Offline Buster's Uncle

NASA Spacecraft was hackable for years until AI found it
« on: December 11, 2025, 03:58:09 pm »
GEEKSPIN
A 3-year-old vulnerability in NASA’s communications layer went unnoticed until AI exposed the cracks in manual review
Stefan Milovanovic
Wed, December 10, 2025 at 11:30 AM EST



NASA's Deep Space Station 35 (DSS-35) at the Canberra Deep Space Communication Complex in Tidbinbilla, Australia, photographed on May 21, 2014 | ©Image Credit: NASA


Even with rigorous protocols and billion-dollar budgets, human oversight has its limits—a reality NASA was forced to confront this week. After three years of manual reviews failing to catch a critical flaw in the agency’s communications software, an AI tool from startup AISLE identified the vulnerability in a matter of days.

The flaw sat inside CryptoLib, the cryptographic library NASA uses to authenticate commands traveling between Earth and its spacecraft. No one caught it — not during reviews, not during updates — until the automated analysis flagged the specific lines of code that human eyes had missed.

In a blog post dedicated to outlining the findings, AISLE described the issue as follows: “For three years, the security system meant to protect spacecraft-to-ground communications contained a vulnerability that could undermine that protection.”

The startup’s researchers warned that such a vulnerability poses a direct threat to the billions of dollars invested in space infrastructure and the scientific missions they support.


The Authentication Gap

The weak spot lived inside the authentication setup. If an attacker managed to get hold of operator credentials — phishing, malware, the usual playbook — the door opened wider than anyone expected.

Researchers described the flaw as one that “transforms what should be routine authentication configuration into a weapon,” warning that it lets attackers “inject arbitrary commands that execute with full system privileges.”

To execute such commands, however, local access would still have been required, meaning this wasn’t a remote takeover scenario. But for systems tied to active missions, that distinction only goes so far. The flaw reportedly survived several human reviews over its lifespan before AISLE’s autonomous analyzer surfaced it and guided a fix in four days.


The Case for Automation

This shift towards automation comes as NASA’s operational landscape becomes increasingly complex, blending aging legacy hardware with decentralized ground controls.

Just last month, the Mars Reconnaissance Orbiter—which has been circling the Red Planet since 2006—relied on a newly developed “very large roll” maneuver to debunk a sub-surface lake hypothesis. That operation required precise software commands to rotate the aging spacecraft 120 degrees mid-orbit, a feat that demonstrates how deeply new code must interact with decades-old hardware.

Simultaneously, the agency is preparing for the ESCAPADE mission, where mission control will be handed over to UC Berkeley rather than NASA’s traditional hubs. With universities and private partners like Rocket Lab now managing active spacecraft, the network of “ground control” access points is expanding, creating a wider surface area for the kind of authentication vulnerabilities identified in CryptoLib.

NASA’s codebases have expanded over decades of missions, creating a complexity that AISLE’s researchers argue makes tools like theirs increasingly necessary as mission software grows older, larger, and more interconnected.

They noted that “Human review remains valuable, but autonomous analyzers can systematically examine entire codebases, flag suspicious patterns, and operate continuously as code evolves.”

Although AISLE didn’t report any evidence that the vulnerability was used in the wild, this episode adds to a growing list of reminders that spacecraft security now depends as much on software hygiene as it does on ground control protocols. And that even code written to keep things safe can carry problems no one notices until a machine points straight at them.

Sources: Space.com, CVE, Daily Star, Aisle

Read the original article on GEEKSPIN.

 
