Analysis on the Security of Satellite Internet

. Satellite Internet (SI) is a new way to provide internet access all over the world. It will bring great convenience to international communication. Compared with the traditional communication networks, SI has a signiﬁcant change in network architecture and communication model, which will have an important impact on national information network security. For example, the global inter-connected SI consists of a large number of small satellites and each satellite has multi-beams to cover a vast area, which leads to the disorderly ﬂow of information across the border, and greatly increases the difﬁculty of network protection. Therefore, it is necessary to closely track the development of SI and analyze security problems brought by SI. In this paper, we analyze the security risks of SI from the perspective of national security, network security and equipment security, and thirteen security issues have been summarized to provide reference for the healthy development of SI industry.


Introduction
In recent years, the world's space powers have proposed low-earth-orbit (LEO) satellite constellation plans, which has triggered a boom in satellite internet (SI) development. Concerning the development of SI, the white paper published by China Center for Information Industry Development (CCID) points out that the world is on the eve of the dense launch of man-made satellites [1]. It is estimated that the low Earth orbit (LEO) satellites will deploy a total of about 57000 by 2029. A space resource race of satellite orbits is quietly beginning, countries all over the world have joined in the space race of SI, and the earth surface will be covered by a large number of LEO satellites intensively. Therefore, security problems brought by this will become a new challenge [2][3][4].
With the construction of SI becoming a national strategy all over the world, the industry has entered a period of rapid market growth [5,6], and it specifically reflected in the following aspects: • Fighting for frequency and orbit resources: The competition for frequency and orbit resources among countries has become increasingly white-hot. According to the data submitted to international telecommunications union (ITU), satellite companies in France, United States and United Kingdom have the largest number of resources such as key frequency bands and orbital heights. For example, OneWeb has submitted at least seven materials of network resources to ITU, including THEO, STRIPE, 102, etc., covering 8425 km / 8575 km, 1200 km and other medium and low orbital altitude, as well as Ku / Ka / V and other frequency bands; SpaceX submitted twelve materials to ITU, including usasat-ngso-3a-r / 3b-r / 3C, 3D / 3E / 3F / 3G / 3H / 3I, usasatngso-3j / 3K / 3l, covering 345.6-1325 km orbital altitude and Ku / Ka / V frequency bands. • Large-scale network deployment: SI constellation construction has entered the stage of large-scale network deployment. SpaceX plans to launch 42000 satellites, and 482 broadband Starlink satellites have been launched by June 5, 2020. In addition, OneWeb has launched 74 satellites in the past two years [7]. • International operation: The service providers of SI have been striving for landing rights in countries around the world. For example, OneWeb initially obtained market access authorization in about 19 countries in 2019.
SI can be mainly used for emergency rescue, rural and remote area coverage, maritime market (including cruise ships, merchant ships, fishing boats, yachts, etc.), aviation market, military and government applications [8]. Compared with the terrestrial mobile communication system (TMCS), the SI will face the following new security challenges: • Due to the limited computing and storage capacity, the satellites in SI constellation don't support high-complexity encryption protocols and algorithms, resulting in the weak protection of traffic data. • The topological structure of the LEO satellite networks are constantly changing, the openness of the satellite's orbit makes it very difficult to be supervised. • Communication satellite is a highly integrated product, its components are supplied by many manufacturers. There may be security holes and design defects in all aspects of integration. Especially, the technology of on-orbit satellite reprogramming is not mature, which makes it very difficult to make up for the security holes of on-orbit satellites. • Satellite communication has the characteristics of wide coverage [9], which can broadcast data to a large number of user terminals in a large range. When the SI network is attacked, the impact is greater than that of the TMCS, so it is easier to become the target of hackers.
In summary, the security problems faced by the SI are more severe than those of the TMCS. If the SI is attacked, it will have a wider range of influence and cause greater damage. Therefore, it is necessary to carry out the research on the security problems faced by the SI.

Related Work
The research on the security problems of SI is still in its infancy. 3GPP puts forward the network architecture of non-terrestrial networks (NTN) [10], but there is no systematic analysis on the security problems of NTN. Sat5G analyzes the security threats of the integration of satellite network and 5G networks, mainly including the following three main aspects [11]: 1. Security threats of satellite connections as transport network for backhaul One of the main security threats perceived by the terrestrial network is the tampering or eavesdropping of the data transmitted (the control plane signaling or the user plane data) over the backhaul connection. In addition, another threat perceived by terrestrial networks in case of sharing of the satellite network is the tampering and eavesdropping of traffic via the shared network. 2. Security threats of satellite connections as transport network among 5G core networks In this case, the two terrestrial networks usually are not in the same trust domain, and the intermediate satellite network is not considered to be part of the trust domain of either of the two terrestrial networks. At the same time, it is very common for satellite networks to be shared among multiple terrestrial networks. The security threats perceived by the terrestrial network are tampering, eavesdropping and unauthorized traffic redirection (i.e. traffic 'hijacking') [12,13]. 3. Security threats to content delivery via satellite Security threats related to content delivery networks (CDN) are DDOS at-tacks; Content leakages, such as unauthorized access to content, which is aggravated by local caching and the use of MEC servers; Deep linking, in this case, all media slices can be accessed by accessing a manifest file due to use MEPG DASH.
However, Sat5G has made a preliminary analysis of the security issues of SI, but it is not comprehensive enough. This paper summarizes and analyzes the security issues faced by SI in the future from the aspects of national security, network security and equipment security based on the existing research.

Overview of Security Issues of SI
The system architecture of SI can be divided into user segment, space segment and ground segment. The user segment includes various satellite terminals; the space segment includes satellite constellation [14], which can be divided into constellation with inter satellite link (ISL) and constellation without ISL [15]; the ground segment includes gateway station (GS), operation management and control system (OMCS), measurement and control system (MCS), network management system (NMS), etc. According to the characteristics of SI, the possible security problems in SI are summarized in Table 1. (1)

National and Military Security
The security threats include national strategic information security and military security threats.
National Strategic Information Security SI involves a large number of satellites, and the orbit altitude is concentrated between 300 km and 2000 km. If the corresponding satellites equipped with high-resolution scanning observation payloads, such a large number of satellites will expose the important military infrastructure of countries all over the world and threaten national security.
Recently, earth observation industry (EOI) company is promoting the development of a new very low earth orbit (VLEO) satellite constellation. Its propulsion system and innovative design will enable the satellite to run in a very low orbit. In order to support continuous monitoring service, the initial constellation consists of 30 satellites with an average revisit time of two hours. The company plans to launch its first satellite by the end of 2022. EOI company's mission is to enable defense and intelligence agencies and commercial customers to easily access ultra-high resolution images at affordable prices to support a range of applications such as resource management, environment and disaster assessment, asset monitoring, logistics planning, infrastructure mapping, public security, homeland security, insurance and real estate. For example, Fig. 2 shows the image of naval ship captured by EOI company's VLEO satellite. The existing kinetic energy anti-satellite weapons (KEAW) rely on the momentum of high-speed moving objects to destroy the target, which has a strong lethality for satellites with high cost and low LSR. However, for the large-scale and low-cost SI, traditional KEAW are facing many challenges. Taking Starlink constellation of SpaceX as an example: a. The traditional KEAW are all disposable. It means that a large number of KEAW need to be manufactured and maintained to deal with the threat of the Starlink constellation of 42000 satellites, and the cost will be astronomical. b. The traditional KEAW adopts the hard-kill method. The method will generate a large number of space debris, which may hit more satellites, causing uncontrollable and irreversible chain reaction, making the whole earth surrounded by satellite debris. c. If we give up the hard-kill method and study more advanced weapons such as softkill method, it will cost a lot of money to tackle key technical problems, and the development cycle will very long.
2. The cooperative operation of SI and drone swarm will pose great challenges to the national defense system.
With the accelerated evolution of the war form, a large number of intelligent equipment appear in the war. As an important part of intelligent warfare, Unmanned Aerial Vehicle (UAV) cluster warfare poses great challenges to the traditional defense system. However, the UAV cluster warfare relies on the communication link among each UAV to achieve real-time information interaction, and also relies on the control system to achieve collaborative command, so the overall viability and combat ability of the UAV cluster depends on the security and controllability of the communication link and control system. If the communication link or the control system is jammed by enemy, the UAV cluster will likely to be completely annihilated. Starlink constellation can make up for this defect, it can provide large bandwidth, low delay and wide coverage communication services through a large number of LEO satellites without being affected by any terrain and climate. It can help the UAV cluster get rid of the dependence on land-based communication system, and significantly improve the overall combat effectiveness of the cluster through flight control, situation awareness, information sharing, target allocation and intelligent decision-making, which makes it more difficult for the national defense system to deal with the threat of UAV cluster warfare.

Frequency and Orbit Resource Preemption
According to international regulations, all countries have the right to explore outer space peacefully. Radio frequencies and satellite orbits are limited natural resources and must be used equally, reasonably, economically and effectively. Effective interference control mechanisms should be adopted to make full use of frequency and orbit resources. Effective interference control mechanisms should be adopted to make full use of the limited resources. According to the ITU rules [16], orbit resources are mainly allocated in the principle of first come, first served, and the later declarers cannot cause adverse interference to the satellites of the first declarers. The LEO constellation system should not only launch the satellite in accordance with ITU regulations, but also provide relevant services to the public in accordance with the specified time and proportion, so as

Interference in Astronomical Exploration
Due to the huge scale of SI constellations, astronomical observation will become more difficult as small satellites in constellations are launched one after another. Starlink will launch 42000 satellites, with an average of about 400 satellites observed at any time and at any place. Although they are invisible to the naked eye in orbit, they have a great influence on the astronomical research of optical, infrared and radio telescopes, and are easy to leave traces in the astronomical images. The large-scale integrated Sky Survey Telescope (such as China sky eye) will be greatly affected, which will reduce our ability to observe and warn near Earth Asteroids.
In addition, LEO constellations have the most interference for astronomers who detect dark matter and dark energy, because the signals detected by related instruments are very weak. A large number of LEO satellites will interfere with the space observation of various countries to a certain extent when passing over them, and affecting the corresponding research.

Identity Impersonation
Due to the lack of identity authentication mechanism in SI's user link, feedback link and ISL, there are three problems of identity impersonation in the following aspects: 1. If the transmission mechanism adopted by the communication system is public, the attacker can calculate the uplink signal according to the downlink signal of the satellite, and then use the satellite communication equipment to disguise as a legitimate ST to access the network and illegally obtain network services. 2. The attacker disguised himself as a satellite network and induced legal STs to access the satellite network to obtain relevant user identification information and location information. 3. The attacker disguised himself as adjacent satellites in the same orbit or different orbit to induce the target satellite to establish an ISL with it, so as to obtain the relevant data transmitted by the ISL.

Data Eavesdropping and Data Integrity Attack
Due to the openness of wireless communication of user link, ISL and feed link of SI, the data transmitted through satellite network can be easily eavesdropped. In addition, data encryption will increase the cost of satellite terminal equipment and reduce the utilization rate of satellite link resources. Many satellite communication networks do not encrypt the transmitted data, so it is very easy to cause data leakage. The most possible attack methods are as follows: 1. The attacker uses a kind of satellite data receiving card to steal data, which is similar to the computer network card with low cost. 2. The attacker makes use of retired equipment abandoned by manufacturers to perform network attacks. 3. The attacker can use the VLEO or LEO satellite in the overseas satellite constellation to eavesdrop the service data on the user link and feeder link of the domestic satellite system. 4. If the satellite constellation built in a country has an ISL, which uses microwave communication, the attacker can control the foreign satellite to approach the target satellite as close as possible to implement data eavesdropping.
Data eavesdropping is often combined with data integrity attack. The attacker often implements data eavesdropping, then inserts, modifies, falsifies the stolen data, and finally send it to the data receiver to achieve the purpose of destroying data integrity.

Information Interception
If the orbit of a foreign satellite is lower than that of a domestic satellite (for example, the lowest orbit of SpaceX is about 300-500km), the attacker can use the attack means similar to the terrestrial pseudo base station to carry out network attack. For example, the torpedo attack method in 4G system can be used in SI, the attacker can use legitimate ST to launch multiple paging to the attacked ST, and this will expose the user identification information, which can be intercepted by the LEO satellite and terrestrial equipment owned by the attacker, so as to track the user's location and bring great security threat.

Signal Interference
This kind of attack is the most common but effective, and it is often used in wars. Interference can be divided into blocking interference and noise interference. Strong interference signals will cause the satellite to be unable to receive the signal normally and provide the service for the legitimate ST.
The possible attack methods are as follows: 1. If the orbit of the overseas satellite is lower than that of the domestic satellite, the attacker can deliberately transmit signals on the working frequency band of the feeder link, user link or ISL of the domestic satellite system to cause interference or interruption of the domestic satellite service. 2. Satellite transponders can be divided into on-board processing transponders and bentpipe transparent transponders. On-board processing transponders can rely on channel coding, advanced modulation technology, spread spectrum technology, coherent intermodulation product cancellation, etc. to resist interference attacks. But the bentpipe transponder has a simple structure and does not process any communication signals, so it is easy to encounter signal interference attack. Attackers can interfere with satellites by transmitting signals from high-power transmitters.

Denial of Service
The attack mode against terrestrial network is also applicable to satellite network, such as DDoS attack. Attackers make use of software to simulate massive satellite terminals to send legitimate and bogus requests, which leads to the failure of satellites to provide effective services to legitimate STs. This kind of attack is difficult to defend due to the diversity of satellite communication links. Each ST's client has a receiving and transmitting system. If the transceiver fails to get effective processing when it has problems, it will lead to unstable connection and generate a large number of connection requests. In addition, access requests will also increase greatly when satellite links suffer from signal fading caused by severe weather. However, satellites cannot blindly defend these requests, and the system design of satellite system will not defend these requests as well as the network firewall. Because satellites cannot distinguish whether these requests come from legitimate STs or malicious attackers, which leads to denial of service problems.

Anonymous Attack
Space belongs to the global commons and has no national boundaries. Therefore, it is possible for attackers to launch anonymous attacks against the target satellite in space. Moreover, it is difficult for the attacked satellite to determine and trace the attacks due to the long distance and limited information. On the one hand, there are many factors that lead to satellite failure, such as changes in space environment, design defects, device problems and even debris effects. Attacks are not the only reason for the failure of satellites in orbit. On the other hand, it is difficult for the ground station to accurately judge what is happening in space limited by distance, meteorology, technical capability and other conditions. The combined effect of these factors enables the attacker to find reasonable excuses to deny the attack.

Malicious Occupation of Satellite Bandwidth Resources
Satellite is a typically resource limited system, on-board computing resources, wireless resources are very scarce, so they are not suitable for complex communication payloads.
Most of the on-orbit satellites adopt the bent-pipe transponder without signal unpacking, so it is not possible to determine whether the received data is from a legitimate user. When the attacker sends his own illegal signal, the satellite will still forward the signal to the GS. At this time, if the attacker builds a receiving system to demodulate, decode the data and extract useful data, the purpose of privately communicating with the aid of the satellite is achieved, and a complete method of stealing satellite resources is formed. Moreover, attackers will use their own encryption algorithm to effectively encrypt communication data.

Malicious Satellite Control
Due to the lack of network security standards for commercial satellites, coupled with the complex supply chain of satellites, satellite manufacturing uses ready-made technologies to maintain low cost. The wide availability of these components means that hackers can analyze their security vulnerabilities. In addition, many components use open source technology, and hackers may insert backdoors and other vulnerabilities in satellite software, making satellites vulnerable to security risks that are maliciously controlled by attackers. The means to control the satellite maliciously are as follows: 1. The attacker can capture the target satellite in space and drag the captured satellite out of the working orbit, causing the whole satellite constellation unable to provide continuous services. Moreover, the attacker can inject virus into the captured target satellite after it has been dragged off the working orbit, and then it will be pushed back to the working orbit, causing the virus to spread throughout the whole SI. The technology of capturing on-orbit satellites is already available and has been used in the service of extending the life of on-orbit satellites in orbit. Once this technology is used by hackers, the target satellites can be captured arbitrarily. 2. Satellites are usually controlled by the GSs. These stations are vulnerable to the same network attacks as computers. Although the satellite control attack is not as simple as stealing other people's email, but it can be realized. If there are security loopholes that can be exploited by hackers in the GS, the hackers may invade these stations, and then they can send malicious instructions to control the satellite, or they can use special tools to trick the satellite, and finally achieve the purpose of attacking the SI. For example, the attacker can carry out further attacks after controlling the target satellite: the attacker can use the broadcast channel of the target satellite to send a large amount of garbage data or spread viruses to the whole SI; shutting down the target satellite to make it unable to provide normal services; if the hackers control the target satellite and it has a propeller device, they can change the orbit of the satellite and hit it on the ground, other satellites or even the international space station.

Malicious Consumption of Satellite Resources
Attackers can also directly affect the life of satellites by consuming propellants, depleting the write life of charged erasable programmable read-only memory (EEPROM) and other attacks.

Conclusion
The rapid development of SI has brought some security risks. On the one hand, we should actively develop SI industry, giving full play to the unique advantages of SI, which is not affected by geographical obstacles and disasters; on the other hand, in view of the different levels of security threats faced by SI, it is necessary to carry out forward-looking research on the satellite network security, so as to fill in the regulatory gaps.
Open Access This chapter is licensed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made. The images or other third party material in this chapter are included in the chapter's Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the chapter's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.