46

Does the software in the Mars Curiosity Rover have any security features built-in? I can't imagine how someone would hack into it, but if the rover does indeed have some protection against malicious hackers, what kind of attacks would it be protecting itself against?

AviD
  • 72,138
  • 22
  • 136
  • 218
pasawaya
  • 1,027
  • 1
  • 9
  • 12
  • 5
    Not a duplicate, but for reference, a question about hacking satellites: http://security.stackexchange.com/q/6424/485 – Rory Alsop Aug 07 '12 at 10:14
  • 2
    What do you mean by Mars Curiosity Security? Malicious Hackers? You watch too much tv! – Andrew Smith Aug 07 '12 at 10:55
  • @AndrewSmith - I'm talking about the rover that just landed on Mars . And by malicious hackers, I just mean those that might attempt to somehow hack into the rover and damage/take control of the rover. – pasawaya Aug 07 '12 at 11:00
  • 3
    @qegal - Anyone that could answer this question likely is not allowed to share this information. If I were to hazard to guess it would some sort of private public key authentication, the rover itself has one key, and NASA has the other. – Ramhound Aug 07 '12 at 11:52
  • [Related tweet](https://twitter.com/Viss/status/232366125013430273). – Polynomial Aug 07 '12 at 12:36
  • 6
    There are no USB ports to ensure that any Martians or visiting aliens from elsewhere are unable to upload malware –  Aug 07 '12 at 17:26
  • I think pathfinder was going plaintext, and when I watched in live on tv, I could see sessionid on one of the screens – Andrew Smith Aug 07 '12 at 21:43
  • @Ramhound I agree, if any proper security were implemented it would be that. Now the question is, how likely is it that NASA's actually doing that? – Iszi Aug 08 '12 at 18:02
  • I just read an article about "How it might be possible to hack Curiousity". It has some good points! http://www.pcmag.com/article2/0,2817,2408295,00.asp – Tie-fighter Aug 10 '12 at 12:00
  • @Ramhound Why public/private? What's wrong with using a symmetric key? – Cruncher Mar 03 '14 at 18:13

3 Answers3

45

I used to be a Command Controller (CC) at the Laboratory for Atmospheric and Space Physics (LASP) (http://lasp.colorado.edu/). I was one of the people who would sit in front of the console during the times when spacecraft were visible to the ground stations. I would read/record telemetry to ensure spacecraft health and often send up new commands that would be executed by the spacecraft.

In order to communicate with the ground stations (for both data and voice if necessary), the Mission Operation Center (MOC) at LASP had to have a connection to NASA's "red net". I am not sure if this was a LASP term or a NASA term. A google search turned up little information.

In order to be even let in the room with access to the "red net" background checks were required. Then, in order to actually interact with the console, you had to be a certified CC, or a CC in training being overseen by a certified CC. All CC activity is always overseen by a "Flight Controller" (FC) or even a "Flight Director" (FD).

In the training to become a CC, we all had to know exactly the packet structure of the communication protocol for every spacecraft we operated. While there were most certainly checksums in the protocol, I don't believe that there was any sort of encryption, authentication or verification of the data received by the spacecraft. The spacecraft are always designed to be very fault tolerant, and have fallback modes in case the RF communication is corrupted or there are other "single bit errors". Error detection and correction is a fundamental feature of RF spacecraft communication.

I also worked on one deep space mission, though not as a CC. Anything not in earth orbit would require much larger antennas and likely what NASA calls the "Deep Space Network" (http://deepspace.jpl.nasa.gov/dsn/). This makes an attack even more challenging.

The risks as I see them today are several fold. I am not sure if they have since been fixed as I haven't worked at LASP in many years. I am also completely unaware of the design of anything but a few scientific missions. The worst things I think an attacker could do would be:

  1. Threaten to deorbit the spacecraft, or even simply waste precious propulsion fuel, for mischeif or for ransom.
  2. Threaten to try to change the orbit which could possibly cause a collision with other spacecraft -- again, for mischeif or ransom.

Otherwise, I am not sure what could be gained by an attacker.

Here are the vectors I see that may make an attack possible:

  1. Forged communication with the spacecraft. This would have to be done with knowledge of the spacecraft's ephemeris and with the ability to establish communication with the spacecraft. The ephemeris is fairly easy to obtain, but getting control of a ground station may require that the attacker be a state actor.
  2. Man in the middle (MITM) attacks between the ground station and MOC. Getting onto the NASA "red net" would be highly challenging. This is the same network that the space station operates on. However, once there, it might be possible to somehow become a MITM and pass on good or forged telemetry to the MOC while sending arbitrary commands to the ground station (ignoring any commands sent by the MOC). This would also require that the attacker have fairly vast resources and prior knowledge.

In either of these cases, the payoff would likely not be worth the reward. Then again, I only worked with "smallish" scientific missions. It might certainly be worth the risk for one country to "steal" a military spacecraft from another as the cost for a country to design, launch and maintain such a spacecraft is likely much greater than the cost of the attack. I imagine these have much stronger security though.

To answer your question, I don't know how secure the Mars Curiosity mission is. However, due to the distance, it probably operates solely on the DSN ground stations (very large antennas, of which there are only a handful in the world). Any attacker would either have to commandeer one of these stations, or build his own (which would be hard to hide). Further, the security of the communications between the ground stations and mission operations is certainly a top priority for NASA and JPL.

In summary, communications reliability is a much greater concern when designing spacecraft -- it's really hard to talk to stuff so far away, with so much interference in-between and the constant bombardment of radiation that can affect just about anything in the process. While there may or may not be any sort of encryption, authentication or verification in the RF communication between the ground station and the spacecraft, the ability to actually interfere would likely only be available to nation-states. It would also be hard to hide who would be behind such an attack and the political fallout would likely be immense.

Joshua
  • 566
  • 4
  • 3
  • 2
    In military communications environments, there exists the concept of [black and red networks](http://en.wikipedia.org/wiki/RED/BLACK_concept). The red part is where the secrets are allowed to travel in the clear. It could be related to your "red net". – SquareRootOfTwentyThree Aug 14 '12 at 22:30
  • As a US Government agency, NASA would fall under the supervision of the NSA. I believe the Red Black categorization originates from the NSA and is repeated by other agencies that must have their certification for operation of sensitive resource – this.josh Apr 07 '15 at 23:06
15

Apparently, NASA is taking communication security very seriously (and I would, too, if I had 2G$+ toys to manage !). I think they've done so for a long time, because in the early times of space exploration (in the 1960s) they feared malicious interference from their arch-enemies, the Soviets.

(I do not have a reference handy, but my brain cells tell me that in the 1970s, space probe Voyager I did a radiometric occultation with Titan, a satellite of Saturn -- the probe was briefly hidden behind Titan, as seen from Earth -- in order to allow for some spectrometry on Titan's atmosphere, but the communication was jammed by a Russian satellite, so the same experiment had to be done again with Voyager II. I might have got some of the details wrong, and I am not sure the jamming was intentional.)

Thomas Pornin
  • 320,799
  • 57
  • 780
  • 949
  • +1 - Okay, sounds good. I'm going to hold out on marking you as the answer just in case I get another good answer, but if no other answers trickle in, I'll make sure to mark you as the answer. – pasawaya Aug 07 '12 at 20:45
  • 1
    Sorry for changing the answer. Your answer was great, but I feel Joshua's answer was a little more comprehensive. – pasawaya Aug 08 '12 at 20:40
  • Moreover, Russian attack satellites just by putting bucket of nails to the same orbit. –  Aug 13 '13 at 10:44
6

In addition to the other excellent answers here --

You asked about some of the threats that one must defend against. One possible risk is the possibility that the launch vehicle or spacecraft could be hijacked and retargeted to de-orbit and come back to Earth, hitting some designated location on Earth -- in effect, turning the spacecraft into a kinetic-energy weapon. While I don't know much about space-based navigation, I suspect that (apart from the payload) there's a fine line between a space launch vehicle and an ICBM. It probably would not be a good thing if someone could hijack the launch vehicle and cause it to come crashing back to Earth at some targeted location. Thousands of pounds of spacecraft de-orbiting into your backyard at a thousand miles per hour might give you a very bad day.

D.W.
  • 98,420
  • 30
  • 267
  • 572
  • 2
    Actually, for the Curiosity rover, it is much worse, because it contains a substantial amount of plutonium (that's its power generator). It is Pu-238, not Pu-239, so not suitable for chain reaction, but it is still highly toxic (both from radioactivity and chemically). As for coming back from Mars, well, fortunately, there are laws (of physics) against that. But the launch part is more critical, for sure. – Tom Leek Aug 10 '12 at 11:06
  • 3
    Historically, the first rockets were derived from long-range missiles (indeed, the rocket which launched Sputnik was more or less a couple dozen German V2 tied together). The _reentry_ part is a problem, though: once the spacecraft has reached "space", getting back through the atmosphere will destroy it into small, rather harmless pieces, unless it is heavily shielded (see what a flaw in the shield did to Columbia, for instance). – Tom Leek Aug 10 '12 at 11:10
  • That's interesting! Guess there **is good reason** for NASA to be very security-conscious. – pasawaya Aug 10 '12 at 11:37