115

I realise this borders on sci-fi, but there have been some interesting demonstrations regarding security of various satellites.

What would be required to hack a satellite (in general terms, any hack really)? Are they all basically connected in the same way, or would I need different equipment, software, or otherwise? Are there different encryption algorithms in use? What communication protocols would I use? How should I pick one? What are the legal repercussions of doing so?

Generally, I'd like to find out how secure these computers flying above us really are, as not much is discussed about them in terms of security.

This question was IT Security Question of the Week.
Read the Feb 4, 2012 blog entry for more details or submit your own Question of the Week.

Incognito
  • can't tell if troll.... enjoyable question though! – Greg Aug 20 '11 at 11:04
  • 4
    What is the threshold for hijack? Would the ability to execute one or two non-invasive control functions during a specific limited time meet the threshold? – this.josh Aug 23 '11 at 00:24
  • 1
    What type of satellite or can we pick any? Would a complete answer on a satellite with little to no security beat an incomplete answer on a more secure satellite? – this.josh Aug 23 '11 at 00:25
  • 1
    Related article: [Chinese hackers may have attacked U.S. satellites](http://www.pcadvisor.co.uk/news/security/3314034/chinese-hackers-may-have-attacked-us-satellites/) – Jonas Nov 03 '11 at 01:29
  • Related article: [Hack a Satellite while it is in orbit](http://it.toolbox.com/blogs/managing-infosec/hack-a-satellite-while-it-is-in-orbit-15690) – casperOne Feb 02 '12 at 17:43
  • 1
    In lieu of waxing eloquent in a topic that I am only briefly versed, I will defer my response to a DEFCON talk I saw last year that will do at least three things: * Blow your mind * Expose vulnerabilities in Sats * Enlighten your knowledge on the subject in painstaking detail (see item one) Here is the archived talk with video. This is a very nice guy (Matt Krick "DCFlux") that is uber smart. [Moon-bouncer: info and vulns of current sats (from Defcon 18)](https://www.defcon.org/html/links/dc-archives/dc-18-archive.html#Krick) Great talk as are a good portion of DEFCON info (although sometimes – eficker Aug 22 '11 at 20:01

6 Answers

94

Overview

First, I learned a lot of my information from a combination of my amateur radio experience and an awesome talk I sat in at DEFCON 18. The majority of satellite systems are simple repeaters. The signal that comes in on a transponder is cleaned, amplified, and retransmitted. If you know the location and input frequency, and you pump more effective radiated power than anybody else, you win.

Many satellites also require command modules. These are used to interpret instructions to boost back into orbit or at the end of life, de-orbit into a "graveyard" pattern (or right into the atmosphere itself). Because most satellite systems are custom, it is a real crapshoot what you see for commands and security. I suspect that most command sequences are unencrypted and rely on the fact that a MITM attack on something in space is fairly hard.

Frequencies vary wildly from MHz to several tens of GHz. Your equipment needs to put out the right frequency through a dish that is the right size. Legally speaking, you will at a minimum foul the FCC or your national equivalent, by violating regulations on licensed broadcasting. Also, "birds" and airtime are expensive, so the civil liability if found can be bankrupting.

As far as taking a satellite transponder over is concerned, security relies on rarity of attacks, detection, and triangulation of the signal source. Then people come knocking on your door.

Finding a bird

First, you've got to have a target. Some satellites are geostationary, so they're easy. Other satellites have orbits that send them in offset patterns around the world. The satellite will come into view at different elevations in the sky tracing different paths, so you'll need to know where it will be and how it will move in order to communicate.

Communications satellites tend to either be geostationary or part of a cluster of many satellites such that one or more is always in view of at least one ground station and any other point on the planet.

There are websites all over the place for this, and they often end up with military / disavowed satellites listed as people will track them with a telescope and then wonder why that one isn't listed yet.

Talking to a bird: Bands

Satellites operate on different frequencies, and the antenna used has to be sized to the frequency of the satellite. Most satellites operate in the microwave spectrum. The ubiquitous (in the United States) DirecTV / Dish Network antennas are usually on the higher end (smaller wavelength) of the spectrum. Because your signal has a lot of travel in its future and your target is small, your goal is to direct as much power in one direction as possible. Anything sent off to the sides, earth, etc. is wasted energy, so you will want an appropriately-sized high-gain antenna. Antenna design can be learned from amateur radio books on the topic.

Before someone chimes in and says, "You don't NEED a directional antenna and tracking motor," that's true... but it will help a hell of a lot. Just because your spot messenger or GPS doesn't have one doesn't mean you shouldn't use one if you can. It will keep your signal where you want it and limit the possibility of interference from or with other things using the same frequency. It also means that it will be harder for somebody to hunt you down. Being nicked just because you let strangers hear you might have some costs associated.

Talking to a bird: Protocol

Now we're getting a bit trickier. Some satellites are very simple, particularly amateur radio satellites. They receive a signal and they transmit that signal back. There are different variations of protocol, polarisation, modulation (QAM is a good one to understand), etc. If your target does more cleanup than just setting a noise floor and spitting things back out, you'll need to know that information as well.

Higher-level protocols may be standard IP/TCP, plaintext, encrypted, or some totally imaginary 17 bit codeword system that was dreamed up by a guy like Mel.

Taking over

You need to deliver more power to the right place with the appropriate protocol. Because almost every satellite is a custom design, that's challenging. If your goal is beyond simple re-broadcast, you're up against a big black box every time. Computers are small, low-power, and probably have next to nothing on them.

The best bet for MITM

If you can't afford to launch your own satellite, figure out where the ground station is and fly over it. Small aircraft are relatively cheap to rent (under $100 / hour to operate), tethered balloons may get high enough to have an effective angle, and if you're quite sneaky you can put something on the transmitter feed line itself.

Many smaller organizations rent their satellite time. I learned when I was 11 that the guy running the local news station's satellite truck is bored as hell when they're in between shots and will definitely show you all the cool things about his rig. Whatever he's renting is probably one of the easier things to get at because that has to be documented and relatively easy to work with.

cdeszaq
Jeff Ferland
  • 19
    The majority of *telecommunications satellites* may be repeaters, but there are plenty of other types in orbit. – this.josh Aug 20 '11 at 08:46
  • Link to a story about a repeater attack: http://www.atimes.com/atimes/China/GC26Ad04.html – u2702 Aug 16 '13 at 21:00
  • 2
    As for your average GPS receiver not having a directional antenna, the GPS receiver needs to acquire several satellites in order to get a position fix. A high-gain antenna would not allow the receiver to receive signals from multiple satellites simultaneously, and thus would prevent it from acquiring a position fix. Hence, GPS receivers need to use reasonably omnidirectional antennas in order to serve their function. (Now, GPS *ground stations* would be another matter entirely.) – user Apr 07 '15 at 11:29
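
The answer above suspects that most command uplinks are unencrypted and protected mainly by how hard they are to reach; the corresponding defence is to authenticate every command and reject replays. A minimal sketch of that receiver-side check, added here as an illustration and not taken from the answer or from any real spacecraft; the frame layout, field sizes, opcode, spacecraft id and key are all assumptions:

```python
import hashlib
import hmac
import struct

# Hypothetical frame: spacecraft id, counter, opcode, payload length, payload, tag.
HEADER = struct.Struct(">HIBB")
TAG_LEN = 16  # truncated HMAC-SHA256 tag (assumed size)


def build_frame(key: bytes, scid: int, counter: int, opcode: int,
                payload: bytes = b"") -> bytes:
    """Ground side: serialise a command and append its authentication tag."""
    body = HEADER.pack(scid, counter, opcode, len(payload)) + payload
    tag = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag


class CommandReceiver:
    """Spacecraft side: accept only authentic, fresh frames addressed to us."""

    def __init__(self, key: bytes, scid: int):
        self._key = key
        self._scid = scid
        self.last_counter = 0  # highest counter accepted so far

    def accept(self, frame: bytes):
        """Return (True, (opcode, payload)) or (False, reason)."""
        if len(frame) < HEADER.size + TAG_LEN:
            return False, "truncated"
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self._key, body, hashlib.sha256).digest()[:TAG_LEN]
        # Verify the tag in constant time before trusting any header field.
        if not hmac.compare_digest(tag, expected):
            return False, "bad tag"
        scid, counter, opcode, length = HEADER.unpack_from(body)
        payload = body[HEADER.size:]
        if scid != self._scid:
            return False, "wrong spacecraft"
        if length != len(payload):
            return False, "length mismatch"
        # A recorded frame re-sent later carries a valid tag but an old counter.
        if counter <= self.last_counter:
            return False, "replayed or stale counter"
        self.last_counter = counter
        return True, (opcode, payload)


def demo():
    key = bytes(range(32))  # constructed test key, not a real one
    rx = CommandReceiver(key, scid=0x01A5)
    good = build_frame(key, 0x01A5, 1, 0x21, b"\x00\x10")
    # Sender without the key: a well-formed frame with a tag from another key.
    forged = build_frame(b"\x00" * 32, 0x01A5, 2, 0x21, b"\x00\x10")
    # One header byte flipped in transit (the length field).
    tampered = good[:7] + b"\xff" + good[8:]
    return [
        rx.accept(good),       # first delivery is accepted
        rx.accept(good),       # same frame again is a replay
        rx.accept(forged),
        rx.accept(tampered),
        rx.accept(good[:10]),  # cut-off frame
    ]


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The tag gives authenticity and integrity, not confidentiality. A flight implementation would also need the counter to survive reboots and a rekeying procedure, neither of which is shown.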
27

What would be required to hack a satellite (in general terms, any hack really)?

When it comes to satellites, the word general does not apply. Almost every satellite, with very few exceptions, is custom. Even the currently orbiting GPS satellites are not all the same: there are GPS IIA, GPS IIR, GPS IIR-M, and GPS IIF. I would venture that even satellites of the same type have minor variations. The only exception I would think would be the Iridium satellites. They may be highly similar because of the number launched at once, the short time between successive launches, and the lower value of each individual satellite.

Specific satellite or target of opportunity?

If you want to target a specific satellite you may need to travel to a location appropriate for interfacing with the satellite: either a location in the satellite's 'shadow' or to a command and control facility. Not all satellites have full earth coverage, so if a satellite you want to target does not fly over your location you will need to go where it does.

If you are looking for a target of opportunity then pick your location and find what satellites cover that spot. Realtime satellite tracking is available from several websites like http://www.n2yo.com/.

Command and control center

One way to take control of a satellite is to take over the command and control center. All the equipment is set up and available. Command and control centers vary in the level of security they provide, but a good guess is that CubeSat operation centers have poor security. http://csmarts.colorado.edu/for_operators/CGS-SYS-101.2BoulderGroundStation.pdf describes the equipment and configuration of a CubeSat operations station.

Direct communication

To communicate directly with the satellite you will need RF transmitting equipment with sufficient power and frequency range. To find the frequency range identify the type of satellite and look up what frequency range that type of satellite has allocated for Earth-to-space communication. https://web.archive.org/web/20141116185855/http://www.ntia.doc.gov/files/ntia/publications/lrsp5c.htm is a good reference.

Are they all basically connected in the same way, or would I need different equipment, software, or otherwise?

No, with potentially some exceptions, satellites are different even if they are of the same type. Suppose you launch a satellite which is going to be 1 of 6. You get it into orbit but when it achieves orbit you find that your uplink bandwidth is poorer than you expected. Likely before the launch of satellite 2 you will make some modifications. And when satellite 2 achieves orbit you find that it has difficulty when achieving max transmit power in some frequency range. Depending on the time between successive launches each satellite will get tweaked. Oh, and then you can update their software. Satellites are no longer doomed to run the same software forever, they can be updated, and if a security vulnerability was discovered they could be 'patched'.

Antenna

From http://cubesat.wikidot.com/coms-ground-definition

"The antenna diameter, D, required for any particular mission is primarily a function of maximum satellite range, d (km), carrier frequency fc (Hz), data rate b (bits/s) and satellite transmitter power tp (watts)."

Once you identify the satellite you need to find its altitude. Most commercial, scientific, and educational satellites and their orbits are listed in NASA's NSSDC Master Catalog. However it may be more difficult to locate the frequency range the satellite uses to receive commands from the ground. A good starting point is to look up the frequency spectrum allocated to the class of satellite.

For example

http://www.gb.nrao.edu/IPG/Interference/Spectrum%20Summaries/KuBandAllocation-1.htm

indicates that 14.0 - 14.2 GHz is allocated to Radionavigation, Space Research, Fixed Satellite (Earth-to-Space) and Mobile Satellite (Earth-to-Space)

The Earth-to-Space is the uplink to the satellite, so this is a good range to try.

Are there different encryption algorithms in use?

Likely. Remember that a significant number of those satellites are government owned (Russian, USA, France, Japan, China, India, Israel, Ukraine, Iran). I suspect most of those government satellites use encryption, and I couldn't even guess what encryption some countries would use.

What communication protocols would I use?

The protocol of the satellite you are targeting. One of the few well agreed to standards is frequency range. Then it depends on who launched the satellite and for what purpose.

What are the legal repercussions of doing so?

I'm not sure, I may get back to you on this one.

Generally, I'd like to find out how secure these computers flying above us really are, as not much is discussed about them in terms of security.

Given that not much is publicly discussed about satellites in general. The review of a satellite system depends on its value and cost. I don't think that there is any part of a satellite system that costs hundreds of millions of dollars ($US) or even billions of dollars ($US) that isn't well reviewed.

pacoverflow
this.josh
  • Holy sh*t. Do you work for NASA? You know more about hacking satellites than [Mr. Robot](http://www.inquisitr.com/2198929/mr-robot-hi-tech-computer-hacker-tv-show-series-rami-malek-premiere-usa-network/)! – J.Todd Sep 21 '15 at 03:09
12

In addition to the low-cost solutions presented in other answers, which rely on beaming signals at the satellites, there's the (significantly, like many orders of magnitude) more expensive technique borrowed from Ian Fleming's Moonraker of going up there and stealing the thing. You don't even really need to get it back, just pointing it in the wrong direction or giving it a nudge will be enough to deny service.

Satellites have basically no physical security, except that it's expensive to get to where they are. Once you've overcome the cost barrier, you can swap bits out, push them into the atmosphere or whatever. While this is probably beyond the means of most individual hackers and criminal organisations (the fictional SPECTRE notwithstanding), a government could probably do it to another government's satellite. The theory is that you put a space plane into a polar orbit that looks like some reconnaissance or scientific mission, but fit it with the capability to change orbit such that it can intercept your target bird. It might then photograph, nudge or ram the other satellite. You do it while both devices are "round the back" of the planet, hoping that the owner of the victim bird doesn't have good surveillance of that portion of space.

Another capability that the US has demonstrated is crashing into the target with a rocket using their SM-3 weapon. This is much cheaper than the above plan: you don't even need any explosives because satellites are so flimsy the initial impact will do all of the work. It's still likely more expensive than misusing the satellite's control communications; it's also hard to repudiate such an attack.

  • 3
    The physical security provided by being in orbit is more than just expensive. It requires the cooperation of several experts in orbital physics, special material engineering, a launch facility, fuel sufficient to achieve 320+ km orbit with a velocity of 7.8 km/s. A control station capable of sending and receiving RF communications to the intercept vehicle. If the intercept vehicle manages to match the target's orbit and speed, it still needs to remove the target's protective covering without significant damage, and attach electrical connectors to the target's circuitry. – this.josh Aug 21 '11 at 06:05
  • 4
    @this.Josh that's "just" expensive, but also hard to repudiate. "_What_ 220-ton rocket, officer?" Btw I wouldn't worry about your orbital physics expert, you can do it with high school maths. –  Aug 21 '11 at 08:02
  • 2
    If you consider acquiring the cooperation of the relevant experts an expense then yes, you are right. I am skeptical that modeling a satellite's orbit to allow a satellite intercept vehicle to match orbit and velocity at a distance of a few meters can be done with high school maths. Especially given the irregular shape of the Earth, the non-uniform distribution of mass of the Earth, the non-uniform distribution of atmospheric density (for LEO), photon pressure due to solar radiation, gravitational pull of the Moon, gravitational pull of the Sun, etc. And yes there is no repudiation. – this.josh Aug 21 '11 at 08:24
  • 12
    @this.Josh all I'm saying is, it's hardly rocket science. –  Aug 21 '11 at 08:39
  • Another possibility is simply detonating one of your own satellites that is already up there like this: http://www.npr.org/templates/story/story.php?storyId=6923805 and hoping the space junk does something or even (and I don't think this is far off from now) HK satellites that run about knocking other satellites outside of escape velocity or into a terminal descent. Kind of related to your answer... – RobotHumans Aug 22 '11 at 20:29
8

First of all, I'm not an expert on hacking satellites, I don't know how to turn a GPS repeater into a Death Star. What I find interesting is space exploration, travelling into space and so... Everything I'll write here is just something I read somewhere and it's all hypothetical.

Satellite hacking (yeah, I know it's not quite the same as hijacking it) is something that has been known for quite some time and it's very popular among narco cartels, but also among "ordinary" people to get in touch (I guess Skype is too lame for them). Anyway, earlier this year, there was a huge police raid in Brazil on so called "satellite pirates" who used US military satellites, FLTSAT-8 and UFOs (yep, UFOs do exist and they are in the service of Uncle Sam). How did they hack the satellites?

To use the satellite, pirates typically take an ordinary ham radio transmitter, which operates in the 144- to 148-MHZ range, and add a frequency doubler cobbled from coils and a varactor diode. That lets the radio stretch into the lower end of FLTSATCOM's 292- to 317-MHz uplink range. All the gear can be bought near any truck stop for less than $500. Ads on specialized websites offer to perform the conversion for less than $100. Taught the ropes, even rough electricians can make Bolinha-ware.

Source: Wired.com

I know this is a little off-topic, but just to illustrate how hard it is to get a military bird - to hack a Predator (MITM attack to get video feed), you only need $30 software (source, software is called SkyGrabber).

Another example of hacking a satellite, this time non-military, is Galaxy 15, which in April of 2010 went rogue. In this case, the satellite just stopped responding to C&C (command and control) commands while its systems were 100% functional. The interesting thing here is that the only counter-measure to this state is rebooting the system (they tried about 150k-200k to restart the satellite - source).

All in all, to hijack (or hack) a satellite is not a sci-fi scenario. Don't get me wrong, it's not that the companies and governments who are responsible for them are careless. C&C HQs and signals coming from them (which are encrypted) are not the problem. The weak link is the satellites themselves. When you build a satellite, you don't care about security (so to speak), but you care about MTTF (mean time to fail) and MTTR (mean time to repair). In the perfect case scenario, you want a satellite that will work from day 1 to doomsday and beyond. If a satellite malfunctions, the cost of repair is very high and it can't be repaired immediately. There are also risks that it can crash to Earth or flow into deep space. In any case, if the satellite is not working, you are losing a lot of money, time and, possibly, reputation. And with this in mind satellites are built.

Also, keep in mind, satellites are nothing more than a little bit overclocked radios (so to speak) and every radio can be jammed. The only thing you need is just to feed the satellite with random signals and it will be jammed. This is a well-known problem among amateur radio enthusiasts, who are jammed by more powerful signals from professional users (like TV stations). In one article I found, the following is said about this problem.

Analysts said there are several ways satellite systems can be disrupted. With sufficient power from a satellite dish on the ground, an orbiting satellite's signal can be blocked. "One way is simply brute force, by sending a signal up to a given satellite and jamming it," said Steve Blum, president of Tellus Venture Associates, a satellite consulting firm. "That's nothing new. That's as old as radio itself." Experts said that occasionally happens by accident, but jamming a satellite is easy to trace and communications services, such as TV signals, are rarely disrupted as programmers and providers usually have backup capacity on other satellites. The computer systems used to monitor and control the satellites also pose a potential weak link; although most are housed in secure facilities, in theory they could be infiltrated, Blum said. But industry sources said many of the potential pitfalls are not unique to satellites. Smaller radio stations have been known to have their signals blocked by more powerful transmitters. And hackers could just as easily attempt to break into the computer systems of a cable operator in an attempt to shut down services to a certain neighborhood.

So basically, what you are doing here is jamming the uplink and/or downlink (something like a DoS attack). To do this, you only need your own antenna.

Another attack which can be performed is an orbital positioning attack (source). In this case you are feeding your target with false responses and the satellite is "confused" and "lost" (it doesn't know its location).

StupidOne
6

You probably have read this news a long time ago: http://news.cnet.com/Satellite-hack-raises-security-questions/2100-1033_3-222516.html

Britain's Ministry of Defense is denying that the nation's military satellites were hacked, but the reported disruption raises questions about the security of all satellite-based communications services.

...

Analysts said there are several ways satellite systems can be disrupted. With sufficient power from a satellite dish on the ground, an orbiting satellite's signal can be blocked.

"One way is simply brute force, by sending a signal up to a given satellite and jamming it," said Steve Blum, president of Tellus Venture Associates, a satellite consulting firm. "That's nothing new. That's as old as radio itself."

Do some research about it and you'll find interesting facts...

You can also begin looking at satellites' positions in the sky: http://www.n2yo.com/?s=26038 and verify some information about them. You'll find that some satellites have nuclear protection, for example.

Polynomial
woliveirajr
  • 1
    For good reason. The 1962 Starfish Prime test ["crippled one-third of all satellites in low earth orbit"](http://en.wikipedia.org/wiki/Starfish_Prime). – this.josh Aug 23 '11 at 21:14
  • 1
    @this.josh there's a video of that presentation as well out there. – Incognito Aug 24 '11 at 00:15
  • 3
    What do you mean with "nuclear protection"? Hardened electronics to thwart against EM shock of a nuclear blast? Isolation to protect against nuclear blast radiation? Because ALL satellites have such protection in place, and it's usually referred to as [Radiation Hardening](https://en.wikipedia.org/wiki/Radiation_hardening) (many, many ways to achieve that tho, with various certifications, e.g. "rad hot", "rad tolerant", "rad hardened",...). This comes down to the fact that our Sun is one giant fusion reactor and the rest of the stars et al. emit wave and particle radiation too. – TildalWave Oct 07 '14 at 11:43
6

What would be required to hack a satellite (in general terms, any hack really)?

Just answering to 'any hack'. It is possible to use a satellite to get a completely anonymous connection to the Internet that is untraceable, because the IP address you are using is the IP address of the satellite. Tutorial here. Note: do not try this, it is totally illegal.

jones
  • 1
    Would the satcom not keep a log of connections? – Incognito Aug 23 '11 at 12:53
  • It would, but it wouldn't be triangulating because it is a directed signal. Say you are in New York: as far as the satellite is concerned you could be in Iceland or Florida. – jones Aug 23 '11 at 13:56
  • 1
    You do realize that you are only getting downlink from the satellite, and packets you transmit need an Internet entry point. [The document](http://www.blackhat.com/presentations/bh-dc-10/Nve_Leonardo/BlackHat-DC-2010-Nve-Playing-with-SAT-1.2-wp.pdf) even says `Of course our ISP must allow IP spoofing` on page 14. – this.josh Aug 24 '11 at 04:49
  • 3
    How is it not traceable if we have to use our own ISP for the uplink? – user606723 Aug 24 '11 at 18:00