Satellite Cybersecurity Reconnaissance
Strategies and their Real-world Evaluation
Johannes Willbold*, Franklyn Sciberras‡,
Martin Strohmeier^, Vincent Lenders^
*Ruhr University Bochum, Chair for Systems Security
‡ETH Zürich, Department of Computer Science,
^armasuisse Science + Technology, Cyber-Defence Campus
v1.0
Security by Obscurity
- Unsecured satellites
- Satellites rely on Security-by-Obscurity
- Where is the obscurity-breaking information coming from?
Reconnaissance
- How can attackers break obscurity?
- => How feasible is reconnaissance for satellites?
- What information is public?
Attacker Models
External Attacker
Privilieged Attacker
Privileged Attacker
Privilieged Attacker
No Technical Insights
Received Access Credentials
→ On-Board Reconnaissance
Approach
18 Reconnaissance Goals
12 Reconnaissance Strategies
2 Strategy Evaluations
Reconnaissance Goals
Spacecraft Tracking & Operations
Radio Communication Parameters
Network Protocol Stacks
TMTC Protocols
=> Common goals not all
Spacecraft Tracking & Operations
- Tracking (TLE)
- GS Pointing
- Satellite Attitude
- Operational Time Frame
Spacecraft Tracking & Operations
- Tracking (TLE)
- GS Pointing
- Satellite Attitude
- Operational Time Frame
Spacecraft Tracking & Operations
- Tracking (TLE)
- GS Pointing
- Satellite Attitude
- Operational Time Frame
Radio Communication Parameters
- Signal Strength
- Frequency
- Error Correction
Radio Communication Parameters
- Signal Strength
- Frequency
- Error Correction
Radio Communication Parameters
- Signal Strength
- Frequency
- Error Correction
Network Protocol Stacks
- Point-to-Point Protocols
- Vendor-specific Implementation Details
- Cryptographic Communications Protection
- Network Protocols and Routing
TMTC Protocols
- Telecommand Set
- TMTC Formats
Strategies
Open Databases
Public Regulator Filings
Common Options
COTS Analysis
Passive Traffic Analysis
Active Enumeration
Open Databases
- Launch: YYYY-XXX
- INTELDES/COSPAR ID: YYYY-XXXA/B/...
- JWST: 2021-130A
- US Space Surveillance Network (SSN)
- Tracked Obj -> SATCAT/NORAD ID
- => TLE
- space-track website: COSPAR ID <=> NORAD ID
Public Regulator Filings
Satellite Space Stations: Application to Launch and Operate
- TT&C Frequency
- Payload Frequency
- GS Location
- Other
Common Options
GS Location Inference
COTS Analysis
Vendor Documentation
Software Reverse Engineering
Passive Traffic Analysis
?
!
Active enumeration
TC ID 0x1
TC ID 0x2
TC ID 0x1337
?
Goal-to-Strategy
Evaluation
Public Regulator Filings -> FCC Filings
Active Enumeration
-> ECSS PUS Analysis
FCC Filings
TT&C Analysis
TT&C Analysis
- 255 potential services
- Each Services: 255 potential subservices
=> 65.035 potential Subservices
TT&C Analysis
- Service 1, SubService 1 => Error 3
- Service doesn't exist
- Service 2, SubService 1 -> Error 5
- Service exists, SubService exists, Wrong data
- Service 2, SubService 2 -> Error 4
- Service exists SubService does not exist
- Service exists SubService does not exist
TT&C Analysis
- Command ID
- Subcommand ID
- Error Message
=> Simple Iteration
Q&A
18 Reconnaissance Goals
12 Reconnaissance Strategies
2 Strategy Evaluations