Didelot Maurice-Michel Hacked a Satellite — and Made the ESA's Experimental Platform Safer for All
During a contest run by security firm CYSEC, the European Space Agency's OPS-SAT satellite was tested — and found wanting.
Developer and security researcher Didelot Maurice-Michel has published details of security vulnerabilities, now thankfully fixed, in an unusual target device: an experimental satellite created by the European Space Agency (ESA).
"During January of this year I stumbled upon an ad for an hacking contest organized by an enterprise called CYSEC that is specialized in [the] space industry," Maurice-Michel explains. "This enterprise, was calling for hacker participation, with the idea be able to demonstrate in live the possibility and risk of an attack on critical device like satellite during one of their event called the HackCYSAT."
Designed to boost awareness of security issues within the space industry, the event focused on the ESA's OPS-SAT and asked participants to find and document vulnerabilities in the OPS-SAT's operating system — physical attacks being slightly more challenging when your target is whizzing around in orbit.
The OPS-SAT is an implementation of the novel NanoSAT-MF design, which allows new applications to be uploaded from the ground to boost operating lifespan, add new functionality, or fix bugs. The hardware centers around a quartet of Critical Link MitySOM-5CSX field-programmable gate array (FPGA) systems-on-module (SOMs), for redundancy, running a Linux distribution built using Yocto.
Having investigated the open-source framework underlying the platform, Maurice-Michel set about attacking it — and quickly found a range of vulnerabilities, primarily through a simple examination of the system image and subsequent reverse-engineering of the Java-based supervisor application.
"This implementation is vulnerable to ZipSlip vulnerability," the developer notes of the upload supervisor's decompression routine. "Combined with the next vulnerability, and by targeting specific files, this lead to complete takeover of the satellite with root privilege.
"I just had to put one return carriage and dummy payload [in the archive path]. Then point my tester on it, validating the exploitation of this vulnerability. This is obviously very critical has it can be triggered without the app needed to start. Simple scenario for an IRL [In Real Life] exploitation would be to convince the OPS-SAT team to upload this package, by impersonating a normal experimenter."
Maurice-Michel discovered other, less-serious vulnerabilities, in the platform, too: The supervisor account is given sudo
access without the need for a password, while in production the ESA shifted to just running the supervisor as root; a denial of service vulnerability in the Java Virtual Machine configuration; and the ability to execute remote code when an application launches.
Maurice-Michel notified the ESA of all the vulnerabilities, which were fixed prior to the publication of his write-up — but his experience with CYSEC was reportedly less pleasant. "They finally admitted that my [contest] submission has not been sent to the jury," he writes. "They then admitted the event was cancelled, and that they will fake demonstrations during their event."
Maurice-Michel's full write-up is available on his blog.