Satellite Cybersecurity Reconnaissance: Strategies and their Real-world Evaluation

The security of satellite and space systems has become a pressing concern in recent years as various high-profile incidents involving satellite-based internet access have been observed in the context of the war in Ukraine. An increase in threat level is partly due to a) rapid advancements in affordable software-defined communications equipment, which have made it easier for attackers to gain communication capabilities with orbital assets and b) the increasing adoption of commercial off-the-shelf hardware and software components in spacecraft enhancing affordability and exposing potential vulnerabilities more easily. A recent study revealed that satellite software typically lacks sufficient protection against unauthorized access. However, it remains unclear how this inherent lack of security is critical to other satellites in orbit as no public work exists on cybersecurity reconnaissance. Hence, to date, identifying non-standard commands and assessing potential vulnerabilities are deemed challenging steps for attackers to perform.In light of this current state, this paper analyzes how attackers may conduct reconnaissance on satellites’ capabilities without targeting the ground segment. We develop strategies that attackers may employ to evaluate satellites’ capabilities using a satellite implementation that adheres to the ECSS-standardized Telecommand on top of a CCSDS protocol stack. Our considered strategies encompass enumeration methods to identify the subset of the standard implemented, including non-standardized functionalities. Additionally, we present strategies to analyze implementation-specific aspects of CCSDS’ Space Data Link Security (SDLS) Protocol, which serves as the primary security protocol within the CCSDS protocol family. Our strategies test the potential for timing side channels, fault-message-based enumeration, and payload length enumeration testing. To evaluate the effectiveness of our strategies, we apply them to a real-world satellite and measure their success rate.