Satellite communications have long benefited from the dangerous assumption that distance, specialized hardware, and proprietary protocols provide meaningful security. Complexity and low accessibility, has been treated as a barrier. But in practice, none of these defense mechanisms hold up under adversarial scrutiny.
‍

From an attacker’s perspective, modern SATCOM systems resemble under-secured enterprise networks - except their failure modes carry national, economic, and physical consequences.
‍

As security researchers at IOActive, my colleagues and I have spent more than a decade uncovering vulnerabilities across a wide range of satellite communication products. As early as 2014, IOActive published “A Wake-Up Call for SATCOM Security,” one of the first public disclosures to systematically expose these weaknesses and challenge the assumption that satellite systems were inherently secure.
‍

‍

‍

A Large, Quietly Exposed Attack Surface

‍

A satellite is not a single system. It is an ecosystem: ground infrastructure, network operations centers, modems, antennas, airborne and maritime terminals, firmware update paths, and management protocols. Some of these components can be remotely reachable, and insufficiently hardened.
‍

In real-world security assessments, it is common to encounter SATCOM systems with legacy services, weak authentication, proprietary command interfaces, and outdated embedded operating systems. In some cases, firmware images and fallback updaters are publicly accessible.

‍
Security Through Obscurity

‍

Undocumented authentication paths, maintenance credentials, and privileged vendor protocols are frequently justified as operational requirements, even in platforms claiming high-assurance or regulatory compliance. From an attacker’s standpoint, cryptography, segmentation, and redundancy offer little protection once trusted access paths are abused. Compliance frameworks cannot compensate for adversarial access built into the system by design.
‍

The Myth of Impenetrability was Shattered in 2022

‍
When Russian state-linked actors disrupted Viasat’s KA-SAT network in early 2022, tens of thousands of terminals across Europe were rendered inoperable. Civilian, commercial, and governmental users lost connectivity simultaneously. The attack demonstrated how compromising a limited number of systems could cascade across an entire satellite network.
‍

Already in 2014 IOActive’s researcher Ruben Santamarta already warned the community of potential weaknesses in equipment. Demonstrating how proprietary protocols implements by SATCOM providers could be used to remotely disable communication terminals.
‍

From Network Intrusion to Physical Effects

‍
SATCOM insecurity doesn’t just pose a risk to data or availability, but also to physical domains. Once attackers have post-exploitation access to a SATCOM system, they can isolate terminals from network operations centers, interfere with aviation or maritime communications, manipulate power and modulation parameters, or turn terminals into intentional or unintentional radiofrequency emitters.

‍
This is what makes SATCOM systems different - and more dangerous - than traditional IT infrastructure.

‍
Systems are Tested like Defenders, Not like Adversaries

‍

Much of the SATCOM industry still evaluates security through a defensive, compliance-driven lens. Threat models assume trusted ground infrastructure, legitimate firmware, and a constrained attacker.

‍
Real adversaries make none of these assumptions.

‍
They chain weaknesses across exposed services, undocumented functionality, and trusted management protocols. They pivot from modem to antenna controller, from ground terminals to airborne networks.

‍
At IOActive, we deliberately adopt this adversarial mindset during our security assessments. This approach allows us to identify real-world, exploitable vulnerabilities that consistently fall outside the scope of compliance-driven testing. When security evaluations fail to reflect adversarial reality, they do not provide protection - they provide reassurance.

‍

A Choice, Not an Inevitable Failure

‍
In our modern world, SATCOM systems underpin aviation, maritime operations, military logistics, emergency response networks, and global communications. They aren’t niche systems anymore, therefore the concept of safety through obscurity no longer applies.
‍

The path forward is neither mysterious nor optional. Industry stakeholders - from vendors and operators to regulators - should:

‍
• Eliminate undocumented access paths
• Treat exposed services and update mechanisms as primary attack vectors
• Assume network reachability, not isolation
• Test systems end-to-end from an attacker’s perspective
• Design for hostile interaction

‍
The Viasat attack was a warning - not the story. The story is whether we choose to adapt before the next demonstration is more disruptive, precisely targeted, and harder to dismiss.

‍

Satellites are no longer peripheral assets. They are contested infrastructure.

‍

^{Author: Gabriel Gonzalez, Director of Hardware Security at IOActive, Inc}

^{Photo credit: Ania Lewandowska}

‍