Hi, it's Weskasova. We're taking a break this week, so here's one of our favorite episodes you might have missed and an update. Since this episode aired, the US is now trying some creative ways to defend satellites from hackers. In August, the US Air Force and US Space Force hosted a cash prize competition at the Defcon hacking conference. Teams tried to hack a live satellite in orbit for the first time. The winner was a team from Italy.
I was able to see the sort of traffic people were sending over their satellite Internet connections, so stuff like text messages from people who were using in flight Wi Fi services, or things like passengers on cruise ships when they were making payments at point of sale systems. Also a lot of like passport numbers, really concerning data to be getting in clear text.
From Bloomberg News and iHeartRadio. It's the big take. I'm west Kosova today. The latest target for hackers satellites. Thousands of satellites circling high above our heads make it possible to do many of the things we take for granted every day. When you send it text, find your way with Google Maps, use your credit card. Even check the time on your phone, Chances are some bit of your info was beamed up to a satellite from one place and beamed back down instantly to where it needed to go.
The downside to this invisible miracle of technology, satellite systems aren't always as secure as they should be, and this means they can be easy targets forers looking to steal information for profit, or governments looking to steal secrets or cripple the communications systems of their rivals.
What's so extraordinary is it seems that the Russians, if it were them, were prepared to take extraordinary risks because they were aiming for the Ukrainian military.
That's my Bloomberg colleague Katrina Manson. She investigated a real life example of this, a mysterious satellite hack on the day Russia invaded Ukraine, and she joins me now to tell us what she found. Katrina, can you start by describing the satellite hack that happened in February of twenty twenty two, just a little over a year.
Ago, as Vladimir Putin was saying he was launching a special military operation on Ukraine. Ukrainian military communication connections that rely on modems that link up to a satellite were going dead, and it turned out the like communications were going dead across Europe. These are all broadband Internet connections that rely on one single satellite, and it provides satellite connections to more than one hundred thousand users across Europe.
But specifically, the thing that mattered so much to the Ukrainian military. So imagine military are often in frontline positions in remote locations where they can't get Internet the usual way you would through a static connection. This allows you to dial up essentially to connect to a satellite more than twenty thousand miles up in space, and that's how you get your Internet connection. And that's what went dead
across Ukraine and Europe. Now, this satellite is owned by a company named Viasat, that's a US company based in California, so a continent away. Users who rely on that satellite, their connections started going dead.
So when that happened, what actually was happening? Why were these connections going dead?
After a lot of research and forensic analysis and all the things that people have to do to what's called reverse engineer a hack like this, and it turns out to have been a very complicated hack attackers breached what's called a VPN, a virtual private network that's an entry point into a network that is meant to be secured. It wasn't. There was what's called a misconfiguration. We don't
have much more information about that. They got into the network and then they moved across the network again, another thing they shouldn't be able to do. There should be doors, as it were, fire doors preventing you from making the next move. They get to a network management server that's essentially something that controls the flow of information. They put in a malicious software toolkit that's basically the bad instruction, and then that bad instruction is sent to modems across
Ukraine and Europe and it wipes the modems. It overwrites a part of the modem which is used for memory, and the modems are no longer operable, they can no longer make that connection to the satellite. The rest of the system get online. So essentially a piece of malware was distributed throughout the network and it fried the modems. It's a really extraordinary attack because people connect to the
Internet through the satellite just via your home modem. That's the same thing that gets the Internet signal into your house and then it's often distributed through a router so you can connect via Wi Fi. That was the ultimate target of the attack. So more than forty five thousand modems that connected this satellite system effectively were wiped and when they were wiped, they couldn't make the connection.
So they determined that this was a hack. Do they know who did the hacking?
Well, interestingly, Viasat, the company that owned the satellite, and its partner, you tell Sat, that's a French company that ran the network in partnership with Viasat, have never said They have only ever said attackers. When I press them, they explain that they are quite cagy in order to preserve the network. What did happen is it fell to countries. It fell to the European Union, to the US, to the UK, Australia and Canada to blame Russia.
On what basis did they blame Russia for being responsible for this attack?
US intelligence spent something like four weeks looking into this attack. At the moment that the attack happened, Viasat told defense contractors and the US government through a specific way that they share information because that same satellite that provides your average Internet for users at home who just want to stream movies or just go on the Internet. That same satellite also provides sensitive government services. It's a different part
of the satellite. But Viasat immediately informed its government partners, and the US launched an intelligence investigation into what had happened, So did intelligence services in France and the UK, and after four weeks US intelligence determined that the GRU were the attackers. The GRU is a Russian military intelligence unit that has acquired quite a reputation for hacking.
Do they say with certainty that it was the Russians or they just suspected? How were they able to determine that it was actually the GRU.
They haven't said much about that, and in fact, in the public attribution, I think it's only one country, Estonia, that has ever publicly labeled it as the GRU. So all of these assessments have stayed private. But the EU blamed clearly Russia. Others blamed Russian military hackers. So there's a range of public attribution, but the private work of the intelligence community is not something that anyone's made public.
And I imagine that the Russians take exception to this conclusion.
I did speak to the Russian embassy in Washington, DC, and the statement they sent me I think said, this is total nonsense.
Internet users who were customers of this satellite had their Internet knocked out, but they weren't really the target of this hack, is there, right?
Yeah.
What's so extraordinary is it seems that the Russians, if it were them, were prepared to take extraordinary risks because they were aiming for the Ukrainian military communications and that's what was knocked out. But there was what's called overspill. So I'm told that they knew that the attack that they pursued would affect other countries. And not only did it affect other countries, they were NATO countries. And it wasn't just people sitting at home. It was critical infrastructure.
So five eight hundred systems that monitor wind turbines in Germany and across Europe, those monitoring systems were knocked out. That counts as critical infrastructure, which is protected, and the other is just sitting at home being on internet. Internet communications are considered critical infrastructure. All of that is significant because it raises the question of whether NATO had any responsibility or potential to respond. Article five, which is that
mutual defense clause. The idea that if one is attacked, everyone is attacked and you can respond has been very clearly expanded to include cyber No one's ever acted on that yet, but of course there was potential for NATO to say, we too have been attacked.
What was the fallout, what eventually happened, How did they or did they fix the problem?
They ended up having to send out more than forty five thousand modems and this took weeks. They say that they prioritized getting modems to Ukrainian distributors, so that was their main effort. And then I think the other thing that's really interesting is the US led a quiet diplomatic
campaign over the course of six weeks. Once they got that internal decision or assessment that it was the gru the Russians military hackers who were responsible for this, they tried to convince the European Union that this was the case as well. They shared tech nical information, and then they went above and beyond and shared additional intelligence information with two key members of the European Union who were also the biggest victims of this attack outside of Ukraine,
France and Germany. And that is so important because they are also the most influential members of the European Union, and they have also historically been very reluctant to blame anyone for attacks in public, even if they reach that same assessment in private. They don't tend to attribute attacks because of two main reasons. Really. One, you can make things worse, you can incite attacks against yourself, and you could be wrong. It's quite difficult to do attribution, and
a lad a third. Germany in particular was navigating very complex relations with Russia right at the start of that invasion because it took them so much by surprise, and figuring out what their response would be of course changes the rest of European history.
In the end, did the ledged target of this attack? The Ukrainian military suffer big setbacks in the early days of the war because of this. Was it successful in carrying out what it was trying to do.
One senior Ukrainian cyber official said, they suffered a really huge loss in communications at the start of the war. That's pretty much the most they've ever put on record about this. My understanding is that two main things were affected. Military communications, command and control, your ability to reach your frontline troops and say move your troops here. Really really matters at the start of any invasion, and particularly this invasion, which as we know now, the Russians were intending to
take the capital within three days. This was intended to be a blitzqueak, So disabling satellite communications and the ability for the military to move around and respond was an attempt to stave off any counterattacked by the Ukrainians. Ultimately it did not work, but that was what I'm told as the intention. The other thing is the drones for espionage for tracking, where the Russians are rely on satellite Internet,
and I'm told that it affected that as well. I think what's interesting about this is the Ukrainians were able to come back very very quickly, essentially because of a tweet to Elon Musk and saying can we please have Starlink. Starlink is the satellite system owned by SpaceX, that's Elon
Musk SpaceX that provides equivalent satellite Internet. It works in low Earth orbits, so it has multiple thousands in fact of satellites circulating the Earth, so it's harder to take out a single satellite, whereas the Viasat system relied on a geostationary satellite much higher up than just that one single satellite. VIASAC continues to face threats against this network. They told me they face ongoing and dynamic threats even
up to today. So although nothing has been successful at all in the way that that February attack was last year, it certainly could conceptually happen again.
Our conversation continues after the break Katrina, what are governments and companies doing to try to harden their systems to thwart future attacks.
I think the answer there is not enough. That's certainly what the researchers I speak to are saying. But there is a push to develop standards. These are minimum cybersecurity standards that affect all parts of code in the satellite, encrypting data in that link, raising standards across the board. But this is a process that is really just beginning. Today's something like five thousand active satellites in orbit around
the Earth. That's already a huge amount to try and protect, given you also have all the associated systems that make them work. This is growing so fast that I think that's why it's been such a wake up call to the industry. By twenty thirty, some high end estimates suggest that there could be one hundred thousand active satellites in orbit, so from five thousand to day to one hundred thousand in the space of seven years. This problem is so set to rise, and there are so many different ways
to attack satellites. Way back at the beginning of the space age, no one even conceived anyone would be hitting. And it turns out that I've spoken to hackers, individual hackers, security researchers who've proved, who've shown that each of these is vulnerable.
What are some of the things that all these satellites are doing.
Well, there's Internet, that's one. There's satellite TV, there's earth observation, earthquake monitoring, spying. The US has its own spy satellites. But it was explained to me that every single element of the US economy that matters, whether it's chemical, industrial processes, looking for oil, even atomic clocks. So the way we get our time, the way cash machines function, the way you get gas at the pump, everything now depends on satellites.
What are the things that you're paying especially close attention to Given everything that you're describing here.
I think I'm really interested in any time China puts up a system that could potentially be independent of the US anytime China has a relationship with a satellite company. All of those things are areas that I think you'll see the US government look at more and more, and really a push from the US government to see how far they're going to squeeze industry to actually do anything
about this. A White House official told me that companies need to radically improve the security of satellite ground systems, and that they even go to companies on occasion and tell them, hey, we've discovered a vulnerability. You need to patch this, And they don't want to say it in public because that would raise awareness of vulnerability that could be exploited by attackers. They tell companies in private, and they say sometimes companies do not take that advice and
do not patch. And I think companies would have just as many criticisms back if they were speaking freely of the US government too. And so that relationship between government and commercial satellite players has got to get if it's to be solved a lot closer. They haven't quite got the level of trust that I think everyone would want.
And there's a problem with classified briefings A lot of this information is classified, and yet a lot of the hacks are happening on a commercial sector, so really breaching that gap needs a lot more work.
Katrina Manson, thanks so much for talking with me today.
Thank you for having me.
Let's hear now from someone who knows how easy it can be to hack a satellite because he's done it himself. James Pavor tapped into commercial satellites as part of his PhD program at Oxford University. He now works on satellite security for the Pentagon. James, let me just start by asking you first, how did you become a hacker.
I've been doing computer security stuff basically since I was a child. So when I was like in middle school, I was playing around with like shutting down people's computers while they're sitting next to me in the labs, that kind of like little Windows hacking type thing. And I've just always been really interested in seeing how things work under the hood, and as a hacker, like exploiting things is all about like understanding technology behind the scenes, and
so that's really been super interesting for me. It's just always been like figure out how something works and then figure out how you can break.
It, and then you took that kind of plane around as a kid. Much more seriously a PhD now from Oxford, and as part of that dissertation, you actually were hacking satellites for real to show vulnerabilities. Is that right?
Yeah? Exactly so. Over the course of my PhD at Oxford, I focused on satellite system security, and in particular the like radio signals that come to satellites from Internet users and like satellite broadband services. When I say satellite broadband services, what I really mean is basically when you're using a satellite to get Internet access, and typically that means that you send a message up to the satellite, which is like get me this website, and the satelle ight. It's
basically a bent pipe. You can think of the satellites as fairly dumb objects. They receive data on one antenna and then they take the data they receive and send it out on a different antenna basically, and they do no thinking, no processing, at least for Internet satellites. So they're just a pipe. You put information in one side and it comes out another side, and the only difference is when it comes out it covers a huge area. And so when you send Internet requests up to a satellite.
You're just pumping information into this pipe and then it's coming out the other side to your internet service provider. And when you get a response, like a web page you've downloaded or a document you've received, it's the same thing. The service provider is putting it into one end of the pipe and then it's coming out at the broad
end to your dish. The interesting thing about satellite services is that beam that comes back down to you can cover like a third of the Earth's surface, So an attacker can be thousands of miles away and getting that information. So I bought some gear and pointed at its satellites
and tried to interpret what was going on. And it turns out that there's like lots of really interesting and really sense of information in these signals that an attacker with like relatively inexpensive equipment can get access to.
So you said you bought equipment, what'd you buy? I mean, is it like, you know, going on Amazon just getting common stuff?
Basically, Yeah, so about four hundred dollars in home television equipment, the kind of satellite dish that you'd see on someone's house if they had satellite internet service. And then a special card that is designed to like let you watch satellite TV on your computer, but I basically repurposed it to take these Internet signals and get them in a
format I could mess around with. I pointed my dish at satellites in geostationary orbit, so that means they're thirty thousand kilometers above the Earth's surface, and they basically don't move. They're always in the same spot in the sky, which makes them pretty easy to find and intercept signals from.
And these were primarily like broadband Internet services, and I was able to see the sort of traffic people were sending over their satellite Internet connections, So stuff like text messages from people who were using inflight Wi Fi services when they're on like Transatlantic flights, or things like passengers on cruise ships when they were making payments at point
of sale systems. So also a lot of like passport numbers, so when like crews, especially like cargo vessels pull into ports, they'll send information about everyone on the ship to the
port authorities. That's typically over a satellite feed, and so it's pretty easy to identify those messages when you're like listening to the satellite traffic and just get like a list of everyone on the crew and when they were born and what their passport number is, Like, really concerning data to be getting in clear text.
Did it surprise you how much you were able to get?
Yeah, I was stunned. I think that a lot of it comes from an assumption that you would need much more expensive equipment. The gear I used was very unreliable if I wanted to use it to actually be a satellite Internet customer. When it worked, because I was missing a lot of packets, there was a lot of corruption. But what I was able to do is basically reconstruct enough of the transactions, like enough of the data that I could start to get interesting information. Because a hacker
doesn't need one hundred percent reliability to succeed. So the change in the model was this idea that you could get away with a lot less if you're just trying to be disruptive.
So here you are hacking these satellite signals and you're doing it for academic purposes to show how vulnerable they are. But if you were doing it for nefarious reasons to try and steal this information, you would have had a lot of stuff that could have caused people a lot of.
Trouble definitely the data that was in there. I'm glad that as a security researcher, I was able to kind of get to it first and share it with the satellite internet service providers and kind of raise awareness about this vulnerability so that they could work towards fixing it, because I think adversaries, when they get access to data like this, could cause a lot of harm.
So when you went to companies like that, what did they say. Were they alarmed? Did they immediately patch it?
It was a mix of reactions. There are some companies that were fantastic. They were immediately like, thank you for sharing this information, We'll get right on fixing it. And I think they did end up making improvements to their security. They ended up checking what kind of data they were sending. There were other companies that either ignored the research, like never responded, or there were even some who like threatened
to sue us. So whole gamut of different things. But I think that's just the nature of like offensive security research and vulnerability research is that you kind of play a game where people may get very defensive or very hostile to your findings, but it's still important to get it out there, so people can kind of if they want to choose to fix things, at least they know what they should be fixing.
We'll be right back. Now that you've completed your research, you have your PhD, you've gone to work with the Pentagon, What exactly are you doing for them?
I work at the Chief Digital and Artificial Intelligence Office, which is a new office within the Office the Secretary of Defense, and my agency within that is called the Directorate for Digital Services. And it's a pretty generic name
because the job is incredibly broad. It's a lot of like emergency engineering, like something pops up in the world that needs something built, coded, or developed within like forty eight hours, and so instead of like going to defense contractors, we have like in house engineering expertise who can build
that kind of emergency tech. So obviously I can't go into a ton of detail about all the projects I work, but it's a lot of just like really rapid organic software development and security work and advisory work for like very impactful topics.
What attracted you to the Penyan I.
Think for me, the opportunity to work as a civil servant in government is really compelling because you're close to the decision makers who are kind of deciding what the future of in this case the military will look like. And having a seat at that table and having a voice in those conversations can be a much bigger impact than simply like finding vulnerabilities at a big contractor and
then selling them off. So for me, that's what really matters, is this idea that I could shape a safer future by being in the room when those conversations are happening.
So walk us through how satellites actually work, What are the different components, and where are the places that are vulnerable.
To hacking you can break satellite security into. I guess there are four domains that I like to think about. One is the ground systems, So those are the devices that users use to connect to the systems. Think like a starlink modem or a ground station that's run by a satellite service provider to collect data from their satellites. And when you're hacking ground systems, typically it's going to
look a lot like bread and butter hacking. You're going to be targeting like the Windows computer that's plugged into the satellite antenna and using your Windows malware to exploit it. Then there's the communications link so that's the radio signals that go from a ground station to a satellite, and that's what I was looking at in my PhD thesis. For the most part, that's often like radio signals engineering
type work and kind of looking at communications security. Then there's the bird, so there's the satellite in orbit, and there's kind of a zone of trust. Once you're on the satellite. Everything on the satellite trusts everything else in the satellite. So if you were to like compromise a camera on a satellite, you could send instructions to a flight controller because they're all plugged into the same like bus, which is basically like a wire that sends messages from
devices to other devices. And so when you're thinking about like satellite security, it's often about compromising these embedded systems in orbit. And then the last topic area is kind of this broader like policy domain in terms of how people interact with and regulate satellites. I did some research on my PhD on space situational awareness data, for example, which is how countries tell each other what space debris is out there, so we don't like crash into the
debris and cause damage to the space environment. And so I looked a lot at like what happens if countries lie to each other? How could those lies be detected? And that's kind of more ephemeral. There's not like a part of the satellite you can touch that is that, but it's still an important component of space security.
James, which of those four areas of vulnerability you're describing the easiest for hackers to pry their way in.
I think the vast majority of historical attacks on satellites have been against either the radio domain, primarily jamming attacks, So a lot of countries, as a mechanism of censorship or protest, will jam other people's satellites, and that's been going on for decades. And then there's also the ground systems, because there's so much like traditional IT systems with just
like Windows computers plugged into a satellite antenna. It's easy to either accidentally hack them if you're just doing like a broad attack, or to find and hire the expertise you would need for a more targeted attack against those.
So what can companies governments do to protect satellites actually enhance the security so this sort of thing doesn't happen.
I think that opening up a little bit to security research is a big step in that direction. The industry has gotten by for a long time on this assumption that satellites are so expensive and so complicated that no one will ever be able to hack them, and that has sort of been true. But as technology has advanced and satellites have become more and more like other Internet
of Things devices, basically that's getting less true. And there are transferable skills hackers might develop that can be applied to satellites, and so I don't think the space industry can continue to kind of hide in the shadows and
get by with their easier targets. So no one's going to bother with us, and so relying on like open source protocols that can be validated at like source code level for their communications, and relying on open firmware and operating systems that people can test and prove or secure will go a lot further than hoping that your embedded proprietary software will just never be figured out by an adversary.
I think that, like, there are tons and tons of people out there who would love to hack satellites, who would love to do research for free as basically a donation to the world to make it more secure because they think hacking satellites is cool. Don't think I'm the only person like that out there. I've met other people
like it. And if the space industry gives people the opportunity to contribute within the security research community, I think they'll be able to make really big progress and securing these platforms.
What concerns you the most, like, what is the thing as someone who knows how vulnerable these systems can be, makes you think, this is the thing that makes me worry.
For me, it's the environment. So most of the repercussions of a satellite compromise are like bad. They could be very bad, like you could compromise GPS and it could lead to like a terrestrial catastrophe. But however bad it is, eventually we'll get over it. So I guess one of my biggest concerns is less about the virtual effects of hacking satellites, stealing data or disabling them, and more about the kinetic and physical effects because those can have a
lasting effect on the environment. So if a satellite is destroyed and orbit in some way, that can have huge environmental repercussions. If someone hacks a rocket and causes it to break during a launch sequence, for example, then you end up with pieces of space debris that are stuck
in orbit for centuries. They move at literally bullet like speeds, and if they crash into other pieces of space debris or into each other, they can generate basically tobre cascade and block orbit for a long period of time and have a lasting detrimental impact on our abilities a species to make use about our space.
So when you look ahead, do you think satellites become more secure or do you think we go through a period of kind of chaos and uncertainty before something gets done.
I am cautiously optimistic that satellites will become more secure. There is really great momentum around satellite security that's formed in the last four or five years. We have def Con, which is a big hacker conference in Las Vegas every summer, and they have a dedicated track within what they call the Aerospace Village to just talk about space security. We
have industry advisory groups. There's a Space Information Sharing an Advisory Council which is formed between like different space industry people to talk about cyber threats. And we just have a lot of momentum building around space security and My hope is that that momentum is coming at the right time, because the decisions we make in the next three or four years I think will have a big impact on what space looks like for the next decade or.
So, James, is there anything that we can do, just as you know, people consumers of technology to protect ourselves.
Definitely, So when you're trying to protect your like satellite, internet signals, or really any traffic you send over the Internet, I think it's important to recognize that once that message you're sending leaves your house, you have basically no control over who gets to touch it as the gets handed off. Think like you send a letter in the mail, you don't know who the postal worker is grabbing your letter
at each stage. Will be same thing with Internet traffic and so using end to end encrypted protocols, whether that's using like an encrypted chat application or using websites that
use TLS. TLS is transport layer security. It's a protocol that's used to encrypt general like Internet traffic that you would have when you like visit a website, you'll see it like little lock icon in your browser when you're connected to a TLS website and it's like proven with math to be very secure against adversaries who are trying
to read the content you're sending. That's a really great way to stop people like me, because even if I got your packets off of a satellite, because it happened to get sent that way, I wouldn't be able to read the contents of them. I could see the outside of the envelope, but if I opened it up, it
would just be garbage, nonsense. And so whenever you can, using an encrypted communications protocol defends you against just a whole mix of attacks, whether it's satellite attacks or any other kind of eavesdropping threat.
James Pavor, thanks for speaking.
With me, No problem, great meeting you.
Thanks for listening to us here at The Big Tay. It's a daily podcast from Bloomberg and iHeartRadio. For more shows from iHeartRadio, visit the iHeartRadio app, Apple Podcasts, or wherever you listen, and we'd love to hear from you. Email us questions or comments to Big Take at Bloomberg dot net. The supervising producer of The Big Take is Vicky Virgalina. Our senior producer is Katherine Fink. Rebecca Shasson is our producer. Our associate producer is Sam Gebauer. Hilde
Garcia is our engineer. Our original music was composed by Leo Sidrin. I'm wes Kasova. We'll be back tomorrow with another big take.