[MUSIC PLAYING] Today is October 28, 2025. I'm Maria Vermazis, and this is T-minus. [MUSIC PLAYING] T-minus. 22nd to LOS, T-dress. Open aboard. [INAUDIBLE] [MUSIC PLAYING] [INAUDIBLE] Space Robotics Workers has selected Space Doc's intelligent interface for integration with its robotic smart trust system. Forward. Chinese commercial space company Space Pioneer says it has completed a satellite separation test. Free. The Philippines and Malaysia have signed the Artemis Accords. No. The University of Florida, in collaboration with NASA, MIT, Vanguard Automation, AIM Photonics, and Germany's Braunhauer-Heinrich-Hertz Institute, have a suite of photonic AI chips en route to the International Space Station. What? UKSA has selected Slingshot Aerospace for a provision of Optical Delivery Partner Contract. [INAUDIBLE] [MUSIC PLAYING] [INAUDIBLE] [MUSIC PLAYING] And today we have our monthly chat with Brandon Karp about space cybersecurity. And if you've been following his advice over the last few months about looking the space for your data storage, you will probably want to listen to his latest cautionary tale. Stay with us for more on that after today's headlines. [MUSIC PLAYING] Happy Tuesday, everybody. Thank you for joining me. The UK Space Agency has selected Slingshot Aerospace for a provision of Optical Delivery Partner Contract to expand the UK's satellite tracking capabilities. The contract value was not disclosed with the press release. Slingshot currently operates 204 sensors in 21 locations across five continents. Under the contract's terms, the Space Domain Awareness Company will deploy 13 new optical sensor systems across five global sites to enable tracking and monitoring for satellites, space debris, and other near-Earth objects like asteroids and comets. Slingshot will partner with Bodder Planetarium to equip each site with all-sky domes to provide environmental protection and enable resilient, autonomous 24/7 operations across diverse conditions. Angus Stewart, who is the head of the National Space Operations Center, said this, "We are delighted to welcome Slingshot on board as our delivery partner for a global network of optical space sensors. This sensor network is critical to our mission of protecting UK and allied interests in space and on Earth and ensuring that space remains safe and sustainable here, here." The University of Florida, in collaboration with NASA, MIT, Vanguard Automation, AIM Photonics, and Germany's Fraunhauer Heinrich-Herz Institute, have a suite of photonic AI chips en route to the International Space Station right now. The experiment launched aboard JAXA's HTV X1 spacecraft this weekend, and it is expected to dock with the ISS on Thursday. And the mission is part of NASA's MISSI, or Materials International Space Station experiment, which tests how materials and devices perform when they are exposed to the harsh environment of low Earth orbit. The University of Florida's contribution focuses on testing the resilience and performance of next-generation photonic semiconductor technologies in space, a step forward toward developing faster, more efficient computing systems that are capable of withstanding extreme conditions. While the government shutdown does unfortunately continue here in the United States with sadly no end in sight, US President Donald Trump is visiting Asia. He's there to participate in the 13th annual US-ACN summit meeting, but on the sidelines, he secured new trade deals, brokered a new peace accord, and secured new signatories for the Artemis Accords. The Philippines and Malaysia have now committed to the principles of safe and transparent space exploration by signing the Artemis Accords, now bringing the total number of signatory countries to $59,000. Adding to that, President Trump secured Malaysian purchases of US semiconductors, aerospace components, and data center equipment with an estimated value of $150 billion. Chinese commercial space company Space Pioneer says it has completed a satellite separation test. Reusable carrier rocket Tianlong-3 completed a 36-satellite separation test at its intelligent manufacturing base in Zhangjiagang City in East China's Jiangsu Province. The test further validated the liquid-repellent model's capacity to launch multiple satellites simultaneously. Space Pioneer is aiming to conduct the maiden flight of the Tianlong-3 launch vehicle by the end of 2025, and it expects to progressively support over 60 launch missions annually. And Space Robotics Workers has selected Space Docks Intelligence Interface for integration with its robotic smart trust system. The system is a modular structural element designed for orbital assembly and maintenance of space infrastructure. The companies plan to conduct a ground demonstration in early 2026 to validate autonomous capture and structural connection between smart trust units using Space Docks Interface for autonomous birthing, docking, and power, fluid, and data transfer. The test will be conducted in a ground-based analog environment, and it will be a big milestone towards Space Robotics Workers' ambition to conduct robotic construction of commercial Leo destination platforms, solar power stations, and other persistent orbital structures. [MUSIC PLAYING] And that rounds up our top five stories for today. And before I catch up with friend of the show brand in carp about what is going on in the space of cybersecurity and the cybersecurity of space, and 2K senior producer Alice Carruth joins us now with a look at the other news making the headlines. Thanks, Maria. Iridium has unveiled a new chip that will provide pole-to-pole positioning, navigation, and timing data. And FrontGray Technologies has launched a next generation computing solution designed to meet the demanding requirements of the most advanced space missions. You can read out more about those product announcements and about all the other stories mentioned throughout the show by following the links in the selected reading section of our show notes. [MUSIC PLAYING] [MUSIC PLAYING] Today's guest is friend of the show Brandon Karp, founder of T-Minus Space Daily and Cybersecurity Expert. [MUSIC PLAYING] To all the listeners, my friends out there, the space and cyber community, here's my mea culpa. For months now, I've been encouraging you to start thinking about how you can transfer as much of your backbone traffic to a satellite architecture, geo or leo satellites as possible. And just two weeks ago, University of Maryland and UC San Diego released a fantastically terrifying and disappointing research report about the fact that almost all of the-- I mean, more than 50% of the traffic they were able to measure from geo satellites was being sent in the clear, like clear text, no encryption whatsoever. And we'll get into more details. But boy, I mean, this is like first grade stuff, basic stuff that we are not doing with critical telco infrastructure in space. And so clearly, the community has a lot to do to actually get ready for you all to transfer your traffic to the space architecture. Yeah, this story, when that came out, I remember in our editorial meeting, I think there was some stunned silence and a lot of reading going, wait a second, that's not supposed to be happening. And also, this wasn't very hard for these folks to do. And it wasn't this research running for like three years. And they found just a lot of stuff in the clear. A lot. A lot. I mean, they collected literal terabytes and terabytes of data using $600 of commercial off-the-shelf equipment that anyone could buy. It was literally a standard satellite dish, a really simple motor just for pointing, and then a USB tuner card, which anyone can buy that stuff. They were just listening passively. It was leaving no trace. There was no active connections made between their devices and these satellites in Geo. They scammed 39 different satellites, 411 different transponders on those 39 satellites from one location in Southern California. And what they found was more than 50% of the links were broadcasting in the clear, like sensitive data in total clear text. Yeah, there was like law enforcement information going in the clear, right? Just like a lot of stuff you don't want in the clear. And yeah. Yeah, law enforcement telecom information from like T-Mobile, AT&T, and others, corporate and financial secrets. I mean, ATM infrastructure information. Inflate Wi-Fi was part of this, including servers, private RSA keys being sent over in the clear. And then to your point, law enforcement, electric utilities, critical infrastructure, backhaul, all being sent in the clear. Okay. All right. So I think part of the reason this was stunning for me is I had assumed all of that kind of information would clearly be encrypted. Why was this not encrypted? Yeah, I also assumed, like I imagine many of our listeners and like you, that all of this was being encrypted, that the service providers here were doing the bare minimum in terms of securing, at least at the transport layer. You can encrypt at the application layer. You can encrypt at the transport at the network layer. I would have at least assumed that the transport was being encrypted. Maybe not every application here has an encryption module in it, but it's relatively trivial and quite common to implement, like especially for internet traffic, TLS or SSL. It is, you know, that being at the transport layer, it's relatively trivial nowadays to implement IPsec or another network layer protocol that has security inherent to it. But they weren't. I mean, it's not just one-offs, right? It's not just one of these users or one of these sectors. It is actually, it seems like every sector. I mean, Walmart was caught up in this. Santander Bank was caught up in this. Panasonic was caught up in this. Along with the Mexican law enforcement and government, again, they were in Southern California doing this, as well as telcos like T-Mobile and AT&T. Everything from SMS messages, voice content, browsing history, browsing traffic, all being sent in the clear. In total, they collected 3.7 terabytes of data, and more than 50% of it was sent in the clear. Okay, that is a lot of data. Who's to blame? Who's at fault for this? Who should have been encrypting stuff that didn't? Every one, yeah. I mean, the challenge here is like people will want to blame the satellite service providers. And part of the blame is theirs. I would say, you know, these were all GeoSatellites service providers. Now, some of them have offset the blame saying, you know, we're just a service provider. We're providing access and bandwidth. We're not actually looking at the traffic. However, they do have controls in terms of implementing the ground station services, et cetera, which by the way is where the encryption actually happens. There's a lot of misconception. I've even read reporting of people saying, well, these satellites are really old, and so they don't have the cryptographic, you know, hardware modules on them. None of that matters in the space segment. The space segment is a bent pipe, right? It's a reflected mirror. Yeah, data goes up, data goes down. I mean, right? Exactly. The encryption regardless is gonna happen on the ground by the users. So I would say part of it is the standards of the service providers, that the satellite service providers themselves. And then even more of it though, is all of these organizations who are relying on satellite communications for their infrastructure, for their, whether it's data backhaul for these telecommunication companies, whether it's control traffic for, you know, these distributed ATM infrastructures or the law enforcement or electric utilities, this kind of distributed power grid control signals. It really comes down to those organizations not implementing the standard of basic, I mean, basic, basic, basic level encryption. My mind boggles a little bit thinking about the geopolitical implications of this, of what may have been able to, you know, be leaked or sniffed up or, you know, my mind really boggles just thinking about this. Yeah, it actually, it reminds me of the Heartbleed incident back in 2014, where there was a critical vulnerability in open SSL. Open SSL actually being a cryptographic module used, you know, open source used throughout, pretty much every digital piece of infrastructure that allowed kind of passive memory reading that essentially broke open SSL. That was 2014 and, you know, a huge issue industry-wide, required everyone to respond to it. You know, Heartbleed was more universal because everyone was using open SSL, not everyone is using satellite for comms and for backhaul. However, anyone who is, which is as I, as, you know, we went through the list already, a significant number of industries, a significant number of organizations, they need to check what is being sent in the clear, what is being sent cryptographically secure. And based on this research, it seems like the majority is not being sent secure, which is a huge issue because this was just research done in one little region of, you know, one view of the night sky. Think about all the areas of the world that data could easily be scooped up, again, passively collected, including, again, there were server keys, there were RSA keys being sent over the clear as well. And just collected and used. This data is valuable. This provides potential intelligence on critical infrastructure control systems, even if like, even think of an offensive attack against some of these networks. If that data is sent in the clear, there's nothing keeping an adversary from collecting that, doing a replay attack, a spoofing attack against those systems, preparing that type of weaponization against our critical infrastructure. - I'm actually amazed this story wasn't bigger than it was when it dropped. - That's what I'm saying. - Yeah, honestly, the more you've been talking about it, I'm just, this is, sorry. - Yeah, right. - It's like, oh my God. - Yeah. - Like, what is going on? Why are more people not talking about this? I mean, in the US alone, I mean, you talk about the incidents with Volt and Salt Typhoon getting into our critical infrastructure and weaponizing that for a potential future military conflict. I mean, this type of vulnerability in core critical communications technologies, and not because it's a zero-day vulnerability, not because it's a misconfiguration, because we just aren't implementing the most basic forms of security, is absolutely unbelievable at this point. - Yeah, all the discussions about security, hygiene, and all that kind of stuff, we gotta take 20 steps back. - Right. - To start with encrypted data. - Blocking and tackling people. - Like the basics. - Ooh, okay, so. - And actually, one of the responses is even scarier, right? Because when they notified T-Mobile of this, right? T-Mobile US, that they were able to, in just nine hours, capture over 2,700 unique phone numbers and their SMS messages, voice call data, browsing data from those phone numbers. I think it was within like 30 days, T-Mobile had implemented encryption on those links, which means that they could have been doing it the whole time. (laughs) - Is it super difficult to encrypt this stuff? And why is this not happening? - I really think it's incentives. It's market incentives. There is a cryptographic overhead, and some have quoted numbers and like the 20% performance hit. That's a little bit much over what it really is, especially these days with hardware accelerated cryptography, with even application layer encryption, which doesn't even happen on the chip. Like think TLS, application layer encryption, that all totally bypasses limitations on old ground hardware because the data just gets encrypted by the applications before it even touches any satellite equipment. So there are arguments that there's some performance hit, that it costs more resources to implement this stuff. But at the end of the day, there are so many good technologies out there for implementing modern encryption. That's not really an excuse. So I think it's a market issue. It's just the users here are not demanding it. The providers are not making it a core part of their security infrastructure. And then finally the governments, right? Whether it's the FCC, the EU, state laws, they're not demanding it very clearly. And so I mean, head should roll for this. People need to take this seriously and demand clarity. More than just a security checklist from these providers actually demand seeing what type of security, what type of cryptography is being used for their applications and their services. - If any. - If any, right? This is unacceptable. I mean, I was heartened by the EU space act from over the summer, at least the proposed where they were gonna hold executives personally liable for lapses of compliance. I think that that type of control is really the, I mean, collective action against these organizations who aren't taking this seriously enough to implement the most basic forms of encryption, that there are dozens of tools to use that a large organization like T-Mobile could implement within 30 days once they were notified about it. I mean, there's nothing but just holding these organizations to account. (upbeat music) We will be right back. Welcome back. Did you know that the web space telescope had a bit of gunk in his eye, so to speak? Yeah, I didn't either. And Australia just helped web clear its vision. And all it took was a bit of code, thankfully not a spacewalk. Good thing too, because humanity hasn't yet figured out how to get astronauts to L2, 1.5 million kilometers away. Recently, two PhD students at the University of Sydney, Louis de Duat and Max Charles, developed a software fix that restored crisp focus to one of JWST's key scientific instruments, the Aperture Masking Interferometer, or AMI. And the tool they built, called Amigo, corrects a subtle electronic distortion that had been blurring some of web's high resolution images and a little swoosh of the metaphorical lens cleaner from a great distance and fixed. And by the way, the AMI instrument was itself an Australian innovation, and it was designed to give web a super-powered view of stars and exoplanets. But when the blurring appeared, it did remind quite a few folks of Hubble's early blurry vision days, not exactly fun memories. But instead of much-argued about shuttle missions and astronaut spacewalks, these researchers solved the problem cleanly with algorithms and neural networks. And thanks to the software correction, web can now capture sharper images of distant galaxies, black hole jets, and even the volcanic surface of Jupiter's moon Io. And a little detail about the story that I really love to mark their accomplishment, both Adwatt and Charles got tattoos of the very instrument that they helped fix. Some permanent ink feels like a fitting testament to the hard work that they put in to tune up one of humanity's most incredible observatories of the heavens. (upbeat music) And that's T-minus, brought to you by N2K Cyberwire. We'd love to know what you think of our podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing space industry. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to space@n2k.com. We're proud that N2K Cyberwire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies. N2K helps space and cybersecurity professionals grow, learn, and stay informed. As the Nexus for Discovery and Connection, we bring you the people, the technology, and the ideas shaping the future of secure innovation. Learn how at N2K.com. N2K's senior producer is Alice Carruth. Our producer is Liz Stokes. We are mixed by Elliott Peltzman and Tre Hester with original music by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher. And I am your host, Maria Varmazis. Thank you for listening. We'll see you tomorrow. T-minus. (dramatic music) (water splashing) [BLANK_AUDIO]
