Scribd
Upload
35 views44 pages

Burning, Trashing, Spacecraft Crashing: A Collection of Vulnerabilities That Will End Your Space Mission

The document discusses various vulnerabilities in space mission software, highlighting the risks associated with open-source systems and the need for improved security measures. It presents findings from vulnerability assessments on multiple software products used in space missions, detailing specific CVEs and their severity levels. The authors emphasize the importance of addressing security in both open and closed-source systems to ensure the safety of space missions.

Uploaded by

kolmiyefyu
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
35 views44 pages

Burning, Trashing, Spacecraft Crashing: A Collection of Vulnerabilities That Will End Your Space Mission

The document discusses various vulnerabilities in space mission software, highlighting the risks associated with open-source systems and the need for improved security measures. It presents findings from vulnerability assessments on multiple software products used in space missions, detailing specific CVEs and their severity levels. The authors emphasize the importance of addressing security in both open and closed-source systems to ensure the safety of space missions.

Uploaded by

kolmiyefyu
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 44

Burning, Trashing, Spacecraft Crashing

A Collection of Vulnerabilities that will End your Space Mission

Andrzej Olchawa, Milenko Starcik, Ricardo Fradique, Ayman Boulaich

#BHUSA @BlackHatEvents
Andrzej Milenko Ricardo Ayman
Olchawa Starcik Fradique Boulaich
Cybersecurity Engineer Head of Cybersecurity Cybersecurity Engineer Cybersecurity Intern

2 #BHUSA @BlackHatEvents
Satellites launched to LEO per year

3 Source: https://sdup.esoc.esa.int/discosweb/statistics/ #BHUSA @BlackHatEvents


Constellations

4 Source: https://sdup.esoc.esa.int/discosweb/statistics/ #BHUSA @BlackHatEvents


Commercialization

5 Source: https://sdup.esoc.esa.int/discosweb/statistics/ #BHUSA @BlackHatEvents


Re-Militarization

6 Source: https://sdup.esoc.esa.int/discosweb/statistics/ #BHUSA @BlackHatEvents


Satellite Hacking at Black Hat

2009 2014 2015


7 #BHUSA @BlackHatEvents
2018 2022 2023 …
8 #BHUSA @BlackHatEvents
2025?

9 #BHUSA @BlackHatEvents
10 #BHUSA @BlackHatEvents
Example Science Mission
Ground Station Network

Spacecraft

11 #BHUSA @BlackHatEvents
Example Science Mission
Ground Station Network

Spacecraft
Mission Control Centre

12 #BHUSA @BlackHatEvents
Example Science Mission
Ground Station Network

Science Data Centre

Spacecraft
Mission Control Centre

13 #BHUSA @BlackHatEvents
Example Science Mission
End User Ground Station Network

User Portal

Science Data Centre

Spacecraft
Mission Control Centre

14 #BHUSA @BlackHatEvents
Example Science Mission
End User Ground Station Network

User Portal

Science Data Centre

Spacecraft
Mission Control Centre
Spacecraft Operator
15 #BHUSA @BlackHatEvents
Mission Control Software
End User Ground Station Network

User Portal

Science Data Centre

Spacecraft
Mission Control Centre
Spacecraft Operator
16 #BHUSA @BlackHatEvents
Onboard Software
End User Ground Station Network

User Portal

Science Data Centre

Spacecraft
Mission Control Centre
Spacecraft Operator
17 #BHUSA @BlackHatEvents
Destroying a Satellite

18 #BHUSA @BlackHatEvents
Destroying a Satellite
What you expect

19 #BHUSA @BlackHatEvents
Destroying a Satellite
What you expect What we found

20 #BHUSA @BlackHatEvents
Water is wet
21 #BHUSA @BlackHatEvents
DEMO

22 #BHUSA @BlackHatEvents
YAMCS DEMO
End User Ground Station Network

Science Data Centre

Spacecraft

Mission Control Centre


Spacecraft Operator (YAMCS)
23 Write-up: https://visionspace.com/yamcs-v5-8-6-vulnerability-assessment/ #BHUSA @BlackHatEvents
YAMCS DEMO
Ground Station Network

Phishing + XSS = CSRF-like

Spacecraft

Mission Control Centre


Spacecraft Operator (YAMCS)
24 Write-up: https://visionspace.com/yamcs-v5-8-6-vulnerability-assessment/ #BHUSA @BlackHatEvents
DEMO

25 #BHUSA @BlackHatEvents
OpenC3 DEMO
End User Ground Station Network

Science Data Centre

Spacecraft

Mission Control Centre


Spacecraft Operator (OpenC3)
26 Write-up: https://visionspace.com/openc3-cosmos-a-security-assessment-of-an-open-source-mission-framework/ #BHUSA @BlackHatEvents
OpenC3 DEMO
Ground Station Network

Phishing + XSS = RCE

Spacecraft

Mission Control Centre


Spacecraft Operator (OpenC3)
27 Write-up: https://visionspace.com/openc3-cosmos-a-security-assessment-of-an-open-source-mission-framework/ #BHUSA @BlackHatEvents
DEMO

28 #BHUSA @BlackHatEvents
NASA cFS DEMO
End User Ground Station Network

Science Data Centre

Spacecraft
(cFS)
Mission Control Centre
Spacecraft Operator
29 Write-up: https://visionspace.com/nasa-cfs-version-aquila-software-vulnerability-assessment/ #BHUSA @BlackHatEvents
NASA cFS DEMO

Spacecraft
cFS → RCE (cFS)

Rogue Ground Station

30 Write-up: https://visionspace.com/nasa-cfs-version-aquila-software-vulnerability-assessment/ #BHUSA @BlackHatEvents


Public Disclosures - MCS
Product CVE Severity
CVE-2025-28380 MEDIUM
OpenC3 Cosmos CVE-2025-28381, CVE-2025-28382 HIGH
v6.0.0 CVE-2025-28384, CVE-2025-28386, CVE-2025-28388,
CRITICAL
CVE-2025-28389
CVE-2023-45279, CVE-2023-45280, CVE-2023-45281,
MEDIUM
SAS Yamcs CVE-2023-46470, CVE-2023-46471, CVE-2023-47311
5.8.6 CVE-2023-45277 HIGH
CVE-2023-45278 CRITICAL
NASA Open MCT CVE-2023-45884, CVE-2023-45885 MEDIUM
3.1.0 CVE-2023-45282 HIGH

31 #BHUSA @BlackHatEvents
Public Disclosures - MCS
Product CVE Severity
CVE-2025-28380 MEDIUM
OpenC3 Cosmos CVE-2025-28381, CVE-2025-28382 HIGH
v6.0.0 CVE-2025-28384, CVE-2025-28386, CVE-2025-28388,
CRITICAL
CVE-2025-28389
CVE-2023-45279, CVE-2023-45280, CVE-2023-45281,
MEDIUM
SAS Yamcs CVE-2023-46470, CVE-2023-46471, CVE-2023-47311
5.8.6 CVE-2023-45277 HIGH
CVE-2023-45278 CRITICAL
NASA Open MCT CVE-2023-45884, CVE-2023-45885 MEDIUM
3.1.0 CVE-2023-45282 HIGH

32 #BHUSA @BlackHatEvents
Public Disclosures - Onboard
Product CVE Severity
NASA cFS CVE-2025-25371, CVE-2025-25372, CVE-2025-25374 HIGH
Aquila CVE-2025-25373 CRITICAL
NASA Cryptolib
CVE-2024-44910, CVE-2024-44911, CVE-2024-44912 HIGH
1.3.0
NASA fprime CVE-2024-55029 MEDIUM
v3.4.3 CVE-2024-55028, CVE-2024-55030 CRITICAL
CVE-2024-35057, CVE-2024-35058, CVE-2024-35059,
NASA AIT-Core HIGH
CVE-2024-35060, CVE-2024-35061
2.5.2
CVE-2024-35056 CRITICAL

33 #BHUSA @BlackHatEvents
Public Disclosures - Onboard
Product CVE Severity
NASA cFS CVE-2025-25371, CVE-2025-25372, CVE-2025-25374 HIGH
Aquila CVE-2025-25373 CRITICAL
NASA Cryptolib
CVE-2024-44910, CVE-2024-44911, CVE-2024-44912 HIGH
1.3.0
NASA fprime CVE-2024-55029 MEDIUM
v3.4.3 CVE-2024-55028, CVE-2024-55030 CRITICAL
CVE-2024-35057, CVE-2024-35058, CVE-2024-35059,
NASA AIT-Core HIGH
CVE-2024-35060, CVE-2024-35061
2.5.2
CVE-2024-35056 CRITICAL

34 #BHUSA @BlackHatEvents
You: Publish CVEs
Other Researchers:

35 #BHUSA @BlackHatEvents
You: Publish CVEs
Other Researchers:

36 #BHUSA @BlackHatEvents
Exploring Vulnerabilities in the
SDLS Implementation of NASA’s CryptoLib
Published Dec 18, 2024
Name CVE Severity
Keystream Oracle CVE-2025-46672 LOW
SDLS Bypass CVE-2025-46673 MEDIUM
Corruption of Key Database CVE-2025-46674 LOW
Spacecraft Hijacking CVE-2025-46675 LOW

37 #BHUSA @BlackHatEvents
CryptoLib GitHub Security Advisories
Published Apr 1, Mar 17, Mar 25, 2025
Name CVE Severity
Heap Buffer Overflow CVE-2025-29909 HIGH
Memory Leak CVE-2025-29910 MEDIUM
Heap Buffer Overflow CVE-2025-29911 HIGH
Heap Buffer Overflow CVE-2025-29912 HIGH
Buffer Overflow CVE-2025-29913 HIGH
Heap Overflow CVE-2025-30216 CRITICAL
Heap Buffer Overflow CVE-2025-30356 CRITICAL

38 #BHUSA @BlackHatEvents
Final Thoughts on security in the space sector

• We found this in open source, what about closed source?


• Create rewards for researchers!
• Define security-safety-mission tradeoffs!
• Define mitigation strategies for existing missions!
• What do you do with an insecure mission?
• Space is hard, but space security is not.

39 #BHUSA @BlackHatEvents
Water is wet
40 #BHUSA @BlackHatEvents
Even in space
41 #BHUSA @BlackHatEvents
Thanks!

Andrzej Milenko Ricardo Ayman


Olchawa Starcik Fradique Boulaich

42 #BHUSA @BlackHatEvents
Black Hat Sound Bytes

• Space is hard, but space security is not.


• Vulnerabilities exist in space systems, like everywhere else.
• Our work covered just open-source; what about closed-source?

43 #BHUSA @BlackHatEvents
References
https://visionspace.com/prototype-pollution-in-nasas-open-mct-cve-2023-45282/
https://visionspace.com/xss-in-nasas-open-mct-v3-1-0/
https://visionspace.com/yamcs-v5-8-6-vulnerability-assessment/
https://visionspace.com/more-xss-and-clickjacking-in-yamcs-v5-8-6/
https://visionspace.com/remote-code-execution-via-man-in-the-middle-and-more-in-nasas-ait-core-v2-5-2/
https://visionspace.com/openc3-cosmos-a-security-assessment-of-an-open-source-mission-framework/
https://visionspace.com/remote-code-execution-and-critical-vulnerabilities-in-nasa-fprime-v3-4-3/
https://visionspace.com/crashing-cryptolib/
https://visionspace.com/nasa-cfs-version-aquila-software-vulnerability-assessment/
https://securitybynature.fr/post/hacking-cryptolib/
https://github.com/nasa/CryptoLib/security

44 #BHUSA @BlackHatEvents

You might also like