Zero Gravity Exploits: Reverse Engineering and Fuzzing Low-Earth Orbit Satellites
Satellites play an essential role in our modern lives, providing critical services such as telecommunications, global navigation, and earth observation. Recent developments taking place in the "New Space" era have skyrocketed the number of satellites in orbit, especially in Low-Earth Orbit (LEO). Although these satellites often provide critical services, little research has reviewed their security. We are the first to conduct an in-depth security analysis on these LEO satellites by reverse engineering, analyzing, and fuzzing onboard firmware of multiple satellites.
Beginning with an exploration of satellite architecture and satellite-specific software aspects, we use an active European Space Agency (ESA) satellite as a running example. We dive into reverse engineering the satellite software, focusing on the satellite's command-and-control logic; this logic is key to exploitation as it processes telecommands sent from the ground station, which are used to operate and control the satellite remotely. We then present our manual code analysis scheme and the vulnerabilities we found; when chained together, allowing us to take over the satellite. Following this full compromise of our running example, we will discuss how to utilize firmware fuzzing to uncover interesting vulnerabilities in several satellites. We highlight satellite-specific aspects for firmware fuzzing optimizations and how we fuzzed a complete satellite firmware image. We then put the vulnerabilities to the test by live-exploiting a satellite’s digital twin. The vulnerabilities allow us, an unauthenticated and external attacker, to hot-patch the satellite and to lock out the original operators.