And the reason I bring up the IOT devices at home, there's a whole web, internet, uh, maybe even publicly facing, uh, Shodan, where you can get open source information and intelligence about these devices.
Um, certainly IOT, certainly industrial control systems, do, do satellite devices end up there as well? Cause I'm trying to figure out. Okay, I have a radio. I spent the ten grand. I'm a little smart. I can, I can have it send signals, but I don't know what signal to send and where to send it unless...
Johannes Willbold: So this is kind of the thing.
So even though many of the satellites, as, as we have kind of mentioned, don't really have a strong security or security even at all, so you can just send commands up there. The problem is, um, you don't know which commands, and this is really the kind of the security of obscurity that we are talking about.
You need to know exactly how the shutdown command looks like. You need to know the exact bytes, the exact fields on internet. That's, that's easy because all protocols are standardized and on. For space, we also have a lot of protocols that are kind of the space internet, if you, if you want to say so, probably, somebody's probably not happy about that term.
Um, but it's, it kind of describes it and the general protocols are to some degree standardized, but the final parts, which really describe the instructions for the satellite should do, for example, steer in another direction or ignite the thruster or whatever, they are usually not standardized. You really don't know how they look like unless you get, for example, that the software like we did, and then you can figure it out.
And this is kind of the veil of like obscurity that people in the space community used to protect their satellites. They just don't disclose how this, this format exactly work. And this is kind of enough. And when you go to something like showdown where you find devices, you. I'm I don't want to, I don't want to say you will never find a satellite, maybe at some point currently when you search for satellite related stuff, you will probably have more luck finding, for example, the end user devices.
For example, the, the. The dishes that received internet service at some point, or, um, the, well, when you, when you book an internet service, for example, and you get a dish, you can place it somewhere in desert and then you receive internet service. These devices, if they are not properly configured, um, they can show up and show down and this has happened before.
This was also like a talk many years ago. Um, but satellites themselves usually don't because they are not integrated into the actual internet. Intended to talk to their ground station where their operators are positioned. Um, so they're really kind of in their own network. So people think about them as something that only the operators can control, but this is exactly the case that is no longer the case because you can just buy the ground station equipment and you can control them, but they won't show up on showdown like that because they're not part of the internet.
They are not. Interconnected. And right now on your PC, you can't talk to one because, um, you would have to, or you would need control of a ground station and then you can talk to them. Um, maybe, well, you can, you can probably look, look like an Amazon web service and then try it, but that's a different deal.
Marco Ciappelli: So the title of your presentation is start with Houston. We have a problem, which is something we never really want to. Here. Um, unless it's in a movie, which is going to make it fun. And then, and then we resolve the problem if things goes well, uh, but are we addressing this problem? You say you, you, you, you tested 19, if I'm not wrong, uh, satellite manufacturer that all came down with some kind of like this security.
through obscurity issue. Uh, is there an organization? Is there a global coming together of, you know, I'm thinking, you know, NASA, I'm thinking, you know, the European Space Agency, the Japanese one. Are we
Johannes Willbold: So in the paper, we looked into three satellites, specifically like me and my colleagues, we looked into three satellites and reverse engineered them and figured out every, every detail about them. And since three is not a great sample for the thousands that are up there, we did a survey. About, uh, and we received responses from 19 people over like places like ESA, NASA, businesses, um, also some academics and they basically gave us a broader picture.
Um, and there we kind of saw the, the lacking security mostly, for example, access protection, but also for issues with the general usage of protocols. And this is not something that you can just fix overnight because you have to. You kind of have to test the stuff so you can just pitch in an encryption into a satellite.
Um, because as I mentioned at the very beginning, every component that goes on a satellite has to be tested before it's, it's not kind of like has to be, but you want to be sure because, um, it's pretty hard going to space and fixing your satellite by hand. Um, not a lot of people can do this. So you really want to be sure that.
This works. And the problem with like access protection on satellites is, and I, I bought a stress, people are doing it. It's not, it's a, just a lot of people are not doing it. So it's definitely not a completely unsolved topic. Um, but the, the issue is that you have to be sure that you can recover your satellite.
Um, so for example, what happens if you, if you lose the key? That is not something that people think about a lot on, a lot, a lot about on earth, because you can just go to the server and reset it. That, that is kind of the worst outcome that you could face on, on space. Your satellite might be gone. And this is kind of a, if the satellite was like 2 million, then that's a pretty terrible outcome.
Um, so putting stuff in space and like testing it, like command encryption authentication is hard because you have so many more factors to think about. That's why it's not happening in a lot. And when you think about how we can change this, they definitely push us to change this. So we, for example, know that, uh, ESA, or when we talk to ESA about us, they were very open about it.
Dave. gave us a software because they were very interested in this topic. Um, and we were in talks a lot with them to figure out what's, what they can do it to improve security and they were very eager to do it. And therefore example now also hosting a, well, kind of an academic workshop, um, to figure out or find research, uh, to improve security on these assets.
And for example, I'm also hosting a workshop on one of the security conferences called space sec. Um, Well, we also encourage the community to the research community to identify issues in space, because it's kind of the step where we are at. We kind of have to even figure out what even are the problems, what are potential solutions, what are the challenges.
We are kind of in the very early stages here, but it's definitely picking up speed. There's a conference, for example, in Europe called SciSat, um, that is also picking up the topic. It's really conference dedicated to satellite or space system security. And you can really see basically. A lot of the big players being there and talking about security and talking about concrete things that they're doing to improve it.
Um, so that the space community has always been. It's, it's something that takes a lot of time to fix because you need to test something on a satellite and that takes years to plan a satellite and then you have to test the satellite and only then you can decide to put it on the next satellite. So if you do major decision chain or major changes, like putting encryption authentication satellites, you really want to test this years, maybe even a decade in advance.
And that's why adoption of fixes are so slow. And we are not just talking about encryption authentication for commands, we are also talking about every day. Defenses that are employed on every computer that we are currently here using and any device, any D defenses against exploitation that are currently a modern operating systems, just standards for like 20 years or longer.
They are also missing on the satellites. And this has reasons like, cause you can prove it, that it works or because it takes a little bit more energy. Um, and there are all these small things that you have to think about, like double and triple the time on a satellite that makes it hard, but people are definitely.
Trying to get there and I'm sure they will be getting there
Sean Martin: and I don't know if you have much insight to share on this because researchers obviously looking for vulnerabilities But do you have a sense to? How well we look at this from a detection and response perspective because what we're talking about is figuring out where it's broken and finding a patch and putting it building it right from the first place and or Patching it and putting it up securely before it can get compromised.
But what about while it's up there? Are they, are we able to monitor and do we have mitigating controls for if something bad does surface?
Johannes Willbold: That isn't indeed a question that we looked into. We kind of wanted to figure out if we are taking a satellite right now, if we were to do this, how would the operators notice that this is actually happening?
Um, and the answer is. They have some tools. They, for example, they have, for example, counters, how many X or how many commands were executed, how much traffic was received. And if they really monitor it, they, they can, for example, notice these kinds of things. Um, but obviously if you're talking about bigger satellites, when not just one person or two persons are responsible for controlling them, but maybe a large team, um, then.
This is obviously not, not, not kind of the way to go. You don't want to like figure out every single packet that goes to a satellite. Um, and I, I obviously I can't speak for any government agencies or military or some, some secret stuff that companies are doing. Um, generally I'm, I don't think there is much in the sense of like, for example, honey pots, um, where you figure out what kind of attack is currently going on and you want to figure out what the attacker is doing and how they're doing it, this is.
For example, called honeypots, that's something we're doing on the internet. There are PCs that are specifically designed to look interesting to attackers so that people attack them and so that we can figure out how the attack works. Something like this. We are currently researching for satellites, but it's.
Um, I don't think something that is, uh, let's say widely deployed, if at all. Oh,
Marco Ciappelli: I'm just curious and I, I don't know if it's a stupid question or not, but, um, but I'm stupid, so That's okay. Uh, the, we, you focus on the low earth orbits and so does it, what It makes harder, the one that a higher, um, heart orbit is the fact they're harder to reach or they're actually conceptualize.
Uh, different, like, are they actually safer? I mean, I know it's not your thing, but I'm, I think it's a pretty wide question that maybe, you know, the
Johannes Willbold: answer. So we looked into low earth orbit because the satellites are a lot smaller. They're a lot more. And that's why it's easier to find somebody that shares the software with, um, when you go below or above low earth orbits, then you have to deal from a like satellite engineering perspective with a lot more.
like you will have a lot more radiation and, um, probably a lot of stuff that I'm not qualified to talk about. Um, but generally the satellites get a lot bigger and with bigger satellites, you generally have a lot more money. And this comes from the fact that. A small satellite might just weigh one kilogram.
They're actually pretty small, like 10 by 10 by 10 centimeters. Um, that is 1. 3 kilograms for, that's kind of a standardized format. But these gigantic satellites that weigh multiple tons, um, they obviously have a lot bigger budget. And what we have seen in the, in our survey is that when you have a lot more budget, people are able to consider security a lot more.
Yet, we still haven't seen any of the like. We've, we've kind of seen the, like, let's say baseline defense, like encrypting and authenticating telecommands, but anything beyond that we haven't seen on any satellite and we haven't seen that anybody answered about any of these defenses on our survey. Um, so I would assume that they will have these like default protections that you should have so that not just anybody with the ground station can take control of, of these like big lower orbit satellites.
Um. But apart from that, like the default defense is like, if for people knowing more insights about security, like ASLR or stack cookies, it's something that I would expect not to find there either. But. I haven't looked into this. I don't know that. Yeah, I
Marco Ciappelli: didn't want to put you in a spot. I was just thinking, like, if I'm a listener right now, I probably would like to ask that question.
So I did. Thank you.
Johannes Willbold: No, it's a good question. It's, uh, they, these teams have a lot more money and obviously, usually they are put up. Up there by big corporations that have a significant interest. If they lose one of these satellites, it might just be a pretty big issue for the business in general. So they, they go there with different considerations.
And this, I hope, results in, uh, according security measures, but I don't know.
Sean Martin: As long as, as long as I can still find the best pizza in New York through my navigation enabled app, I'm, I'm doing all right. So, um, no, all joking aside, I mean, super important topic, obviously. And, uh, I'm grateful to see that you're doing this research with some of your, uh, your peers and colleagues and, uh, for the, obviously we didn't give anything away.
Right. We're just talking about in general. You have all the goods to share during your talk at Black Hat on Thursday, the 10th at 1. 30 Pacific, obviously. So 40 minutes of goodness from Johannes there. All the, all the deets from, uh, from the research you did. And... Yeah. I'm excited to hear more about that.
Um, and hopefully people get a chance to talk to you afterwards as well. Um, to build this community up. Yep.
Johannes Willbold: Absolutely. So you will definitely be able to talk to me after the talk, just come to me. Um, and I'm happy to discuss any, any. space issues, space security issues, really anything. And, uh, I hope you all like to talk if you get a chance to hear it.
Sean Martin: Perfect. Cool. Yep. I love it. Well, thanks Johannes, uh, for joining us and, uh, giving us a sneak peek into your session. Hopefully everybody joins you there and. Thanks everybody for listening to another Chats on the Road to Black Hat, USA, Las Vegas, uh, part of summer camp, of course. So stay tuned. We have many more.
Another one from the aerospace village, not too far from this moment. Uh, so stay tuned for that one as well and, uh, everything else coming to you from, from Las Vegas that we're covering. So stay tuned.
Johannes Willbold: Thanks for having me.