To really hammer home how real the threat to space systems is, I wanted to step through a detailed example of a compromise originating with the targeting of program at a high level and ending with an impacted space vehicle (SV). To make this as relevant as possible, I am also going to include example operating systems and software used in various Internet of Things (IOT) devices and space systems as well. I will cover which exploits or techniques could actually be used to compromise those systems and will do my best to keep the targets as timely and relevant as possible.
If for some reason you are reading this book many years after I wrote it and criticize the datedness of technologies or software, understand that this chapter and the example targets and exploits herein were researched and written about in December 2019. I would also point out that to date many servers and workstations, especially those involved in space, still leverage nearly 20-year-old operating systems such as Microsoft Windows Server 2000 or 2003 and Windows XP.
The following example is not representative of any particular space system I have come across or researched and should not be seen as a how-to guide on hacking into a specific system. I will also say that I will not cover the attack process in its totality because having once been a professional ethical hacker and not wanting to encourage unprofessional behavior, I may leave out or alter certain details of the compromise process. This is intentional. What is important to take away from the following example is that space systems such as those that include small satellites can be compromised, today, right now, and that the cybersecurity and space industries are currently behind the power curve when you consider what is available through open source research on the Internet in regard to attack tools.
A Series of Unfortunate Events
Without further delay let’s get into the chain of events that could lead to the compromise and ultimately the death of a space system operation.
The Plan
Firstly, we will set a realistic stage for these events to play out in. After all, before we attack a space system and ultimately the SV it operates, we need to know why. Let’s say a nation state has decided to sponsor a cyber attack campaign against an academic space system as a proof of concept and learning evolution for potential follow-on militarized cyber domain actions. This way the target is likely a softer one, without classified or sensitive systems and some of the added protections they might come with. Additionally, since the targets are not military in nature, it will be viewed less as an act of war if the activity was somehow attributed by the targeted academic institution or host country. Lastly, there is the added benefit that many academic institutions work hand in hand with the defense sectors of many countries’ governments, and tactics, tools, and procedures learned and utilized against the test target could be rolled into actual operations.
Targeting
To determine the target for a scenario like this, which will be used as a proof of concept, the nation state is likely to let the target identify itself. This is done by simply picking what looks like the lowest hanging fruit; instead of an actual cyber operation which may have determined the target first and approached attack avenues after, here the attack avenues choose the target for ease of exploitation. So the attacker will canvass the Internet for academic instructions announcing their first ever space and small satellite programs which have recently or will soon launch their SV. This way the target set includes only institutions new at space and small satellite development and likely to make more mistakes than those with established programs.
Once the institution is identified, the attacker can canvass social media and the institutions’ web sites and other locations like LinkedIn or GitHub for those students who will be involved in the program, specifically those who are likely to be involved in writing or uploading code such as electrical engineers and computer science students. Once a target individual is picked, the attacker can research what projects and collaborations the student has been involved in. Then, creating a fake persona that looks like it is an academic within a related field from a prestigious university who wants help or to collaborate on something since they read the target’s work and were obviously thoroughly impressed.
Personal Computer
The first step in the actual exploit and compromise purpose is to gain access and privileges to the personal computers of the target individual within the target institution.
How
Why
Besides gaining an initial cyber foothold in the target space related to the institution and its space program, access to install malware on this personal computer has other opportunities beyond enabling deeper access into the organization and its computers. Installing keyloggers and applications that record off the laptop’s microphone can also enable the attackers to gain further intelligence about the individual and the organization and its space program. This could be used to tailor further social engineering attacks against other members of the organization or to glean engineering and operational details that the target talks or types about.
Phone
With access to the personal laptop gained, the attacker will look to exploit something like a personal phone as that sort of device is more likely to be taken into areas of interest than a laptop. In cases where both are taken to areas where space system work is done, then the attacker has simply doubled his or her access.
How
Why
The initial purpose of this exploitation is to pivot to a device in the smart phone which is more likely to be brought near and connected to the networks and computers of the space system. There is the added benefit of providing further situational awareness and personal connections as well as emails, text, and phone conversations between the initial target and other members of the team. Even if the smart phone never got connected to further target space, the microphone on board could be used to gather intelligence by collecting conversations in the space system lab area. Thanks to the Internet connectivity of smart phones, if plugged into something like an air-gapped network used for ground station operations, it can act as an exfiltration and remote exploit and interaction enabler.
Lab Computer
The malware installed on the phone allows the attacker to run commands remotely on the phone and to explore the file systems of other computers it is plugged in to. Using this capability, the attacker identifies that the student routinely plugs his phone in for charging via a USB cable to a server he regularly works on at the school’s space system lab. File system queries allow the attacker to determine that the server is a common Linux distribution and also that there are several scripts that are world writable, meaning anyone can append to them, which execute as root daily. The attacker leverages the phone implant to write a Linux backdoor to the file system and append code to a world writable script to execute it. This way of getting access to and escalating privilege on a Linux system is as old as there are users and admins on Linux systems who make mistakes or have bad security practices. When the script is executed by root later that day, it executes the attacker’s backdoor as root as well, enabling them to install a stealthy rootkit to persist access across reboots. Even though not connected to the Internet or any other device, when the student’s phone is plugged in to charge on it, the rootkit the attacker installed can communicate to Internet-hosted redirection servers the attacker utilizes to obfuscate their location and task the implants in this compromise chain.
How
Why
This lab server will be used by the attacker to go after and exploit the ground station virtual machine computer that is hosted on it. The ground station computer does not communicate to any external network; however, it does have a local area network it communicates with only the host computer on. This means that the only way to exploit it is from the lab server which hosts it. If this ends up being possible, the lab server serves as a path back to the exfiltration potential utilized via tools installed on the student’s phone. Additionally when files are brought back from the satellite, they are copied to the lab server as a backup so the attacker can now see what the satellite does as well as its raw collection from its payload.
Ground Station Computer
Security on the ground station is essentially the last layer of defense in depth protecting the satellite. Tasking from the ground is inherently trusted by the SV, and it affords attackers the most reasonable way to attack the SV components.
How
Why
Very simply the ground station is exploited to enable the eventual exploitation and/or unauthorized tasking of the SV itself.
Payload Computer
The first computing device on board the SV that the attackers are going to target is the payload computer since it takes very straightforward tasking from the ground station to include software and operating system updates. Additionally, altering behavior of the payload computer and/or its code will not result in immediately noticeable effects by those operating the space system as the attacker learns the rest of the attack surface on board. So long as the attacker allows the payload to continue carrying out the tasks those on the ground expect, any additional malicious activities are not likely to be noticed.
How
Why
There is malware installed on the SV payload computer which is persisted and receives and executes tasking in the privileged context from the malware installed on the ground station via infected payload tasking files. The information gained via this implant are downloaded as what appear to be corrupt copies of good image files from the payload computer which as soon as they reach the ground station are copied to another location so that when the space system operators delete the unusable image file, the data from the SV payload computer implant is maintained. This data is then sent by the ground station implant through tunnels on the host operating system out to the attacker’s server on the Internet where they can create new payload computer implant tasking and upload it via the same channels.
Data Handler
Scans run by the payload implant reveal the presence of a C&DH computer which is responsible for watchdog, health, and maintenance functions for the rest of the spacecraft and is likely what talks to the software defined radio which the attacker intends to eventually leverage to kill the satellite.
How
Why
With the ability to execute remote code at will on the data handler, the attacker can determine the location presence and location of watchdog scripts that may execute in attempts to save the SV from issues malicious or otherwise. Access to code execution on the data handler computer also allows the attacker to determine the operating system of the software defined radio which controls communications to the ground station.
SDR
The piece of computing equipment which allows the SV to communicate with the ground station is the SDR, and compromise of it and execution of malicious code could prevent any further communication to it.
How
Why
With access to execute code on the SDR, the attacker can then tell it to listen and communicate on a completely different frequency than the ground station expects. This way, each time the satellite makes a pass within view of the ground station, it is not listening on the frequency which the ground station is using to hail it so it will never respond. The access to the data handler was used to disable watchdog scripts that might trigger after so many passes without hearing from a ground station, and encryption keys are overwritten with useless data from the communications stack for good measure. The attackers have now essentially killed the SV.
Conclusion
This microanalysis walked through how an attacker could exploit a SV from an Internet accessible point with modern-day exploits on software and technologies used by the space industry. This should drive home the point to the space industry that there is a clear and present danger as well as show the security industry the challenge of just how much digitization and attack surface is available even on a simple singular smallsat and single ground station space system.