June 10, 2026
Why Space Communications Fascinate Security Researchers
The engineering challenges, signal constraints, and security considerations behind modern satellite systems.
Michael Preston
1. The Attack Surface Nobody Thought Would Matter
For most of the history of satellite communications, security was an afterthought disguised as obscurity. The equipment was expensive, the protocols were arcane, the ground segment required specialised hardware, and the assumption was that none of this was accessible to anyone who wasn't a nation-state or a major telecommunications provider. That assumption held for a while. Then software-defined radio changed everything.
Once a $25 RTL-SDR dongle became enough hardware to receive satellite telemetry, track beacon signals, decode unencrypted downlinks, and observe orbital mechanics in real time, the threat model for space systems collapsed almost overnight. The attack surface that nobody thought would matter became one of the most interesting frontiers in security research. Not because satellites are easy to attack — they are not — but because the constraints that shaped how these systems were built created a category of vulnerabilities that are genuinely novel, deeply tied to physics, and extraordinarily difficult to patch once a spacecraft is in orbit.
Security researchers started paying attention because the problems here are hard in ways that software security rarely is. You cannot push a firmware update to a satellite the way you push one to a server. You cannot reroute traffic around a compromised node when the node is travelling at seven kilometres per second in low Earth orbit. You cannot rotate credentials when the authentication system was designed in 1987 and baked into hardware that will be in space for fifteen years.
This is what makes space communications fascinating from a security perspective. The constraints are real, the failure modes are permanent, and the engineering decisions made decades ago are still running production systems today.
2. Link Budgets and Why Physics Is Already Working Against You
Before you can understand the security implications of satellite communications, you need to understand why the signals are the way they are. Everything downstream — the modulation schemes, the power levels, the error correction overhead, the vulnerability to jamming and spoofing — flows from one fundamental constraint: free-space path loss is brutal, and you cannot negotiate with it.
The Friis transmission equation tells you what you are dealing with. Signal power decreases with the square of the distance between the transmitter and receiver. A geostationary satellite sits roughly 35,786 kilometres above the equator. By the time a signal from that altitude reaches a ground receiver, even with a high-gain antenna and a well-optimised link, you are working with received power levels measured in fractions of a picowatt. The thermal noise floor of a decent low-noise amplifier at that point is already competing with your signal.
This matters for security because it shapes everything about how these systems operate. Transmitters on a spacecraft have a fixed power budget tied to solar panel area and battery capacity. You cannot simply turn up the power to improve link margin when someone is jamming your uplink. Spreading bandwidth to improve resistance to narrowband jamming costs you spectral efficiency, which costs you data throughput, which costs you mission capability. Every design decision is a tradeoff against the link budget, and most of those tradeoffs were made years before launch by engineers trying to solve a communications problem, not a security problem.
Ground-based attackers do not face symmetric constraints. A jamming transmitter on the ground pointed at a satellite uplink does not need to overcome 35,786 kilometres of path loss — it just needs to be close to the victim ground station and overpower the legitimate signal at the receiver. The asymmetry between the attacker's power budget and the defender's link budget is severe, and it is baked into the physics.
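The link budget and the path-loss asymmetry described in this section, worked through numerically. This is an added example, not part of the original article; the 12 GHz downlink, EIRP, antenna gain, noise temperature, bandwidth and 5 km emitter distance are constructed values, and the GEO altitude is used as the slant range.

```python
import math

C = 299_792_458.0        # speed of light, m/s
BOLTZMANN_DBW = -228.6   # 10*log10(Boltzmann constant), dBW/K/Hz
GEO_RANGE_M = 35_786e3   # altitude quoted in the article, used as slant range


def fspl_db(distance_m, freq_hz):
    """Free-space path loss from the Friis equation: (4*pi*d*f/c)^2, in dB."""
    return 20 * math.log10(4 * math.pi * distance_m * freq_hz / C)


def received_dbw(eirp_dbw, distance_m, freq_hz, rx_gain_dbi):
    """Carrier power at the receiver input, ignoring atmospheric and pointing loss."""
    return eirp_dbw - fspl_db(distance_m, freq_hz) + rx_gain_dbi


def noise_dbw(system_temp_k, bandwidth_hz):
    """Thermal noise power kTB in dBW."""
    return BOLTZMANN_DBW + 10 * math.log10(system_temp_k) + 10 * math.log10(bandwidth_hz)


def dbw_to_picowatts(dbw):
    return 10 ** (dbw / 10) * 1e12


def path_loss_advantage_db(far_m, near_m):
    """How much less path loss a nearby emitter sees; independent of frequency."""
    return 20 * math.log10(far_m / near_m)


def geo_downlink_budget():
    # Constructed values for a generic Ku-band GEO downlink (assumptions).
    freq_hz, eirp_dbw, rx_gain_dbi = 12e9, 48.0, 34.0
    system_temp_k, bandwidth_hz = 150.0, 36e6
    carrier = received_dbw(eirp_dbw, GEO_RANGE_M, freq_hz, rx_gain_dbi)
    noise = noise_dbw(system_temp_k, bandwidth_hz)
    return {
        "fspl_db": fspl_db(GEO_RANGE_M, freq_hz),
        "carrier_dbw": carrier,
        "carrier_pw": dbw_to_picowatts(carrier),
        "noise_dbw": noise,
        "cn_db": carrier - noise,
        # A terrestrial emitter 5 km from the dish versus the satellite.
        "near_emitter_advantage_db": path_loss_advantage_db(GEO_RANGE_M, 5e3),
    }


if __name__ == "__main__":
    for name, value in geo_downlink_budget().items():
        print(f"{name:28s}{value:10.2f}")
```

With these inputs the carrier arrives at roughly half a picowatt, only a few dB above thermal noise, while an emitter 5 km from the dish has about 77 dB less path loss to overcome than the satellite does.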
3. The Protocol Stack Has Not Aged Well
The protocols that govern satellite communications were largely standardised in an era when the primary threat model was signal degradation and interference, not adversarial actors. CCSDS — the Consultative Committee for Space Data Systems — defines the packet telemetry and telecommand standards used by most scientific and government satellites. It is a well-engineered standard for what it was designed to do. Authentication and confidentiality were not primary design goals.
The CCSDS Telecommand standard structures uplink commands into transfer frames with a two-byte checksum. That checksum is a CRC for error detection, not a MAC for authentication. A ground station that knows the command format for a given spacecraft — and command formats are often documented in publicly available mission manuals — can construct valid-looking telecommand frames without any cryptographic credentials. Whether those frames will be accepted depends entirely on whether the spacecraft implements additional authentication at the application layer, which many older spacecraft do not.
This is not a theoretical concern. Researchers have demonstrated command injection against satellite simulators using nothing but a software-defined radio and published mission documentation. The barrier is not the cryptography — there often is none — it is the operational complexity of actually getting your signal to the spacecraft and having it accepted by the receiver. That barrier is lower than most people assume, particularly for amateur satellites, CubeSats, and older government missions with known frequencies and published protocol documentation.
More modern standards address this. The CCSDS Space Data Link Security protocol adds authentication and optional encryption at the link layer. The problem is adoption. Spacecraft designed before the standard was mature, or constrained by processing power and power budgets, often do not implement it. A spacecraft launched in 2010 that is still operational today was probably designed against requirements written in 2005. The security landscape has changed considerably since then.
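Why a frame CRC is not authentication, and what a link-layer MAC with a sequence number changes on the receiving side. This is an added example, not code from the article or from CCSDS: the frame layout is a simplified stand-in rather than the TC or SDLS wire format, HMAC-SHA-256 with a 16-byte tag is an assumed choice of MAC, and all payloads and keys are constructed.

```python
import hashlib
import hmac
import struct

TAG_LEN = 16  # truncated HMAC-SHA-256 tag; an assumption of this sketch


def crc16_ccitt(data, crc=0xFFFF):
    """CRC-16 with polynomial 0x1021 and all-ones preset; no key involved."""
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021) if crc & 0x8000 else (crc << 1)
            crc &= 0xFFFF
    return crc


def seal_crc(body):
    return body + struct.pack(">H", crc16_ccitt(body))


def accept_crc(frame):
    """Legacy check: passes for any sender that can run the public CRC."""
    return len(frame) > 2 and crc16_ccitt(frame[:-2]) == int.from_bytes(frame[-2:], "big")


def seal_mac(key, seq, body):
    """Prefix a 32-bit sequence number and append a keyed tag over both."""
    protected = struct.pack(">I", seq) + body
    return protected + hmac.new(key, protected, hashlib.sha256).digest()[:TAG_LEN]


class AuthenticatedReceiver:
    """Accepts a frame only if the tag verifies and the sequence number advances."""

    def __init__(self, key):
        self.key = key
        self.last_seq = -1

    def accept(self, frame):
        if len(frame) <= 4 + TAG_LEN:
            return False
        protected, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, protected, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return False                      # wrong key or modified contents
        seq = struct.unpack(">I", protected[:4])[0]
        if seq <= self.last_seq:
            return False                      # replay of an earlier valid frame
        self.last_seq = seq
        return True


if __name__ == "__main__":
    key = bytes(range(32))                    # constructed demo key
    rx = AuthenticatedReceiver(key)
    good = seal_mac(key, 1, b"CONSTRUCTED-PAYLOAD-A")
    print("crc, sender without any secret:", accept_crc(seal_crc(b"CONSTRUCTED-PAYLOAD-B")))
    print("mac, correct key:", rx.accept(good))
    print("mac, replayed frame:", rx.accept(good))
    print("mac, sender without key:", rx.accept(seal_mac(b"\x00" * 32, 2, b"CONSTRUCTED-PAYLOAD-B")))
```

The CRC check still catches transmission errors; the keyed tag is what ties acceptance to possession of a secret, and the sequence number is what stops a recorded valid frame from being accepted twice.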
4. Ground Segment: Where Most of the Real Risk Lives
Satellite security discussions tend to focus on the space segment — the spacecraft itself — because it is dramatic and because the constraints are unique. But in practice, the ground segment is where most attackable infrastructure actually lives, and it looks a lot like ordinary enterprise IT with some unusual interfaces bolted on.
A modern satellite operations centre runs mission control software on commercial servers, often virtualised, often cloud-hosted or at least cloud-connected. Ground station antennas are managed through control systems that have evolved from purpose-built hardware into web-managed systems. The RF chain between the antenna and the operations centre frequently runs over IP networks. All of the standard enterprise attack surface is present: network services, authentication systems, remote access infrastructure, supply chain dependencies.
What makes the ground segment interesting is the trust relationship between the ground systems and the spacecraft. If you compromise a ground station's mission control software, you may have access to the uplink system. If you have access to the uplink system, the spacecraft trusts commands that arrive from that system. The spacecraft does not know or care that the ground station was compromised. From its perspective, commands are arriving from the right frequency, with the right framing, at the right time. It executes them.
This is a common pattern in critical infrastructure security: the endpoint at the far end of the trust chain cannot verify the integrity of the chain behind it. You see the same problem in industrial control systems, in aviation ground communications, and in maritime AIS. The physical or RF endpoint trusts the control system behind it because the alternative — cryptographic end-to-end authentication between a legacy spacecraft and a modern ground system — is often not feasible given the constraints involved.
Viasat's KA-SAT network incident in February 2022, which disrupted satellite broadband across Europe at the start of the conflict in Ukraine, was largely a ground-segment attack. Attackers gained access to the management infrastructure and pushed destructive firmware to tens of thousands of customer modems. The satellite itself was unaffected. The ground infrastructure and the customer premises equipment were the targets, and they were sufficient to create a significant operational disruption.
5. Jamming, Spoofing, and the Limits of Signal Authentication
Jamming is the blunt instrument of RF interference — flood a frequency band with noise and deny service to anyone trying to receive legitimate signals. It is illegal in most jurisdictions, technically straightforward, and extraordinarily effective against receivers with insufficient jamming resistance. Modern military waveforms spend enormous engineering effort on anti-jam capability through spread spectrum techniques, frequency hopping, and adaptive null steering in phased array antennas. Commercial and civil systems are more exposed.
GPS is the canonical example of the spoofing problem. The civilian GPS signal is unencrypted, well-documented, and broadcast at a known power level from a known orbital geometry. A spoofing transmitter that generates a coherent counterfeit GPS signal and introduces it near a target receiver can manipulate the receiver's position and time solution without the receiver detecting the attack. The receiver believes it is receiving legitimate satellite signals because the format is correct and the signal strength is plausible. The lack of authentication in the civilian GPS signal was an intentional design decision made decades ago to enable unrestricted civilian use, and it has been a persistent security liability ever since.
GPS signal authentication has improved. The European Galileo system transmits an Open Service Navigation Message Authentication signal that allows receivers to verify signal integrity using a public key. The US GPS M-code adds authentication for military users. But the transition is slow, the installed base of unauthenticated receivers is enormous, and many critical infrastructure systems — power grids, financial networks, telecommunications timing systems — still depend on civil GPS signals for timing without any spoofing detection.
For satellite communications more broadly, spoofing the uplink is harder than spoofing GPS because you need to get your signal to the spacecraft rather than to a ground receiver. But downlink spoofing against ground receivers — making a terminal believe it is receiving a legitimate satellite signal when it is not — is a realistic attack vector, particularly against systems that do not authenticate the data content of the downlink.
6. CubeSats and the Democratisation of the Attack Surface
The cost to reach orbit has dropped dramatically over the past decade. A CubeSat launch to low Earth orbit now costs tens of thousands of dollars rather than hundreds of millions. This has enabled a wave of small satellite development from universities, startups, research institutions, and amateur groups, and it has also created a large population of spacecraft with highly variable security postures.
CubeSats are built under severe constraints: power, mass, volume, and budget. The microcontrollers that run a typical CubeSat's command and data handling system are modest — often ARM Cortex-M-class processors running real-time operating systems with minimal resources for cryptographic operations. Implementing strong authentication, encrypting telemetry, and managing cryptographic keys on a CubeSat is possible but requires deliberate effort that many missions do not prioritise, particularly when the primary objective is a scientific or educational payload.
The amateur satellite community has historically operated on an honour system. Frequencies are shared, protocols are documented and open, and the assumption is that anyone with the equipment to communicate with an amateur satellite is doing so in good faith. This worked well when the barrier to participation was high enough to screen out bad actors. As that barrier has dropped, the assumption has become harder to sustain.
Security researchers have found command injection vulnerabilities in amateur satellite ground station software, observed unencrypted telemetry streams from operational CubeSats carrying potentially sensitive mission data, and demonstrated that many CubeSat command interfaces have no authentication beyond knowing the correct command format. None of this is surprising given the constraints these missions operate under. What is interesting is that these same patterns — open protocols, unauthenticated command interfaces, documented formats — appear in larger commercial constellations that were built on similar heritage or under similar commercial pressure to ship fast.
7. Megaconstellations and the New Threat Geometry
Starlink, OneWeb, and similar low-Earth-orbit broadband constellations represent a structural shift in how satellite communications infrastructure is organised. Traditional geostationary systems concentrate risk: a handful of large spacecraft serve continental-scale footprints. A compromise or disruption of one spacecraft has large-scale consequences. LEO megaconstellations distribute that risk across hundreds or thousands of small satellites, but they also create a more complex threat geometry.
With thousands of spacecraft in orbit, the management infrastructure for a megaconstellation is necessarily automated. You cannot have human operators manually scheduling contact windows and uploading commands to four thousand satellites. The control system is software, running at scale, making decisions about orbit maintenance, power management, inter-satellite link routing, and beam steering. The attack surface is not just the RF interface — it is the software stack that drives the constellation.
Starlink uses inter-satellite laser links to route traffic between spacecraft without returning to a ground station for every hop. This is elegant engineering that significantly improves latency and reduces ground infrastructure requirements. It also means that a compromised ground station cannot simply be isolated without affecting the constellation's routing. The trust relationships between spacecraft in a laser-linked mesh are a new category of problem that does not have a well-established security precedent.
The ground terminals for LEO broadband systems are also a meaningful part of the attack surface. Starlink terminals have been physically analysed by security researchers. Fault injection attacks against the boot ROM have been demonstrated. The security of the update mechanism determines whether a firmware vulnerability can be patched before it is exploited at scale, and the installed base of user terminals for a large constellation is measured in the millions.
8. Side Channels, Emissions, and Unintended Signal Leakage
One of the more subtle aspects of satellite security research involves signals that satellites were not designed to transmit. Electronic systems emit RF energy as a byproduct of normal operation — processor switching, power regulator oscillation, signal processing operations. On the ground, this is the domain of TEMPEST analysis and emissions security. In space, it creates a different class of observation opportunities.
Ground-based researchers with sensitive receivers and good antenna gain have observed incidental emissions from spacecraft that were not part of the mission's intentional downlink. In some cases, these emissions carry information about the spacecraft's operational state that is not present in the nominal telemetry. This is not a new class of vulnerability — TEMPEST-style emissions analysis has been a concern in terrestrial systems for decades — but applying it to spacecraft requires working with signals that have traversed enormous distances and arrived at extremely low power levels.
More practically accessible is the analysis of metadata from legitimate transmissions. The timing, frequency, and power characteristics of a spacecraft's transmissions carry information beyond the intended payload. Variations in transmit frequency reveal spacecraft temperature and aging effects. Changes in transmission cadence can indicate operational mode transitions. Amplitude variations in downlinks can sometimes be correlated with spacecraft attitude. None of this individually constitutes a serious vulnerability, but combined with other intelligence sources, it contributes to a detailed picture of spacecraft operations that may have been intended to be less transparent.
This kind of passive analysis is entirely legal and requires no interaction with the spacecraft. A researcher with a good software-defined radio, a tracking antenna, and a week of observation time can develop a detailed characterisation of a satellite's RF behaviour that its operators may not have fully documented themselves.
9. The Regulatory Gap and the Research Ethics Problem
Space security research occupies an uncomfortable regulatory position. Most of the interesting research involves receiving and analysing RF signals, which is legal under the Radio Act provisions governing passive reception in most jurisdictions. Actually transmitting toward a spacecraft — even for benign research purposes — implicates spectrum regulations, licensing requirements, and in some cases national security law. The threshold between legal observation and illegal interference is not always clearly defined, and it varies significantly between countries.
This creates a genuine ethical difficulty for responsible disclosure in the satellite security domain. A researcher who discovers a command injection vulnerability in a satellite's telecommand interface cannot simply notify the vendor and wait for a patch. There is no reliable patch mechanism for a spacecraft already in orbit. The disclosure timeline and the remediation options are fundamentally different from software vulnerability disclosure, and the potential impact of public disclosure — informing bad actors of a vulnerability that may be unexploitable without specialised equipment but nonetheless real — has to be weighed carefully.
The satellite industry's engagement with the security research community has improved. Bug bounty programs for ground systems exist. Some operators have begun including security researchers in design reviews. The DEF CON Aerospace Village has become a meaningful venue for this community, with coordinated vulnerability research and constructive dialogue between researchers and operators. But the norms are still developing, and the gap between the security research community's practices and the operational realities of satellite systems is wider than it is in most other domains.
10. What Building Secure Space Systems Actually Requires
Designing security into a space system from the beginning is categorically different from adding it later, and almost everything about the constraints pushes toward deferral. Mass and power are allocated to the payload. Schedule pressure discourages a thorough security review. The long design lifecycle means security requirements written today will be implemented against a threat landscape that will look different by launch. And once the spacecraft is in orbit, the options are limited.
The most important architectural decision is where to put cryptographic trust. End-to-end authenticated encryption from ground station to spacecraft is achievable with modern processors, even in the constrained environments typical of small satellites. Key management for on-orbit systems is genuinely hard — rotating a long-lived signing key on a spacecraft that cannot be physically accessed requires either pre-provisioning multiple keys or building a key update mechanism that is itself authenticated, creating a bootstrapping problem. These are solvable problems, but they require explicit attention during design.
Ground segment security deserves as much attention as the space segment, probably more. The ground segment is where conventional security practices apply most directly. Network segmentation between mission-critical uplink systems and general enterprise infrastructure, strong authentication for access to uplink-capable systems, anomaly detection on command streams, and tamper-evident logging of all uplink activity are all achievable with current technology and do not require changes to in-orbit hardware.
The realistic near-term progress is probably in the operator community's security posture rather than in the spacecraft themselves. The spacecraft flying today will continue to fly for years, and their security characteristics are largely fixed. The practices of the people operating them, the security of the infrastructure connecting them to their operators, and the quality of the monitoring and incident response around those systems are where meaningful improvement is possible on the timescale that matters.
Space communications will continue to be an interesting domain for security research precisely because the constraints are real and the solutions are not obvious. The physics does not care about your security requirements. The orbital mechanics do not wait for your patch cycle. Working within those constraints to build systems that are resilient to determined adversaries while still delivering mission capability is a genuinely hard engineering problem, and it is going to matter more as space infrastructure becomes more deeply embedded in the systems that modern life depends on.