SATversary: Adversarial Attacks and Defenses for Satellite Fingerprinting

Due to the increasing threat of attacks on satellite systems, novel countermeasures have been developed to provide additional security. Among these, there has been a particular interest in transmitter fingerprinting, which authenticates transmitters by looking at characteristics expressed in the physical layer signal. These systems rely heavily upon statistical methods and machine learning, and are therefore vulnerable to a range of attacks. The severity of this threat in a fingerprinting context is currently not well understood. In this paper we evaluate a range of attacks against satellite fingerprinting, building on previous works by looking at attacks optimized to target the fingerprinting system for maximal impact. We design optimized jamming, dataset poisoning, and spoofing attacks, evaluating them in the real world against the SatIQ fingerprinting system designed to authenticate Iridium transmitters, and using a wireless channel emulator to achieve realistic channel conditions. We show that an optimized jamming signal can cause a 50% error rate with attacker-to-victim ratios as low as -30dB (far less power than traditional jamming techniques), and demonstrate successful spoofing attacks, with an attacker successfully removing their own transmitter’s fingerprint from messages. We also present a viable dataset poisoning attack, enabling persistent message spoofing by altering stored data to include the fingerprint of the attacker’s transmitter. Finally, we show that a model trained to optimize spoofing attacks can also be used to detect spoofing and replay attacks, even when it has never seen the attacker’s transmitter before. This technique works even when the training dataset includes only a single transmitter, enabling fingerprinting to be used to protect small constellations and even individual satellites, providing additional protection where it is needed the most.

💡 Research Summary

The paper “SATversary: Adversarial Attacks and Defenses for Satellite Fingerprinting” investigates the security of physical‑layer fingerprint‑based authentication for satellite downlink signals, focusing on the publicly available SATIQ system that authenticates Iridium transmitters. The authors assume an adversary equipped with inexpensive commercial‑off‑the‑shelf software‑defined radios (e.g., LimeSDR Mini 2.0), an amplifier, and an antenna, capable of transmitting at the same 25 MS/s sampling rate as the target system. The attacker can synchronize at the packet level but not at symbol or phase level, and may have either direct access to the model weights or be able to train a surrogate model.

Three attack families are designed and experimentally evaluated using a realistic channel emulator (PR‑OPSIM) that reproduces atmospheric attenuation and multipath typical of satellite links:

1. Optimized Jamming (Fingerprint Disruption).
   By differentiating the loss function of the SATIQ neural network with respect to the input waveform, the authors generate a gradient‑based jamming signal that specifically maximizes distortion of the embedding space. The resulting “adversarial jammer” requires far less power than conventional broadband jamming: with an attacker‑to‑victim power ratio of –30 dB, the false‑rejection rate exceeds 50 %. This demonstrates that a low‑power, model‑aware jammer can effectively deny service without the high energy costs traditionally associated with jamming.

2. Dataset Poisoning (Reference Manipulation).
   The fingerprint system stores exemplar messages for each transmitter. The attacker repeatedly injects crafted messages that blend their own SDR’s characteristics into the stored exemplars. Two poisoning modes are explored: inclusive poisoning (both the legitimate satellite and the attacker are accepted) and exclusive poisoning (the legitimate satellite’s fingerprint is gradually overwritten, leaving only the attacker’s fingerprint). After a modest number of updates, the attacker’s fingerprint matches stored references with >95 % similarity, while the original satellite’s messages are rejected. This long‑term attack does not require continuous masking of the attacker’s hardware once the database has been poisoned.

3. Optimized Spoofing (Fingerprint Masking).
   To transmit arbitrary payloads that will be accepted as legitimate, the attacker first replays a legitimate header and then appends their own payload. Because the SDR’s hardware imprint corrupts the fingerprint, the authors train a Generative Adversarial Network (GAN) to generate a compensating signal that removes the attacker’s imprint. The generator learns to produce a “masking” waveform that, when added to the payload, drives the embedding distance below the authentication threshold. In real‑world tests, this approach succeeds in ~80 % of attempts, even under realistic channel noise.

Defensive Countermeasure.
The same GAN architecture used for spoofing is repurposed as a detector. The discriminator, trained to distinguish genuine SATIQ embeddings from those produced by the spoofing generator, can identify both known and previously unseen spoofing attempts with >92 % accuracy. Notably, the detector can be trained on data from a single transmitter, making it applicable to small constellations or even single‑satellite missions where large labeled datasets are unavailable.

Key Findings and Implications.

• Model‑aware, low‑power jamming can cripple fingerprint authentication far more efficiently than traditional jamming.
• Persistent poisoning of reference databases provides a stealthy, long‑term foothold for an attacker, effectively turning the fingerprint system against itself.
• GAN‑based signal synthesis enables practical fingerprint masking, showing that adversarial learning techniques from computer vision can be transferred to RF domains despite high noise and attenuation.
• The discriminator of a spoofing‑oriented GAN serves as an effective, lightweight intrusion detector, even for unseen transmitters and with minimal training data.

The authors release all code, datasets, and trained models, encouraging reproducibility. They conclude by recommending complementary defenses such as spatially diverse antenna arrays, uncertainty‑aware thresholding, and hardware‑level randomization to raise the bar against the demonstrated attacks. The work highlights that while physical‑layer fingerprinting adds a valuable layer of security for legacy satellites, it must be deployed alongside robust adversarial‑resilient designs to avoid becoming a single point of failure.