Characterizing and Analyzing LEO Satellite Cyber Landscape: A Starlink Case Study

Ushering into the ‘New Space Era’, characterized by a reduction in launch expenses and simultaneous proliferation of commercial and governmental entities involved, the prominence of Low Earth Orbit (LEO) satellite technology in the sphere of Internet connectivity has risen to the forefront. However, due to current limitations under the overarching principle of ‘security-through-obscurity’, few to no research efforts have shed light on the intricacies of these networks. To this end, this paper harnesses a multilayer empirical approach in an effort to conduct an exploratory characterization and scrutiny of the cybersecurity landscape of Starlink, the largest LEO network. Using our built-in arsenal of data feeds, composed of large dark IP addresses, passive measurement sensors, BGP collectors, coupled with publicly available sources, we unveil on the Starlink cyberspace (i) Internet-scale exploitations, (ii) illicit scanning events originating from 8,675 unique Starlink end-users, (iii) suspicious Port 0 and IKE scans, (iv) Mirai-based infections, (v) source address spoofing, (vi) 8,714 vulnerabilities ranging between medium and critical, and (vii) interesting RTBH announcements associated with possible mitigation techniques.