🤖 AI Summary
Small satellites, particularly those developed by academic and amateur teams, face significant risk from vulnerabilities reachable from the ground, owing to constrained resources and limited security awareness.
Method: We conducted eight semi-structured interviews with U.S. university satellite teams and performed static security audits on three open-source onboard software repositories, focusing on communication protocols, key management, and command validation.
Contribution/Results: Our analysis revealed critical security gaps across all audited projects—each containing vulnerabilities exploitable by ground-based adversaries—and identified six recurring security deficiencies. We propose the first lightweight security framework tailored for non-professional small satellite developers, distilling twelve actionable, implementation-ready design principles. Two university satellite projects have already adopted this framework. This work bridges a critical gap between rigorous aerospace security engineering and grassroots satellite development practices.
📝 Abstract
Satellites face a multitude of security risks that set them apart from hardware on Earth. Small satellites may face additional challenges, as they are often developed on a budget and by amateur organizations or universities that do not consider security. We explore the security practices and preferences of small satellite teams, particularly university satellite teams, to understand what barriers exist to building satellites securely. We interviewed 8 university satellite club leaders across 4 clubs in the U.S. and performed a code audit of 3 of these clubs' code repositories. We find that security practices vary widely across teams, but all teams studied had vulnerabilities available to an unprivileged, ground-based attacker. Participants foresee many risks of unsecured small satellites and indicate security shortcomings in industry and government. Lastly, we identify a set of considerations for how to build future small satellites securely, in amateur organizations and beyond.