Defunct satellites are a hacker’s paradise

Hours before Russia invaded Ukraine, it launched a crippling cyber attack

At dawn in Moscow on Thursday, February 24th, Russian president Vladimir Putin announced the start of a special military operation in Ukraine. An hour before his address and before ground and air forces invaded, a large number of internet connections were lost across Ukraine, including many used by its armed forces.

They were all customers of the US Viasat high-speed satellite service. The modems supplied by Viasat had been remotely hacked, with all their settings and data wiped clean, rendering them permanently useless. Poor targeting by the Russian hackers led to a simultaneous contamination of Viasat devices in other European countries, including thousands of German wind farm installations. The Viasat satellites in orbit were not themselves attacked, but the ease with which the ground equipment was destroyed demonstrates how fragile internet services can be.

Replacement Viasat ground equipment was shipped, but Elon Musk of SpaceX was quick to spot an opportunity. SpaceX's nascent Starlink service competes with Viasat and, although as yet incomplete, is viable. The Ukrainian military and its government have praised Musk for quickly restoring internet services by donating thousands of Starlink modems and routers at very short notice. SpaceX has reported that Russian hackers have now tried to attack Starlink but so far have been repelled.

Starlink aims to place 12,000 of its satellites in orbit during this decade. Since the Russians launched the world’s first satellite, Sputnik, in 1957, the total in orbit has reached about 6,000.

At their core, satellites are frequently based on open-source software. Many older satellites may have no means to update this software once in orbit, and so are unable to patch any vulnerabilities that may subsequently emerge. Most of us are all too conscious of what can happen if we do not enable operating system patches to our smart devices and laptops, and most satellites are similarly vulnerable. Because of the increasing awareness of the risks of hacking of critical satellite services for global communications, GPS navigation, weather and military applications, some modern satellites have an inbuilt software update capability as well as protection against hacking. But older generations of satellites frequently do not, and now an incredible 60 per cent of the 6,000 satellites currently in orbit are no longer in active service.

Satellites reaching their end of life are deliberately decommissioned so that they will naturally re-enter the atmosphere and burn up from air friction within 25 years. Satellites launched before 2007, when the 25-year rule was introduced, may not de-orbit as quickly once defunct, and some are expected to decay only after several hundred years. Some satellites are too far from Earth ever to de-orbit at their end of life. In particular, defunct geo-stationary satellites, which appear at fixed locations in the sky, are permanently parked in graveyard orbits some 300km higher than the geo-stationary orbits.

A decade ago Brazilian satellite hackers broke into US Navy fleet communication satellites first launched in the 1970s, turning some of the capacity into a private radio network for just a few hundred dollars per handset. Because parts of Brazil are so remote and phone coverage may be sporadic, having your own private, high-quality communications network has proven a valuable asset for nefarious activities including illegal logging, drug dealing and other organised criminal gangs.

In 2020, an Oxford University researcher reported how easily he had intercepted internet satellite traffic from 18 satellites, using a cheap off-the-shelf satellite dish and tuner. By simply pointing his dish at satellites overhead and tuning to their broadcast frequencies, he was able to listen in on internet traffic from an oil tanker, personally identifiable information from a crew on a billionaire’s yacht, and navigational information for an airliner in flight. Much satellite internet traffic is not securely encrypted, making such interception relatively simple. There is an obvious risk of “spoofing”: deliberately transmitting misleading traffic that a recipient cannot distinguish from the legitimate traffic it might have been sent.

Last year a team led by a research scientist at the University of Washington (WA) successfully demonstrated a hack of a defunct Canadian TV broadcast satellite, launched in 2005 and decommissioned in 2020. The satellite’s coverage extends from Canada south across the US, and west to beyond Hawaii and to the eastern part of Russia. The satellite is due to be moved to its end-of-life graveyard orbit soon, as most of the TV services using it have now been migrated to a new satellite. The researchers politely requested a permit to uplink to the satellite, and then demonstrated how, with relative ease and a low-cost transmitting antenna, they could hack into it and use it to live-stream a research presentation of their work over its TV channels across the northern hemisphere.

The Viasat modem attack, together with published research papers on how to eavesdrop on and broadcast using satellites, spotlights how equipment designed a few decades ago can become vulnerable to the sheer pace of technology development and innovation. Today’s satellite systems are much better protected against hacking, but the number of defunct satellites reaching end of life is providing a new playground for a wave of hacking.