SpyChain: Multi-Vector Supply Chain Attacks on Small Satellite Systems

Jack Vanlyssel, Enrique Sobrados, Ramsha Anwar, Gruia-Catalin Roman, Afsah Anwar

TL;DR

SpyChain demonstrates that supply-chain compromises in small satellites can enable stealthy, multi-component malware that exfiltrates telemetry, disrupts operations, and persists across mission phases by abusing trusted interfaces. Using NASA NOS3, the study implements five attack scenarios, from single-component triggers to coordinated multi-component attacks, revealing covert channels through software buses and hidden FIFO files and mapping novel strategies to the SPARTA framework. The work provides actionable defenses, including runtime monitoring, software-bus authentication, and per-component syscall restrictions, and argues for zero-trust flight software, supply-chain transparency, and operator training. These findings highlight significant resilience gaps in current small-satellite practice and stress the need for cybersecurity testbeds and cross-stakeholder collaboration to secure future missions.

Abstract

Small satellites are integral to scientific, commercial, and defense missions, but reliance on commercial off-the-shelf (COTS) hardware broadens their attack surface. Although supply chain threats are well studied in other cyber-physical domains, their feasibility and stealth in space systems remain largely unexplored. Prior work has focused on flight software, which benefits from strict security practices and oversight. In contrast, auxiliary COTS components often lack robust assurance yet enjoy comparable access to critical on-board resources, including telemetry, system calls, and the software bus. Despite this privileged access, the insider threat within COTS hardware supply chains has received little attention. In this work, we present SpyChain, the first end-to-end design and implementation of independent and colluding hardware supply chain threats targeting small satellites. Using NASA's satellite simulation (NOS3), we demonstrate that SpyChain can evade testing, exfiltrate telemetry, disrupt operations, and launch Denial of Service (DoS) attacks through covert channels that bypass ground monitoring. Our study traces an escalation from a simple solo component to dynamic, coordinating malware, introducing a taxonomy of stealth across five scenarios. We showcase how implicit trust in auxiliary components enables covert persistence and reveal novel attack vectors, highlighting a new multi-component execution technique that is now incorporated into the SPARTA matrix. Our findings are reinforced by acknowledgment and affirmation from NASA's NOS3 team. Finally, we implement lightweight onboard defenses, including runtime monitoring, to mitigate threats like SpyChain.
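The abstract names runtime monitoring as a defense, and the TL;DR names hidden FIFO files as one covert channel between colluding components. The following is an added example, not code from the paper or from NOS3: a minimal C check that flags named pipes in a directory that are not on an allowlist. The allowlist entry `cmd_pipe`, the sample file names and the temporary directory are constructed assumptions.

```c
#define _XOPEN_SOURCE 700 /* lstat, mkfifo, mkdtemp */
#include <dirent.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical allowlist: named pipes the reviewed flight build creates. */
static const char *const ALLOWED_FIFOS[] = { "cmd_pipe" };

static int fifo_is_allowed(const char *name) {
    for (size_t i = 0; i < sizeof ALLOWED_FIFOS / sizeof ALLOWED_FIFOS[0]; i++)
        if (strcmp(name, ALLOWED_FIFOS[i]) == 0) return 1;
    return 0;
}

/* Scan one directory (non-recursive). Returns the number of FIFOs not on the
 * allowlist, or -1 if it cannot be opened; *hidden counts dot-prefixed ones. */
int scan_unexpected_fifos(const char *dir, int *hidden) {
    DIR *d = opendir(dir);
    struct dirent *e;
    int found = 0;
    *hidden = 0;
    if (!d) return -1;
    while ((e = readdir(d)) != NULL) {
        char path[1024]; struct stat st;
        if (snprintf(path, sizeof path, "%s/%s", dir, e->d_name) >= (int)sizeof path) continue;
        /* lstat classifies the entry itself and never follows a symlink. */
        if (lstat(path, &st) != 0 || !S_ISFIFO(st.st_mode)) continue;
        if (fifo_is_allowed(e->d_name)) continue;
        found++; *hidden += (e->d_name[0] == '.');
        fprintf(stderr, "ALERT unexpected FIFO %s uid=%ld\n", path, (long)st.st_uid);
    }
    closedir(d);
    return found;
}

/* Constructed sample: one allowlisted FIFO, one hidden FIFO, one regular file. */
int demo_scan(int *hidden) {
    char dir[] = "/tmp/fifo_scan_XXXXXX", p[3][64];
    const char *names[3] = { "cmd_pipe", ".cache", "tlm.log" };
    if (!mkdtemp(dir)) return -1;
    for (int i = 0; i < 3; i++) snprintf(p[i], sizeof p[i], "%s/%s", dir, names[i]);
    mkfifo(p[0], 0600); mkfifo(p[1], 0600);
    FILE *f = fopen(p[2], "w"); if (f) fclose(f);
    int n = scan_unexpected_fifos(dir, hidden);
    for (int i = 0; i < 3; i++) unlink(p[i]);
    rmdir(dir);
    return n;
}
int main(void) { int h; return demo_scan(&h) == 1 && h == 1 ? 0 : 1; }
```

A periodic scan like this only sees pipes that exist at scan time, so it complements rather than replaces the per-component syscall restrictions the TL;DR mentions.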

Paper Structure

This paper contains 38 sections, 4 figures, 3 tables.

Figures (4)

  • Figure 1: The same satellite passing over both a legitimate ground station and a malicious ground station.
  • Figure 2: Attack architectures showing solo and colluding components. The attack pipeline is depicted in red. The GNSS sensor is a component which publishes location measurements which may be used as a trigger. The trigger can also be time based. When triggered, the attack agent can either exfiltrate data or perform a DoS attack. The single-component panel shows the attack pipeline using one component (Scenario 1 and Scenario 2); the multi-component panel shows it for multiple components (Scenario 3 and Scenario 4); and the multi-file panel shows it for multiple components using a file as the communication channel (Scenario 5).
  • Figure 3: Attack timeline overview for Scenario 5: (1) malicious software is embedded within the components, (2) after launch the trigger agent waits for a trigger condition, (3) the trigger agent writes commands to the FIFO file and the attack agent reads them, (4) the attack agent exfiltrates the mission data to the malicious GS, (5) the malware ceases exfiltration and performs other attacks.
  • Figure 4: Comparison of real versus simulated satellite component architectures. The simulated setup preserves structural and interface fidelity, enabling realistic testing.