[MUSIC PLAYING] Today is September 16, 2025. I'm Maria Varmasas, and this is T-minus. [MUSIC PLAYING] T-minus. 22nd to LOS, T-dred. Open aboard. [INAUDIBLE] [MUSIC PLAYING] [INAUDIBLE] Five. Planet IQ has been awarded a $24.3 million contract from NOAA's National Environmental Satellite Data and Information Service. Four. SES and K2 Space are going to collaborate to advance the development of SES's future medium Earth orbit network. Three. Space 42 and Viasat intend to form Equatis, which is a jointly held entity to enable global direct-to-device services. Two. Redwire and Honeywell to develop a new quantum-secured satellite communication system. One. Redwire has reached an agreement with Telus Alenia Space to become the prime contractor for Skimsat. Three. [MUSIC PLAYING] [INAUDIBLE] [INAUDIBLE] [MUSIC PLAYING] Our guests today are Milenko Starczyk and Andrei Okaev from Vision Space. They recently demonstrated how easy it is to exploit software vulnerabilities in satellites, and will be sharing their research with us later in the show. And if that's not enough for you, Yvette Gonzales from SpaceWatch Global will be bringing us an update from the Space Defense and Security Summit at World Space Business Week in Paris. So stick around for that after the headlines. [MUSIC PLAYING] Happy Tuesday, everybody. Thank you for joining me. Redwire has reached an agreement with Telus Alenia Space with the support of the European Space Agency to become the prime contractor for Skimsat. And Skimsat is an ESA technology demonstration mission for a small satellite to operate in very low Earth orbit. Telus Alenia Space in the UK will be a major contributor to this mission and is currently selected to provide the electric propulsion subsystem. The Skimsat mission is funded by ESA's preparation and technology development elements of basic activities and general support technology program. It will leverage Redwire's Phantom spacecraft, an advanced European VLEO platform designed to operate in the lower reaches of Earth's atmosphere. It will leverage Redwire's Phantom spacecraft, an advanced European VLEO platform designed to operate in the lower reaches of Earth's atmosphere. The Skimsat mission aims to improve satellite sustainability and mission performance while reducing spacecraft mass and mission cost by enabling sustainable operational capability at lower altitudes. And speaking of Redwire, they have signed a memorandum of understanding with Honeywell that advances a European Space Agency-backed initiative to develop new quantum-secured satellite communication systems. The agreement is the latest milestone under the Quantum Key Distribution Satellite Consortium known as QKDSat, which was launched in 2024 and is being led by Honeywell. It will enable the two companies to explore opportunities to mature and expand the use of Quantum Key Distribution Technology as part of the consortium, which operates under the European Space Agency's QKDSat public-private partnership. The companies aim to combine Redwire's Quantum Platform technology with Honeywell's Quantum Optical Payload, creating a fully functional payload and platform by mid-2026. UAE-based AI-powered space tech company Space 42 and ViASat intend to form EquatIS, which is a jointly held entity to enable global direct-to-device services. And EquatIS is expected to unite satellite and terrestrial networks, leveraging a 3GPP non-terrestrial network release compliant platform that's accessible to standard smartphones and IoT devices, extending service to billions of people and devices worldwide. EquatIS, or EquatIS, not sure how to pronounce it, plans to provide nations with secure, standards-based infrastructure that work with their existing systems and offer sovereign deployment options. This joint venture is anticipated to be capable of supporting well over 100 megahertz of harmonized mobile satellite services spectrum that's already allocated across more than 160 markets. EquatIS, EquatIS, is planning a commercial rollout within three years. SES and K2 space are going to collaborate to advance the development of SES's future medium Earth orbit network. The collaboration combines SES's experience operating global multi-orbit networks with K2 spaces agile engineering capabilities to co-develop future network infrastructure and technologies. SES says its future MEO network will be designed to support multi-mission capabilities, such as hosted payloads, space situational awareness, direct-to-device data relay, and sovereign services, all while enabling reliable communications for mobility applications and resilient enterprise backhaul. The companies are planning an on-orbit mission in the first quarter of 2026. The National Oceanic and Atmospheric Association, better known as NOAA, has released a new space weather portal. And that new space weather portal called SPOT provides a cloud-based web portal and data processing monitor for NOAA's national centers for environmental information space weather satellite data. The first data available in SPOT is from the compact Coronagraph 1 that's aboard NOAA's geostationary operational environmental satellite 19, better known as GOVS 19. And Planet IQ has been awarded a $24.3 million contract from NOAA's National Environmental Satellite Data and Information Service. That award, issued under the Commercial Data Program's Radio Occultation Data by 2, is NOAA's single largest commercial satellite weather data purchase. Planet IQ will deliver 7,000 GNSS RO profiles per day, including 500 enhanced high signal-to-noise ratio profiles, as well as 2,500 low-latency, total electron content tracks daily. Data deliveries begin on Thursday. [MUSIC PLAYING] [MUSIC PLAYING] And while that's it for today's Intel Briefing, we will have more on the announcements coming out of World Space Business Week in Paris later in this show. But before we get to that, and our guests from Vision Space and 2K senior producer Alice Carruth joins me now with a look at what is in today's show notes. What do you have, Alice? Glad to see you better, Maria. We include links to the original sources of all the stories mentioned throughout the show in the selected reading section of our show notes. Today, we've included three additional links. Blue Force plans to purchase Helium 3 from Interloon. The first images from the multi-viewing, multi-channel, multi-polarization imager were shared at the UMetSat conference. And K-Labs, which we covered on yesterday's show, have raised 57 million euros to help scale their production. If you're interested in joining us, please subscribe to our channel. And if you're interested in joining us, please subscribe to our channel.. And I mainly focus on offensive security activities for the space systems. So things like penetration testing of some systems, vulnerability to research, finding zero days. And we are writing a book for most WordPress, which is called the Spacecraft Hacker's Handbook. - Milenko and Andre, thank you both for joining me today. I'm thrilled to be speaking to both of you. And I saw an article on the register, which I read every day, about some research that you all presented at Black Hat. And I really wanted to talk to you both about what you found, if you want to sort of recap some of that research, especially for my audience who is predominantly, not cybersecurity focused, but they are in the space industry. And what you would like them to know about what you've been finding with those key takeaways are? - So our research was a collection of vulnerabilities that we've gathered over the past years, I think 2023. We started doing like systematic review of software systems used in a space. So what we were most familiar with are mission control systems, just from the background we had from maintaining and deploying and configuring these systems. We knew that there's a lot that could be found potentially. So we did like a review of open source mission control systems and found quite a lot of vulnerabilities in them, which were mostly from a cybersecurity perspective, like though hanging fruits, but from the space perspective, the software was doing what it was supposed to do. It didn't do anything unexpected. It was just that the hardening was not to the standard, which you would expect from an application used for such a sensitive purpose. And that seems to be like a very common problem in the space industry, is that the software is not built to withstand modern attacks and modern attackers who know how to take these systems apart and that there's still like a thinking, yeah, people don't know how to use this application, so they will not be able to do anything without it, which is very, very dangerous. So if you say like, oh no, my software is so complex, only I can use it, that's definitely not the case. Attackers will download all your files, they will read through thousands of pages, now with large language models, even millions of pages of documents in hours and days, and they will go through it and they will figure out how it works. So I think that's a very risky assumption, is security by obscurity, which is still very popular in the space industry. So that's why we did it on open source software so that we could actually go out and show, okay, like here's like a systematic problem in every single of these mission control systems, we found issues, and after that we went for onboard software frameworks, so there's two very popular ones from NASA, Cofflight System, which is actively used in flying missions, and F-Prime, which was developed for the Mars helicopter engineerty, and also in those we found quite a lot of vulnerabilities, but also some more general security issues, partially due to the lack of embedded security in these frameworks. At this point we have found a little bit less than 40 CVEs, almost 40 zero days in those systems, which is reported a few more on all of the systems we use, and they range from different severity, between five or six to almost 10, I think the highest one we have is 9.9 or 9.8, something like that. - And that's out of a scale of 10 for my audience who may not know that that's very severe, yes. - Yeah, and also the impact varies between small information disclosure to actually getting a remote code execution on a platform, either spacecraft platform or a system that is controlling the spacecraft, the ones which we have demonstrated at Blackhawk, so we try to approach the demonstration from different angles to demonstrate what is the impact on the actual spacecraft by getting access to the mission control system, either directly or through a phishing campaign, and also if you are in an Asian state and you are actually able to communicate with spaceflight directly because you have capabilities and you are not limited by laws, how you could take over the control of spacecraft or effectively you could break it. So that's how we decided to approach the presentation and that's how we showed those three demos, we worked with that in mind. - It was super fascinating reading through the different potential capabilities if someone were to exploit these vulnerabilities and I don't wanna try and do fear and certainty and doubt here and go, oh, you know, sky's falling. It is just very interesting to see what the potentials were and I know that these vulnerabilities, it sounds like they've already been remediated, you disclosed them and they've been remediated, so am I understanding that correctly? - Yes, yes, so we have, when we discovered those vulnerabilities, we followed the responsible disclosure process where we first notified vendor. In most of the cases it was NASA or the companies that work for NASA and then we worked with them to fix those issues and we also made some effort to actually test it afterwards. - I'm wondering from you both what your thoughts are on takeaways especially for the commercial space industry around the world, given how much it's growing. This is anecdotal, but often in conversations I've had with people when I talk to them about cybersecurity for space systems, there's often an attitude of a lot of this is handled by government entities, I don't really need to worry about this as much and Milenko you mentioned security through obscurity. I just often wonder, I mean, that model seems to be very much failing in the face of scale. I'm just curious your thoughts on that, yeah. - I would say that there's a big risk that's like going for strictly compliance. I think what most people are referring to is like, okay, like we have to comply with these things. So like we have a checklist, we have some threat modeling, we have some mitigations, checklist done, security. - Good, right? Yeah, yeah, security done. - At least on a legal perspective, I mean, and that's what people are afraid of is like, on a legal perspective, you're good, you can still get hacked, and about it will like not affect you on like a legal basis basically. And this is usually where it gets, where people get more careful is when they are more personally impacted by this. So what we've seen is like a lack of actual testing. So that's something that we're trying to push for is that like your security controls are nice, but if you still haven't tested the software that is running on your systems, like this custom software on systems which are configured and often like maintained over sometimes decades, like until like literally the server falls apart. And then you hope that you have a spare box somewhere in the corner of the room. These systems, they need to be maintained and they need to be tested on a regular basis. And this is something that we see is definitely missing that you could maybe have the software that we had previously going through compliance cycles over and over again. No one was ever bothering to run like a simple code like static analysis on the code base to see if there are maybe some low hanging fruits in it, which they were. So a lot of the issues we found could have been easily caught early on and not kept in the software for many years. - Hmm, that is interesting. - And on the commercial side of things, there are pretty much two ways companies go about it. One way is to develop their own software, which is closed source and we don't really know what it is. So it's gonna be up to the company to make sure that it's secure. And unfortunately from our experience, it often happens that security is at the very end of the requirement list. So sometimes, especially for the new space companies, which are often startups, they leave security at the end or they don't consider it at all. And then the other approach is to use some of the already existing software, which is open source from NASA, for instance, or other entities developing the open source software and making public. And this is the software which companies would easily assume that they are the software secure because well, it was developed by NASA, so it must be. And actually this is the software we find the most vulnerabilities in. - That is fascinating. That is a really interesting takeaway as well. But I wanna make sure that I give you both an opportunity if there's anything that you wanna mention as sort of a closing thought. - So I think it's for people in space industry. It's important to start early with security design and it's never too late. So even if the mission is flying, you can still do your risk assessment, threat modeling and everything. But the importance is to not stop with the compliance checklist, but to actually have verification of those requirements and not to go with some crazy requirements that just are like, I don't know, someone grabs my spacecraft and deorbit it. That sure, that's a risk. But maybe you should focus on a bit more realistic requirements for your case and threats that actually can impact your business severely. You will be right back. Welcome back. I will hand you over now to Yvette Gonzalez from SpaceWatch Global for the latest from the Space Defense and Security Summit at World Space Business Week in Paris. - Hi, Maria and hi, Space Watchers. And here we are at the end of day two for the World Space Business Week. Today there was a second event, the Space Defense Security Summit. And it opened with Space Command leaders from Germany, France, Canada, and they were all discussing navigating a rapidly evolving space domain. The highlight from that is that we have to look at what we have changed and especially what has not changed, really honoring the legacy of all the infrastructure and what everyone has created so far. And that's gonna be key in collaborating going forward. Another common theme was that space is still a war fighting domain. The message was clear that that has not changed. And so we now share a permanence of operations, a permanence of more data, and that we're gonna be looking at more impressions of what space operations will look like together. In agreement, we look at how Ukraine has demonstrated that space is the bottom line. We look at that as an example of why NATO will be opening their Space Center of Excellence in Toulouse and be growing out from that area. China is also accelerating in space. And everyone agreed that we are in a space race. And this will also be determining how we navigate forward. It is true that we still are looking at the speed of relevance which kept coming up today. And space is becoming more tactical. Kill chains are becoming tighter, timborally, and that is the focus. And space has now moved from supportive to definitely operational. So we're bridging gaps by training the younger generation, especially in analog approaches such as using compasses, maps again, and marrying that with technology. They moved on to the afternoon sessions where success in space looks like a continuation of deterrence. How coalitions of partners that are trained in adversaries will now take pause at how even a presence in space can be a deterrence. And that looks like a competitive endurance approach. The exploring strategies for resilience and escalation management in deteriorating space environment panel discuss how escalation in space and developments mean that we are now changing the use of space. There's technical advantage on the ground and we can't lose sight that we still need what's happening terrestrally. So there's a sense of urgency and our common proof together is that we have a common emergency together or a common urgency together and that we develop technology around that. The international cooperation in a fast changing space domain was a really fascinating topic today. And it is about understanding how information sharing makes interoperability crucial. NATO relies on national capabilities and they want as a team and as collaborators and as allies to ensure that dialogue is that we work collectively. There was a good agreement that going forward this would be really crucial. The topics of the remainder of the day really focus on space surveillance, facing a 15,000 satellite environment, and then moving on to acquisition programs from Korea and spaces as strategic enabler for enhanced military forces. The bottom line at the end of the day was that everyone will be working together in collaboration for supporting a more robust ecosystem and ensuring interoperability and shared capabilities. So we can see the advancement of preparations for defense technologies. Back to you, Maria. [MUSIC PLAYING] And that's T-minus, brought to you by N2K Cyberwire. What do you think about our show T-minus Space Daily? Please take a few minutes to share your thoughts with us by completing our brief listener survey, links in the show notes for you. And thank you for helping us continue to improve our show. We're proud that N2K Cyberwire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies. N2K helps space and cybersecurity professionals grow, learn, and stay informed. As the nexus for discovery and connection, we bring you the people, technology, and the ideas, shaping the future of secure innovation. Learn how at N2K.com. N2K Senior Producer is Alice Carruth. Our producer is Liz Stokes. We are mixed by Elliott Peltzman and Tre Hester, with original music by Elliot Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpie is our publisher, and I am your host, Maria Varmazis. Thank you for listening. We'll see you tomorrow. [MUSIC PLAYING] T-minus. [LAUGHTER] [MUSIC PLAYING] [BLANK_AUDIO]
