Unencrypted Flying Objects: Security Lessons from University Small Satellite Developers and Their Code

TL;DR

This paper investigates security practices of university small satellite teams, revealing widespread vulnerabilities and emphasizing the need for improved security measures in amateur satellite development.

Contribution

It provides insights into current security practices, identifies vulnerabilities, and offers considerations for enhancing security in small satellite development.

Findings

All teams had vulnerabilities accessible to ground-based attackers.

Security practices vary widely among teams.

Participants recognize significant security risks and shortcomings.

Abstract

Satellites face a multitude of security risks that set them apart from hardware on Earth. Small satellites may face additional challenges, as they are often developed on a budget and by amateur organizations or universities that do not consider security. We explore the security practices and preferences of small satellite teams, particularly university satellite teams, to understand what barriers exist to building satellites securely. We interviewed 8 university satellite club leaders across 4 clubs in the U.S. and perform a code audit of 3 of these clubs' code repositories. We find that security practices vary widely across teams, but all teams studied had vulnerabilities available to an unprivileged, ground-based attacker. Participants foresee many risks of unsecured small satellites and indicate security shortcomings in industry and government. Lastly, we identify a set of considerations for how to build future small satellites securely, in amateur organizations and beyond.