Bug identified in Elon Musk’s Starlink satellites

The prediction that satellites will be the new frontier of hacker action is coming true. A researcher recently hacked into billionaire Elon Musk’s Starlink satellite system using a simple $25 device.

Belgian Lennert Wouters of KU Leuven University demonstrated during the Black Hat Security Conference how he used a homemade circuit board to hack into Starlink terminals and execute malicious code locally and access the entire network. The researcher published the board design on GitHub.

“The wide availability of Starlink terminals exposes them to hackers and opens the door for attackers to freely exploit the network,” Wouters said. The SpaceX company’s Starlink network has launched more than 2,600 satellites to date and, according to a video presentation Musk posted via Twitter on June 5, Starlink services are available in 32 countries and have about 500,000 users.

Wouters’ work was part of SpaceX’s programme, which rewards researchers who identify bugs in Starlink’s services. According to Business Insider, SpaceX congratulated Wouters on the discovery and said it had released an update to its system.

SpaceX recently received approval from the US Federal Communications Commission to bring its services to cars, boats, and planes in transit.

Attractive airspace

This demonstration by the Belgian researcher may be just another sign that cyberattacks targeting satellites may be becoming more of a concern. One of the reasons for the attraction of these new types of targets may be the growing wave of satellite launches in recent times, expanding the opportunities for invasion. According to the United Nations agency Office For Outer Space Affairs, the year 2021 was the third consecutive year in terms of record objects launched into space and registered with the UN. Over the course of last year, 31 member states submitted registrations for 1,895 objects, a 50 per cent increase over 2020.

Another way to measure the attractiveness of the satellite market for cybercriminals is its value. The so-called space economy also reached a record high in 2020, adding up to about $447 billion. Revenue from the commercial area, consisting of Products & Services and Infrastructure & Support, accounted for almost 80% of the value.

The vulnerability of satellites in the area of security has already caught the attention of US lawmakers. Last May, two House members introduced bills seeking to pressure federal agencies to revise policies and programmes to help the country, in general, as well as satellite network owners and operators defend against hacking activities against systems and assets.

“We depend on satellites for everything from driving to ensuring our nation’s defence, but our space systems are vulnerable to cyberattacks. The commercial satellite industry has been asking for help to protect Americans against this threat. Our bill directs the US government’s primary cyber defence agency to provide this help,” said Congressman Tom Malinowski.

Among other requirements, the Cybersecurity and Infrastructure Agency (CISA) should develop voluntary cybersecurity standards and recommendations, possibly including specific guidance such as risk-based engineering with continuous monitoring, plans to maintain or recover satellite operations in the event of attacks, robust controls on physical and digital access and supply chain vulnerabilities.

Meanwhile, the Space Systems Command has already announced a new process to assess the cybersecurity of commercial satellite operators doing business with the US Department of Defense. Under this infrastructure asset pre-approval programme, commercial providers using satellite services are assessed based on their cybersecurity practices and systems and, when approved, already join a pre-approved list that dispenses with the need to complete lengthy questionnaires during the service delivery proposal phase.

At the international level, the World Economic Forum recently warned that space communications technologies will change the lives of millions of people in the coming years by bringing connectivity to places currently inaccessible by land. The exploitation of this market is expected to generate $1.2 trillion in retail revenue in the period between 2020 and 2030. And because they are fundamental to modern life, these satellite connectivity services will also become particularly attractive to cyberattackers, whose impacts are incalculable.

“Inter-council discussions at the World Economic Forum on Cybersecurity and Space held in April 2022 suggest that governments, with operators and users of space-dependent technologies, should identify which services are essential and prioritize ensuring their end-to-end levels of cyber resilience”, the forum highlights. Another important aspect is the regulatory frameworks, which are failing to keep up with the technological evolution of the sector.