Security of an In-orbit Satellite: Detection of Compromise Through Integrity

By Juan Ignacio Bousquet

Small satellites are increasingly vulnerable to cyberattacks, yet their resource constraints make implementing robust security mechanisms a significant challenge. This thesis explores how to protect the integrity of satellite and payload data against malicious software running in orbit, a problem that has received limited attention in the satellite security research community.

The Problem: Compromised Satellites in Orbit

When malware runs on a satellite in orbit, there are minimal mechanisms to protect satellite data or provide visibility to mission control. This is especially critical for low-cost, open-hardware satellites that lack sophisticated security features. Traditional security approaches either consume too many resources for small satellite platforms or require hardware that adds weight, cost, and complexity to missions.

The question we set out to answer: How can we maintain and guarantee the integrity of satellite and payload data against threats while operating within the extreme resource constraints of small satellites?

The Approach: Hardware-Backed Integrity Protection

This research proposes using a combination of three key technologies:

  1. Hardware Trusted Platform Module (TPM) - A dedicated security chip that provides cryptographic operations and secure key storage

  2. Secure hashing and signing algorithms - Cryptographic methods optimized for resource-constrained environments

  3. Hash chain with Proof of Work (PoW) - A blockchain-inspired approach to maintain a verifiable and immutable record of satellite operations

Four Experiments: From Software to Hardware Protection

We designed four experiments using a Raspberry Pi 2 Model B v1.1 (2014) to simulate realistic small satellite hardware constraints. This aging platform, which NASA has successfully used in space missions and will remain in production until at least January 2030, provided an ideal testbed for resource-constrained scenarios.

Raspberry Pi B+ v1.2 and B v1.1 (2014) and the LetsTrust-TPM2Go TPM used in the experiments


Experiment 1 - Finding the Right Hashing Algorithm

First, we needed to identify which hashing algorithm would work best in a resource-constrained environment. We evaluated multiple algorithms (MD5, SHA-256, SHA3-256) across different parameters to measure:

  • I/O card load and disk performance

  • CPU temperature

  • Memory consumption

  • Processing time

Key Finding: We chose wolfSSL over OpenSSL for hashing operations. wolfSSL proved more suitable for space systems due to its smaller footprint, higher reliability, and better performance in resource-constrained environments.

Experiment 2 - Software-Based Protection Against Payload Modification

This experiment evaluated how malware running on the satellite could modify payload data when the satellite uses software-based hashing and signing to detect tampering.

Result: While software-based protection can detect modifications, it runs on the same compromised hardware as the malware, making it vulnerable to sophisticated attacks.

Experiment 3 - Introducing a Separate Security Domain

To address the limitations of software-only protection, we introduced new hardware, a "second domain", featuring a TPM integrated directly with the satellite camera. This setup provides hashing and signing operations immediately upon image capture, before data reaches the potentially compromised main system.

Key Innovation: By physically separating the integrity verification hardware from the main satellite computer, we create a security boundary that malware running on the primary system cannot easily bypass.

Hash and signing operations with the TPM during the experiment


Experiment 4 - The "Log Box", a Chain of Trust in Space

Our most sophisticated experiment introduced a dedicated "Log Box" containing:

  • A hardware TPM

  • Hashing and signing capabilities

  • A chain of hashes implementing a blockchain-like structure

  • Proof of Work to make chain modification computationally prohibitive

The Log Box maintains a verifiable record of all satellite and payload data operations. Hashes are compared and verified in orbit against pre-launch or last-known-good hashes. When ground stations receive the data, they can verify the entire chain's integrity, detecting any tampering attempts.

Critical Advantage: Proof of Work makes it extremely challenging for attackers to modify blocks or recreate the chain on the satellite's limited computing resources, even if they achieve code execution on the main system.

Hash chain at work, periodically monitoring files and directories
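The Log Box idea described above can be sketched as follows. This is an added example, not code from the thesis: it uses Python's hashlib SHA3-256 instead of wolfSSL, leaves out TPM signing of blocks, and the difficulty value, file paths and file contents are constructed for illustration.

```python
import hashlib
import json

DIFFICULTY = 3          # leading zero hex digits required; assumed, small for a demo
GENESIS = "0" * 64

def block_hash(block):
    """SHA3-256 over the block's canonical JSON, excluding its stored hash."""
    body = {k: block[k] for k in ("index", "prev", "files", "nonce")}
    return hashlib.sha3_256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def mine(index, prev, files):
    """Proof of Work: search for a nonce that puts the hash under the target."""
    block = {"index": index, "prev": prev, "files": files, "nonce": 0}
    while not block_hash(block).startswith("0" * DIFFICULTY):
        block["nonce"] += 1
    block["hash"] = block_hash(block)
    return block

def snapshot(files):
    """Map each monitored path to the SHA3-256 digest of its content."""
    return {p: hashlib.sha3_256(d).hexdigest() for p, d in files.items()}

def append(chain, files):
    """Record one periodic monitoring pass as a new block."""
    prev = chain[-1]["hash"] if chain else GENESIS
    chain.append(mine(len(chain), prev, snapshot(files)))

def verify(chain, baseline):
    """Ground-side check. Returns (first invalid block index or None,
    [(block index, path)] whose digest differs from the known-good baseline)."""
    prev, changed = GENESIS, []
    for i, b in enumerate(chain):
        h = block_hash(b)
        if (b["index"], b["prev"], b["hash"]) != (i, prev, h) \
                or not h.startswith("0" * DIFFICULTY):
            return i, changed
        changed += [(i, p) for p in sorted(set(baseline) | set(b["files"]))
                    if baseline.get(p) != b["files"].get(p)]
        prev = h
    return None, changed

if __name__ == "__main__":
    # Constructed sample data standing in for monitored satellite files.
    good = {"/payload/img_0001.raw": b"\x00\x01\x02", "/etc/flight.conf": b"mode=nominal"}
    chain = []
    append(chain, good)
    append(chain, {**good, "/etc/flight.conf": b"mode=debug"})  # file changed in orbit
    print(verify(chain, snapshot(good)))    # chain intact, the change is reported
    chain[1]["files"] = snapshot(good)      # log edited to hide the change
    print(verify(chain, snapshot(good)))    # block 1 no longer matches its hash
```

Editing a recorded block forces the editor to redo the Proof of Work for that block and for every block after it, because each block's hash is bound to its predecessor through the `prev` field.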

Results and Contributions

Our experiments demonstrate that it is feasible to implement hardware TPM, secure hash and sign algorithms, and hash chains with Proof of Work under the constraints of resource-limited satellite hardware. This opens new possibilities for open-hardware satellites using off-the-shelf components to significantly improve security and data integrity.

Specific Contributions:

Endorsement Hierarchy for Satellite Traceability: We implemented TPM operations using the endorsement hierarchy, which cryptographically binds signatures to a specific TPM chip. This enables verification that captured images or data packages originated from a specifically authorized satellite, establishing a chain of trust. This feature is particularly valuable for customers who need to guarantee information provenance.

wolfSSL Integration: By choosing wolfSSL over OpenSSL, we provided a more appropriate cryptographic library for space applications, offering better resource efficiency without sacrificing security.

Comprehensive Raspberry Pi Profiling: We created a complete evaluation of the Raspberry Pi 2 Model B v1.1 for satellite security applications, identifying optimal configurations for hashing and verification in constrained environments.

LetsTrust-TPM2Go Debugging: During development, we contributed debug information to the LetsTrust-TPM2Go developer, helping fix compatibility issues with Raspbian GNU/Linux 12 (bookworm).

Looking Ahead: The Quantum Computing Challenge

An important consideration for future satellite security is the impending transition to quantum-resistant cryptography. The algorithms we evaluated, SHA3-256, RSA, and ECC, are vulnerable to quantum computing attacks. According to recent announcements:

  • Asymmetric cryptography will be discontinued by 2030

  • Asymmetric cryptography will be prohibited by 2035

  • State actors are anticipated to achieve quantum-scale capabilities by 2028

The BSI (2024), along with 18 EU member states, has emphasized the urgency of protecting systems handling sensitive data by the end of 2030. This creates a substantial research opportunity at the intersection of quantum-resistant algorithms, satellite security, and Trusted Platform Modules.

Conclusion

The combination of hardware TPM, secure implementations of hash and sign algorithms, and hash chains with Proof of Work significantly improves the integrity of images and data from small satellites, whether CubeSats, Nanosats, or larger platforms. 

This work demonstrates that even resource-constrained, open-hardware satellites can implement robust security mechanisms to protect against sophisticated threats and unknown attackers.

By establishing hardware-backed integrity verification, we provide satellite operators with visibility into potential compromises and give customers verifiable proof that their data originated from authorized satellites and remained unaltered during transmission.

Download the Full Thesis: Security of an In-orbit Satellite: Detection of Compromise Through Integrity

Thesis Author: Juan Ignacio Bousquet - juanibuqt@gmail.com
Supervisors: Assist. Prof. Sebastian Garcia, Ph.D. and Ing. Veronica Valeros.
Field of Study: Cybersecurity - Satellite Security
Date: March 2026

Keywords: Satellites, Satellite Security, Cybersecurity, Trusted Platform Module, TPM, Data Integrity, Hardware Security, CubeSat, Nanosats


This research was conducted at the Stratosphere Laboratory, CTU, with collaboration and contributions from the broader space security community. As always, we welcome contributions — whether that is a new implementation, a bug report, or feedback. Drop by the GitHub repository and join the conversation!