Sponsor Announcer (9:48)

And now a word from our sponsor. The Johns Hopkins University Information Security Institute is seeking qualified applicants for its innovative Master of Science in Security Informatics degree program. Study alongside world class interdisciplinary experts and gain unparalleled educational research and professional experience in information security and assurance. Interested US Citizens should consider the Department of Defense's Cyber Service Academy program, which covers tuition, textbooks and a laptop, as well as providing a $34,000 additional annual stipend. Apply for the fall 2026 semester and for this scholarship by February 28th. Learn more at CS JHU. Edu MSSI.

Maria Varmazas (10:51)

Our guests today are Milenko Starchik and Andrei Olkava from Vision Space. They recently demonstrated with their new research how easy it is to exploit software vulnerabilities in satellites. And they shared their insights from defcon.

Milenko Starchik (11:09)

So I'm Milenko Starchik. I'm currently leading the cybersecurity section at Vision Space Technologies. We're a company headquartered in Germany around for I think almost 15 years now. We also have branches now in Portugal and Spain, so currently serving the European space industry needs.

Andrei Olhava (11:30)

My name is Andrei Olhava. I've been with the company a couple of years now working as a cybersecurity engineer. And I mainly focus on offensive security activities for the space system. Things like penetration testing of some systems vulnerability research, finding zero days, and we are writing a book for no StartPress which is called the Spacecraft Hackers Handbook.

Maria Varmazas (12:00)

Milenko and Andrei, thank you both for joining me today. I'm thrilled to be speaking to both of you. And I saw an article on the Register which I read every day about some research that you all presented at Black Hat. And I really wanted to talk to you both about what you, what you found. If you want to sort of recap some of that research, especially for my audience who is predominantly not cybersecurity focused, but they do, they are in the space industry and what you would like them to know about what you've been finding, what those key takeaways are.

Milenko Starchik (12:28)

So our research was a collection of vulnerabilities that we've, we've gathered over the past years. I think 2023, we started doing systematic review of software systems used in a space. So what we were most familiar with are mission control systems. Just from the background we had from maintaining and deploying and configuring these systems, we knew that there's a lot that could be found potentially. So we did like a review of open source mission control systems and found quite a lot of vulnerabilities in them which were mostly from a cybersecurity perspective, like low hanging fruits. But from the space perspective, the software was doing what it was supposed to do. It didn't do anything unexpected. It was just that the hardening was not to the standard which you would expect from an application used for such A sensitive purpose, and that seems to be a very common problem in the space industry, is that the software is not built to withstand modern attacks and modern attackers who know how to take these systems apart, and that there is still like a thinking, yeah, people don't know how to use this application, so they will not be able to do anything without it, which is very, very dangerous. So if you say like, oh no, my software is so complex, only I can use it, that's definitely not the case. Attackers will download all your fil. They will read through thousands of pages now with large language models, even millions of pages of documents in hours and days, and they will go through it and they will figure out how it works. So I think that's a very risky assumption. This security by obscurity, which is still very popular in the space industry. So that's why we did it on open source software, so that we could actually go out and show, okay, here's a systematic problem. In every single of these mission control systems we found issues. And after that we went for onboard software frameworks. So there's two very popular ones from NASA. Core flight system, which is actively used in flying missions, and F Prime, which was developed for the mass helicopter ingenuity. And also in those, we found quite a lot of vulnerabilities, but also some more general security issues, partially due to the lack of embedded security in these frameworks.

Andrei Olhava (15:08)

At this point, we have found a little bit less than 40 CVEs, almost 400 days in those systems. We just reported a few more on all of the systems we use, and they range from different severity, between 5 or 6 to almost 10. I think the highest one we have is 9.9 or 9.8, something like that.

Maria Varmazas (15:37)

And that's out of a scale of 10. For my audience who may not know that, that's very severe. Yes.

Andrei Olhava (15:42)

Yeah. And also the impact varies between small information disclosure to actually getting a remote code execution on a platform, either spacecraft platform, or a system that is controlling the spacecraft. The ones which we have demonstrated are black hat. So we try to approach the demonstration from different angles to demonstrate what is the impact on the actual spacecraft by getting access to the mission control system either directly or through a phishing campaign. And also if you are a nation state and you are actually able to communicate with spacecraft directly because you have capabilities and you are not limited by law how you could take over the control of spacecraft or effectively you could break it. So that's how we decided to approach the presentation and that's how we show those Three demos with that in mind.

Maria Varmazas (16:43)

It was super fascinating reading through the different potential capabilities if someone were to exploit these vulnerabilities. And I don't want to try and do fear uncertainty and doubt here and go, oh, sky is falling. It is just very interesting to see what the potentials were. And I know that these vulnerabilities, it sounds like they've already been remediated. You disclosed them and they've been remediated. So am I understanding that correctly?

Andrei Olhava (17:05)

Yes, yes. So we have. When we discovered those vulnerabilities, we followed the response and disclosure process where we first notified vendor. In most of the cases it was NASA or the companies that work for NASA, and then we worked with them to fix those issues. And we also made some effort to actually test it afterwards.

Maria Varmazas (17:28)

I'm wondering from you both what your thoughts are on takeaways, especially for the commercial space industry around the world, given how much it's growing. This is anecdotal, but often in conversations I've had with people, when I talk to them about cybersecurity for space systems, there's often an attitude of a lot of this is handled by government entities. I don't really need to worry about this as much. And Milenko, you mentioned security through obscurity. I just often wonder, I mean, that model seems to be very much failing in the face of scale. I'm just curious your thoughts on that.

Milenko Starchik (18:03)

Yeah, I would say that there's a big risk with going for strictly compliance. I think what most people are referring to is, okay, we have to comply with these things. So we have a checklist, we have some threat modeling, we have some mitigations checklists done. Security, all good, right?

Maria Varmazas (18:21)

Yeah, security done.

Milenko Starchik (18:24)

At least on a legal perspective. And that's what people are afraid of is like, on a legal perspective, you're good. You can still get hacked, but it will not affect you on a legal basis. Basically. And this is usually where it gets, where people get more careful is when they are more personally impacted by this. So what we've seen is a lack of actual testing. So that's something that we're trying to push for, is that your security controls are nice, but if you still haven't tested the software that is running on your systems, like this, custom software on systems which are configured and often maintained over sometimes decades until literally the server falls apart, and then you hope that you have a spare box somewhere in the corner of the room. These systems, they need to be maintained and they need to be tested on a regular basis. And this is something that we see is definitely missing that you could maybe have the software that we had previously going through compliance cycles over and over again, no one was ever bothering to run like a simple code like static analysis on the code base to see if there are maybe some low hanging fruits in it, which they were. So a lot of the issues we found could have been easily caught early on and not kept in the software for many years.

Maria Varmazas (19:52)

That is interesting.

Andrei Olhava (19:53)

And on the commercial side of things there are pretty much two ways companies go about it. One way is to develop their own software which is closed source and we don't really know what it is. So it's going to be up to the company to make sure that it's secure. And unfortunately from our experience, it often happens that security is at the very end, end of the requirement list. So sometimes, especially for the new space companies, which are often startups, they leave security at the end or they don't consider it at all. And then the other approach is to use some of the already existing software which is open source from NASA for instance, or other entities developing the open source software and making public. And this is the software which companies would easily assume that the software is secure because, well, it was developed by NASA, so it must be. And actually this is the software we find the most vulnerabilities in.

Maria Varmazas (20:56)

That is fascinating. That is a really interesting takeaway as well. But I want to make sure that I give you both an opportunity if there's anything that you want to mention as sort of a closing thought.

Milenko Starchik (21:05)

So I think it's. For people in space industry, it's important to start early with security design and it's never too late. So even if the mission is flying, you can still do your risk assessment, threat modeling and everything. But the importance is to, to not stop with the compliance checklist, but to actually have verification of those requirements and not to go with like some crazy requirements that just are like, I don't know, someone grabs my spacecraft and deorbits it. Sure that's a risk, but maybe you should focus on a bit more realistic requirements for your case and threats that actually can impact your business severely.

Maria Varmazas (22:06)

We will be right back.

Sponsor Announcer (22:13)

At Talas, they know cyber security can be tough and you can't protect everything. But with Talas, you can secure what matters most. With Talis's industry leading platforms, you can protect critical applications, data and identities anywhere and at scale with the highest roi. That's why the most trusted brands and largest banks, retailers and healthcare companies in the world rely on Thales to protect what matters most, applications, data and identity. That's Thales T H A L E S learn more@thalesgroup.com Cyber.

Andrei Olhava (22:53)

Foreign.

Maria Varmazas (23:00)

Welcome back. I will hand you over now to Yvette Gonzales from Spacewatch Global for the latest from the Space Defense and Security Summit at World Space Business Week in Paris.

Yvette Gonzalez (23:14)

Hi Maria and hi space watchers. And here we are at the end of day two for the World Space Business Week. Today there was a second event, the Space Defense Security Summit. And it opened with Space Command leaders from Germany, France, Canada and they were all discussing navigating a rapidly evolving space domain. The highlight from that is that we have to look at what we have changed and especially what has not changed. Really honoring the legacy of all the infrastructure and what everyone has created so far. And that's going to be key in collaborating going forward. Another common theme was that space is still a war fighting domain. The message was clear that that has not changed. And so we now share a permanence of operations, a permanence of more data and that we're going to be looking at more impressions of what space operations will look like. Together in agreement, we look at how Ukraine has demonstrated that space is the bottom line. We look at that as an example of why NATO will be opening their Space center of Excellence in Toulouse and be growing out from that area. China is also accelerating in space and everyone agreed that we are in a space race and this will also be determining how we navigate forward. It is true that we still are looking at the speed of relevance which kept coming up today. And space is becoming more tactical. Kill chains are becoming tighter temporally and that is the focus. And space has now moved from supportive to. To definitely operational. So we're bridging gaps by training the younger generation, especially in analog approaches such as using compasses maps again and marrying that with technology. They moved on to the afternoon sessions where success in space looks like a continuation of deterrence. How coalitions of partners that are trained and adversaries will now take pause at how even a presence in space can be a deterrence to and that looks like a competitive endurance approach. The exploring strategies for resilience and escalation management and deteriorating space environment. Panel discuss how escalation in space and development mean that we are now changing the use of space. There's technical advantage on the ground and we can't lose sight that we still need what's happening terrestrially. So there's a sense of urgency and our common proof together is that we have a common emergency together or a common urgency together and that we develop technology around that. The international cooperation in a fast changing space domain was a really fascinating topic today and it is about understanding how information sharing makes interoperability crucial. NATO relies on national capabilities and they want as a team and as collaborators and as allies to ensure that dialogue is that we work collectively. There was an agreement that going forward this would be really crucial. The topics of the remainder of the day really focus on space surveillance, facing a 15,000 satellite environment, and then moving on to acquisition programs from Korea and space as a strategic enabler for enhanced military forces. The bottom line at the end of the day was that everyone will be working together in collaboration for supporting a more robust ecosystem and ensuring interoperability and shared capabilities so we can see the advancement of preparations for defense technologies. Back to you Maria.

Maria Varmazas (26:52)

And that's T minus Brought to you by N2K CyberWire what do you think about our show T minus Space Daily? Please take a few minutes to share your thoughts with us by completing our brief listener survey links in the show. Notes for you and thank you for helping us continue to improve our show. We're proud that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector. From the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies, N2K helps space and cybersecurity professionals grow, learn and stay informed. As the nexus for discovery and connection, we bring you the people, technology and the ideas shaping the future of secure innovation. Learn how@n2k.com N2K Senior Producer is Alice Carruth. Our producer is Liz Stokes. We are mixed by Elliot Peltzman and Trey Hester with original music by Elliot Peltzman. Our Executive producer is Jennifer Ivan. Peter Kilpe is our publisher and I am your host, Maria Varmazes. Thank you for listening. We'll see you tomorrow.

Milenko Starchik (28:01)

T minus.

Sponsor Announcer (28:14)

Attention Security Startups there's less than a week left to apply for the 2025 Data Tribe Challenge. This unique program accelerates early stage cyber companies. Refine your messaging with startup veterans, then pitch to top venture firms. Shaping the future of cyber the live Pitch competition takes center stage at Cyber Innovation Day, November 4th in Washington, DC. Applying is easy. Go to challenge.datatribe.com Share your company info and upload your pitch. Submissions close September 19th. Submit your entries today. Think your certificate security is covered. By March 2026 TLS certificate lifespans will be cut in half, meaning double today's renewals and in 2029, certificates will expire every 47 days, demanding between 8 and 12 times the renewal volume. That's exponential complexity, operational workload and risk. Unless you modernize your strategy, Cyberark, proven in identity security, is your partner in certificate security. Cyberark simplifies lifecycle management with visibility, automation and control at scale. Master the 47 day shift with CyberArk. Scan for vulnerabilities, streamline operations, scale security. Visit cyberark. Com 47day. That's cyberark. Com. The numbers 47D a Y.