Along with nuclear missile silos and the U.S. stock market, few other targets provide such a tantalizing challenge for U.S. foes as hacking our space endeavors.
In fact, in June of this year, NASA published an audit document from the U.S. Office of the Inspector General which revealed that the space agency’s Jet Propulsion Laboratory (JPL) had been hacked in 2018. In this case, hackers accessed an unauthorized Raspberry Pi computer connected to the JPL servers that allowed the hackers to then probe deeper into NASA’s network.
Get started on your cybersecurity degree at American Military University.
Officials from the Johnson Space Center (JSC) were worried that the attackers could move laterally from the gateway into the communications systems, potentially disrupting the signals used on human space flight missions.
As of March of this year, the JSC had not restored the use of all its communications data because of continuing concerns about its reliability.
Hacking a NASA Astronaut’s Spacesuit in Flight
To be sure, the audit makes clear that NASA has some terrestrial security concerns to deal with. But what about hacking human spaceflight systems in orbit?
Could a hacker gain remote access to, say, a spacesuit or Extravehicular Mobility Unit (EMU) while an astronaut is performing a spacewalk? Such a notion seems more likely in the realm of James Bond fiction. And yet, cybersecurity vulnerabilities continue to blindside us nearly every day in America.
NASA has politely declined to comment for this story, but several cybersecurity experts did, and their insights are revealing.
Aaron Cornelius at Grimm, a forward-thinking cybersecurity firm that we covered in a previous article, stated that “It is possible to do Extravehicular Activity (EVA) ’tethered,’ which means that power and oxygen are supplied by the space station through an umbilical cable rather than by the suit itself. In that case, it may be possible to manipulate the power or oxygen supply to the EVA suit.”
But if operated “untethered,” the suit would operate on battery power, and except for the radio, Cornelius doesn’t think that the suits have any connection to the space station.
He goes on to say, “I believe the EVA suits are basically the same as they’ve been for the almost 40 years. So the suits themselves are mostly mechanical and don’t have a very large attack surface. The worst that could be done is to disrupt radio communications. Losing communication would probably disturb many people, but I can’t imagine it would disturb astronauts very much given the amount of training that they go through.”
Long-time InCyberDefense contributor and military information system security officer Ed Hawkins II responded to our query incredulously. “Did NASA do something silly, like create a suit with network access?” he asked. “If they did, they’re subject to the same vulnerabilities that a computer has. It will ultimately come down to what types of systems were put in place.”
For example, if the suit’s vitals are monitored and regulated remotely, then an attacker could take control of the suit and potentially kill the astronaut. In another case, if the suit interfaced with any onboard system, while under the same remote conditions as the first case, it might be possible for an attacker to use the suit as a pivot point to carry out myriad attacks.
Ultimately, this level of understanding is definitely not something that NASA would want to have known publicly or in the international space community because that would put lives in danger. By the same token, if NASA did do something to this effect, the attackers would have to gain local access to the control systems or install remote connectivity in those systems. That would potentially expose the identity of the attacker(s) to direct monitoring.
Hacking the International Space Station (ISS)
While a spacesuit might be difficult to hack, what about other mission-critical components? Or even the space station itself? After all, the ISS is apparently not immune to sabotage.
On this topic, Cornelius said, “The organization and connectivity of the control systems on the space station are one of the bigger unknowns. I am not sure how old the various control systems are on the space station, or how interconnected the systems are. On one hand, some of the systems were probably designed in the ’80s and have terrible security but are less interconnected. But because they are continually updating the space station, there will be parts that have been designed more recently which have the possibility of being more secure and are more interconnected.
“I suspect the ground link doesn’t have much if any, command authentication. It may take some research to identify how to send commands to the space station, but that is just a matter of time. Once the commands are received at the space station, the interconnectedness of the systems is what determines how difficult — or impossible — it would be to do something malicious to the station’s systems. One example of a system that would be able to directly impact an EVA would be the robotic arm. This system can be controlled from the ground.”
One unique challenge about the space station is how “one-off” the devices are. Because it costs so much to manufacture the equipment used in space applications, very rarely are there any spare parts. Not having a fully representative system to use for research and experimentation increases the difficulty of finding vulnerabilities.
This makes sense. While visiting Grimm’s Michigan facilities last year, I witnessed a fully functioning mock-up of automobile systems designed to protect the most expensive computer you own, your car.
According to Cornelius, it would be much easier to use controls that are intended for remote use — such as those that control the robotic servicing arm — than it would be to identify remotely exploitable vulnerabilities in the space station’s control systems.
Going Where No Hacker Has Gone Before
Thinking about these vulnerabilities ensures that such mission-critical assets are hardened against attacks from large and sophisticated nation-state actors.
State-sponsored cyberattacks are growing more dangerous and more complex every day. Meanwhile, civilian hackers are always looking to push the limits of their abilities with more and more challenging targets.
Future NASA systems must be designed with security in mind. And while NASA’s bread and butter is expanding the limits of human knowledge in space, the agency would do well to consider inner space and keeping those systems safe, secured and in the hands of only those for which they were designed.