For hackers, space is the final frontier

From offering joyrides for the ultra-rich to beaming the internet down to Earth, private space companies are very much open for business.

But some cybersecurity experts say this emerging industry is a giant target for hackers. Amid the surge in commercial rocket launches and a recent spike in ransomware attacks, cyberattacks aimed at space systems could disrupt internet access, interfere with the Global Positioning Satellite (GPS) system, and even turn satellites into weapons.

“We should be worried about that if we’re worried about people hacking into our navigation systems. We should be worried about that if we care about our electric grid staying online,” Gregory Falco, a civil engineering professor at Johns Hopkins University, told Recode. “These space systems enable all of this other critical infrastructure that we have, and we don’t even realize it.”

The United States is not currently facing a large proliferation of cyber attacks in space, but satellites have been hacked in the past. For instance, two American satellites used by the US Geological Survey and NASA to monitor climate and terrain were broken into four times over the course of 2007 and 2008. Intrusions and physical attacks on satellites, their connection systems, and the stations on Earth that control them have increased in recent years “probably due to the advancement of the tech being used and the space race,” according to Maher Yamout, a senior security researcher at the Russia-based cybersecurity company Kaspersky.

Back in April, the head of the Space Development Agency, which is a branch of the Department of Defense meant to boost the military’s space capabilities, warned that cyber attacks against satellites posed more of a threat than missiles. The Space Force, which is in charge of overseeing the military’s satellites and GPS, is also boosting its cybersecurity investments. The military is now preparing for the likelihood that there could be more cyberattacks in space, while the federal government urges the growing number of commercial space companies to beef up their cybersecurity, especially as they look to launch more satellites.

SpaceX, Amazon, OneWeb, and others have already launched hundreds of satellites in order to sell internet access around the world — and are planning to send thousands more into orbit. Those will join the thousands of satellites we rely on for everything from telephone service to weather reports to agricultural research. While most people associate satellites with navigation apps, satellites also transmit crucial timing data that’s used to run the electric grid and banking transactions, according to Travis Langster, the vice president of the space situational awareness startup Comspoc.

Our increased reliance on this tech makes the threat of hacking especially worrisome. A hacker could try to access a satellite by targeting a company’s ground systems, and once inside, the attacker could manipulate the communications or controls, download unwanted software, or even tell the satellite to change its course, according to Iain Boyd, the director of the University of Colorado Boulder’s Center for National Security Initiatives.

“It’s the same kind of thing where people are getting into your computer system and behaving badly,” Boyd told Recode. He added that hackers might also attempt to overwhelm a satellite with false signals or impersonate a satellite’s communication — a process called spoofing — to confuse vehicles on Earth’s surface.

These cyberattacks on space systems have been disruptive, but their impact could be catastrophic. For instance, in 2014, US officials blamed China for a cyberattack that forced the National Oceanic and Atmospheric Administration (NOAA) to cut off public access to imagery data from a satellite network used for weather forecasting. Russia has reportedly used GPS spoofing to confuse ships about their actual locations. And in the future, a worst-case scenario could involve a hacker tricking a satellite into crashing into other space infrastructure, according to William Akoto, an international politics professor at Fordham University, who studies cyber conflict.

“You can’t just walk down to the server room and apply a patch to something that’s in orbit,” explained Matthew Scholl, who leads the computer security division of the Information Technology Laboratory at the National Institute for Standards and Technology (NIST).

To address the impending threat of cyberattacks on space systems, the US military earlier this year transferred more than 2,000 cybersecurity experts to the newly formed Space Force. The Air Force, meanwhile, has begun hosting competitions encouraging hackers to break into satellites, with the hope of learning more about potential vulnerabilities. But cybersecurity experts warn that the private space industry hasn’t been transparent about how it’s managing security threats.

“From a commercial standpoint, we have to hope that they’re doing something,” said Falco, the Johns Hopkins professor. “But most commercial companies working on satellite systems have given zero details about anything that they have regarding the security of their space systems.”

Some of these companies are currently hiring cybersecurity professionals. Blue Origin, for instance, has been looking for an information system security officer to find vulnerabilities in the company’s systems, while SpaceX is searching for an information security assurance analyst to investigate the physical and cybersecurity of the company’s supply chain.

None of the companies Recode contacted — Virgin Galactic, Blue Origin, OneWeb, and SpaceX — responded to a request for comment about the state of their cybersecurity.

But as commercial space companies try to staff up their security teams, the federal government is also stepping in to help.

Last year, then-President Donald Trump signed an executive order recommending principles for cybersecurity and space systems, encouraging private companies to take precautions like boosting protections for control systems in their rockets and satellites and deploying antivirus software to protect their ground stations. NIST has developed cybersecurity resources for commercial space operations, including satellites.

In June, Reps. Ted Lieu and Ken Calvert proposed legislation that would classify space as critical infrastructure to boost collaboration between private space companies and the government on cybersecurity matters. The Federal Aviation Administration also helped create the Space Information Sharing Analysis Center (Space ISAC), a collaboration that coordinates with companies across the space industry to share information about potential threats and attacks to their cybersecurity.

“Infrastructure that is distributed globally means that there’s a very broad attack surface,” Erin Miller, Space ISAC’s executive director, told Recode. “We need to be building in and designing cybersecurity capabilities into every single one of our space systems.”

For now, that means that ensuring national security and addressing the cybersecurity challenges of the emerging space industry are one and the same. After all, the growing number of attacks against all sorts of private companies, whether they’re oil pipelines or meat distributors, makes it clear that when firms don’t protect themselves from hackers, the American public can feel the consequences. As more of the tech that powers our everyday lives heads to space, so should the country’s increased focus on cybersecurity.