Today The Register published a reminder of just how vulnerable the roughly 12,000 satellites orbiting the Earth are to hacking attempts. Yamcs is an open source application used by NASA and Airbus which has five known CVEs in the code that would allow an attacker to gain complete control over the software on satellites which use the software. OpenC3 Cosmos, another open source app commonly used in ground station systems has seven CVEs, five of which can be leveraged for remote code execution and cross-site scripting attacks.
NASA’s Core Flight System software, Aquila, has four critical flaws one of which is a remote-code-execution vulnerability and CryptoLib which is used in large number of satellites contains seven serious flaws; NASA’s modified version still has four. These include a flaw which can be exploited by an unauthenticated telephone which lets you crash the entire onboard software and when it reboots none of the previous security keys are recreated, leaving the satellite’s systems open for anyone to play with.
One could say that the gravity of these flaws can’t be overstated.
