T-Minus Space Daily – September 16, 2025
Episode Title: Exploiting Satellites and Expanding Connectivity
Host: Maria Varmazas
Podcast Network: N2K CyberWire
Episode Theme: A critical look at the cybersecurity vulnerabilities in satellite systems, with an emphasis on recent vulnerability research, and focused updates on expanding connectivity initiatives in the space industry. The episode features a deep-dive interview with Milenko Starchyk and Andrei Olkava from Vision Space, plus a field report from the Space Defense and Security Summit at World Space Business Week.
Episode Overview
Today’s episode explores two primary fronts in the evolving space sector:
- Exposing Satellite Vulnerabilities: A conversation with leading cybersecurity researchers Milenko Starchyk and Andrei Olkava about their hands-on findings regarding flaws in mission control and satellite software—plus the industry’s broader approach to risk and compliance.
- Expanding Space Connectivity & Security: Breaking news on partnerships, contracts, and technology demonstrations aimed at increasing global connectivity and advancing secure communications via satellite.
- Strategic Space Security Discourse: Reporting from the Space Defense and Security Summit in Paris, centering on the need for collaboration, resilience, and cyber preparedness within the defense context.
Key News and Industry Updates
(01:32–10:51)
Redwire, Honeywell, and Quantum-Secured Satcoms
- Redwire has become the prime contractor for ESA’s SCIMSAT, an advanced small satellite mission in very low Earth orbit, leveraging ESA, and Thales Alenia Space in the UK will provide the propulsion subsystem.
- Focus: Improving sustainability and mission performance at lower orbital altitudes.
- Redwire & Honeywell signed a new MoU under ESA’s Quantum Key Distribution Satellite (QKDSAT) program.
- Goal: Mature quantum key distribution for secure satellite communications, with a fully functional payload and platform by mid-2026.
Space42 & Viasat Launch Equatus
- Equatus—a joint effort by Space42 and Viasat—will unify satellite and terrestrial networks for direct-to-device services.
- Platform: 3GPP non-terrestrial network release compliant, supporting standard smartphones and IoT devices and offering secure, sovereign deployment for over 160 markets globally.
SES & K2 Space Medium Earth Orbit Collaboration
- SES & K2 Space are co-developing SES's future medium Earth orbit (MEO) network for resilient, multi-mission capabilities, including direct-to-device, SSA, relay, mobility applications, and sovereignty.
NOAA Space Weather Portal & Commercial Data Initiatives
- NOAA launched ‘SPOT,’ a cloud-based space weather data portal.
- PlanetIQ wins a $24.3M contract to deliver high-volume GNSS radio occultation profiles—NOAA’s biggest commercial satellite weather data buy.
Main Interview: Exposing Satellite Software Vulnerabilities
(10:51–22:06)
Guests:
- Milenko Starchyk — Cybersecurity Head, Vision Space Technologies (Germany)
- Andrei Olkava — Cybersecurity Engineer, Vision Space
Introduction & Research Focus
(11:09–12:28)
- Vision Space focuses on cybersecurity for space systems: penetration testing, zero-day discovery, securing mission-critical infrastructure.
- Work Highlighted: Recent vulnerability research presented at Black Hat and DEF CON, plus upcoming book, Spacecraft Hackers Handbook.
Findings: A Systematic Weakness
(12:28–15:08)
- Since 2023, Vision Space has systematically reviewed mission control software (esp. open source and NASA frameworks like Core Flight System and F Prime).
- Finding: “In every single of these mission control systems we found issues.” – Milenko Starchyk (13:59)
- Many vulnerabilities are “low-hanging fruit” by cybersecurity standards but pose huge risks in space contexts.
- Quote: “The software is not built to withstand modern attacks and modern attackers who know how to take these systems apart … Security by obscurity ... is still very popular in the space industry.” – Milenko Starchyk (13:10–14:05)
Scope and Severity of Vulnerabilities
(15:08–16:43)
- Nearly 40 CVEs discovered, with severity ranging from 5–10 (CVSS scale); highest at 9.9.
- Vulnerabilities include info disclosure and remote code execution—impacting both mission control and on-board spacecraft.
- Quote: "The impact varies between small information disclosure to actually getting a remote code execution ... You could take over the control of spacecraft or effectively you could break it.” – Andrei Olkava (15:42)
Demonstration of Exploits
(16:43–17:28)
- Black Hat demonstrations used real-world scenarios: exploits via mission control access (direct or phishing), and from a nation-state with direct comm capabilities.
- Systematic, not isolated: All tested open source mission control systems had problems, as did core frameworks used in live missions.
Disclosure and Remediation
(17:05–17:28)
- Vulnerabilities were responsibly disclosed (mainly to NASA/vendors), remediated, and the fixes were verified.
- Quote: “We first notified vendor ... and then we worked with them to fix those issues ... and also made some effort to actually test it afterwards.” – Andrei Olkava (17:05)
Lessons for the Commercial Space Industry
(17:28–20:56)
- Critical Misconception: Many commercial players believe cybersecurity is a government matter, or rely on checklists for compliance, neglecting rigorous testing.
- Quote: “There's a big risk with going for strictly compliance ... Security, all good, right?” – Milenko Starchyk (18:03)
- Real protection comes from actual testing (static code analysis, penetration testing), not paperwork.
- Custom or closed-source systems often have security left to the last minute; open-source systems (even NASA’s) are wrongly assumed to be ‘secure’ by default.
Notable Takeaways & Closing Thoughts
(20:56–22:06)
- “For people in space industry, it’s important to start early with security design and it’s never too late.” – Milenko Starchyk (21:05)
- Don’t just tick boxes—verify requirements with real testing, focus on realistic risk modeling, and avoid “compliance complacency.”
- Even operational missions should regularly review, test, and update their systems for emerging threats.
Defense & Security Summit: Global Collaboration in Space Security
(23:14–26:52)
Field segment with Yvette Gonzales from Spacewatch Global, reporting from World Space Business Week, Paris
Key Points
- Permanent Space Operations: Space is recognized as an operational warfighting domain, not just a support environment.
- International Collaboration: Calls for deeper NATO cooperation and a new Space Center of Excellence in Toulouse.
- Security & Deterrence: Space presence itself now acts as a deterrent; integration and training with both modern and analog tools emphasized.
- Interoperability: Strong agreement on the need for robust information sharing, coalition building, and technology development to manage the “15,000 satellite environment.”
- Resilience and Escalation Management: Preparing for technical escalation in contested space while not losing sight of terrestrial security needs.
- Bottom Line: “Collaboration for supporting a more robust ecosystem and ensuring interoperability and shared capabilities.” – Yvette Gonzales (26:37)
Noteworthy Quotes & Moments
- On industry complacency: “If you say like, oh no, my software is so complex, only I can use it, that's definitely not the case. Attackers will ... figure out how it works. So I think that's a very risky assumption.” – Milenko Starchyk (14:01)
- On the critical impact severity: "The highest one we have is 9.9 or 9.8, something like that." – Andrei Olkava (15:19)
- On compliance mindset: "On a legal perspective, you're good. You can still get hacked, but it will not affect you on a legal basis." – Milenko Starchyk (18:24)
- On the real source of risk: “The software we find the most vulnerabilities in is the software ... developed by NASA, so it must be [secure]. And actually this is the software we find the most vulnerabilities in.” – Andrei Olkava (20:38)
- On practical security: “It’s never too late … don’t stop with the compliance checklist, but actually have verification of those requirements … focus on more realistic requirements for your case and threats that actually can impact your business severely.” – Milenko Starchyk (21:05)
Timestamps for Important Segments
- [01:32] Industry news headlines and Redwire/Honeywell quantum initiative
- [10:51] Milenko Starchyk and Andrei Olkava introduction
- [12:28] In-depth research overview & key findings on satellite vulnerabilities
- [15:08] Severity and types of vulnerabilities uncovered
- [16:43] Exploit demonstrations at Black Hat
- [17:05] Responsible disclosure and remediation process
- [18:03] Commercial industry's approach and misconceptions about cybersecurity
- [20:56] Closing thoughts from researchers
- [23:14] Yvette Gonzalez—Space Defense/Security Summit field report
Tone and Language
- Technical yet accessible: The hosts and guests explain complex cybersecurity topics in clear, relatable language for a space industry audience.
- Urgent but pragmatic: There’s no “fearmongering,” but a clear call to action for more robust, realistic, and ongoing cybersecurity practices.
TL;DR
This episode delivers a sobering look at the persistence and seriousness of vulnerabilities in satellite mission control and operational systems, even among highly trusted open-source and NASA-developed software. The take-home message: Don't rely on obscurity or compliance—real security demands regular, proactive testing and tailored risk management. Meanwhile, the industry is rapidly expanding its connectivity offerings and collaborating globally, but must accelerate cybersecurity and resilience as integral to both commercial opportunity and national defense.
