Silent Subversion: Sensor Spoofing Attacks via Supply Chain Implants in Satellite Systems

Jack Vanlyssel, Gruia-Catalin Roman, Afsah Anwar

TL;DR

An end-to-end demonstration of an internal satellite spoofing attack delivered through a compromised vendor-supplied component implemented in NASA's NOS3 simulation environment is presented, exposing component-level telemetry spoofing as an overlooked supply-chain vector distinct from jamming or external signal injection.

Abstract

Spoofing attacks are among the most destructive cyber threats to terrestrial systems, and they become even more dangerous in space, where satellites cannot be easily serviced, and operators depend on accurate telemetry to ensure mission success. When telemetry is compromised, entire spaceborne missions are placed at risk. Prior work on spoofing has largely focused on attacks from Earth, such as injecting falsified uplinks or overpowering downlinks with stronger radios. In contrast, onboard spoofing originating from within the satellite itself remains an underexplored and underanalyzed threat. This vector is particularly concerning given that modern satellites, especially small satellites, rely on modular architectures and globalized supply chains that reduce cost and accelerate development but also introduce hidden risks. This paper presents an end-to-end demonstration of an internal satellite spoofing attack delivered through a compromised vendor-supplied component implemented in NASA's NOS3 simulation environment. Our rogue Core Flight Software application passed integration and generated packets in the correct format and cadence that the COSMOS ground station accepted as legitimate. By undermining both onboard estimators and ground operator views, the attack directly threatens mission integrity and availability, as corrupted telemetry can bias navigation, conceal subsystem failures, and mislead operators into executing harmful maneuvers. These results expose component-level telemetry spoofing as an overlooked supply-chain vector distinct from jamming or external signal injection. We conclude by discussing practical countermeasures, including authenticated telemetry, component attestation, provenance tracking, and lightweight runtime monitoring, and highlight the trade-offs required to secure resource-constrained small satellites.

Paper Structure (32 sections, 4 figures, 2 tables)

This paper contains 32 sections, 4 figures, 2 tables.

Figures (4)

  • Figure 1: Small satellite architecture with modular components connected to a flight computer running NASA's Core Flight Software (cFS). Each component is managed by an associated cFS application.
  • Figure 2: End-to-end attack chain showing how a malicious component progresses from supply chain insertion to mission impact.
  • Figure 3: Spoofing Activation Sequence: (1) the ground issues an ENABLE command to the star tracker, which is received on the Software Bus (SB, an internal message bus not visible to operators); (2) SOLO, subscribed to the star tracker command MID, observes this ENABLE and activates; (3) SOLO sends a DISABLE to the genuine star tracker via the SB; (4) SOLO publishes MID-matching spoofed telemetry onto the SB; and (5) The radio forwards these correctly formatted packets to the ground, where COSMOS interprets them as genuine star tracker telemetry.
  • Figure 4: SOLO implant deceiving ground operators. Top-left: COSMOS ground software displays what appears to be valid star tracker telemetry — 24 packets with correct headers, timestamps, and quaternion fields. Bottom-left: an operator issues a standard ENABLE command to the star tracker. Top-right: SOLO intercepts this command, internally disables the genuine tracker, and begins publishing spoofed telemetry under the same Message ID, making the spoofer indistinguishable from the real device. Bottom-right: raw-byte view of a spoofed packet showing correct headers and data field.
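
The sequence in Figure 3 leaves two observable inconsistencies on the Software Bus that the "lightweight runtime monitoring" countermeasure named in the abstract could check for: a device command that did not come from the ground command path, and telemetry under the star tracker MID from a different publisher or while the device is disabled. The following is an added example, not code from the paper, NOS3 or cFS; it assumes the monitor can see which application published each message, and all MIDs, application IDs and command codes are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed values: MIDs, app IDs and command codes are hypothetical. */
enum { ST_CMD_MID = 0x18F0, ST_TLM_MID = 0x08F0 };
enum { APP_GROUND_CMD = 1, APP_STAR_TRACKER = 2, APP_UNKNOWN = 3 };
enum { CC_ENABLE = 2, CC_DISABLE = 3 };
enum { ALERT_CMD_ORIGIN = 1, ALERT_TLM_PUBLISHER = 2, ALERT_TLM_WHILE_DISABLED = 4 };

/* One Software Bus message as the monitor sees it (assumes sender is visible). */
typedef struct { uint16_t mid; uint8_t sender; uint8_t cmd_code; } bus_record_t;
typedef struct { int device_enabled; } monitor_t;

/* Returns a bitmask of alerts for one record and updates the device state. */
unsigned monitor_check(monitor_t *m, const bus_record_t *r) {
    unsigned alerts = 0;
    if (r->mid == ST_CMD_MID) {
        /* Device commands should only arrive via the ground command path. */
        if (r->sender != APP_GROUND_CMD) alerts |= ALERT_CMD_ORIGIN;
        if (r->cmd_code == CC_ENABLE)  m->device_enabled = 1;
        if (r->cmd_code == CC_DISABLE) m->device_enabled = 0;
    } else if (r->mid == ST_TLM_MID) {
        /* Telemetry must come from the MID's owner, never from a disabled device. */
        if (r->sender != APP_STAR_TRACKER) alerts |= ALERT_TLM_PUBLISHER;
        if (!m->device_enabled) alerts |= ALERT_TLM_WHILE_DISABLED;
    }
    return alerts;
}

/* Replays a trace and returns how many records raised at least one alert. */
size_t count_flagged(const bus_record_t *trace, size_t n) {
    monitor_t m = { 0 };
    size_t flagged = 0;
    for (size_t i = 0; i < n; i++)
        if (monitor_check(&m, &trace[i])) flagged++;
    return flagged;
}

/* Constructed trace following steps (1)-(4) of Figure 3. */
const bus_record_t fig3_trace[] = {
    { ST_CMD_MID, APP_GROUND_CMD, CC_ENABLE  },  /* ground ENABLE           */
    { ST_CMD_MID, APP_UNKNOWN,    CC_DISABLE },  /* DISABLE from another app */
    { ST_TLM_MID, APP_UNKNOWN,    0 },           /* MID-matching telemetry   */
    { ST_TLM_MID, APP_UNKNOWN,    0 },
};
int main(void) {
    size_t n = sizeof fig3_trace / sizeof fig3_trace[0];
    printf("flagged %zu of %zu records\n", count_flagged(fig3_trace, n), n);
    return 0;
}
```

A deployed monitor would allowlist every application legitimately permitted to command the device, and these checks complement rather than replace authenticated telemetry.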