The creators of the satellites examined by the researchers told WIRED that providing their firmware to the researchers was beneficial and that they will take the findings on board for future spacecraft. Simon Plum, head of the Mission Operations Department at the European Space Agency (ESA), says a different level of security is applied to OPS-SAT than to other missions, as it is a “space laboratory.” However, Plum says ESA is reviewing the findings and has made at least one change to the satellite already. “We want to protect space systems from cyber threats and develop culture and common knowledge of resilience in the field of space cybersecurity,” Plum says.

Andris Slavinskis, an associate professor at the University of Tartu in Estonia who works on the ESTCube project, says the findings are “important and relevant” and that the ESTCube-1 system was “developed and launched during the Wild West times of the cubesat world.” A second version of the satellite, ESTCube-2, is set to launch this year. Meanwhile, Sabine Klinkner, a professor of satellite technology at Stuttgart University, which partly developed the Flying Laptop, says the “weaknesses” the researchers found are a result of trade-offs around functionality and access to the satellite.

“As with many university satellites, our threat model weighted the small incentives to attack an academic satellite against the still not completely trivial challenges in establishing a link and sending valid commands to the satellite,” Klinkner says. No malicious connections to the satellite have been spotted, Klinkner adds. And she says future missions will have increased cybersecurity measures to protect against threats.

Despite the satellite security analysis mostly focusing on research and academic satellites, it highlights wider security issues around satellites that experts have been concerned about for years. Gregory Falco, an assistant professor at Johns Hopkins University who focuses on space cybersecurity, says it is rare for researchers to be able to get their hands on satellite firmware and publish research on it. There’s “almost nothing” publicly available that’s similar to the type of analysis the German team completed, Falco says.

The warnings about space systems aren’t new. Researchers have long said more needs to be done to protect space systems from attack and to improve how they are created. Falco says that space firmware and software development is a “nightmare” for two reasons. First, legacy software is often used in development and is rarely updated, Flaco says. “The other reason why is because space systems are not built by software developers. They are built by aerospace engineers, for the most part.” The German researchers also surveyed 19 satellite industry professionals about the levels of security in their systems. “We focused on providing a functioning system instead of a secure one,” one of those surveyed said, according to the academic paper.

Juliana Suess, a research analyst and policy lead on space security at the defense think tank Royal United Services Institute, explains that there are multiple ways satellite systems can be attacked, beyond software and firmware vulnerabilities. These include jamming and spoofing attacks, which interfere with the signals being transmitted to and from satellites. “You don't need to be a space power to do it,” Suess says. Last year, security researchers with permission demonstrated how a decommissioned satellite could be used to broadcast rogue TV signals. And in October 2007 and July 2008, Chinese hackers were blamed for disrupting two US satellites.