The European Space Agency Launches Hackable Satellite

Of course this is hackable:

A sophisticated telecommunications satellite that can be completely repurposed while in space has launched.


Because the satellite can be reprogrammed in orbit, it can respond to changing demands during its lifetime.


The satellite can detect and characterise any rogue emissions, enabling it to respond dynamically to accidental interference or intentional jamming.

We can assume strong encryption, and good key management. Still, seems like a juicy target for other governments.

NombreNoImportane' August 2, 2021 8:28 AM

Ummm… Don’t most governments REQUIRE that satellites be hackable by the host nation?

Clive Robinson August 2, 2021 8:38 AM

@ Bruce, ALL,

Of course this is hackable:

Nearly all satellites launched this century are software “hackable by design” in oh so many ways you really would not believe…

However the article you link to is not talking about “software reprogramming” as such but “antenna footprint reprogramming” and other communications systems components amongst other things. It’s about a 3.5 thousand kg platform with eight fully definable beams that can be updated in near real time and in theory has the capability to track an individual ship or aircraft.

Yes it is a flexible software-defined satellite, but “software-defined” is a “term of art” and used as in “software-defined radio”. That is the traditional physical parts of the radio systems have been replaced with “Digital Signal Processing”(DSP) and phased array systems. DSP is rather different to conventional programming, and does not require a Turing Compatible Processor, a simplified “state machine will frequently do”.

You have to think of DSP “filtering data” rather than “processing data”. That is it uses the likes of the MAD instruction to “scale and offset” by predefined non data dependent “filter values”, and in no way acts upon “data dependent” values, thus can not be “hacked” that way.

Further the satellite is very loosely like a 5G base station and its steerable antennas using phase array techniques can point at singular targets, small areas and large areas of complex coverage patterns.

The contract for this satellite was “inked” back in 2015 after half a decade of wrangling. It was developed in the UK that has been the world’s leading Satellite BUS and Payload developer, with Martin Sweeting’s Surrey Satellite being lead developer[1].

Quantum is likely to be the last such system due to Brexit, and what can be said is extremely limited. Put simply the ESA’s rules as laid down by the European Commission preclude any further involvement of the UK or UK personnel in EU Space development other than in a very very minor capacity.

It’s why Airbus’s name is now prominent although missing at the original inking.

As for UK space development, there is a story going around that UK Prime Minister Boris Johnson is going to sell it all at a massive loss to one or two companies that are in effect owned by the Chinese, who want the technology that EU politicians would rather be used against them in weapons of war by an actively hostile power rather than buy it from the UK and politically have it stick in their craw…

In another more interesting “security” area for the EU,


Clive Robinson August 2, 2021 1:18 PM

@ Chelloveck,

Sure, we can assume strong encryption, and good key management… but why would we?

It’s a fair question, and the answer is one few like…

Which is,

“You have to assume a root of trust somewhere.”

John Doe August 2, 2021 1:59 PM

One satellite? Unless it has a literal death ray or something, why would anyone spend time hacking ONE satellite? Have these folks heard of Starlink? (“Each launch of 60 satellites contains more than 4,000 Linux computers”. There’s 1.5+K of them already, presumably going to 12K. SpaceX’s opsec is probably good, but is it good enough to withstand attacks by China/Russia? I am pretty sure the answer is “no”…)

SpaceLifeForm August 2, 2021 3:17 PM

One well-placed Cosmic Ray to the Root-of-Trust and it can become floating space junk.

I have to assume that scenario was addressed via multiple HSMs and comm channels, but over time, it will eventually fail.

So, there is an expected mean lifetime and it was built for the expected project timeframe.

Doing the Starlink approach does provide more redundancy, and more targets, and shorter expected lifetimes, but that does not necessarily reduce the problem for an attacker.

The attacker is more likely to attack the ground-based infrastructure.

Clive Robinson August 2, 2021 4:30 PM

@ SpaceLifeForm,

I have to assume that scenario was addressed via multiple HSMs and comm channels, but over time, it will eventually fail.

Funny you should say that…

As you might know the EU and ESA have developed their own global positioning system with some very very expensive Swiss clocks…

Well let’s just say back in 2017 the MTTF was one heck of a lot shorter than expected…

They believe that they have since solved the problem… But in 2019 it all went pear shaped again,

So yeh keep yer peepers peeled on ESA now EUSA and hang on tight the ride could be wild or deader than a donkey down a mine shaft…

Myrtle Green August 2, 2021 4:59 PM

Wouldn’t that be ‘reconfigurable’


If that’s what it is I can definitely see an upside to malicious updates.

SpaceLifeForm August 2, 2021 5:47 PM

I am still waiting for Russia to say that the software had not been changed and that this was a totally unknown, never seen before, bug.

So far, crickets.

After initially thinking the message could perhaps be a mistake, he told The New York Times, he soon realized that it was not and that Nauka was not only firing its thrusters, but that it was trying to actually pull away from the space station that it had just docked with. And he was soon told that the module could only receive direct commands from a ground station in Russia, which the space station wouldn’t pass over for over an hour.

echo August 2, 2021 7:02 PM

There’s no mention of it in this article but the UK has done work with variable direction and adjustable footprint spy and communication satellites. Another thing not mentioned in this article as Tory nationalistic bragging gets in the way is that the UK dropped the ball with being a full partner of Airbus. What happened is due to EU solidarity the UK was treated as a “privileged partner” which meant in practice it had the same access to the work as full partners. There is of course no mention of decades of economic mismanagement by the Tories who basically gutted UK industry and left the UK not only with the lowest productivity in Europe but the largest inequality in Europe. Now the UK is a “third country” and behaving in hostile ways?

The UK is traditionally tight lipped about spy and military communications satellites. Most people can’t remember the UK has them let alone talk about them. So Skynet is was being operated by Airbus Defence and Space. How’s that going now? Oneweb seems to have dropped out of the news too. Oh, what do we have here Oneweb’s factory is a joint venture with Airbus.

Agammamon August 2, 2021 11:22 PM

“We can assume strong encryption, and good key management.”

I don’t really think we can. Neither government nor private agencies have a great record with maintaining security. Hell, our own drones have been sent out on missions with unencrypted datalinks – it took a while before anyone thought to ask ‘hey, can the Taliban listen to us?’

SpaceLifeForm August 3, 2021 2:54 AM

@ Clive, JonKnowsNothing, Winter, MarkH, ALL

Bert is a digger. The second link is really fascinating.



Clive Robinson August 3, 2021 6:30 AM

@ SpaceLifeForm, JonKnowsNothing, MarkH, Winter, ALL

With regards “Global Navigation Satellite Systems”(GNSS) the way they work is actually very very simple, but… With great simplicity inherently great complexity is close on its heels.

Imagine if you will a one pulse per second highly time stable generator at exactly the center of an exactly spherical earth with satellites in exactly circular orbits and lots of people standing around with receivers at very close to sea level on the perfectly circular earth that is not in any way influenced by the Moon, Sun, gas giants or even the effects of sunlight on wind etc…

It’s not difficult to realise from this perfect model that the position of every receiver’s antenna is a simple triangle with regards the center of the earth, a satellite in a perfectly circular orbit and a point on the surface of a perfectly spherical earth where the person stands and back to the center of the earth.

If you know two lengths and two points the other length and point are actually quite easily calculated. Most high school kids with a nice diagram on the board and a simple equation,

C² = B² + A²

Written beside it and given two distances from the center of the earth to the orbit height and the earth’s surface height can work out the rest fairly quickly.

Now as the speed of light C is allegedly a very precise constant measuring distance by time can be as accurate as you like… And again the high school kids can do this…

The problem starts with the fact the earth spins, and is thus not a perfect sphere but an oblate spheroid, the actual shape of which is dependent not just on the position of all the planets and major masses in the solar system but such apparent inconsequentials as if there are clouds over land masses etc. Satellite orbits are affected not just by the fun of “Space Weather” but “Earth Weather” as well and the time be it day light or night light below it… Also the surface of the earth moves around not just like an ice cube in a drink but in height as well.

Thus there is a great deal of unpredictability in things…

Now the Galileo ideal is it is supposed to be able to tell a distance apart of ~8inches / 20cm or the length of your hand in any orientation…. Compare that with the earth’s average radius of 6,371,000 meter or 31,855,000 times the length of your hand… Your average “floating point” package is not going to hack it at all.

But… Whilst it is not possible to work out so many “random variables” and perform the required vector addition you can cheat and outrageously so without much loss in accuracy. The reason being those triangles are really determined by the harmonic functions of each circular function that contributes to the orbital path.

Thus a large Discrete Fourier Transform (DFT) will enable you to very accurately predict the points and lengths of those triangles in the fairly short term and you can compare the prediction with the integration of the previous N known points.

In essence that is all your GNSS receiver is doing. Using a prediction to make a measurement that fairly accurately predicts your position. However rather than your receiver doing the “heavy lift” this is done by software at the control center that generates fake satellite etc heights and positions (ephemeris) and takes into account relativity etc and sends it to your receiver.

If that is accurate your position is accurate, if not you are “all at sea”.

From what has been said the software that generates the ephemeris got derailed.

Now ask yourself a question, for something so important, why would the design allow a single individual to SNAFU it?

The answer is no way on Gods little Green Apple. Thus the story coming out of the EU is lets just say “highly improbable” and smacks of “Political ass wallpapering”. It’s fairly well known that Galileo only exists because of the efforts of almost a bunch of students at Surrey University in Guildford Surrey UK. Further all along Galileo’s history it all keeps coming back to the team in Surrey… However all the real problems with Galileo started when EU politicians stuck their “camels nose” in due to power politics and Brexit…

Will the EU get Galileo right? Given time everything is possible, but will it be credible when that happens? Probably not…

But hey politicians always know better than every one else including domain experts…

My advice unless cyan is your favourite colour don’t hold your breath.

echo August 3, 2021 9:30 AM


But hey politicians always know better than every one else including domain experts…

Politics and bureaucracy is the game of MEP’s and the Commission. It’s not as easy as it looks and more than one “domain expert” has come unstuck poking their noses into these areas which they may not have experience with. With the EU and other pan European organisations there’s quite a lot going on with priorities and the single market and trade agreements and not everything is a straight line path. I also think you have forgotten the UK is a relatively modest economy with enough of its own problems and without the European initiative it’s likely nothing would have got done.


I read through the first link. I didn’t read anything to get het up about. The EU by and large is relatively open and well documented. None of the primary organisations have the history or experience of NASA or the US military. They’re open enough about teething troubles.

Clive Robinson August 3, 2021 12:39 PM

@ echo,

Politics and bureaucracy is the game of MEP’s and the Commission.

Along with major fraud, it’s certainly the game of the largely non democratic Commission. Who try to stop the MEP’s actually having any influence or real control over them.

However like project managers should take note of domain experts so should the members of the Commission but they do not.

With regards,

It’s not as easy as it looks and more than one “domain expert” has come unstuck poking their noses into these areas which they may not have experience with.

The reason it’s “not as easy” is that it is a deliberate policy to make things as difficult as possible to not just detect the fraud, but stop it. Even true domain experts in the likes of accountancy have found themselves first victimized then attacked both at work and in their homes by those working on behalf of commission members like the Kinnocks who were up to their necks in fraud, be it financial, political and electoral.

Which brings us onto,

not everything is a straight line path.

Again deliberately so, so that financial, political and electoral fraud may flourish in the commission.

It’s time the “You don’t understand XXXican politics” nonsense stopped and fraud legislation applied vigorously.

Because you have to ask the question just how many deaths in the EU are down to the fraud and corruption behind the COVID vaccine procurement policy the EU Commission President Ursula von der Leyen was doing very nicely by till it all blew up and the real truth about the nasty little games they play started to leak out.

As for,

I also think you have forgotten the UK is a relatively modest economy with enough of its own problems…

All “nations” have “modest economies” in one way or another, that is the nature of state expenditure per capita. However even quite small nations can be the “leading edge” of the entire world, look at the Dutch and the manufacture of high end semiconductor fabrication equipment for instance which nobody including China, the US or any other nation comes even close to.

The UK had a number of world leading specialities ARM chips being one, certain power mosfets being another and Space Bus and payloads being yet another, VTOL technology and much more besides. The UK was punching well well above its weight in quite a few areas.

However UK politicians especially the current encumbrants are morally and fiscally bankrupt thus open to all forms of fraud. Which is why we keep having “fire sales of fire sales” where IP is given away for free with infrastructure “friends of friends” are not even paying 1 cent on the dollar for…

But hey that’s the price you, I and most other UK citizens pay to keep an oaf in power who will sell your teeth and body organs just to make a few bob for his “American and Chinese Chums”.

SpaceLifeForm August 3, 2021 3:50 PM

Schrödinger leap second

It will not exist, but you want to observe it.



Mike D. August 4, 2021 12:08 AM

I’d be surprised if they’re using DSPs for their software radio work. DSPs underperformed FPGAs in that role all the way back in 2009 when I did a grad class project on it. DSPs have to bottleneck everything through a few ALUs and load/store units compared to the huge distributed arrays of hundreds of RAM buffers and multiplier-accumulator blocks on an FPGA.

As for cosmic rays ruining your root of trust or anything else: this stuff is hardened against those kind of events, with overdesign, shielding, redundancy, and runtime checking, at the very least. One FPGA family I use has an option where it constantly runs CRCs on the loaded bit pattern and compares it to the CRC it loaded at startup, and restarts and reconfigures if there’s a mismatch. That works together with the other systems to make sure you’ve got good odds of keeping control of the satellite, and luckily modern networking doesn’t require 100% uptime for stability.
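An added illustration of the configuration check described in the comment above (a periodic CRC over the loaded bit pattern, with a reload on mismatch); it is not code from the comment or from any FPGA vendor. The `fpga_model` structure, the function names, the 64-word image and the use of CRC-32 are assumptions made for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define CFG_WORDS 64            /* constructed size; real bitstreams are far larger */

/* Hypothetical model of an SRAM-based FPGA, not any vendor's API. */
struct fpga_model {
    uint32_t image[CFG_WORDS];  /* stand-in for the bitstream in external storage */
    uint32_t live[CFG_WORDS];   /* stand-in for on-chip configuration memory */
    uint32_t startup_crc;       /* reference CRC recorded when the image is loaded */
    unsigned reconfigs;         /* how many times a mismatch forced a reload */
};

/* Bitwise CRC-32 (reflected polynomial 0xEDB88320) over a byte buffer. */
static uint32_t crc32_buf(const void *buf, size_t len)
{
    const uint8_t *p = buf;
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < len; i++) {
        crc ^= p[i];
        for (int b = 0; b < 8; b++)
            crc = (crc & 1u) ? (crc >> 1) ^ 0xEDB88320u : crc >> 1;
    }
    return ~crc;
}

/* Fill the stored image with a constructed, deterministic pattern. */
void fpga_make_image(struct fpga_model *f)
{
    uint32_t x = 0x12345678u;
    for (size_t i = 0; i < CFG_WORDS; i++) {
        x = x * 1664525u + 1013904223u;   /* LCG, only to get varied bits */
        f->image[i] = x;
    }
    f->reconfigs = 0;
}

/* Load the image into configuration memory and record the reference CRC. */
void fpga_configure(struct fpga_model *f)
{
    memcpy(f->live, f->image, sizeof f->live);
    f->startup_crc = crc32_buf(f->live, sizeof f->live);
}

/* Simulate a single-event upset: flip one bit of the live configuration. */
void fpga_upset(struct fpga_model *f, size_t word, unsigned bit)
{
    f->live[word % CFG_WORDS] ^= (uint32_t)1 << (bit % 32);
}

/* One background scrub pass. Returns 1 if a mismatch was found (and the
 * device was reconfigured), 0 if the live pattern still matches. */
int fpga_scrub(struct fpga_model *f)
{
    if (crc32_buf(f->live, sizeof f->live) == f->startup_crc)
        return 0;
    fpga_configure(f);
    f->reconfigs++;
    return 1;
}

/* Scenario 1: random upset after startup. Returns the number of reloads,
 * or -1 if detection or recovery did not behave as expected. */
int demo_random_upset(void)
{
    struct fpga_model f;
    fpga_make_image(&f);
    fpga_configure(&f);
    if (fpga_scrub(&f) != 0) return -1;          /* clean device: no alarm */
    fpga_upset(&f, 17, 5);
    if (fpga_scrub(&f) != 1) return -1;          /* upset must be caught */
    if (memcmp(f.live, f.image, sizeof f.live) != 0) return -1;
    if (fpga_scrub(&f) != 0) return -1;          /* clean again after reload */
    return (int)f.reconfigs;
}

/* Scenario 2: the stored image already differs from what was built when
 * it is loaded. Returns what the scrub pass reports. */
int demo_changed_image(void)
{
    struct fpga_model f;
    fpga_make_image(&f);
    f.image[3] ^= 0x00010000u;   /* constructed change made before loading */
    fpga_configure(&f);          /* reference CRC is taken over the changed image */
    return fpga_scrub(&f);
}

int main(void)
{
    printf("reloads after one upset: %d\n", demo_random_upset());
    printf("scrub result for changed image: %d\n", demo_changed_image());
    return 0;
}
```

The second scenario shows the limit of the check: a CRC recorded at load time catches random upsets but not an image that was already different when it was loaded, so an uploaded configuration also needs an authenticity check such as a signature.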

Clive Robinson August 4, 2021 5:28 AM

@ SpaceLifeForm,

It will not exist, but you want to observe it.

You might remember in the past when I’ve tried to explain the fun with leap seconds, few people actually think it’s an issue[1]…

But there is a “Dark side Luke” part of this “it’s not an issue” problem is down to a certain type of accountant wanting “pay back over Y2K” (not sure if they wear black robes or not, but hey what they do in their spare time…).

If you thought elephants could hold a grudge, trust me they have nothing on certain types of bean counters that even the rest of their profession hope would just fall in a black hole and plate the Schwarzschild radius, forever to be separated from the rest of not just humankind but any type of accounting system anywhere in the universe, including the fundamental laws of nature.

Put simply a lot of noise was made over Y2K and even the accountancy luminaries pointed out professional misconduct for not addressing it would be easy wins for the legal profession….

But even then some accountants stuck with the view point they were not going to spend a dime on it until they absolutely had to…

I worked for a company where Y2K was a known issue because the *nix programmers had the DEC “man page” note about the year 10,000 hanging above their desks… Thus had just scheduled the work in as part of the normal system upgrade cycle.

But these “it’s our money, even though it’s the companies money” mentality accountants who did not spend when they should have, became incensed when they learned that the laws of “supply and demand” applied to the software industry just as much as it did other places…

Thus what should have cost minimal dollar and stress if they had done it as part of scheduled work suddenly started costing them tens of thousands of dollars an hour as the clock ticked down to “doom sayer day”…

Then despite all doom mongers saying the end of the world is nigh we did not wake up in a radioactive crater new days morning the world finance markets had not collapsed and the only real headaches well let’s just say no more than you would expect for people getting into the spirit of things. So these accountants felt they had been made fools of (well actually correctly they had made fools of themselves, but hey, cognitive bias and all that 😉

So they wanted not just blood, not just vengeance, they wanted to turn the clock back for a do-over… Well most of us know that was not going to happen…

So the idiots decided that all future questions about “time” issues was just another excuse to make them look even more foolish (as if that was possible). So they treat each one as a “do-over” with the sort of mean spirit even the most bitter and twisted of mortals would be shocked at…

Thus they spread a strange idea that time is just a creation of man and it does not exist thus can not possibly cause any more problems than if the earth were flat etc etc.

Naturally others who hear them find such tales seductive… But as the old saying has it,

“Time and tide wait for no man”

Something an old English King (Canute) proved to his sycophantic courtiers several centuries ago…

But whilst most people begrudgingly accept “times arrow” these days, they do not realise that “time is relative” to even the wind and waves, and whilst it can not go backwards in the way SciFi stories make light of, it can in effect for ever hold you plated in a point of space just outside a black hole… Which means it can slow down…

An effect that can be seen on earth with a couple of atomic clocks at a pole and on the equator.

The funny thing is though, we now know “atomic” clocks are how shall we say a bit naff and inaccurate compared to some celestial bodies such as neutron stars, or the new “nuclear” clocks when we get around to building them,

Well to misquote Shakespeare,

“But stark, what sound through yonder window it breaks?
It is the accounting beast, scream at the sun.
Arise, fair sun, and kill the envious beast,
Who is already sick and pale with self deceit.

[1] Due to one or two people working very hard in very strange ways often completely without thanks or acknowledgment it’s not a problem for millions of people, thus something they never have to think about.

Clive Robinson August 4, 2021 6:11 AM

@ MikeD,


I’d be surprised if they’re using DSPs for their software radio work.

You’d be surprised at “who?”

Have a look at the fun and games behind “space qualified parts”, now that really might surprise you.

But even though,

DSPs underperformed FPGAs in that role all the way back in 2009 when I did a grad class project on it.

When you say “underperformed” you are being very very non specific. And yes before you ask, there are ways DSP chips outperform FPGA’s

Way too many make assumptions about what is important in specifications and it often goes down hill from there on in…

For instance look up the 1802 processor and why it’s still regarded by some as the way to go.

Winter August 4, 2021 6:42 AM

@Clive, Mike
“DSPs underperformed FPGAs in that role all the way back in 2009 when I did a grad class project on it.”

I think the name “Field-Programmable Gate Array” gets a whole new ring to it when applied to a satellite in orbit.

Winter August 4, 2021 8:55 AM

@Clive, Mike
“DSPs underperformed FPGAs in that role all the way back in 2009 when I did a grad class project on it.”

If I remember well, spacecraft is about weight & volume, power consumption, and durability, and very little else. Would FPGA’s measure up here? I doubt it.

Winter August 4, 2021 11:01 AM

@Clive, Mike
“DSPs underperformed FPGAs in that role all the way back in 2009 when I did a grad class project on it.”

ESA (and NASA) seem to agree with Mike and are studying the use of SRAM reprogrammable FPGAs.


Clive Robinson August 4, 2021 11:47 AM

@ Winter,

volume, power consumption, and durability, and very little else. Would FPGA’s measure up here?

There is another thing, and it’s not much talked about…

If you are spending tens if not hundreds of millions getting a payload into space, you tend to be quite conservative in outlook.

One aspect of which is you are not going to be “first into space” with new technology as it’s got no upside in it for most people…

When they talk about “space qualified” what they really mean is,

“Have at least ten satellite designs before me had it functioning in space for half a decade or more?”

If no then it’s a “no fly” no matter how it’s been ground qualified…

This is causing real issues with the likes of “rechargeable batteries” where the battery manufacturer sees no point in manufacturing such batteries any more, and in some cases due to legislation for environmental issues they can not even be legally manufactured any more…

What some people do not realise is sometimes you can get “free rides”. Put simply it’s safer to put a full load of fuel in even if the satellite is only half the lift mass.

Thus the prime has two choices to “make mass” one put in “old iron” as some call it or find other satellites to make up the required mass.

When Surrey Satellites was “independent” they used to make “Technology Demonstrators” often with the likes of technology you could “buy off of the High St” like high end consumer electronics such as digital cameras. That they would put in one or three nano-micro sats / cube sats. As it was known they were doing it for “the good of all” they could frequently find a prime who had a bit of spare space. Thus new low cost technology would get a toe on the space qualified ladder. It’s one of the le

Since Air-Bus got their boots in the door many primes are now suspicious that future flights will not be for the “good of all” especially with the idiotic way EU Commission Politicians are behaving. Especially with the nonsense we have seen going on with Galileo etc.

I guess we will just have to wait and see… But for what it’s worth, every time Europe/Britain get an independent capability that is world leading political snouts get under the tent flap and that’s the end of “independent” and shortly there after the end of “world leading” and the next thing you know all the IP gets given to some Chinese/US company for less than nothing…

It’s one of the reasons what was ESA is getting so bl**dy paranoid. They’ve had independence now the EU Commission are “re-arranging the deck chairs” with a new agency. ESA will be required to hand over all their IP etc, to the new agency which will be a financial mismanagement of epic proportions, so a case can be easily made to “sell it off” and oh look all ESA’s IP goes with it for free…

Yes I know people are going to say I’m paranoid or imagining it, or don’t understand complex politics or some other guff. But then they really need to stick their face in a mirror and ask the reflection “Who am I really kidding?”…

Clive Robinson August 4, 2021 12:44 PM

@ Winter,

Go down till you find,

“Functional Triple Modular Redundancy (FTMR)”

And when you look behind the fancy name you will realise they are talking about “voting circuits” and the like.

You will if you look on this blog going back over several years, see I was discussing such systems for “security” in a very great deal of depth in the “Castle-v-Prison” / “C-v-P” / “CvP” design and the likes of @Wael, @Nick P, RobertT, and others were going into it out of rather more than “polite interest”.

As I pointed out on a number of occasions the French word for “security” is the same word for “safety” and as far as most of CvP is concerned what applied to “Security” applied as well if not better to “Safety”.

Am I surprised to see FPGA’s “being considered” of course not as I indicated with the battery problem it is inevitable that they will have to move in that direction no matter how conservative they are. They will eventually have to go that way, they will not be given any choice, because “Consumer is King” and has been for most of this century. All the “military premium” nonsense of the pre-1990’s is deader than the “Norwegian blue parrot” of the Monty Python sketch.

Thus it’s a question of “being dragged kicking and screaming into the 21st Century” for satellite payload developers.

The fact “consumer is a can of sh1t” is not going to stop it happening just make things take longer to adopt…

My view point has been for years now is aim as high as you can and stop thinking “building on foundations”, that is adopt the idea of King Henry VIII and his Navy. Don’t build castles on the beach, build them to sail the seas and take the battle where it is needed.

When you analyse most modern Security / Safety systems the first criteria is “build hardware from the bottom up” and the second “code software from the top down”. Am I the only one to see the problem with such very very old thinking?

As security / safety professionals we really really need to “up our game”. Because you can not have security / safety from the bottom-up any more than you can have it from the top-down… There is nobody that can “cover the entire computing-stack” so vulnerabilities will get in by accident or design, and more often than not remain hidden in there for years.

Just accept the old paradigms are broken beyond any possible repair…

That is look at “mitigation” in an “asymmetric way” that gives the defender the “probabilistic advantage”. You would be quite surprised how easily you can leverage such ideas to give very high levels of security, safety, and both together, for what is very little extra work in effect.

I developed and tested my ideas using PIC microcontrollers back in the 1990’s because they were very cheap and very flexible and ordinary Gate Arrays let alone FPGA’s were not by a very very long way. Now you can get PIC or ARM etc microcontrollers for cents with FPGA’s attached for a dollar or two.

The cost equation has changed, the technology will follow it so eventually will the design engineers.

But at the moment we are in that “watch and wait” period with FPGA’s in space. It would only take a couple of independent and trusted “Technology Demonstrators” and FPGA use at the periphery would be up in space a year or two later. It could be done faster, as I’ve indicated there is a cube sat prototype sitting on my bench, it gets updated regularly. Using an FPGA for a SDR system to do radio-astronomy is one payload I’ve been messing with not just for satellites but other airborne systems.

If somebody wanted to turn it into an open source payload and stick it up for Ham / Amateur use I’d be happy to design it for them. Provided somebody else dealt with the bureaucratic paperwork crud…
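The “voting circuits” behind Functional Triple Modular Redundancy named in the comment above, modelled in software as an added example (not the commenter's code and not the ESA design): a bitwise 2-of-3 majority voter that repairs whichever copy disagrees. The `tmr_reg` type, the function names and the sample value are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

#define STATE 0xCAFE0001u   /* constructed sample value */

/* Constructed model of one triplicated 32-bit register. */
struct tmr_reg { uint32_t copy[3]; };

void tmr_write(struct tmr_reg *r, uint32_t v)
{
    r->copy[0] = r->copy[1] = r->copy[2] = v;
}

/* Bitwise 2-of-3 majority: each output bit takes the value held by
 * at least two of the three copies. */
uint32_t tmr_vote(const struct tmr_reg *r)
{
    uint32_t a = r->copy[0], b = r->copy[1], c = r->copy[2];
    return (a & b) | (b & c) | (a & c);
}

/* Voted read with repair. Stores the voted value in *out, rewrites any
 * copy that disagrees with it, and returns a bitmask of the copies that
 * were rewritten (bit i set means copy i was out of step). */
unsigned tmr_read_repair(struct tmr_reg *r, uint32_t *out)
{
    uint32_t v = tmr_vote(r);
    unsigned repaired = 0;
    for (int i = 0; i < 3; i++) {
        if (r->copy[i] != v) {
            r->copy[i] = v;
            repaired |= 1u << i;
        }
    }
    *out = v;
    return repaired;
}

/* One upset in copy 1: the vote masks it and copy 1 is repaired.
 * Returns the repair mask (2), or -1 if the voted value was wrong. */
int demo_single_upset(void)
{
    struct tmr_reg r;
    uint32_t v;
    tmr_write(&r, STATE);
    r.copy[1] ^= 1u << 31;
    unsigned m = tmr_read_repair(&r, &v);
    return v == STATE ? (int)m : -1;
}

/* Two upsets in different bits of copies 0 and 2: every bit position
 * still has a 2-of-3 majority, so the vote is still right.
 * Returns the repair mask (5), or -1 if the voted value was wrong. */
int demo_two_upsets_different_bits(void)
{
    struct tmr_reg r;
    uint32_t v;
    tmr_write(&r, STATE);
    r.copy[0] ^= 1u << 4;
    r.copy[2] ^= 1u << 9;
    unsigned m = tmr_read_repair(&r, &v);
    return v == STATE ? (int)m : -1;
}

/* Two upsets in the SAME bit of copies 0 and 1: the faulty copies now
 * form the majority, the vote is wrong, and "repair" overwrites the one
 * good copy. Returns the repair mask (4), or -1 if the vote survived. */
int demo_two_upsets_same_bit(void)
{
    struct tmr_reg r;
    uint32_t v;
    tmr_write(&r, STATE);
    r.copy[0] ^= 1u << 4;
    r.copy[1] ^= 1u << 4;
    unsigned m = tmr_read_repair(&r, &v);
    return v != STATE ? (int)m : -1;
}

int main(void)
{
    printf("single upset, repair mask: %d\n", demo_single_upset());
    printf("two upsets, different bits, repair mask: %d\n",
           demo_two_upsets_different_bits());
    printf("two upsets, same bit, repair mask: %d\n",
           demo_two_upsets_same_bit());
    return 0;
}
```

The last case is why voted state has to be read and repaired often enough that a second upset is unlikely to land on the same bit before the first one is corrected.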

Ruminant Subhuman Creature August 4, 2021 3:52 PM

@ Clive Robinson, more than one Winter

You will if you look on this blog going back over several years, see I was discussing such systems for “security” in a very great deal of depth in the “Castle-v-Prison” / “C-v-P” / “CvP” design and the likes of @Wael, @Nick P, RobertT, and others were going into it out of rather more than “polite interest”.

This stuff is truly medieval. The chain mail and the portcullis, a dungeon in the basement of the castle, ball and chains, shackles, manacles, neck irons, compressed air powered jail cell doors, whatnot.

There’s a rack to torture suspects and mental health defendants for information and extract cryptographic keys with the “rubber hose” method. Gitmo and Guantanamo Bay served the Castro family very well, staffed with U.S. military commies, “extraordinary rendition” in place of due process of law, etc., etc.

Clive Robinson August 5, 2021 2:49 AM

@ Ruminant Subhuman Creature,

This stuff is truly medieval. The chain mail and the portcullis, a dungeon in the basement of the castle, ball and chains, shackles, manacles, neck irons, compressed air powered jail cell doors, whatnot.

Not sure what it is you are ingesting but I suspect it’s not legally prescribed…

@ ALL,

It was called “Castle-v-Prison” in a similar way to “Cathedral and the Bazaar”[1]. In his essay Eric S Raymond contrasted two Open Source development models. One effectively a demi-god and appointed high priests (Cathedral model) the other much more Open and in theory where anyone can contribute a part no matter how small (the Bazaar). Which gave rise to Eric’s “many eyes” idea.

What I was pointing out was the issue of a single CISC CPU (Castle) model championed by the likes of Intel which was obviously “the past” even back last century. Where the security perimeter was pushed “outwards” as far as possible, thus by default all code loaded in common “core” memory was “trusted”, “massive”, “complex” and given “free run of the system” thus made not just vulnerabilities but their exploit an absolute certainty.

I contrasted this against a considerably more modern view point where not only was there “perimeter security” but also no task inside the computer was trusted thus was run in its own small “cell” CPU as a tasklet and was closely monitored by a security hierarchy of hardware state machines and hypervisors. The cells were multiple CPU’s isolated from each other and external references running in parallel configuration that in effect formed a “Prison”.

The advantage of the Prison model over the Castle model are very many and I’m not going to list them here as they are already up on this blog, and you should be able to find them fairly easily (assuming they have not been taken down by our @host).

[1] Eric Raymond’s 1997 essay and later book,

Ruminant Subhuman Creature August 5, 2021 3:03 AM

@ Clive Robinson

Not sure what it is you are ingesting but I suspect it’s not legally prescribed…

Just put your face diaper on, get in line and get vaxxed, or they’ll put you in restraints and vaxx you where it hurts the most. Where do you get the idea that what cops and docs force people to ingest has anything to do with anything legally prescribed?

Danielle Crawford August 5, 2021 6:28 PM

FPGAs are used nowadays on the MEBs of most satellites I’ve seen. So hacking them is less script kiddie, more VHDL. But I digress.

Jiri Stary August 6, 2021 3:57 AM

It could be a juicy ransomware target – pay or we will deorbit your satellite – surprised that hasn’t yet happened

Ollie Jones August 6, 2021 9:11 AM

Politics aside, let’s hope the people running this program are not relying on security by obscurity. Let’s hope they have strong crypto in their protocols. Let’s hope they have independent “factory reset” and “kill” functions also protected by strong crypto so they can give cybercreeps the boot if they do manage to break in.

If they have this stuff, a reprogrammable satellite is probably a good idea: today’s strong crypto is the next decade’s script-kiddie stuff. The ability to upgrade it in the sky is helpful.

Dr. Schneier, do you ever consult with people making this kind of stuff? Do they take at least some of your advice?

SpaceLifeForm August 8, 2021 11:44 PM



Clive Robinson August 9, 2021 1:23 AM

@ SpaceLifeForm, ALL,

From the end of the “Hack-a-sat” article,

“The set up enabled visitors to try “controlling” the flat sat — sending commands to it from a ground control terminal using Cosmos — a software platform used to control real satellites.”

Yes “Cosmos” is the way some operators communicate with Sats but it’s really not the way to “Hack-Sats”…

It’s like having to use the preconfigured SCADA interface software to hack an ICS, when sitting on the network and getting in at the real communications level gives you so much more scope.

Engineers are by and large “conservative” one part of this is “human readable communications protocols”. That is for years you could use just telnet to talk to a port, because that was the way engineers got things up and running.

Whilst Sat-Comms is more complicated the same basic principles apply. Those comms ports are designed not just to be accessible and reliable but simply so.

It’s why there is a very active community of “listeners” that not just find satellites by their downlink comms systems, they fairly quickly learn to “break out” signals from the “multiplex” etc and work out what the data is and can be used for.

As for flat-sats, as I’ve mentioned I’ve one on my test bench that gets more changes than a super model at a fashion show. The hard part of working with the comms is getting it to behave like it’s in actual orbit…

