The Satellites Powering Your World Are Insecure. Breaches Are Inevitable. And No One Is Accountable.

By Ela Buruk 

There is no such thing as a secure satellite.

That’s not a prediction — it’s the current state of orbital infrastructure. From GPS and banking to military operations and disaster response, satellites are now core to modern civilization. But most of them run outdated code, communicate over unencrypted channels, and operate in an environment with almost no binding cybersecurity standards.

And no one is required to fix it.

I. A Network Without a Perimeter

Satellites are not isolated. They’re just very remote computers — connected to the internet by ground stations, radio links, mesh networks, and increasingly, cloud infrastructure. And like everything else connected to a network, they’re vulnerable.

Security has never been foundational in spacecraft design. Why?

  • Hardware lock-in: Satellites are often designed years ahead of launch using legacy chipsets and hardcoded firmware.
  • No over-the-air (OTA) patching: Many platforms can’t receive remote software updates without risking mission-critical failures.
  • Launch-first culture: Universities, startups, and even national agencies often prioritize uptime over secure design.

According to Euroconsult, more than 60,000 satellites will be launched between 2021 and 2030 — most of them commercial, many operating without rigorous security review or regulation.

“If you can control a satellite, you can turn it into a weapon,” said cybersecurity researcher James Pavur during his Black Hat Europe talk. His team used off-the-shelf gear to intercept satellite transmissions — including ship locations, medical files, and login credentials — via unencrypted downlinks.

II. Real Breaches, Sanitized for Public Consumption

Cyberattacks on orbital systems are not new — they’re just rarely called what they are.

On February 24, 2022, hours before Russian forces invaded Ukraine, GRU operatives deployed wiper malware on Viasat’s KA-SAT network. Tens of thousands of terminals across Europe were knocked offline, including critical infrastructure in Ukraine and German wind farms.

The attackers didn’t need to hit satellites directly. They breached a ground system.

Other breaches followed similar patterns:

None of these events triggered breach disclosure requirements. None resulted in accountability. In most cases, they were either quietly patched or labeled “anomalies.”

III. Cybersecurity Law Doesn’t Reach Orbit

There is no binding international framework that governs cybersecurity in space. Not for commercial operators. Not for nation-states.

The Outer Space Treaty of 1967 bans weapons of mass destruction in space — but says nothing about malware, spoofing, jamming, or digital payload interference.

Some governments are trying. The U.S. Space Force is implementing a Zero Trust architecture “from dirt to orbit,” but these practices aren’t mandatory for the rapidly growing commercial sector. They also don’t apply internationally.

Even NASA isn’t immune. In October 2023, the Office of Inspector General found its information security program “not effective,” citing poor endpoint protection, inconsistent logging, and weak oversight of third-party systems.

Elsewhere:

  • China has not published any open orbital cyber doctrine but has made strategic investments in space warfare and digital reconnaissance.
  • Russia has already combined kinetic and digital attacks in Ukraine.
  • India and Europe have no unified cybersecurity mandate for orbital operators.

There’s no enforcement. No playbook. No Space-CERT.

IV. AI Changed the Threat Model

As tools like ChatGPT become mainstream, concerns about dual use are escalating — particularly in cyber operations.

A report on ChatGPT’s global usage trends showed a major surge in coding and scripting applications — raising red flags among cybersecurity professionals about exploit automation.

What this means for space:

  • Fuzzing satellite command interfaces is now easier and faster.
  • Mimicking telemetry or spoofing radio sequences can be assisted by LLMs trained on public specs.
  • Social engineering campaigns targeting mission ops or contractors can be drafted by AI with real fluency in domain-specific lingo.

The same tools helping operators troubleshoot spacecraft can help adversaries break them.

V. A Fragile Cloud We Don’t Regulate

Unlike traditional warfare, a cyberattack on a satellite doesn’t leave craters or debris. It leaves uncertainty.

Was it a solar flare or a corrupted update? A hardware fault or a deliberate denial-of-service? Attribution is hard. Disclosure is optional. The incentive — from both state actors and private operators — is to downplay or bury the truth.

Meanwhile, space becomes ever more critical:

  • Commercial constellations handle encrypted defense comms.
  • Navigation satellites underpin logistics and air travel.
  • Earth-observation satellites shape climate policy, war strategy, and disaster relief.

Yet we still treat satellites like niche technology — not the global infrastructure they are.

Final Transmission

We’ve wired our world through orbit — and left the wiring exposed.

There are no enforced cybersecurity baselines. No breach reporting. No global watchdog. Just more satellites, more code, more interdependence — and the same vulnerable assumptions.

There is no firewall in space. Only lag. And luck.

Ela Buruk is a writer and editor who specializes in technology, digital trends, and ethical issues.
