White Hat Hackers Reveal Vulnerabilities in Software Used by NASA

Open-source software used by space agencies and companies to control satellites contained vulnerabilities that could have allowed hackers to hijack those satellites, according to a duo of white hat hackers. The hackers revealed the vulnerabilities, which have now been patched, at the Black Hat USA and DEF CON conferences held in August in Las Vegas.

The hackers put to the test NASA’s core Flight System, deployed on onboard computers of a wide range of space missions including the US $10 billion James Webb Space Telescope and Intuitive Machine’s Odysseus lunar lander, which touched down on the moon in February. The security researchers also examined the Yamcs mission control system developed by European company Space Applications Services, which is used by satellite controllers on the ground.

Space Systems Cybersecurity Challenges

The security researchers—Andrzej Olchawa and Milenko Starcik, from space cybersecurity company VisionSpace—described the vulnerabilities as “trivial,” “low-hanging fruit,” and “easy to exploit” by anyone able to understand the open-source code.

The vulnerabilities found in this study have since been fixed, but the researchers warn that the cybersecurity of space systems has long been overlooked and caution that closed-source software systems, which are not accessible to independent researchers to test and examine, may be equally easy to breach.

Olchawa, who in the past worked at the European Space Agency’s (ESA) space operations center in Germany, and Starcik, a space systems security specialist, spoke to IEEE Spectrum about their work and the lessons the space sector can learn from it.

What prompted you to probe the security of these systems?

Milenko Starcik: When we started looking into the security of space systems, we realized that there had not been that much done about the security of the ground segment and the space segment. Most of the security research that has been done in the past focused on the user segment, which is fair because that’s also where we saw attacks in the past, like the ViaSat attack in 2022, which took down ViaSat’s satellite broadband modems on the eve of Russia’s invasion of Ukraine.

Because we come from the space industry, we knew that there are many potential vulnerabilities in the ground segment and space segment, which, fortunately, haven’t been exploited yet. We wanted to see how ready these systems are for a possible attack.

Can you tell me what you did? Did you hack an actual satellite?

Andrzej Olchawa: No, this was just a simulation. We chose open-source software that is available for free to anyone. Anyone can look at the source code, and anyone can deploy it into their own environment and use it, for example, to control a university CubeSat. So, we looked at the code with the intention of breaking it and taking over the system, and within an hour or two, we were able to find those vulnerabilities.

We looked at two types of open-source software—the core Flight System by NASA, which is a system running on satellites, and the Yamcs system, which is used by ground controllers to command satellites. We found staggering vulnerabilities in both, which would allow somebody like a state-sponsored hacker to take complete control of a satellite.

Starcik: We found 37 separate vulnerabilities. In the demonstration at Black Hat USA, we showed that we would be able to send a command to a spacecraft and make it fire a thruster and change its orbit.

Where you surprised?

Olchawa: Yes and no. I was definitely surprised that we were able to find such low-hanging fruit in space systems that come from NASA or commercial companies that collaborate with big space agencies. But I have been aware of the fact that the whole space industry has only just recently started waking up to the problem of cybersecurity. When you talk to people, many of them think that they don’t need to bother with cybersecurity, perhaps because they are researcher organizations and they don’t see why anybody would bother hacking them. We find these views quite funny, but that’s what you hear.

Starcik: Part of the problem is that we see this move from private networks, leased lines, and closed systems toward cloud, VPN connections, and operators dialing in and performing their duties from home. Everything is getting more connected, and therefore more difficult to shield. These spacecraft control applications really are just Web-based interfaces that you use to control your spacecraft. And once you have that access, even if you don’t have full permissions, we found many ways to bypass authentication or take over the entire system, issue our own commands, delete files, and send commands to the spacecraft.

So if I were an adversary, what would I do to exploit these vulnerabilities?

Olchawa: With the NASA core Flight System, you would need to have access to a ground station and be somewhere where the frequencies used to control spacecraft are not protected. If I tried to do that in Germany, I would probably have police at my doorstep within an hour. But if you were a state-funded hacker somewhere in Russia, China, or North Korea, it would surely be possible for you to do that. Once you have that ground station access, you can uplink commands to the spacecraft and have it do whatever you want.

With the Yamcs mission control system, it’s much easier, and you can do it from anywhere. You would conduct a phishing campaign, and once you succeeded in making one of the legitimate users click a link, you would upload a configuration file into the mission control system, containing a malicious code.

These are called XSS vulnerabilities, and upon triggering, the adversaries can perform any action using any available functionality of the system. For example, send an arbitrary command to the spacecraft. At Black Hat, we demonstrated how that would work in practice by sending a command to a simulator to trigger an orbit transition maneuver by firing thrusters. I think this is the most realistic scenario the adversaries could use.

I understand that before you published those findings, you had to alert the companies that develop those systems so they could patch the vulnerabilities before you release the information. Does it mean that it’s all good and safe now, and there is no reason to worry anymore?

Starcik: We looked into open-source software because that’s accessible. We can run the source code on our computers, and we can research it. But the vast majority of software used in the space industry is closed-source. That means no one can look into that.

With the open-source software, we test it, we find vulnerabilities, we report them, and hopefully, now it’s a bit more secure. The rest, we know nothing about.

Olchawa: We have experience with the European space industry, and we know how insecure many of these systems are, although we cannot publish anything about them. From what I have seen, security tends to be the last bullet point in requirements for any mission. I think it is slowly changing. We see more requests for penetration testing and other kinds of security testing, but I think it’s still very early days.