Zero Gravity Exploits

Reverse Engineering and Fuzzing Low Earth Orbit Satellites

Johannes Willbold & Tobias Scharnowski

@scepticctf

@jwillbold

$whoami

  • Johannes Willbold
  • Satellite & Space Systems Security
  • PhD Student
    • Ruhr University Bochum, DE
  • Visiting Researcher
    • Cyber-Defence Campus, CH
  • Co-Founder of SpaceSec

$whoami

  • Tobias Scharnowski
  • Automated Firmware Security
  • PhD Student @CISPA
  • Pwn & RE
  • DNP3 RCE @ ICS Pwn2Own
  • CTF Organizer & Player
    • FluxFingers, Sauercloud, ...

Space Odyssey

The authors' paper at the 44th IEEE Symposium on Security and Privacy (S&P)

Distinguished Paper Award

Applications

  • Telecommunications
  • Research
  • Technology Testing
  • Global Positioning
  • Earth Observation

Our Journey

  • Firmware Attacks
  • System Analysis
  • Security Analysis
  • Live Demo

LEO, MEO, GEO?

  • LEO (low Earth orbit): 160 - 2,000 km
  • MEO (medium Earth orbit): 2,000 - 35,786 km
  • GEO (geostationary orbit): 35,786 km

Context (diagram)

Space Segment: a 3U CubeSat, 34 cm x 10 cm, with inter-satellite links (ISL) between satellites.

Ground Segment: ground stations that talk to the space segment over a space protocol.

User Segment: the end users served through the ground segment.

Firmware Attacks

ViaSat Incident (diagram): Ground Segment, Space Segment, User Segment. The attack went through the ground segment and hit the user segment.

Firmware attacks on the Space Segment (diagram): Ground Segment -> Space Segment. Attackers: ?

Not so Novel

Attacker Goals

  • Denial of Service
  • Malicious Data Interaction
  • Seizure of Control (the goal this talk pursues)

Components

  • Payload
  • Bus
    • COM: communication subsystem (radio link to the ground)
    • CDHS: command and data handling system (on-board computer)
    • EPS: electrical power system
    • ADCS: attitude determination and control system

TC / TM Flow (diagram)

Telecommands (TC) are received by COM and handed to the CDHS; telemetry (TM) travels back the same way. Along this path the bus software handles a TC in these steps:

  • Decode
  • Authenticate
  • Repackage
  • Parse
  • Execute
  • Respond

The payload has its own path: payload traffic goes through PLCOM (payload communication) to the PDHS (payload data handling system), separate from the bus TC/TM traffic through COM and CDHS. EPS and ADCS sit on the bus.

Attack Path (diagram): two entry points into the satellite, PLCOM -> PDHS on the payload side and COM -> CDHS on the bus side; the bus is the target.

  • Bypass COM Protection
    • Missing AC (access control)
    • Insecure Protocol
    • Outdated Crypto
    • Timing Side Channels
    • Leaked Keys
    • Timed Backdoor
    • ...
  • Deploy Attacker Payload
    • Firmware Update: in practice hampered by signed images, slow uploads and a complex system
    • Dangerous TC
    • Vulnerable TC
  • Hijack Bus Control Flow
  • Full Bus Privileges

System Analysis

OPS-Sat

  • Operated by ESA, open for research: external experimenters can run their own software on the satellite
  • Launched December 2019
  • Peripherals: S-/X-Band, SDR, Optical Rx., Camera, ...
  • Payload Platform: ARM-Based Linux + FPGA

System Chart (diagram; reconstructed from the slide labels)

Two uplink stacks feed the on-board software:

UHF stack: UHF -> I2C -> CSP. CSP handlers, ADCS server, CSP -> SPP bridge, parameter DB, device commands, TC buffer, TM sender.

S-Band stack: S-Band -> CAN -> CAN buffer -> SPP. SPP handling: parsing, verify, execute; command groups: memory actions, file actions, device actions, TM instructions, time management, orbital position, MAL (message abstraction layer). Buffers: TC buffer, ring buffer, TM queue; live storage and disk storage.

SEPP: the experimenter payload platform.

UHF-Stack

// Decompiled I2C receive path of the UHF stack (cleaned up; behaviour unchanged)
void csp_i2c_rx(i2c_frame_t *frame, void *pxTaskWoken) {
  // ...
  if (frame) {
    frame_len = frame->len - 4;            // strip the 4-byte CSP header from the frame length
    if (frame_len > 0xfc) {                // more than 252 payload bytes: count a frame error and drop
      csp_if_i2c.frame = csp_if_i2c.frame + 1;   // libcsp interface counter for frame-format errors
      csp_buffer_free_isr(frame);
      return;
    }
    frame->len = frame_len;
    i2c_rx_csp_packet = (csp_packet_t *) frame;
    // Read the 32-bit CSP header big-endian, convert it, and write it back byte by byte.
    // csp_ntoh32() is the identity on this build (see below), so the header bytes end up
    // exactly as they arrived: no byte-order conversion happens here.
    h32 = csp_ntoh32(frame->data[3] | frame->data[1] << 0x10 |
                     frame->data[0] << 0x18 | frame->data[2] << 8);
    frame->data[3] = (uint8_t)h32;
    frame->data[0] = (uint8_t)(h32 >> 0x18);
    frame->data[1] = (uint8_t)(h32 >> 0x10);
    frame->data[2] = (uint8_t)(h32 >> 8);
    csp_qfifo_write(i2c_rx_csp_packet, &csp_if_i2c, pxTaskWoken);   // hand the packet to the CSP router
  }
  return;
}


uint32_t csp_ntoh32(uint32_t n32) {
  return n32;   // identity: this libcsp build does no byte swapping at all
}

UHF-Stack / libcsp

Cubesat Space Protocol (CSP) v1

Source: https://en.wikipedia.org/wiki/Cubesat_Space_Protocol


TCP/IP Oriented Design

UHF-Stack

Cubesat Space Protocol (CSP) v1

  • HMAC-SHA1 Authentication
  • XTEA Encryption Support

Security Issues (libcsp v1, GitHub issue numbers)

  1. MAC comparison leaks timing data (#44)
    • The received and the computed digest are compared with memcmp, which returns at the first differing byte, so the response time reveals how many leading bytes of a forged MAC were correct.
  2. HMAC doesn't protect headers (#45)
    • The HMAC is computed over the payload only, so header fields (addresses, ports, flags) can be rewritten without invalidating it; the CRC32 check has the same gap.
  3. XTEA encrypt packet nonce too predictable (#162)
    • const uint32_t nonce = (uint32_t)rand(); is a libc PRNG output, not a CSPRNG, so nonces can be predicted and may repeat.

According to the libcsp authors, these issues are fixed in libcsp v2.
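As an added example (not libcsp code) of what issues #44 and #45 mean in practice, the C below tags a small CSP-style packet with a constructed keyed hash (FNV-1a over key and message, a stand-in for HMAC-SHA1 and not a real MAC), shows that a tag computed over the payload alone survives rewriting the destination port in the header, and models the memcmp early exit by counting how many bytes a forged tag gets compared before rejection. pkt_t, toy_tag, leak_demo and header_tamper_passes are this example's own names; the dport bit position follows the CSP v1 header layout.

```c
/* Added example, not libcsp code.  The "MAC" is a keyed FNV-1a hash, a
 * constructed stand-in for HMAC-SHA1; the scoping argument is the same
 * for any MAC, so nothing here depends on the hash being strong. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define TAG_LEN 4
#define CSP_DPORT_SHIFT 14                       /* CSP v1: dport occupies bits 14..19 */
#define CSP_DPORT_MASK  (0x3Fu << CSP_DPORT_SHIFT)

typedef struct {
    uint32_t id;                                 /* 32-bit CSP header (pri,src,dst,dport,sport,flags) */
    uint8_t  data[32];
    uint16_t length;
} pkt_t;

/* Toy keyed tag: FNV-1a over key || msg.  NOT a real MAC; stand-in only. */
static void toy_tag(const uint8_t *key, size_t klen,
                    const uint8_t *msg, size_t mlen, uint8_t out[TAG_LEN])
{
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < klen; i++) { h ^= key[i]; h *= 16777619u; }
    for (size_t i = 0; i < mlen; i++) { h ^= msg[i]; h *= 16777619u; }
    out[0] = (uint8_t)(h >> 24); out[1] = (uint8_t)(h >> 16);
    out[2] = (uint8_t)(h >> 8);  out[3] = (uint8_t)h;
}

/* Issue #45 as shipped: the tag covers the payload only. */
static void tag_payload_only(const uint8_t *key, size_t klen,
                             const pkt_t *p, uint8_t out[TAG_LEN])
{
    toy_tag(key, klen, p->data, p->length, out);
}

/* Fix: the tag also covers the header id (serialised big-endian). */
static void tag_with_header(const uint8_t *key, size_t klen,
                            const pkt_t *p, uint8_t out[TAG_LEN])
{
    uint8_t buf[4 + sizeof p->data];
    buf[0] = (uint8_t)(p->id >> 24); buf[1] = (uint8_t)(p->id >> 16);
    buf[2] = (uint8_t)(p->id >> 8);  buf[3] = (uint8_t)p->id;
    memcpy(buf + 4, p->data, p->length);
    toy_tag(key, klen, buf, 4 + p->length, out);
}

/* Constant-time equality: touches all n bytes whatever their content. */
int ct_equal(const uint8_t *a, const uint8_t *b, size_t n)
{
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++) diff |= (uint8_t)(a[i] ^ b[i]);
    return diff == 0;
}

/* Issue #44 as shipped: memcmp stops at the first differing byte, so its running
 * time reveals how many leading tag bytes were right.  This model returns that
 * count instead of measuring time. */
size_t leaky_compare_steps(const uint8_t *a, const uint8_t *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (a[i] != b[i]) return i + 1;
    return n;
}

/* Constructed demo: two 20-byte tags that differ only at index mismatch_at. */
size_t leak_demo(size_t mismatch_at)
{
    uint8_t good[20] = {0}, guess[20] = {0};
    guess[mismatch_at] ^= 0x80;
    return leaky_compare_steps(good, guess, sizeof good);
}

/* Tag a ping (dport 1) under a constructed key, then rewrite the header so it
 * targets the reboot service (dport 4).  Returns 1 if the old tag still
 * verifies, i.e. the attacker redirected the packet for free. */
int header_tamper_passes(int cover_header)
{
    static const uint8_t key[] = "constructed-demo-key";
    uint8_t tag[TAG_LEN], check[TAG_LEN];
    pkt_t p;
    memset(&p, 0, sizeof p);
    p.id = 1u << CSP_DPORT_SHIFT;                              /* dport = 1: ping */
    memcpy(p.data, "ping", 4);
    p.length = 4;
    (cover_header ? tag_with_header : tag_payload_only)(key, sizeof key - 1, &p, tag);

    p.id = (p.id & ~CSP_DPORT_MASK) | (4u << CSP_DPORT_SHIFT); /* dport = 4: reboot */
    (cover_header ? tag_with_header : tag_payload_only)(key, sizeof key - 1, &p, check);
    return ct_equal(tag, check, TAG_LEN);
}

int main(void)
{
    printf("payload-only tag survives dport rewrite: %d\n", header_tamper_passes(0));
    printf("header-covering tag survives rewrite:    %d\n", header_tamper_passes(1));
    printf("memcmp steps, mismatch at byte 0 / 19: %zu / %zu\n", leak_demo(0), leak_demo(19));
    return 0;
}
```

The leak model is what makes the memcmp issue exploitable over a radio link in principle: if the comparison time grows with the length of the correct prefix, a forger can settle one tag byte at a time instead of brute-forcing the whole digest, which is why the fix is a comparison that reads every byte regardless.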


Security Features

UHF-Stack

int csp_route_security_check(...) {
  // Decompiled from the UHF stack: this libcsp build has neither XTEA nor HMAC compiled in.
  // A packet that sets one of the flags only produces a log line; a packet that sets
  // neither flag is passed on without any authentication or decryption.
  if (packet->id.flags & CSP_FXTEA) {
    csp_log_error("Received XTEA encrypted packet, but CSP was compiled without XTEA support. Discarding packet");
  }

  // ...

  if (packet->id.flags & CSP_FHMAC) {
    csp_log_error("Received packet with HMAC, but CSP was compiled without HMAC support. Discarding packet");
  }

  // ...
}


UHF-Stack

// Decompiled CSP server task of the UHF stack (cleaned up): the standard libcsp
// socket / bind / listen / accept pattern, listening on every port.
if (cspServerInitialised == false) {
  cspSocket = csp_socket(0);                       // no socket options: no HMAC/XTEA/CRC required
  if (!cspSocket) { return; }

  ret = csp_bind(cspSocket, CSP_ANY_PORT);         // accept connections to any destination port
  if (ret != CSP_ERR_NONE) { return; }

  ret = csp_listen(cspSocket, 10);                 // backlog of 10 pending connections
  if (ret != CSP_ERR_NONE) { return; }

  cspServerInitialised = true;
}

cspServerConn = csp_accept(cspSocket, 10);         // wait up to 10 ms for a new connection
if (cspServerConn) {
  while ((request_packet = csp_read(cspServerConn, 0)) != NULL) {
    dest_port = csp_conn_dport(cspServerConn);     // the destination port selects the handler
    switch (dest_port) {
      // ...
    }
  }
  csp_close(cspServerConn);
}


Cubesat Space Protocol (CSP) v1

Socket API + TCP-based ports

  • "Default" Server
    • socket, bind, listen, accept

UHF-Stack

Cubesat Space Protocol (CSP) v1

Default Services

  • Network Info Handlers
  • Ping
  • OS Tasklist
  • Remaining Memory
  • System Reboot
  • Current Time

// libcsp's csp_service_handler(), simplified: one well-known port per service.
// The handlers themselves do no authentication; that is left to the HMAC/XTEA
// layer, which this build lacks. The only guard is the magic value before the reboot.
switch (csp_conn_dport(conn)) {
  case 0: // Network information handlers (CSP management protocol)
    csp_cmp_handler(conn, packet);
    break;
  case 1: // Ping
    do_csp_debug(2, "SERVICE: Ping received");
    break;
  case 2: // OS Tasklist
    csp_sys_tasklist(str, size);
    // ...
    csp_send(conn, packet, 0);
    break;
  case 3: // Remaining Memory
    val = csp_sys_memfree();
    // ...
    csp_send(conn, packet, 0);
    break;
  case 4: // System Reboot, gated only by a fixed 4-byte magic value (BYTESEQ)
    if (memcmp(packet->data, BYTESEQ, 4) == 0) { csp_sys_reboot(); }
    break;
  // ...
}


UHF-Stack

// Top-level dispatch of the UHF stack on the destination port (decompiled, cleaned up)
dest_port = csp_conn_dport(conn);
switch (dest_port) {
  case 0x00: case 0x01: case 0x02: case 0x03: case 0x04: case 0x05: case 0x06:
    csp_service_handler(conn, pkt);      // libcsp default services (see above)
    break;
  case 0x07:
    rparam_service_handler(conn, pkt);   // remote parameter access (parameter DB)
    break;
  case 0x10:
    CSP_ProcessReceivedSPP(pkt);         // CSP -> SPP: unwrap a Space Packet for the TC pipeline
    break;
}

Central Services
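The service switch and the port dispatcher above route purely on the CSP destination port. As an added example (not libcsp or OPS-SAT code), the C below packs and unpacks the 32-bit CSP v1 header and makes the same routing decision, first as a build without HMAC/XTEA support does, then under a policy that refuses packets that carry no HMAC flag. The field layout and the flag values are libcsp's CSP v1 definitions; make_id, the route codes and the require_hmac policy are this example's own.

```c
/* Added example, not libcsp or OPS-SAT code: CSP v1 header layout
 * (pri:2, src:5, dst:5, dport:6, sport:6, flags:8) and port-based dispatch. */
#include <stdint.h>
#include <stdio.h>

#define CSP_FHMAC  0x08u
#define CSP_FXTEA  0x04u
#define CSP_FRDP   0x02u
#define CSP_FCRC32 0x01u

typedef struct { uint8_t pri, src, dst, dport, sport, flags; } csp_id_v1;

uint32_t csp_id_pack(csp_id_v1 h)
{
    return ((uint32_t)(h.pri   & 0x03) << 30) | ((uint32_t)(h.src   & 0x1F) << 25)
         | ((uint32_t)(h.dst   & 0x1F) << 20) | ((uint32_t)(h.dport & 0x3F) << 14)
         | ((uint32_t)(h.sport & 0x3F) << 8)  |  (uint32_t) h.flags;
}

csp_id_v1 csp_id_unpack(uint32_t id)
{
    csp_id_v1 h;
    h.pri   = (id >> 30) & 0x03;  h.src   = (id >> 25) & 0x1F;  h.dst   = (id >> 20) & 0x1F;
    h.dport = (id >> 14) & 0x3F;  h.sport = (id >> 8)  & 0x3F;  h.flags = id & 0xFF;
    return h;
}

/* Convenience (example's own): ground node 10 -> satellite node 1 on a given dport. */
uint32_t make_id(uint8_t dport, uint8_t flags)
{
    csp_id_v1 h = { .pri = 2, .src = 10, .dst = 1, .dport = dport, .sport = 32, .flags = flags };
    return csp_id_pack(h);
}

enum route {
    DROP_UNSUPPORTED = -1,   /* flag set for a feature this build lacks (cf. csp_route_security_check) */
    DROP_UNAUTH      = -2,   /* hardened policy (example's own): no HMAC flag, packet refused */
    HANDLER_NONE     =  0,
    HANDLER_SERVICE  =  1,   /* ports 0..6: CMP, ping, tasklist, memfree, reboot, ... */
    HANDLER_RPARAM   =  2,   /* port 7: remote parameter service */
    HANDLER_SPP      =  3    /* port 0x10: CSP -> SPP bridge */
};

/* Routing decision for one received header.  hmac_supported mirrors the
 * compile-time switch in the firmware; require_hmac is the hardened policy. */
int dispatch_packet(uint32_t id, int hmac_supported, int require_hmac)
{
    csp_id_v1 h = csp_id_unpack(id);

    /* A build without HMAC/XTEA can only refuse packets that ask for them;
     * a packet with flags == 0 is never checked at all. */
    if ((h.flags & CSP_FHMAC) && !hmac_supported) return DROP_UNSUPPORTED;
    if (h.flags & CSP_FXTEA) return DROP_UNSUPPORTED;       /* example assumes no XTEA in this build */
    if (require_hmac && !(h.flags & CSP_FHMAC)) return DROP_UNAUTH;

    if (h.dport <= 6)     return HANDLER_SERVICE;
    if (h.dport == 7)     return HANDLER_RPARAM;
    if (h.dport == 0x10)  return HANDLER_SPP;
    return HANDLER_NONE;
}

int main(void)
{
    uint32_t reboot = make_id(4, 0);   /* plain, unauthenticated packet for the reboot service */
    printf("id=0x%08x dport=%u -> route %d (no HMAC support, no policy)\n",
           (unsigned)reboot, csp_id_unpack(reboot).dport, dispatch_packet(reboot, 0, 0));
    printf("same packet under require_hmac -> route %d\n", dispatch_packet(reboot, 1, 1));
    return 0;
}
```

The two dispatch_packet calls in main make the point of the slide: with flags cleared, the unauthenticated reboot packet is routed straight to the service handler, and only a socket-level or router-level policy that demands an HMAC flag (and a build that can verify it) turns that into a drop.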

// ADCS server of the UHF stack (decompiled, cleaned up): csp_listen / csp_bind(0x14) / csp_accept,
// then a switch on the command byte of the request.
switch (val) {
  case 0x01: // Set ADCS Mode
    memcpy(packet->data + 2, _adcs_mode, 7);               // copy the mode string into the reply
    packet->data[1] = '\0';
    packet->length = 0;
    goto send_packet_set_len;
  case 0x1c:
    gs_adcs_gps_on();
    break;
  case 0x14: // Set ADCS Wheel position
    gs_adcs_wheels_diag(packet->data[2], &val0, &val1);   // wheel index taken straight from the request
    packet->data[1] = '\0';
    h16 = util_hton16(val0);                               // both values written high byte first
    packet->data[5] = (char)(h16 & 0xff);
    packet->data[4] = (char)(h16 >> 8);
    h16 = util_hton16(val1);
    packet->data[7] = (char)(h16 & 0xff);
    packet->data[6] = (char)(h16 >> 8);

    packet->length = 0;
    goto send_packet_set_len;
}

ADCS Server


UHF-Stack

send_packet_set_len:
  *((char *)&packet->length + 1) = len;   // byte-wise store into the 16-bit length field zeroed above (as decompiled)
send_packet:
  ret = csp_send(conn, packet, 0);
  if (!ret) goto failed;

Sending Telemetry


CAN Frames

// CAN receive task of the S-band stack (decompiled, cleaned up). Packets arrive as
// START / CONTINUE / END frames; the 5-bit "remain" counter in the CAN id counts down.
void can_rx_task_gmv(void) {
  // ...
  if (frame_type == START) {
    // Allocate packet
    if (curr_buf->packet == (CFP_Packet_t *)0x0) {
      tmp = csp_buffer_size();
      packet = (CFP_Packet_t *)csp_buffer_get(tmp - 0xe);
      curr_buf->packet = packet;
    } else { ... }

    curr_buf->rx_count = 0;
    curr_buf->remain = frame_id >> 0xd & 0x1f;
    // Copy to Global Buffer. In this excerpt datablockGlobalRx.Size is not reset on START,
    // so it keeps whatever value the previous packet left behind.
    memcpy(datablockGlobalRx.Data, &can_frame.data, can_frame.dlc);
    datablockGlobalRx.Size = can_frame.dlc + datablockGlobalRx.Size;
    // ...
  }
  else if (frame_type == CONTINUE) {
    can_remain = frame_id >> 0xd & 0x1f;
    // Check continuous ID: the counter must have decreased by exactly one
    if (can_remain == curr_buf->remain - 1) {
      curr_buf->remain = can_remain;
      curr_buf->rx_count = curr_buf->rx_count + (uint16_t)can_frame.dlc;
      // Copy to Global Buffer: appended at Size with no visible check against the buffer's capacity
      memcpy(datablockGlobalRx.Data + datablockGlobalRx.Size,
             &can_frame.data, can_frame.dlc);
      datablockGlobalRx.Size = (uint32_t)can_frame.dlc + datablockGlobalRx.Size;
      // ...
    }
  }
  else if (frame_type == END) {
    can_remain = frame_id >> 0xd & 0x1f;
    // Note the test is inverted relative to CONTINUE: the END frame is accepted
    // when the counter does not match (as decompiled)
    if (can_remain != curr_buf->remain - 1) {
      memcpy(datablockGlobalRx.Data + datablockGlobalRx.Size,
             &can_frame.data, can_frame.dlc);
      datablockGlobalRx.Size = can_frame.dlc + datablockGlobalRx.Size;
      memcpy(datablockGlobalRxFinal.Data, datablockGlobalRx.Data,
             datablockGlobalRx.Size);
      datablockGlobalRxFinal.Size = datablockGlobalRx.Size;
      datablockGlobalFlag = 1;
      CAN_AddPacketToCanStore(&datablockGlobalRxFinal);   // queue the reassembled packet in the CAN store
      // ...
    }
  }
}
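As an added example (not OPS-SAT or libcsp code), here is the checked reassembler a practitioner would put beside the decompiled loop: it resets the fill level on every START, requires the remain counter to decrease by exactly one on CONTINUE and END, and refuses any frame that would write past the buffer. The frame layout (type and counter as plain fields rather than bits of the CAN id), the 64-byte capacity and the demo_* sequences are constructed for this example.

```c
/* Added example, not OPS-SAT code: bounds-checked START / CONTINUE / END
 * reassembly.  Frame fields and the small RX_CAP are this example's own. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define RX_CAP 64   /* deliberately small so the overflow case is easy to hit */

typedef enum { F_START, F_CONTINUE, F_END } frame_type;
typedef struct { frame_type type; uint8_t remain; uint8_t dlc; uint8_t data[8]; } cfp_frame;

typedef struct {
    uint8_t data[RX_CAP];
    size_t  size;      /* bytes assembled so far */
    uint8_t remain;    /* counter seen in the last accepted frame */
    int     active;    /* START seen, END not yet */
} rx_state;

enum { RX_OK = 0, RX_DONE = 1, RX_ERR_DLC = -1, RX_ERR_STATE = -2,
       RX_ERR_SEQ = -3, RX_ERR_OVERFLOW = -4 };

/* Sink for completed packets; the demo only records the last one. */
static uint8_t last_packet[RX_CAP];
static size_t  last_packet_len;

static void rx_reset(rx_state *s) { s->size = 0; s->remain = 0; s->active = 0; }

/* Append one frame's data, refusing anything that would pass the end of the buffer. */
static int rx_append(rx_state *s, const cfp_frame *f)
{
    if (s->size + f->dlc > RX_CAP) { rx_reset(s); return RX_ERR_OVERFLOW; }
    memcpy(s->data + s->size, f->data, f->dlc);
    s->size += f->dlc;
    return RX_OK;
}

int rx_frame(rx_state *s, const cfp_frame *f)
{
    int rc;
    if (f->dlc > 8) { rx_reset(s); return RX_ERR_DLC; }   /* classic CAN payload limit */
    switch (f->type) {
    case F_START:
        rx_reset(s);                        /* never carry over a previous fill level */
        s->active = 1;
        s->remain = f->remain;
        return rx_append(s, f);
    case F_CONTINUE:
    case F_END:
        if (!s->active) return RX_ERR_STATE;                 /* frame without a START */
        if (f->remain != (uint8_t)(s->remain - 1)) { rx_reset(s); return RX_ERR_SEQ; }
        s->remain = f->remain;
        rc = rx_append(s, f);
        if (rc != RX_OK || f->type == F_CONTINUE) return rc;
        memcpy(last_packet, s->data, s->size);               /* deliver the complete packet */
        last_packet_len = s->size;
        rx_reset(s);
        return RX_DONE;
    }
    return RX_ERR_STATE;
}

/* Constructed frames for the demo and tests: 8 data bytes of one fill value. */
static cfp_frame mk(frame_type t, uint8_t remain, uint8_t fill)
{
    cfp_frame f = { .type = t, .remain = remain, .dlc = 8 };
    memset(f.data, fill, sizeof f.data);
    return f;
}

size_t demo_good(void)          /* START(2) CONTINUE(1) END(0): 24 bytes delivered */
{
    rx_state s; rx_reset(&s);
    cfp_frame seq[] = { mk(F_START, 2, 0xA1), mk(F_CONTINUE, 1, 0xA2), mk(F_END, 0, 0xA3) };
    for (size_t i = 0; i < 3; i++) if (rx_frame(&s, &seq[i]) < 0) return 0;
    return last_packet_len;
}

int demo_overflow(void)         /* counters all valid, but 9 x 8 bytes exceed RX_CAP */
{
    rx_state s; rx_reset(&s);
    cfp_frame f = mk(F_START, 31, 0xFF);
    int rc = rx_frame(&s, &f);
    for (uint8_t r = 30; rc == RX_OK; r--) { f = mk(F_CONTINUE, r, 0xFF); rc = rx_frame(&s, &f); }
    return rc;
}

int demo_out_of_sequence(void)  /* START(2) followed by CONTINUE(0): one frame skipped */
{
    rx_state s; rx_reset(&s);
    cfp_frame a = mk(F_START, 2, 0), b = mk(F_CONTINUE, 0, 0);
    rx_frame(&s, &a);
    return rx_frame(&s, &b);
}

int demo_orphan(void)           /* CONTINUE with no START in flight */
{
    rx_state s; rx_reset(&s);
    cfp_frame f = mk(F_CONTINUE, 5, 0);
    return rx_frame(&s, &f);
}

int main(void)
{
    printf("good sequence delivered %zu bytes\n", demo_good());
    printf("overflow %d, out-of-sequence %d, orphan %d\n",
           demo_overflow(), demo_out_of_sequence(), demo_orphan());
    return 0;
}
```

The overflow demo is the case worth staring at: every frame in it carries a valid, strictly decreasing counter, so a reassembler that only checks the counter (as the decompiled CONTINUE branch does) would keep appending; only the explicit capacity check in rx_append stops it.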


S-Band Stack

CCSDS - Protocol Stack (diagram; layers reconstructed from the slide labels)

  • Application: Message Abstraction Layer (MAL), ...
  • Network: Space Packet Protocol (SPP); IP (with IPsec)
  • Data Link Layer
    • Data link protocol sublayer: TM Space Data Link Protocol, TC Space Data Link Protocol, AOS Space Data Link Protocol, Proximity-1
    • Sync. and Channel Coding Sublayer

On OPS-Sat the S-band path ends in Space Packets, which are what the TC pipeline in the system chart parses, verifies and executes.
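Space Packets are what the S-band TC path parses before anything is verified or executed. As an added example (not OPS-SAT code), the C below builds and parses the 6-byte CCSDS Space Packet primary header and checks the length the header claims against the bytes actually received, so a truncated or length-inflated packet is rejected before the data field is touched. The layout is the CCSDS SPP primary header; the APID, sequence count and payload are constructed values, and the demo_* functions are this example's own.

```c
/* Added example, not OPS-SAT code: CCSDS Space Packet primary header
 * (version:3, type:1, sec-hdr flag:1, APID:11, seq flags:2, seq count:14,
 * data length:16 where the field holds the data field length minus one). */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define SPP_HDR_LEN   6
#define SPP_APID_IDLE 0x7FF

typedef struct {
    uint8_t  version, type, sec_hdr, seq_flags;
    uint16_t apid, seq_count;
    uint32_t data_len;        /* real data field length (field value + 1) */
} spp_hdr;

enum { SPP_OK = 0, SPP_ERR_SHORT = -1, SPP_ERR_VERSION = -2, SPP_ERR_TRUNC = -3, SPP_ERR_SIZE = -4 };

/* Serialise header + payload.  Returns bytes written or SPP_ERR_SIZE. */
int spp_build(uint8_t *out, size_t cap, const spp_hdr *h, const uint8_t *payload, size_t plen)
{
    if (plen == 0 || plen > 65536 || cap < SPP_HDR_LEN + plen) return SPP_ERR_SIZE;
    uint16_t w0 = (uint16_t)(((h->version & 7) << 13) | ((h->type & 1) << 12)
                           | ((h->sec_hdr & 1) << 11) | (h->apid & 0x7FF));
    uint16_t w1 = (uint16_t)(((h->seq_flags & 3) << 14) | (h->seq_count & 0x3FFF));
    uint16_t w2 = (uint16_t)(plen - 1);
    out[0] = (uint8_t)(w0 >> 8); out[1] = (uint8_t)w0;
    out[2] = (uint8_t)(w1 >> 8); out[3] = (uint8_t)w1;
    out[4] = (uint8_t)(w2 >> 8); out[5] = (uint8_t)w2;
    memcpy(out + SPP_HDR_LEN, payload, plen);
    return (int)(SPP_HDR_LEN + plen);
}

/* Parse one packet from buf[0..len).  On success *data points into buf and
 * h->data_len is a verified length: what the header claims is checked against
 * the bytes actually present before any later stage gets to trust it. */
int spp_parse(const uint8_t *buf, size_t len, spp_hdr *h, const uint8_t **data)
{
    if (len < SPP_HDR_LEN) return SPP_ERR_SHORT;
    uint16_t w0 = (uint16_t)((buf[0] << 8) | buf[1]);
    uint16_t w1 = (uint16_t)((buf[2] << 8) | buf[3]);
    uint16_t w2 = (uint16_t)((buf[4] << 8) | buf[5]);
    h->version = (uint8_t)(w0 >> 13);
    if (h->version != 0) return SPP_ERR_VERSION;   /* field value 0 = packet version 1 */
    h->type      = (w0 >> 12) & 1;                  /* 1 = telecommand, 0 = telemetry */
    h->sec_hdr   = (w0 >> 11) & 1;
    h->apid      = w0 & 0x7FF;
    h->seq_flags = (uint8_t)(w1 >> 14);
    h->seq_count = w1 & 0x3FFF;
    h->data_len  = (uint32_t)w2 + 1;
    if ((size_t)SPP_HDR_LEN + h->data_len > len) return SPP_ERR_TRUNC;
    *data = buf + SPP_HDR_LEN;
    return SPP_OK;
}

/* Constructed telecommand: APID 0x123, unsegmented, count 42, 4-byte payload. */
static int demo_packet(uint8_t *out, size_t cap)
{
    spp_hdr h = { .version = 0, .type = 1, .sec_hdr = 1, .seq_flags = 3, .apid = 0x123, .seq_count = 42 };
    return spp_build(out, cap, &h, (const uint8_t *)"\x01\x02\x03\x04", 4);
}

int demo_roundtrip(void)      /* build, parse, return the parsed APID (0x123) or -1 */
{
    uint8_t buf[32]; spp_hdr h; const uint8_t *d;
    int n = demo_packet(buf, sizeof buf);
    if (n != 10 || spp_parse(buf, (size_t)n, &h, &d) != SPP_OK) return -1;
    if (h.type != 1 || h.sec_hdr != 1 || h.seq_flags != 3 || h.seq_count != 42
        || h.data_len != 4 || d[3] != 4) return -1;
    return h.apid;
}

int demo_truncated(void)      /* header promises 4 data bytes, only 2 arrive */
{
    uint8_t buf[32]; spp_hdr h; const uint8_t *d;
    int n = demo_packet(buf, sizeof buf);
    return spp_parse(buf, (size_t)n - 2, &h, &d);
}

int demo_length_lie(void)     /* length field bumped to 0xFFFF: the parser must not trust it */
{
    uint8_t buf[32]; spp_hdr h; const uint8_t *d;
    int n = demo_packet(buf, sizeof buf);
    buf[4] = 0xFF; buf[5] = 0xFF;
    return spp_parse(buf, (size_t)n, &h, &d);
}

int demo_short(void)          /* fewer bytes than a primary header */
{
    spp_hdr h; const uint8_t *d;
    return spp_parse((const uint8_t *)"\x19\x23\xC0", 3, &h, &d);
}

int main(void)
{
    uint8_t buf[32];
    int n = demo_packet(buf, sizeof buf);
    printf("packet (%d bytes):", n);
    for (int i = 0; i < n; i++) printf(" %02x", buf[i]);
    printf("\napid 0x%x, truncated %d, length lie %d, short %d\n",
           demo_roundtrip(), demo_truncated(), demo_length_lie(), demo_short());
    return 0;
}
```

The length check is the one that matters for the Parsing stage of the chart: the 16-bit length field is attacker-controlled, and a parser that uses it to size a copy before comparing it with the received byte count is the S-band analogue of the unchecked CAN reassembly above.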
