Tools & Resources

Overview

Satellite security research sits at the intersection of radio frequency engineering, embedded systems, network security, and aerospace domain knowledge. The barrier to entry has dropped dramatically since 2015 — a functional satellite ground station for security research can now be assembled for under $100, and most of the critical software tools are open source. This page catalogs the hardware platforms, software tools, research papers, and community resources that form the foundation of satellite security work.

The tools are organized by function: SDR hardware for signal capture and transmission, software for signal processing and decoding, satellite-specific utilities for tracking and protocol analysis, OSINT platforms for reconnaissance, embedded security tools for firmware and hardware analysis, and simulation platforms for safe experimentation.


SDR Hardware Platforms

Software-Defined Radio (SDR) hardware is the single most important equipment category for satellite security research. SDRs replace traditional analog radio components with digital signal processing, allowing a single device to receive (and sometimes transmit) across a wide frequency range. The choice of SDR determines what satellite signals you can capture, whether you can perform active testing, and the quality of your analysis.

Hardware Comparison

| Device | Price (USD) | TX/RX | Frequency Range | Max Bandwidth | ADC Resolution | Use Case |
|---|---|---|---|---|---|---|
| RTL-SDR V3/V4 | ~$30 | RX only | 24 MHz – 1.766 GHz | 2.4 MHz | 8-bit | L-band reception, NOAA/Meteor weather satellites, ADS-B, beginner satellite work |
| Nooelec NESDR SMArt | ~$25 | RX only | 25 MHz – 1.75 GHz | 2.4 MHz | 8-bit | Budget alternative to RTL-SDR, good thermal stability with aluminum enclosure |
| Airspy Mini | ~$100 | RX only | 24 MHz – 1.8 GHz | 6 MHz | 12-bit | Superior dynamic range for congested bands, better sensitivity for weak satellite signals |
| ADALM-Pluto (PlutoSDR) | ~$200 | TX/RX | 325 MHz – 3.8 GHz | 20 MHz | 12-bit | Learning platform with transmit capability, ideal for lab-based satellite protocol research |
| LimeSDR Mini | ~$200 | TX/RX (Full Duplex) | 10 MHz – 3.5 GHz | 30.72 MHz | 12-bit | Full-duplex operation for simultaneous TX/RX, protocol fuzzing |
| HackRF One | ~$350 | TX/RX (Half Duplex) | 1 MHz – 6 GHz | 20 MHz | 8-bit | Widest frequency coverage, essential for active testing, GPS simulation, C-band work |
| Ettus USRP B210 | ~$2,000 | TX/RX (Full Duplex) | 70 MHz – 6 GHz | 56 MHz | 12-bit | Professional-grade research, 2x2 MIMO, highest bandwidth, used by government labs |

Detailed Platform Notes

RTL-SDR V3/V4 — The de facto starting point for satellite security research. Based on the Realtek RTL2832U chipset, these dongles were originally designed for DVB-T television reception but were repurposed by the open-source community for wideband reception. The V3 added direct sampling mode for HF reception (below 24 MHz), and the V4 improved filtering and added a built-in notch filter for broadcast FM rejection. For satellite work, the RTL-SDR can receive Inmarsat signals on L-band (~1.5 GHz), decode NOAA APT weather imagery, capture ADS-B aircraft transponder data, and monitor some satellite downlinks. Its 8-bit ADC limits dynamic range compared to higher-end options, but for initial learning and passive reconnaissance, nothing beats the price-to-capability ratio.

HackRF One — The most versatile single-board SDR for satellite security testing. Its 1 MHz to 6 GHz range covers nearly every satellite frequency band used in practice: L-band (1–2 GHz), S-band (2–4 GHz), and C-band (4–8 GHz, partial). Transmit capability is critical for active testing scenarios including GPS signal simulation, protocol fuzzing of ground terminals, and replay attacks against satellite modems. The 8-bit ADC is its primary limitation — for signals requiring high dynamic range, the Ettus B210 or even the Airspy Mini will outperform it on the receive side. Great Scott Gadgets maintains the hardware design as open source.

Ettus USRP B210 — The professional standard for satellite security research labs. The 56 MHz of instantaneous bandwidth allows capture of wideband satellite transponders in a single acquisition. The 2x2 MIMO configuration enables direction-finding and diversity reception techniques. Full-duplex operation means you can transmit a spoofed signal while simultaneously monitoring the target’s response. The B210 integrates with GNU Radio through the UHD (USRP Hardware Driver) framework, which is extensively documented and supported. Government agencies, defense contractors, and university research labs standardize on USRP hardware for its reliability and performance.

Essential Accessories

Beyond the SDR itself, satellite signal reception requires additional hardware:

  • LNA (Low Noise Amplifier) — Satellite signals arrive at Earth’s surface extremely weak (often below the noise floor). An LNA placed close to the antenna boosts the signal before cable losses degrade it. The Nooelec SAWbird+ LNA ($35) is purpose-built for L-band satellite reception. For S-band work, a broadband LNA like the SPF5189Z ($15) provides adequate gain.
  • Bandpass Filters — Isolate the satellite band of interest and reject interference from cellular towers, broadcast FM, and other strong local signals. Critical when operating near urban environments.
  • Antennas — A simple V-dipole or QFH (Quadrifilar Helix) antenna works for VHF weather satellites. L-band Inmarsat reception requires a patch antenna or small dish. C-band and Ku-band work requires parabolic dishes (0.6m–1.2m) with appropriate feed horns.
  • Bias Tee — Powers the LNA through the coaxial cable from the SDR. The RTL-SDR V3/V4 has a built-in software-switchable bias tee. For other SDRs, an external bias tee (~$10) is needed.

SDR Software

GNU Radio

GNU Radio is the foundational open-source signal processing framework for satellite security research. It provides a graphical flowgraph editor (GNU Radio Companion / GRC) and a Python/C++ runtime for building custom signal processing chains. Nearly every satellite-specific tool listed below builds on GNU Radio or interfaces with it.

Key capabilities for satellite work:

  • Demodulation of FM, AM, PSK, QAM, and OFDM signals used by satellite systems
  • Custom protocol decoders for proprietary satellite link layers
  • Real-time and recorded (file-based) signal processing
  • Integration with all major SDR hardware through OsmoSDR, UHD, and SoapySDR interfaces
  • Extensive block library for filtering, resampling, synchronization, and error correction

```bash
# Install GNU Radio on Ubuntu/Debian
sudo apt install gnuradio

# Launch the graphical flowgraph editor
gnuradio-companion

# Run a flowgraph from the command line
python3 my_satellite_decoder.py
```

SDR++

SDR++ is a cross-platform, general-purpose SDR receiver application with a modern interface. It serves as the “first look” tool when you want to visually explore a frequency band and identify satellite signals before building a dedicated decoder. SDR++ supports waterfall displays, multiple VFOs (Virtual Frequency Oscillators), and a plugin architecture for adding demodulators. It is significantly faster and more responsive than the older SDR# (Windows-only) and GQRX applications.

SatDump

SatDump is the premier open-source tool for decoding satellite signals, with particular strength in weather satellite imagery. It supports decoding of:

  • NOAA POES — APT (Automatic Picture Transmission) on 137 MHz
  • Meteor-M — LRPT (Low Rate Picture Transmission) on 137 MHz
  • NOAA GOES — HRIT/LRIT on L-band (1694 MHz)
  • EUMETSAT Metop — HRPT (High Rate Picture Transmission) on L-band
  • FengYun — Chinese weather satellite imagery
  • Inmarsat — AERO/ACARS messaging decoding on L-band

SatDump can operate in real-time with an SDR or process recorded baseband files. For security researchers, SatDump demonstrates practical satellite signal interception — the decoded weather imagery and messaging data prove that satellite downlinks are receivable with consumer equipment.

```bash
# Install SatDump (AppImage or from source)
git clone https://github.com/SatDump/SatDump.git
cd SatDump && mkdir build && cd build
cmake .. && make -j$(nproc)

# Decode a recorded Meteor-M2 LRPT baseband file
# Arguments: pipeline, input level, input file, output directory (lrpt_output is a placeholder name)
satdump meteor_m2_lrpt baseband recorded_signal.raw lrpt_output --samplerate 2400000
```

SDRangel

SDRangel is a multi-channel SDR receiver and transmitter application. Its distinguishing feature is the ability to run multiple independent receive channels simultaneously from a single SDR, which is useful for monitoring several satellite signals at once. It includes built-in demodulators for ADS-B, AIS, APRS, and various digital voice modes, plus a channel analyzer for unknown signal identification.

CubicSDR

CubicSDR provides a clean, minimal interface for SDR reception with waterfall visualization. It uses SoapySDR as its hardware abstraction layer, giving it broad device compatibility. Less feature-rich than SDR++ but useful as a lightweight alternative.


Satellite-Specific Tools

GPS-SDR-SIM

GPS-SDR-SIM generates GPS L1 C/A baseband signals that can be transmitted using a HackRF One or other TX-capable SDR to simulate GPS satellite constellations. This is the primary tool for GPS spoofing research and testing GPS receiver resilience.

Capabilities:

  • Simulate any location on Earth at any time
  • Generate signals for up to 12 GPS satellites simultaneously
  • Support static position, dynamic trajectory (from NMEA or user-defined motion files), and RINEX ephemeris data
  • Output I/Q samples at 2.6 MHz sample rate for HackRF transmission

```bash
# Clone and build
git clone https://github.com/osqzss/gps-sdr-sim.git
cd gps-sdr-sim && gcc gpssim.c -lm -O3 -o gps-sdr-sim

# Generate GPS signal for a specific location (latitude, longitude, altitude)
./gps-sdr-sim -e brdc3540.14n -l 38.8977,-77.0365,100 -o gpssim.bin

# Transmit with HackRF (L1 frequency = 1575.42 MHz)
hackrf_transfer -t gpssim.bin -f 1575420000 -s 2600000 -a 1 -x 0
```

Legal Warning: Transmitting simulated GPS signals is illegal in most jurisdictions unless done in a shielded/anechoic environment. GPS-SDR-SIM is intended for controlled laboratory testing only. Even low-power transmissions can disrupt GPS receivers in a wide radius.

GNSS-SDR

GNSS-SDR is an open-source Global Navigation Satellite System receiver implemented entirely in software. Unlike GPS-SDR-SIM (which generates signals), GNSS-SDR processes received satellite signals to compute position, velocity, and time. Security researchers use it to:

  • Analyze GPS/GLONASS/Galileo/BeiDou signal structures
  • Implement and test spoofing detection algorithms
  • Study signal authentication mechanisms (e.g., Galileo OSNMA)
  • Process recorded RF data for forensic analysis of spoofing incidents

gr-satellites

gr-satellites is a GNU Radio out-of-tree module containing decoders for over 100 amateur and research satellites. It handles the full signal processing chain from RF samples to decoded telemetry frames. For security researchers, gr-satellites provides working implementations of the modulation, coding, and framing schemes used by real satellites — invaluable for understanding how satellite links work at the protocol level and identifying where security controls are (or aren’t) implemented.

Supported protocols include: AX.25, GOMspace CSP, CCSDS, HDLC, USP, and numerous proprietary telemetry formats.

```bash
# Install gr-satellites
pip install gr-satellites

# Decode a specific satellite from recorded IQ data
gr_satellites 'NOAA 15' --wavfile recording.wav --samp_rate 48000
```

SatNOGS

SatNOGS (Satellite Networked Open Ground Station) is an open-source project that builds and operates a global network of automated satellite ground stations. The network consists of hundreds of volunteer-operated stations that schedule and execute satellite passes, recording the received signals and uploading them to a central database.

Security research applications:

  • Access a global archive of recorded satellite transmissions without building your own ground station
  • Study satellite telemetry patterns over time to identify anomalies
  • Contribute observations to community tracking of satellite behavior
  • Use the SatNOGS DB API to programmatically query satellite transmissions

The SatNOGS hardware design uses RTL-SDR receivers with automated antenna rotators, demonstrating that satellite signal interception can be done at scale with commodity equipment.

Satellite Tracking Tools

| Tool | Type | Purpose |
|---|---|---|
| gpredict | Desktop application | Real-time satellite tracking, pass prediction, antenna rotator control. Essential for knowing when a target satellite is overhead. |
| Orbitron | Desktop application (Windows) | Satellite tracking with TLE updates, widely used in amateur radio community |
| Stellarium | Desktop application | Visual astronomy tool that includes satellite tracking — useful for dish alignment |
| PyEphem / Skyfield | Python libraries | Programmatic satellite position calculation for scripting automated observations |

OSINT & Reconnaissance Tools

Satellite security assessments begin with open-source intelligence gathering. The following tools support reconnaissance of both space and ground segments.

Space Segment OSINT

| Resource | URL | Data Provided |
|---|---|---|
| Space-Track.org | space-track.org | Two-Line Element (TLE) orbital data, conjunction assessments, decay predictions. Requires free registration. Official source from 18th Space Defense Squadron. |
| CelesTrak | celestrak.org | Curated TLE data sets, supplemental orbital data, satellite catalog. Dr. T.S. Kelso’s long-running resource. |
| N2YO | n2yo.com | Real-time satellite tracking, pass predictions, 3D visualization. No registration required. |
| In-The-Sky.org | in-the-sky.org | Satellite pass predictions, visible satellite finder, orbital element database |
| UCS Satellite Database | ucsusa.org/satellite-database | Comprehensive database of active satellites with operator, purpose, orbit type, and launch date |
| SatBeams | satbeams.com | Satellite transponder frequency plans, footprint maps, EIRP contours — essential for identifying which frequencies a satellite uses |
| LyngSat | lyngsat.com | Detailed listings of satellite TV and radio channels with frequencies, symbol rates, and FEC parameters |

Ground Segment OSINT

| Tool | Purpose |
|---|---|
| Shodan | Discover internet-connected satellite ground infrastructure: VSAT terminals, ground station control interfaces, satellite modem management pages. Search queries like "Hughes" port:80, "iDirect" http.title, or "Newtec" port:443 reveal exposed management interfaces. |
| Censys | Similar to Shodan with certificate-based discovery. Useful for finding TLS certificates issued to satellite operators and identifying their internet-facing infrastructure. |
| RIPE/ARIN/BGP tools | Identify IP address allocations belonging to satellite operators. Satellite ISPs have distinct AS numbers and IP ranges that can be enumerated. |
| Wigle.net | Wardriving database that can identify satellite uplink locations by correlating WiFi access point locations with known ground station sites. |

OSINT Methodology for Satellite Targets

```mermaid
flowchart TD
    A["Identify Target Satellite"] --> B["Retrieve TLEs from Space-Track"]
    B --> C["Determine Frequencies from SatBeams/LyngSat"]
    C --> D["Calculate Pass Windows with gpredict"]
    D --> E["Scan Ground Infrastructure with Shodan/Censys"]
    E --> F["Identify Operator IP Ranges via ARIN/RIPE"]
    F --> G["Map Attack Surface: Space + Ground + User"]
    G --> H["Cross-reference with known vulnerabilities"]
```

Embedded & Reverse Engineering Tools

Satellite terminals, modems, and ground station controllers are embedded systems. When physical access to this equipment is obtained (through purchase of commercial VSAT terminals, decommissioned hardware, or authorized penetration testing), the following tools enable firmware extraction and analysis.

Firmware Extraction & Analysis

| Tool | Purpose | Satellite Application |
|---|---|---|
| Binwalk | Firmware image extraction and analysis. Identifies embedded file systems, compressed archives, and executable code within binary firmware dumps. | Extract firmware from satellite modem flash dumps, identify embedded Linux file systems in VSAT terminals |
| Firmware Analysis Toolkit (FAT) | Automated firmware emulation using QEMU | Emulate extracted satellite modem firmware for dynamic analysis without requiring physical hardware |
| Jefferson | JFFS2 filesystem extraction | Many satellite embedded systems use JFFS2; Jefferson extracts the contents |
| ubi_reader | UBI/UBIFS filesystem extraction | Common in newer NAND-flash-based satellite terminals |

Reverse Engineering

| Tool | Purpose | Satellite Application |
|---|---|---|
| Ghidra | NSA’s open-source reverse engineering framework. Supports ARM, MIPS, PowerPC — the processor architectures used in satellite hardware. | Analyze satellite modem firmware for hardcoded credentials, backdoors, undocumented commands |
| IDA Pro | Commercial disassembler and decompiler (industry standard) | Professional-grade firmware reverse engineering |
| Radare2 / Rizin | Open-source reverse engineering framework | Scriptable analysis of satellite firmware binaries |
| Binary Ninja | Commercial reverse engineering platform with modern UI | Interactive firmware analysis with good automation APIs |

Hardware Interfaces

| Tool | Purpose | Satellite Application |
|---|---|---|
| Bus Pirate | Universal bus interface (UART, SPI, I2C, JTAG) | Connect to debug ports on satellite modem circuit boards |
| JTAG/SWD Debuggers (J-Link, ST-Link, OpenOCD) | On-chip debugging interfaces | Extract firmware directly from processor memory, set breakpoints, inspect runtime state |
| Logic Analyzers (Saleae, DSLogic) | Capture and decode digital bus traffic | Reverse-engineer communication between satellite modem components |
| ChipWhisperer | Side-channel analysis and fault injection | Test satellite hardware for power analysis and glitching vulnerabilities |

Firmware Analysis Workflow

```mermaid
flowchart TD
    A["Obtain Satellite Terminal Hardware"] --> B["Identify Debug Ports<br/>(UART, JTAG, SWD)"]
    B --> C["Extract Firmware via JTAG<br/>or Flash Chip Desolder"]
    C --> D["Analyze with Binwalk<br/>(identify filesystems, compression)"]
    D --> E["Extract Filesystem<br/>(squashfs, JFFS2, UBIFS)"]
    E --> F["Static Analysis in Ghidra<br/>(identify credentials, protocols)"]
    F --> G["Emulate with QEMU/FAT<br/>(dynamic testing)"]
    G --> H["Identify Vulnerabilities<br/>(hardcoded creds, command injection, buffer overflows)"]
```
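
The filesystem-identification step of this workflow, reduced to its core: search a flash dump for squashfs, JFFS2 and UBI magic bytes, then validate the header fields that follow so that stray matches are discarded. This is an added example, not Binwalk's code and not part of the original page; the function names and the sample dump are constructed for illustration.

```python
import struct

# squashfs 4.x superblock, first 48 bytes, little-endian
SQFS_FMT = "<4sIIIIHHHHHHQQ"
SQFS_LEN = struct.calcsize(SQFS_FMT)
SQFS_COMPRESSION = {1: "gzip", 2: "lzma", 3: "lzo", 4: "xz", 5: "lz4", 6: "zstd"}
JFFS2_NODETYPES = {0xE001: "dirent", 0xE002: "inode", 0x2003: "cleanmarker",
                   0x2004: "padding", 0x2006: "summary"}


def check_squashfs(blob, off):
    """Accept only if version, compression id, block size and image size agree."""
    if off + SQFS_LEN > len(blob):
        return None
    (_, _, _, block_size, _, comp, block_log, _, _,
     major, minor, _, used) = struct.unpack_from(SQFS_FMT, blob, off)
    if major != 4 or comp not in SQFS_COMPRESSION:
        return None
    if not 12 <= block_log <= 20 or block_size != 1 << block_log:
        return None
    if used < SQFS_LEN or off + used > len(blob):
        return None
    return f"squashfs v{major}.{minor} {SQFS_COMPRESSION[comp]} size={used}"


def check_jffs2(blob, off):
    """A 2-byte magic matches by chance often, so require a known node type."""
    if off + 12 > len(blob):
        return None
    _, nodetype, totlen = struct.unpack_from("<HHI", blob, off)
    if nodetype not in JFFS2_NODETYPES or not 12 <= totlen <= len(blob) - off:
        return None
    return f"jffs2 {JFFS2_NODETYPES[nodetype]} node len={totlen}"


def check_ubi(blob, off):
    """UBI erase-count header: 64 bytes, version byte follows the magic."""
    if off + 64 > len(blob) or blob[off + 4] != 1:
        return None
    return "UBI erase-count header v1"


CHECKS = [(b"hsqs", check_squashfs), (b"\x85\x19", check_jffs2), (b"UBI#", check_ubi)]


def scan_firmware(blob):
    """Return sorted (offset, description) pairs for every validated signature."""
    hits = []
    for magic, check in CHECKS:
        pos = blob.find(magic)
        while pos != -1:
            detail = check(blob, pos)
            if detail:
                hits.append((pos, detail))
            pos = blob.find(magic, pos + 1)
    return sorted(hits)


def build_sample():
    """Constructed 1 KiB dump: decoy magic, squashfs at 0x100, JFFS2 node at 0x300."""
    blob = bytearray(b"\xff" * 0x400)
    blob[0x10:0x14] = b"hsqs"  # decoy: magic bytes with no valid superblock behind them
    sb = struct.pack(SQFS_FMT, b"hsqs", 42, 0x60000000, 131072, 0,
                     4, 17, 0, 1, 4, 0, 0, 0x200)
    blob[0x100:0x300] = sb + b"\x00" * (0x200 - len(sb))
    blob[0x300:0x30C] = bytes.fromhex("851903200c000000b1b01ee4")
    return bytes(blob)


if __name__ == "__main__":
    for offset, detail in scan_firmware(build_sample()):
        print(f"0x{offset:06x}  {detail}")
```

The decoy at offset 0x10 is rejected because the bytes after it do not form a consistent superblock, which is why header validation matters on real dumps full of erased-flash padding and compressed data.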

Simulation & Testing Platforms

Conducting security research against live satellites carries legal, safety, and ethical risks. Simulation platforms allow researchers to test attacks and defenses in controlled environments.

COSMOS (Ball Aerospace / OpenC3)

COSMOS (now maintained as OpenC3) is a command and telemetry system originally developed by Ball Aerospace. It provides a complete ground system for commanding and monitoring spacecraft, and is used by many CubeSat and small satellite programs. Security researchers use COSMOS to:

  • Set up realistic satellite command and telemetry environments
  • Test command injection attacks against simulated spacecraft
  • Develop and validate intrusion detection rules for satellite communications
  • Practice incident response scenarios for satellite operations

```bash
# Install OpenC3 via Docker
git clone https://github.com/OpenC3/cosmos.git
cd cosmos && ./openc3.sh start
# Access web interface at http://localhost:2900
```

OpenSatKit

OpenSatKit integrates NASA’s core Flight System (cFS) with COSMOS to provide a complete satellite simulation environment. cFS is the actual flight software framework used on many NASA missions and CubeSats. OpenSatKit allows researchers to:

  • Run realistic satellite flight software on desktop hardware
  • Send commands and receive telemetry using standard CCSDS protocols
  • Test attacks against cFS applications (command spoofing, telemetry manipulation)
  • Develop security extensions for the cFS framework
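
A starting point for the intrusion detection rules mentioned under COSMOS, applied to the CCSDS Space Packets that cFS exchanges with the ground system: parse the 6-byte primary header and flag telecommands with an unexpected APID, a broken sequence count, or a length field that disagrees with the bytes received. This is an added example, not code from OpenC3, cFS or the original page; the `CommandLinkMonitor` class, the APID allowlist and the sample packets are assumptions, and the sequence rule assumes the ground system increments the counter per APID.

```python
import struct
from dataclasses import dataclass

PRIMARY_HEADER_LEN = 6  # the CCSDS Space Packet primary header is always 6 bytes


@dataclass(frozen=True)
class SpacePacketHeader:
    version: int
    is_command: bool            # packet type bit: 1 = telecommand, 0 = telemetry
    has_secondary_header: bool
    apid: int                   # 11-bit application process identifier
    seq_flags: int
    seq_count: int              # 14-bit counter, wraps at 16384
    data_length: int            # bytes after the primary header (field value + 1)


def parse_primary_header(packet: bytes) -> SpacePacketHeader:
    if len(packet) < PRIMARY_HEADER_LEN:
        raise ValueError("shorter than primary header")
    word0, word1, length = struct.unpack(">HHH", packet[:PRIMARY_HEADER_LEN])
    return SpacePacketHeader(
        version=word0 >> 13,
        is_command=bool((word0 >> 12) & 1),
        has_secondary_header=bool((word0 >> 11) & 1),
        apid=word0 & 0x7FF,
        seq_flags=word1 >> 14,
        seq_count=word1 & 0x3FFF,
        data_length=length + 1,
    )


def make_packet(apid, seq_count, payload, is_command=True):
    """Build a constructed test packet (no secondary header, unsegmented)."""
    if not payload:
        raise ValueError("the packet data field needs at least one byte")
    word0 = (int(is_command) << 12) | (apid & 0x7FF)
    word1 = (0b11 << 14) | (seq_count & 0x3FFF)
    return struct.pack(">HHH", word0, word1, len(payload) - 1) + payload


class CommandLinkMonitor:
    """Hypothetical per-APID rule set for an uplink tap in a simulation lab."""

    def __init__(self, allowed_apids):
        self.allowed = set(allowed_apids)
        self.last_seq = {}

    def inspect(self, packet):
        try:
            hdr = parse_primary_header(packet)
        except ValueError as exc:
            return [f"malformed: {exc}"]
        alerts = []
        if hdr.version != 0:
            alerts.append("bad-version")
        if len(packet) != PRIMARY_HEADER_LEN + hdr.data_length:
            alerts.append("length-mismatch")
        if not hdr.is_command:
            return alerts  # telemetry is not tracked by this rule set
        if hdr.apid not in self.allowed:
            alerts.append("unknown-apid")
            return alerts
        last = self.last_seq.get(hdr.apid)
        if last is not None and hdr.seq_count != (last + 1) % 0x4000:
            alerts.append("sequence-anomaly")  # replayed, dropped or injected command
        self.last_seq[hdr.apid] = hdr.seq_count
        return alerts


def run_demo():
    """Run constructed traffic through the monitor; APIDs 0x003 and 0x006 are allowed."""
    monitor = CommandLinkMonitor(allowed_apids={0x003, 0x006})
    traffic = [
        make_packet(0x006, 10, b"\x00\x01"),              # first command seen
        make_packet(0x006, 11, b"\x00\x02"),              # next in sequence
        make_packet(0x006, 11, b"\x00\x02"),              # same counter again
        make_packet(0x1A5, 0, b"\x00\x00"),               # APID outside the allowlist
        make_packet(0x006, 12, b"\x00\x01\x02\x03")[:-2], # truncated in transit
    ]
    return [monitor.inspect(p) for p in traffic]


if __name__ == "__main__":
    for number, alerts in enumerate(run_demo(), start=1):
        print(number, alerts or "ok")
```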

42 (NASA Goddard)

42 is a spacecraft attitude simulation developed by NASA Goddard Space Flight Center. It simulates multi-body spacecraft dynamics, orbital mechanics, sensor models, and actuator models. While primarily an engineering tool, 42 is relevant to security research involving:

  • Attitude determination and control system (ADCS) spoofing attacks
  • Star tracker and sun sensor manipulation
  • GPS spoofing effects on spacecraft navigation

Systems Tool Kit (STK)

STK (formerly Satellite Tool Kit) by Ansys/AGI is the industry-standard commercial platform for satellite mission analysis. The free tier provides:

  • Satellite orbit visualization and analysis
  • Link budget calculations for satellite communications
  • Coverage analysis (which ground areas a satellite can serve)
  • Conjunction analysis for space situational awareness

The commercial tiers add RF propagation modeling, radar cross-section analysis, and multi-domain scenario planning used by defense organizations.


Key Research Papers

The following papers represent foundational and landmark research in satellite security. Every serious satellite security researcher should be familiar with these works.

| Year | Authors | Title | Venue / Publisher | Key Contribution |
|---|---|---|---|---|
| 2014 | Ruben Santamarta | A Wake-Up Call for SATCOM Security | IOActive / Black Hat USA | First systematic analysis of SATCOM terminal vulnerabilities. Found hardcoded credentials, backdoors, and insecure protocols in terminals from Harris, Hughes, Cobham, Thuraya, JRC, and Iridium. |
| 2018 | Ruben Santamarta | Last Call for SATCOM Security | IOActive / Black Hat USA | Follow-up proving remote exploitation of SATCOM terminals. Demonstrated that vulnerabilities disclosed in 2014 remained largely unpatched. |
| 2020 | James Pavur et al. | A Tale of Sea and Sky: On the Security of Maritime VSAT Communications | IEEE S&P (Oakland) / Oxford University | Demonstrated interception of unencrypted maritime VSAT traffic using a $300 home TV satellite setup. Captured crew PII, ship positions, and operational data from vessels worldwide. |
| 2023 | Johannes Willbold et al. | Space Odyssey: An Experimental Software Security Analysis of Satellites | IEEE S&P (Oakland) / Ruhr University Bochum | First security analysis of firmware from real satellites (ESTCube-1, OPS-SAT, Flying Laptop). Found complete absence of encryption, authentication, and presence of known CVEs. |
| 2023 | Gabriele Oligeri et al. | GPS Spoofing Detection Techniques | Various / Multiple institutions | Survey and evaluation of GPS spoofing detection methods including signal strength monitoring, multi-receiver correlation, and inertial navigation cross-checks. |
| 2019 | Humphreys et al. | The Texas Spoofing Test Battery | University of Texas at Austin | Systematic GPS spoofing detection evaluation framework with standardized test scenarios. |
| 2022 | Falco et al. | Cybersecurity Principles for Space Systems | AIAA Journal of Aerospace Information Systems | Comprehensive framework for applying cybersecurity principles to space system design, bridging the gap between IT security and aerospace engineering. |
| 2015 | Costin & Francillon | Ghost in the Air(Traffic) | Black Hat USA | Analysis of ADS-B security weaknesses and demonstration of aircraft position spoofing and injection attacks via SDR. |

Community & Learning Resources

Capture-The-Flag & Challenges

Hack-A-Sat — The premier satellite security CTF competition, organized by the US Air Force and Space Force. Running since 2020, Hack-A-Sat challenges cover satellite bus exploitation, ground system attacks, RF signal processing, orbital mechanics, and flight software reverse engineering. The 2023 competition featured Moonlighter, the first on-orbit satellite designed to be hacked.

Conferences & Villages

| Event | Focus |
|---|---|
| DEF CON Aerospace Village | Hands-on satellite hacking workshops, SATCOM terminal teardowns, GPS spoofing demos |
| DEF CON Satellite Hacking Village | Dedicated satellite security talks and capture-the-flag challenges |
| ShmooCon | Occasional satellite and space security presentations |
| CyberSat Summit | Industry-focused satellite cybersecurity conference |
| Small Satellite Conference (SmallSat) | Utah State University annual conference with growing cybersecurity track |

Information Sharing

  • Space ISAC (Space Information Sharing and Analysis Center) — Industry consortium for sharing satellite and space system threat intelligence. Membership-based, operated by the National Cybersecurity Center.
  • CISA Space Systems Cybersecurity — US government guidance and alerts relevant to satellite infrastructure.

Online Communities

| Community | Platform | Focus |
|---|---|---|
| r/RTLSDR | Reddit | SDR hardware, satellite reception, signal identification |
| r/SatelliteHacking | Reddit | Satellite security research discussion |
| r/ADSB | Reddit | Aircraft tracking via satellite and terrestrial systems |
| SatNOGS Community | Discourse forum | Ground station operation, satellite signal decoding |
| GNU Radio Discuss | Mailing list / Discourse | Signal processing questions, custom decoder development |
| Hack-A-Sat Discord | Discord | Competition discussion, year-round satellite security community |

Books

| Title | Authors | Relevance |
|---|---|---|
| Satellite Communications (4th ed.) | Timothy Pratt, Charles Bostian, Jeremy Allnutt | Comprehensive textbook covering link budgets, modulation, orbital mechanics, and system design. Essential foundation for understanding what you’re attacking or defending. |
| Space Mission Engineering: The New SMAD | James R. Wertz et al. | The “bible” of space systems engineering. Covers every subsystem of a spacecraft including communications, command and data handling, and ground systems. |
| The Satellite Hacker’s Handbook | Various (community) | Practical guides for satellite signal reception, decoding, and analysis |
| Software-Defined Radio for Engineers | Travis Collins et al. (Analog Devices) | Free textbook covering SDR theory and practice with ADALM-Pluto exercises |
| Digital Signal Processing using Arm Cortex-M based Microcontrollers | Cem Ünsalan, M. Erkin Yücel | Relevant for understanding DSP in embedded satellite systems |

For newcomers to satellite security, the following progression builds skills incrementally from passive reception to active security research.

Phase 1: Passive Reception (Weeks 1–4)

Equipment: RTL-SDR V3/V4 ($30) + V-dipole antenna (included) + laptop

  1. Install SDR++ and familiarize yourself with the waterfall display and basic receiver operation
  2. Receive NOAA weather satellite APT images on 137 MHz — this provides immediate visual feedback and teaches satellite pass timing, Doppler correction, and signal processing basics
  3. Install SatDump and decode Meteor-M2 LRPT imagery for higher-resolution results
  4. Use gpredict to track satellite passes and understand orbital mechanics
  5. Receive ADS-B aircraft transponder signals (1090 MHz) to understand digital signal decoding

Phase 2: L-Band and Digital Signals (Weeks 5–8)

Equipment: Add an L-band patch antenna ($30) + LNA ($35)

  1. Receive Inmarsat signals at 1545 MHz — decode AERO and ACARS messages using SatDump
  2. Receive GOES HRIT/LRIT weather data at 1694 MHz for full-disc Earth imagery
  3. Begin learning GNU Radio fundamentals — build simple flowgraphs for FM demodulation, then progress to digital demodulators
  4. Study gr-satellites to understand how satellite protocol decoders are implemented

Phase 3: Active Research (Weeks 9–16)

Equipment: Add HackRF One ($350) or ADALM-Pluto ($200)

  1. Set up GPS-SDR-SIM in a shielded environment and understand GPS signal structure
  2. Install GNSS-SDR and process live GPS signals to understand receiver operation
  3. Build custom GNU Radio flowgraphs for satellite signal analysis
  4. Study the Santamarta and Pavur papers in detail
  5. Obtain a used VSAT terminal (eBay, surplus) and begin hardware analysis with Binwalk and Ghidra

Phase 4: Advanced Research (Ongoing)

Equipment: Consider Ettus USRP B210 for professional-grade work

  1. Participate in Hack-A-Sat qualifiers
  2. Set up OpenSatKit/COSMOS for satellite simulation
  3. Contribute to SatNOGS ground station network
  4. Develop and publish original research
  5. Engage with Space ISAC and DEF CON Aerospace Village communities

For details on how these tools apply to offensive satellite security assessments, see Penetration Testing and Red Teaming. For defensive applications, see Defenses & Mitigations.


Tool Selection by Assessment Type

Different satellite security engagements require different tool combinations. The following table maps assessment types to recommended tool loadouts.

| Assessment Type | SDR Hardware | Key Software | Additional Hardware |
|---|---|---|---|
| Passive Reconnaissance | RTL-SDR V3/V4 | SDR++, SatDump, gpredict | L-band patch antenna, LNA |
| VSAT Terminal Assessment | HackRF One | Binwalk, Ghidra, Nmap | Bus Pirate, JTAG debugger, logic analyzer |
| GPS Security Testing | HackRF One | GPS-SDR-SIM, GNSS-SDR | Shielded enclosure (mandatory), GPS receivers under test |
| Ground Station Pentest | N/A (network-based) | Shodan, Nmap, Metasploit, Burp Suite | Standard pentest laptop |
| Link Layer Analysis | USRP B210 | GNU Radio, gr-satellites, custom decoders | Appropriate antenna for target band, LNA chain |
| Full Satellite System Audit | USRP B210 + HackRF | All of the above + COSMOS/OpenSatKit | Anechoic chamber access for TX testing |

Satellite security tools exist on a spectrum from purely passive (receiving publicly broadcast signals) to actively transmitting (which introduces legal risk). Understanding where each tool falls is critical:

  • Always Legal (in most jurisdictions): Receiving and decoding unencrypted satellite signals (weather satellites, Inmarsat ACARS, ADS-B). Satellite tracking and OSINT. Firmware analysis of hardware you own.
  • Restricted: Transmitting on any frequency requires appropriate licensing (amateur radio license for amateur bands, experimental license for others). GPS simulation must occur in shielded environments.
  • Prohibited without Authorization: Active attacks against satellite ground infrastructure. Interference with satellite communications. Unauthorized access to satellite control systems.

Always operate within the bounds of applicable law, including the ITU Radio Regulations, national telecommunications law, and computer fraud statutes. For authorized security assessments, obtain explicit written permission that covers both the network/cyber scope and any RF transmission activities.