TRANSMISSION OPEN · HACKSPACECON · COCOA BEACH, FL · MAY 2026
ICSRED · RESEARCH · TRANSMISSION 0x01
Ground Control to Major Tom.
Breaking down AX.25, CCSDS, and DVB-S/S2: the protocols holding low-earth orbit together.
Stephen Glombicki
STUDENT · OSCP+ · CRTO · CCNA · ICS.RED
§ 1.1 · THREAT LANDSCAPE
§ 1 · THE NEW SPACE REALITY
Everyone has a dish now.
10K+
ACTIVE SATELLITES · 2026
Up from ~3,000 in 2019. CubeSats, commercial constellations, science missions, military · all needing a radio link.
"Security through obscurity meant security through nobody having a dish.
Now everyone has a dish · or an SDR."
§ 1.2 · SPACE LINK · ATTACK SURFACE
Three ways into orbit.
Three of these vectors live in the RF. The fourth kills the most modems.
INCIDENT · FEB 2022 · KA-SAT · VIASAT
§ 1.3 · REAL-WORLD WAKE-UP CALL
FEB 24, 2022 · 03:02 UTC
As the invasion began, tens of thousands of modems dropped offline.
UKRAINE
DARK
Ukrainian KA-SAT users lost service at the invasion start.
GERMANY · ENERCON
~5,800
Enercon wind turbines lost remote monitoring. Spillover damage.
EUROPE-WIDE
tens K
Broadband subscribers across multiple European countries offline.
Attributed to the Russian GRU by the US, EU and UK. The satellite wasn't hacked. The ground segment was.
§ 1.4 · KILL CHAIN · ACIDRAIN
§ 1.4 · KILL CHAIN
The blast radius of one VPN.
01
Compromised VPN
Misconfigured VPN appliance into the management network.
VECTOR · EDGE
02
KA-SAT NOC
Lateral into the management servers in Turin, Italy.
VECTOR · LATERAL
03
AcidRain deployed
Wiper pushed over the legitimate management channel to every modem.
VECTOR · PAYLOAD
04
Tens of thousands offline
Legitimate management commands overwrote modem flash. Viasat shipped ~30K replacements. Not a satellite hack · a ground-segment compromise with cross-border blast radius.
IMPACT · TERMINAL
§ 1.5 · AGENDA
WHAT WE'RE COVERING TODAY
Three protocols, one problem.
01
AX.25 · the amateur backbone
CubeSats · ISS · ham radio · 1984 and still flying
12 MIN · §2
NO CRYPTO
02
CCSDS · the mission standard
NASA · ESA · JAXA · the professional counterpart
10 MIN · §3
DEPLOYMENT · UNEVEN
03
DVB-S / S2 · the commercial workhorse
Satellite TV · VSAT broadband · maritime · cellular backhaul
10 MIN · §4
€300 INTERCEPT
04
Demo + where we go from here
Live AX.25 decode · the gap · catching up
13 MIN · §5–7
LIVE RX
02
SECTION 02 · 12 MINUTES
AX.25.
The amateur backbone. Flying on the ISS, hundreds of CubeSats,
and Planet Labs' commercial fleet · and it has zero cryptographic defenses.
1984 · OSI LAYER 2 · BELL 202 AFSK · GMSK · AMATEUR VHF/UHF
§ 2.1 · AX.25 · WHAT IS IT
§ 2.1 · THE AMATEUR BACKBONE
Ham radio went to orbit.
AX.25 is amateur X.25 · a 1984 data-link protocol built for terrestrial packet radio. It never went through a redesign. It just went up.
WHERE IT FLIES: ISS APRS · CubeSats · PocketQubes · Planet Labs
PHY: 1200 baud AFSK · 9600 baud GMSK · VHF / UHF
DATA RATE: 9,600 bits/sec · typical
OSI: Layer 2 · Data Link
FIELD OBSERVATION
Planet Labs · a commercial imaging company with hundreds of birds in orbit · has published that it uses AX.25 on its fleet.
source: Springer, 2020
§ 2.2 · AX.25 · FRAME ANATOMY
§ 2.2 · FRAME STRUCTURE
Look for the encryption field.
0x7E | FLAG | 1 B
ADDRESS | SRC · DEST CALLSIGNS · PLAINTEXT | 14 / 28 B
CTL | CONTROL | 1 / 2 B
INFO / USER DATA | TELEMETRY · COMMANDS · MESSAGES · PLAINTEXT | up to 256 B
FCS | CRC-16 · ERROR DETECTION | 2 B
0x7E | FLAG | 1 B
NO AUTHENTICATION FIELD
Callsign is self-asserted. That is the whole identity layer.
NO ENCRYPTION FIELD
Every byte is transmitted in the clear.
NO INTEGRITY
CRC detects errors, not attackers. Recompute, resend.
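ADDED EXAMPLE · not part of the original slides. A parser for the frame layout above, showing that every field decodes without a key and that the FCS check is a keyless checksum. It assumes flags and bit-stuffing are already removed, a 1-byte control field, and the PID byte that AX.25 UI frames carry after control; the sample frame and the N0CALL callsign are constructed.

```python
# Added example (not from the talk): parse a de-framed AX.25 UI frame.
# Assumes flags and bit-stuffing are already removed and a 1-byte control field.

def crc16_x25(data: bytes) -> int:
    """AX.25 FCS: CRC-16/X-25 (reflected poly 0x1021, init and xorout 0xFFFF)."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return crc ^ 0xFFFF

def decode_addr(field: bytes) -> str:
    """7-byte address: six ASCII chars shifted left one bit, then an SSID byte."""
    call = "".join(chr(b >> 1) for b in field[:6]).strip()
    ssid = (field[6] >> 1) & 0x0F
    return f"{call}-{ssid}" if ssid else call

def parse_frame(frame: bytes) -> dict:
    if len(frame) < 17:  # two addresses + control + FCS
        raise ValueError("too short for an AX.25 frame")
    body, fcs = frame[:-2], int.from_bytes(frame[-2:], "little")
    addrs, pos = [], 0
    while True:
        field = body[pos:pos + 7]
        if len(field) < 7:
            raise ValueError("address field is not terminated")
        addrs.append(decode_addr(field))
        pos += 7
        if field[6] & 0x01:  # extension bit is set on the last address
            break
    if len(addrs) < 2 or pos >= len(body):
        raise ValueError("missing source address or control field")
    control = body[pos]
    is_ui = (control & 0xEF) == 0x03  # UI frame, poll/final bit ignored
    pid = body[pos + 1] if is_ui and pos + 1 < len(body) else None
    info = body[pos + 2:] if pid is not None else body[pos + 1:]
    return {
        "dest": addrs[0], "src": addrs[1], "via": addrs[2:],
        "control": control, "pid": pid, "info": info,
        # Keyless checksum: True means "not corrupted", never "from this sender".
        "fcs_ok": crc16_x25(body) == fcs,
    }

# Constructed sample: N0CALL-1 to APRS via RS0ISS, UI frame, PID 0xF0.
_BODY = bytes.fromhex("82a0a4a6404060" "9c608682989862" "a4a66092a6a661" "03f0")
_BODY += b"T#001,constructed sample"
SAMPLE = _BODY + crc16_x25(_BODY).to_bytes(2, "little")

if __name__ == "__main__":
    print(parse_frame(SAMPLE))
```

The result has no field that could carry a verdict on who sent the frame: the source is whatever callsign string the address bytes spell.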
§ 2.3 · AX.25 · SECURITY ANALYSIS
§ 2.3 · WHERE SECURITY ISN'T
Everything missing, in one table.
CONTROL | AX.25 PROVIDES | CONSEQUENCE
Authentication | NONE · callsign is self-asserted | Forge any source you want.
Encryption | NONE · confidentiality crypto restricted on amateur bands | All telemetry, all commands, readable.
Integrity | CRC-16 · error detection, not tamper detection | Modify payload → recompute CRC.
Replay protection | NONE · no cryptographic anti-replay | Capture → resend → indistinguishable.
Identity | The callsign string in the address field. | That's it. That's the identity layer.
145.825 MHz FM · RS0ISS · INTERNATIONAL SPACE STATION
§ 2.4 · AX.25 IN ORBIT, TODAY
The ISS is an open APRS digipeater.
145.825 MHz · FM · 1200 BAUD AFSK
Any amateur with a $25 RTL-SDR can receive ISS packets. They contain callsigns, position reports, and text messages · from ground stations all over the world. All in plaintext.
CALLSIGN · RS0ISS
The ISS digipeats ground packets. Anyone listening sees all the traffic.
§ 2.5 · AX.25 · ATTACK SCENARIOS
§ 2.5 · ATTACK SCENARIOS
Five ways to ruin someone's day.
01
Passive eavesdrop
RTL-SDR + Dire Wolf. Every telemetry packet, in the clear.
$25 – $100
02
Callsign spoofing
Craft a frame with any source callsign. Protocol doesn't care.
ILLEGAL · §97.119
03
Command injection
Command formats are often published in papers. Unauthenticated TC → forged command path possible.
$300 + TX
04
Telemetry replay
Record. Replay. Mask anomalies from the operator.
FREE
05
APRS spoofing
Inject false position reports via ISS digipeater → whole network.
AMPLIFIED
DEMO · LIVE DECODE · 145.825 MHz · AX.25 · DIRE WOLF
§ 2.6 · WHAT A LIVE DECODE LOOKS LIKE
"This is what satellite telemetry looks like in the clear."
No auth header. No encryption. The FCS line says OK · that just means the frame wasn't corrupted in transit.
EQUIPMENT · HACKRF PRO
SOFTWARE · GNU RADIO · DIRE WOLF
BACKUP · SATNOGS IQ CAPTURE
NEVER · TRANSMIT WITH SPOOFED CALLSIGN
§ 2.7 · AX.25 · THE ENCRYPTION CARVE-OUT
§ 2.7 · ENCRYPTION ON AMATEUR BANDS
Confidentiality encryption is generally banned. Spacecraft telecommand has a carve-out.
✕ FCC §97.113(a)(4) · ITU RR 25.2A
No “messages encoded for the purpose of obscuring their meaning” — so no confidentiality crypto on telemetry or mission-data downlinks.
✓ FCC §97.211(b) · ITU CARVE-OUT
Space telecommand stations may transmit obscured codes to control a space station. Command authority can be protected.
NET RESULT · cubesats on amateur bands can authenticate / obscure commands,
but generally cannot encrypt telemetry or mission-data downlinks for confidentiality.
03
SECTION 03 · 10 MINUTES
CCSDS.
NASA, ESA, JAXA, CNES, DLR · the international committee for space data systems.
The professional counterpart to AX.25.
1980s · TC · TM · AOS · SPACE PACKET PROTOCOL · REED-SOLOMON
§ 3.1 · CCSDS · OVERVIEW
§ 3.1 · THE MISSION STANDARD
A committee, not a protocol.
CCSDS is an international standards body · members include NASA, ESA, JAXA, CNES, DLR, CSA, ROSCOSMOS. They publish Blue Books. Everyone flies their stack.
TC · telecommand
TM · telemetry
AOS · advanced orbiting systems
SPP · space packet protocol
MEMBER AGENCIES · 11
NASA
ESA
JAXA
CNES
DLR
CSA
ROSCOSMOS
UKSA
ASI
INPE
CNSA
KARI
CCSDS standards are widely deployed across government, scientific, and commercial space missions.
§ 3.2 · CCSDS · FRAME STRUCTURE
§ 3.2 · VCDU FRAME
Reed-Solomon. Still no encryption.
SYNC | MARKER | 4 B
VCDU HDR | ROUTING | 4 B
VCDU DATA · CCSDS PACKETS | M_PDU HDR 2 B · CCSDS PACKET 215 B · HDR 6 B + USER 209 B | 217 B · plaintext unless SDLS
REED-SOLOMON | FEC · CORRECTION | 32 B
+ REED-SOLOMON FEC
Real error correction, not just detection. The hop over vacuum works.
RS ≠ SECURITY
RS protects against transmission errors. It does nothing against deliberate modification.
§ 3.3 · CCSDS · INTEROP LITERATURE
§ 3.3 · FROM CCSDS SDLS INTEROPERABILITY LITERATURE
"Most civilian spacecraft operators are using the CCSDS protocol suite… currently not supporting the provision of security services."
"Space links are not secured at all, or secured using proprietary solutions."
· CCSDS SDLS INTEROPERABILITY LITERATURE
§ 3.4 · CCSDS · SDLS
§ 3.4 · THE FIX
SDLS exists. Adoption is the problem.
SPACE DATA LINK SECURITY
Published ~2012. A security overlay for TC/TM/AOS frames. Adds a security header and trailer around the existing payload.
BASELINE CIPHER: AES-128-GCM
MODE: AUTH · ENC · AEAD
KEYS: SECURITY ASSOCIATIONS (SAs)
NASA IMPL: cryptolib · open source · cFS
BEFORE · PLAIN TC/TM FRAME
HDR | PAYLOAD · PLAINTEXT | FCS
AFTER · SDLS WRAP
HDR | SEC HDR | ENCRYPTED | MAC | FCS
ADOPTION · GLACIAL
Legacy satellites can't be retrofitted. Many don't support OTA at all.
§ 3.5 · SDLS · LIMITATIONS
§ 3.5 · SDLS DOES NOT PROTECT
Encryption isn't the whole problem.
OUT OF SCOPE
Frame headers | PLAINTEXT (for routing)
VC Operational Control Fields | PLAINTEXT
Insert Service data | PLAINTEXT
Proximity-1 (lander/rover) | NO SDLS
Availability (jamming) | EXPLICITLY EXCLUDED
PRACTICAL REALITY
Even with SDLS turned on, headers stay in the clear. Traffic analysis · who's talking, when, how much · still works fine.
⚠ ENC-ONLY MODE
Without authentication, SDLS provides no protection against data-substitution attacks. Pick AEAD. Pick GCM.
CCSDS SDLS rationale document
Key rotation in orbit: OTAR is defined in SDLS-EP. Complex. Rarely exercised.
§ 3.6 · CCSDS · ATTACK SCENARIOS
§ 3.6 · ATTACK SCENARIOS
Without SDLS, everything still works.
01 · TM EAVESDROP
Frequency + modulation + encoding are public. With enough signal processing, housekeeping data is readable.
02 · COMMAND SPOOF
Enough TX power + TC format → forged command path possible. No sender verification.
03 · REPLAY
Without SDLS or mission-specific security, link-layer correctness isn't adversarial integrity. Reliability machinery doesn't stop a captured command from being replayed.
04 · TRAFFIC ANALYSIS
Even with SDLS. Headers stay in the clear. Patterns, timing, volume · all visible.
05 · GROUND-SEGMENT TAKEOVER · THE VIASAT PATH
The most practical vector. Compromise the ground station, use legitimate management channels · protocol crypto doesn't help.
HACK-A-SAT · 2023 · MOONLIGHTER · ON-ORBIT CTF
§ 3.7 · REAL-WORLD CONTEXT
A sandbox satellite · and teams running real exploits in low earth orbit.
EDITION
2023
First on-orbit hacking competition. USAF / Space Force.
FINALISTS
5
Teams competing against Moonlighter, a real satellite in orbit.
RUN BY
USAF
Air Force / Aerospace Corp. Sponsored on-orbit CTF program.
"We get to learn all of the nuances, and all of the vulnerabilities, that we weren't anticipating." · Hack-A-Sat organizer
04
SECTION 04 · 10 MINUTES
DVB-S/S2.
The commercial workhorse. Over a billion receivers worldwide.
The footprint covers millions of square kilometres · and the signal doesn't know who's listening.
A billion receivers, no default IP confidentiality.
DVB-S (1995) and DVB-S2 (2005) started as satellite TV. They became the backbone of VSAT broadband, maritime, aviation, military SATCOM, and cellular backhaul.
AUTHORS: DVB PROJECT · 200+ COMPANIES
LAYER: PHYSICAL + DATA LINK
ENCAP: IP → MPE → MPEG-TS → DVB-S2 PHY
MAX RATE: GBPS PER TRANSPONDER
100sM
RECEIVERS GLOBALLY
Hundreds of millions of DVB-S/S2 endpoints across satellite TV, VSAT, maritime, in-flight, and SATCOM.
§ 4.2 · DVB · ARCHITECTURE
§ 4.2 · ARCHITECTURE
The signal doesn't know who's listening.
§ 4.3 · DVB · CONDITIONAL ACCESS
§ 4.3 · CONDITIONAL ACCESS
Crypto exists. It's for pay-TV.
SCHEME | WHAT IT IS | NOTES | STATUS
DVB-CSA1 | Common Scrambling Algorithm · 64-bit key | Designed 1994. Cryptanalysis published (Tews et al., 2011). | BROKEN
DVB-CSA2 | CSA replacement · proprietary | Harder, but no independent cryptanalysis. | PROPRIETARY
DVB-CSA3 | AES-128 based | The one you want. Rarely deployed on IP broadband. | AES-128
DVB-CI | Common Interface · smartcard | Physical CAS hardware. Pay-TV set-top land. | HARDWARE
⚠ DVB-CA IS OPTIONAL · BUILT FOR CONTENT PROTECTION
IP traffic over DVB-S2 is frequently not encrypted. Protection is left to the application · and very often, no layer bothers.
WiSec 2019 · OXFORD · UCL · "SECRETS IN THE SKY"
§ 4.4 · "SECRETS IN THE SKY" · 2019
€300 of gear,
100 million km² of coverage.
WHAT THE RESEARCHERS CAPTURED
→ Individual customers identified by full name and address.
→ Web browsing activity, captured over the air.
→ Unencrypted telemetry from power plants and SCADA systems.
→ Unencrypted application traffic and VoIP-class streams across multiple providers.
Several providers enabled link-layer encryption after disclosure. The point: confidentiality on commercial satellite IP is not guaranteed by the standard.
§ 4.5 · DVB · ATTACK SCENARIOS
§ 4.5 · ATTACK SCENARIOS
Passive is trivial. Active, published.
01 · PASSIVE INTERCEPT
$300–800 COTS: dish + TBS-5927 USB tuner. Tools: GSExtract, DontLookUp. All unencrypted IP, dumped to Wireshark.
02 · CUSTOMER ID
MPEG-TS addressing identifies specific terminals · deanonymize subscribers, one PID at a time.
03 · SCADA OVER SATELLITE
ICS traffic on satellite links, unencrypted, in the clear. Visible to anyone in the footprint.
04 · ACTIVE SIGNAL INJECTION · PUBLISHED
Lab-demonstrated wireless signal injection against commercial VSAT modem behavior. Receivers were not designed with hostile RF inputs in mind. Different cost class than passive intercept.
USENIX Security 2024
§ 4.6 · DVB · GROUND-SIDE VULNS
§ 4.6 · RECEIVER-SIDE ROT
Pro broadcast gear, IoT-grade security.
ELBER ESE DVB-S/S2 · 2024 CVES
AUTH BYPASS
Direct access to password management via unauthenticated HTTP.
UNAUTH CONFIG
Unauthenticated device configuration.
HIDDEN ENDPOINTS
Client-side hidden functionality disclosure.
CONTEXT
These are professional broadcast receivers used in radio contribution networks · not hobbyist gear.
Pattern: the ground-side equipment has the same sloppy security as any IoT camera. Protocol crypto doesn't save you from hardcoded creds on the receiver's admin panel.
06
SECTION 06 · THE TAKEAWAY
The gap.
Why space protocols sit decades behind terrestrial security,
and what it actually takes to close the distance.
LEGACY · PHYSICS · REGULATION · CULTURE · COST
§ 6.1 · TERRESTRIAL · VS · SPACE
§ 6.1 · THE GAP, IN ONE TABLE
2026 on the ground. 1996 in orbit.
DOMAIN | TERRESTRIAL · 2026 | SPACE PROTOCOLS
Encryption | TLS 1.3 · everywhere · default on | Optional at best, often absent
Authentication | Mutual auth · certificates · MFA | Callsign (self-asserted), or none
Key management | ACME · automated rotation | Manual · OTAR if you're lucky
Patching | CI/CD · OTA · weekly | Rarely possible · risky when it is
Monitoring | SIEM · IDS · IPS · logging | Limited downlink visibility
Regulatory | PCI-DSS · HIPAA · GDPR | ITU coordination + hope
§ 6.2 · WHY
§ 6.2 · WHY THE GAP EXISTS
Seven reasons we're here.
01
Legacy
Designed before modern threat models existed.
02
Physics
Link budgets are tight. Overhead costs power.
03
Regulation
Amateur bands ban encryption outright.
04
Culture
"Nobody will bother." SDRs called the bluff.
05
Cost
Space-qualified crypto is expensive. CubeSats are < $100K.
06
Immutability
Can't swap hardware in LEO. Patching is perilous.
07
Interop
Both ends must implement. Adoption is glacial.
∞
Inertia
All six reasons, compounding. On a 15-year orbit.
§ 6.3 · WHAT IT TAKES
§ 6.3 · HOW WE CATCH UP
Today, this decade, next decade.
SHORT TERM · NOW
Turn on what exists.
→ Deploy NASA CryptoLib / SDLS on new missions.
→ Encrypt satellite broadband IP by default.
→ Patch ground VPNs. Segment the NOC.
MEDIUM TERM · 3–5 YR
Fix the constraints.
→ Lightweight signed telemetry for amateur bands.
→ Mandatory security in launch-provider ICDs.
→ Space ISAC · threat-intel sharing.
LONG TERM · 10 YR
Rewrite the rules.
→ Revisit ITU / FCC restrictions on amateur-band confidentiality.
→ Post-quantum crypto for long-duration missions.
→ On-board IDS. SPARTA threat modeling.
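ADDED EXAMPLE · not part of the original slides. One possible shape for "lightweight signed telemetry": the payload stays readable, and a keyed tag plus a frame counter give the ground station the authentication, integrity and replay checks that AX.25 lacks. The key, field sizes, callsign and all names here are assumptions made for illustration, not a published scheme.

```python
# Added example (not from the talk): authenticated, replay-checked telemetry
# whose payload stays readable. Key, field sizes and names are assumptions.
import hashlib
import hmac
import struct

TAG_LEN = 16      # truncated HMAC-SHA-256 tag appended to the info field
COUNTER_LEN = 4   # big-endian frame counter; must only ever increase
DEMO_KEY = b"constructed-demo-key-not-for-flight"

def _tag(key: bytes, callsign: str, counter: bytes, payload: bytes) -> bytes:
    # Bind the self-asserted callsign and the counter into the MAC input.
    msg = callsign.encode("ascii") + b"\x00" + counter + payload
    return hmac.new(key, msg, hashlib.sha256).digest()[:TAG_LEN]

def seal(key: bytes, callsign: str, counter: int, payload: bytes) -> bytes:
    """Sender side: counter || plaintext payload || tag."""
    ctr = struct.pack(">I", counter)
    return ctr + payload + _tag(key, callsign, ctr, payload)

class TelemetryVerifier:
    """Ground side: accept only if the tag verifies and the counter advances."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = {}  # highest counter accepted, per callsign

    def accept(self, callsign: str, info: bytes):
        if len(info) < COUNTER_LEN + TAG_LEN:
            return None
        ctr = info[:COUNTER_LEN]
        payload = info[COUNTER_LEN:-TAG_LEN]
        tag = info[-TAG_LEN:]
        if not hmac.compare_digest(tag, _tag(self.key, callsign, ctr, payload)):
            return None  # modified payload, wrong key, or wrong callsign
        counter = struct.unpack(">I", ctr)[0]
        if counter <= self.last_counter.get(callsign, -1):
            return None  # authentic but already seen: a replay
        self.last_counter[callsign] = counter
        return payload

if __name__ == "__main__":
    v = TelemetryVerifier(DEMO_KEY)
    frame = seal(DEMO_KEY, "N0CALL-1", 1, b"T#001,3.9V")
    print(v.accept("N0CALL-1", frame), v.accept("N0CALL-1", frame))
```

Unlike the CRC-16 FCS, the tag cannot be recomputed without the key, and the counter makes a captured frame useless once the original has been accepted.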
§ 7.1 · TAKEAWAYS
§ 7 · TAKEAWAYS
Five things to walk out with.
01
AX.25 has zero security · by design AND by regulation. Flying on the ISS and hundreds of CubeSats.
02
CCSDS can be secured with SDLS · but adoption is glacial, and most missions in orbit shipped without it.
03
DVB-S2 broadband is interceptable with €300. Encryption exists. Very often it's not turned on.
04
Viasat proved it isn't theoretical. Tens of thousands of modems dropped offline through a ground-segment intrusion. Wartime consequences.
05
The receive barrier has collapsed for the easy targets. A $25 SDR pulls down ISS APRS. €300 of gear pulled down GEO broadband in plaintext. Active attacks remain harder.
45 4e 44 20 4f 46 20 54 52 41 4e 53 4d 49 53 53 49 4f 4e 20 ·
54 68 61 6e 6b 20 79 6f 75 20 48 61 63 6b 53 70 61 63 65 43 6f 6e 20 2a
CHANNEL CLOSING · Q&A · COME TALK
END OF TRANSMISSION
Questions?
Thank you, HackSpaceCon. Come find me · I want to hear your weirdest SDR capture.