This study addresses the threat of insider sensor spoofing attacks in satellite systems caused by supply chain compromises, systematically uncovering and validating a telemetry falsification pathway enabled by malicious on-board components. By integrating a rogue application built upon the Core Flight Software framework into NASA’s NOS3 simulation environment, the authors demonstrate an end-to-end, protocol-compliant, and temporally coherent stealthy telemetry spoofing attack capable of deceiving ground station state estimation, concealing actual faults, and inducing hazardous operations. The work not only confirms the severe risks such attacks pose to mission integrity and availability but also proposes lightweight countermeasures, including authenticated telemetry and component attestation, to mitigate these vulnerabilities.

Spoofing attacks are among the most destructive cyber threats to terrestrial systems, and they become even more dangerous in space, where satellites cannot be easily serviced, and operators depend on accurate telemetry to ensure mission success. When telemetry is compromised, entire spaceborne missions are placed at risk. Prior work on spoofing has largely focused on attacks from Earth, such as injecting falsified uplinks or overpowering downlinks with stronger radios. In contrast, onboard spoofing originating from within the satellite itself remains an underexplored and underanalyzed threat. This vector is particularly concerning given that modern satellites, especially small satellites, rely on modular architectures and globalized supply chains that reduce cost and accelerate development but also introduce hidden risks. This paper presents an end-to-end demonstration of an internal satellite spoofing attack delivered through a compromised vendor-supplied component implemented in NASA's NOS3 simulation environment. Our rogue Core Flight Software application passed integration and generated packets in the correct format and cadence that the COSMOS ground station accepted as legitimate. By undermining both onboard estimators and ground operator views, the attack directly threatens mission integrity and availability, as corrupted telemetry can bias navigation, conceal subsystem failures, and mislead operators into executing harmful maneuvers. These results expose component-level telemetry spoofing as an overlooked supply-chain vector distinct from jamming or external signal injection. We conclude by discussing practical countermeasures-including authenticated telemetry, component attestation, provenance tracking, and lightweight runtime monitoring-and highlight the trade-offs required to secure resource-constrained small satellites.