| REC-0005 |
Eavesdropping |
Adversaries seek to passively (and sometimes semi-passively) capture mission communications across terrestrial networks and RF/optical links to reconstruct protocols, extract telemetry, and derive operational rhythms. On networks, packet captures, logs, and flow data from ground stations, mission control, and cloud backends can expose service boundaries, authentication patterns, and automation. In the RF domain, wideband recordings, spectrograms, and demodulation of TT&C and payload links, spanning VHF/UHF through S/L/X/Ka and, increasingly, optical, enable identification of modulation/coding, framing, and beacon structures. Even when links are encrypted, metadata such as carrier plans, symbol rates, polarization, and cadence can support traffic analysis, timing attacks, or selective interference. Community capture networks and open repositories amplify the reach of a modest adversary. |
|
REC-0005.03 |
Proximity Operations |
In proximity scenarios, an adversary platform (or co-located payload) attempts to observe emissions and intra-vehicle traffic at close range, RF side-channels, optical/lasercom leakage, and, in extreme cases, electromagnetic emanations consistent with TEMPEST/EMSEC concerns. Physical proximity can expose harmonics, intermodulation products, local oscillators, and bus activity that are undetectable from the ground, enabling reconstruction of timing, command acceptance windows, or even limited protocol content. In hosted-payload or rideshare contexts, a poorly segregated data path may permit passive observation of TT&C gateways, crosslinks, or payload buses. |
| IA-0003 |
Crosslink via Compromised Neighbor |
Where spacecraft exchange data over inter-satellite links (RF or optical), a compromise on one vehicle can become a bridgehead to others. Threat actors exploit crosslink trust: shared routing, time distribution, service discovery, or gateway functions that forward commands and data between vehicles and ground. With knowledge of crosslink framing, addressing, and authentication semantics, an adversary can craft traffic that appears to originate from a trusted neighbor, injecting control messages, malformed service advertisements, or payload tasking that propagates across the mesh. In tightly coupled constellations, crosslinks may terminate on gateways that also touch the C&DH or payload buses, providing additional pivot opportunities. Because crosslink traffic is expected and often high volume, attacker activity can be timed to blend with synchronization intervals, ranging exchanges, or scheduled data relays. |
| IA-0005 |
Rendezvous & Proximity Operations |
Adversaries may execute a sequence of orbital maneuvers to co-orbit and approach a target closely enough for local sensing, signaling, or physical interaction. Proximity yields advantages that are difficult to achieve from Earth: high signal-to-noise for interception, narrowly targeted interference or spoofing, observation of attitude/thermal behavior, and, if interfaces exist, opportunities for mechanical mating. The approach typically unfolds through phasing, far-field rendezvous, relative navigation (e.g., vision, lidar, crosslink cues), and closed-loop final approach. At close distances, an attacker can monitor side channels, stimulate acquisition beacons, test crosslinks, or prepare for contact operations (capture or docking). |
|
IA-0005.01 |
Compromise Emanations |
With a local vantage point, an adversary analyzes unintentional emissions to infer sensitive information. Crypto modules, command decoders, and main bus controllers can emit patterns correlated with key use, counter updates, or command parsing. Close-range sampling enables coherent averaging, directional sensing, and correlation against known command/telemetry sequences to separate signal from noise. If the emanations are information-bearing (e.g., side-channel leakage of keys, counters, or protocol state), they can be used to reconstruct authentication material, predict anti-replay windows, or derive decoder settings, providing a basis for initial access via crafted traffic. |
|
IA-0005.02 |
Docked Vehicle / OSAM |
Docking, berthing, or service capture during on-orbit servicing, assembly, and manufacturing (OSAM) creates a high-trust bridge between vehicles. Threat actors exploit this moment, either by pre-positioning code on a servicing vehicle or by manipulating ground updates to it, so that, once docked, lateral movement occurs across the mechanical/electrical interface. Interfaces may expose power and data umbilicals, standardized payload ports, or gateways into the target’s C&DH or payload networks (e.g., SpaceWire, Ethernet, 1553). Service tools that push firmware, load tables, transfer files, or share time/ephemeris become conduits for staged procedures or implants that execute under maintenance authority. Malware can be timed to activation triggers such as “link up,” “maintenance mode entered,” or specific device enumerations that only appear when docked. Because OSAM operations are scheduled and well-documented, the adversary can align preparation with published timelines, ensuring that the first point of execution coincides with the brief window when cross-vehicle trust is intentionally elevated. |
|
IA-0005.03 |
Proximity Grappling |
In this variant, the attacker employs a capture mechanism (robotic arm, grappling fixture, magnetic or mechanical coupler) to establish physical contact without full docking. Once grappled, covers can be manipulated, temporary umbilicals attached, or exposed test points engaged; if design provisions exist (service ports, checkout connectors, external debug pads), these become direct pathways to device programming interfaces (e.g., JTAG/SWD/UART), mass-storage access, or maintenance command sets. Grappling also enables precise attitude control relative to the target, allowing contact-based sensors to read buses inductively or capacitively, or to inject signals onto harness segments reachable from the exterior. Initial access arises when a maintenance or debug path, normally latent in flight, is electrically or logically completed by the grappled connection, allowing authentication-bypassing actions such as boot-mode strapping, image replacement, or scripted command ingress. The operation demands accurate geometry, approach constraints, and fixture knowledge, but yields a transient, high-privilege bridge tailored for short, decisive actions that leave minimal on-orbit RF signature. |
| LM-0003 |
Constellation Hopping via Crosslink |
In networks where vehicles exchange data over inter-satellite links, a compromise on one spacecraft becomes a springboard to others. The attacker crafts crosslink traffic, routing updates, service advertisements, time/ephemeris distribution, file or tasking messages, that appears to originate from a trusted neighbor and targets gateway functions that bridge crosslink traffic into command/data paths. Once accepted, those messages can queue procedures, deliver configuration/table edits, or open file transfer sessions on adjacent vehicles. In mesh or hub-and-spoke constellations, this enables “hop-by-hop” spread: a single foothold uses shared trust and protocol uniformity to reach additional satellites without contacting the ground segment. |
| LM-0004 |
Visiting Vehicle Interface(s) |
Docking, berthing, or short-duration attach events create high-trust, high-bandwidth connections between vehicles. During these operations, automatic sequences verify latches, exchange status, synchronize time, and enable umbilicals that carry data and power; maintenance tools may also push firmware or tables across the interface. An attacker positioned on the visiting vehicle can exploit these handshakes and service channels to inject commands, transfer files, or access bus gateways on the host. Because many actions are expected “just after dock,” malicious traffic can ride the same procedures that commission the interface, allowing lateral movement from the visiting craft into the target spacecraft’s C&DH, payload, or support subsystems. |
| EXF-0002 |
Side-Channel Exfiltration |
Information is extracted not by reading files or decrypting frames but by observing physical or protocol byproducts of computation, power draw, electromagnetic emissions, timing, thermal signatures, or traffic patterns. Repeated measurements create distinctive fingerprints correlated with internal states (key use, table loads, parser branches, buffer occupancy). Matching those fingerprints to models or templates yields sensitive facts without direct access to the protected data. In space systems, vantage points span proximity assets (for EM/thermal), ground testing and ATLO (for direct probing), compromised on-board modules that can sample rails or sensors, and remote observation of link-layer timing behaviors. |
|
EXF-0002.01 |
Power Analysis Attacks |
The attacker infers secrets by measuring instantaneous power consumption of target devices, often crypto engines or controllers, and correlating traces with hypothesized internal operations. Simple power analysis (SPA) extracts structure (operation sequences, key-dependent branches); differential/correlation power analysis (DPA/CPA) uses many traces and statistics to recover key bits from tiny data-dependent variations. Practically, measurements may come from instrumented rails during I&T, from a compromised payload monitoring local supplies, or from co-located hardware that senses current/voltage fluctuations. With sufficient traces and alignment (triggering on command/crypto invocation), internal values become observable through their power signatures. |
|
EXF-0002.02 |
Electromagnetic Leakage Attacks |
Switching activity in chips, buses, and clocks radiates EM energy that can be captured and analyzed to reveal internal computation. Near-field probes (in test) or proximity receivers (on-orbit assets) can observe harmonics and modulation tied to cipher rounds, key schedules, or protocol framing, sometimes with finer granularity than power analysis. Coupling paths include packages, harnesses, SDR front ends, and poorly shielded enclosures. By training on known operations and comparing spectra or time-domain signatures, an adversary can recover keys or reconstruct processed data without touching logical interfaces. |
|
EXF-0002.03 |
Traffic Analysis Attacks |
In a terrestrial environment, threat actors use traffic analysis attacks to analyze traffic flow to gather topological information. This traffic flow can divulge information about critical nodes, such as the aggregator node in a sensor network. In the space environment, specifically with relays and constellations, traffic analysis can be used to understand the energy capacity of spacecraft node and the fact that the transceiver component of a spacecraft node consumes the most power. The spacecraft nodes in a constellation network limit the use of the transceiver to transmit or receive information either at a regulated time interval or only when an event has been detected. This generally results in an architecture comprising some aggregator spacecraft nodes within a constellation network. These spacecraft aggregator nodes are the sensor nodes whose primary purpose is to relay transmissions from nodes toward the ground station in an efficient manner, instead of monitoring events like a normal node. The added functionality of acting as a hub for information gathering and preprocessing before relaying makes aggregator nodes an attractive target to side channel attacks. A possible side channel attack could be as simple as monitoring the occurrences and duration of computing activities at an aggregator node. If a node is frequently in active states (instead of idle states), there is high probability that the node is an aggregator node and also there is a high probability that the communication with the node is valid. Such leakage of information is highly undesirable because the leaked information could be strategically used by threat actors in the accumulation phase of an attack. |
|
EXF-0002.04 |
Timing Attacks |
Execution time varies with inputs and branches; precise measurement turns that variance into information. The attacker times acknowledgments, response latencies, or framing gaps to learn which code paths ran (e.g., MAC verified vs. failed, table entry present vs. absent) and to infer bits of secrets in timing-sensitive routines such as cryptographic checks. On resource-constrained processors and deterministic RTOSes, small differences persist across runs, making remote timing feasible over RF if clocks and propagation are accounted for. Combined with chosen inputs and statistics, these measurements leak internal state faster than brute-force cryptanalysis. |
|
EXF-0002.05 |
Thermal Imaging attacks |
Threat actors can leverage thermal imaging attacks (e.g., infrared images) to measure heat that is emitted as a means to exfiltrate information from spacecraft processors. Thermal attacks rely on temperature profiling using sensors to extract critical information from the chip(s). The availability of highly sensitive thermal sensors, infrared cameras, and techniques to calculate power consumption from temperature distribution [7] has enhanced the effectiveness of these attacks. As a result, side-channel attacks can be performed by using temperature data without measuring power pins of the chip. |
| EXF-0005 |
Proximity Operations |
A nearby vehicle serves as the collection platform for unintended emissions and other proximate signals, effectively a mobile TEMPEST/EMSEC sensor. From close range, the adversary measures near-field RF, conducted/structure-borne emissions, optical/IR signatures, or leaked crosslink traffic correlated with on-board activity, then decodes or models those signals to recover information (keys, tables, procedure execution, payload content). Proximity also enables directional gain and repeated sampling passes, turning weak side channels into usable exfiltration without engaging the victim’s logical interfaces. |