Blog · Threat Research · Earth Observation · 2026-06-10

Why satellite remote sensing AI is the newest prompt injection attack surface

Satellite AI is no longer confined to research institutions. The USDA's Farm Service Agency uses satellite-derived vegetation indices to validate $10 billion in annual crop insurance claims. The EPA uses satellite spectral data to detect unreported pesticide use and illegal land conversion. FEMA uses satellite damage assessments to allocate post-disaster public assistance. In every case, the AI's primary input is not text — it is a multi-band raster image carrying pixel values across wavelengths no human eye can see. That is an input channel every text-only prompt injection scanner on the market has never inspected, and it is the newest frontier of adversarial manipulation in production AI systems.

TL;DR

Satellite remote sensing AI processes multispectral pixel arrays — Sentinel-2 images have 13 spectral bands, Landsat 9 has 11, SAR data is complex-valued amplitude and phase. Text-only PI scanners have nothing to inspect: there is no string representation of a 13-band spectral image. Adversarial attacks in this domain perturb individual band values to shift AI-computed vegetation indices, land cover classifications, and damage severity scores toward attacker-chosen outcomes. At stake: USDA crop insurance payouts (18 USC §1001), EPA FIFRA pesticide compliance reporting (FIFRA §136), and FEMA public assistance declarations (44 CFR Part 206). The full attack surface, platform inventory, and compliance framework mapping are in "satellite remote sensing AI prompt injection"; this post is the argument for why the risk is real, what the attacks look like in practice, and what scanning at the right boundary actually requires.

1. What satellite AI systems actually process

To understand why satellite AI creates a novel prompt injection attack surface, start with what the data actually is. Satellite remote sensing imagery is not a photograph. It is a multi-dimensional array of numeric values where each dimension corresponds to a different portion of the electromagnetic spectrum — not just visible light but near-infrared, shortwave-infrared, thermal infrared, and for SAR (synthetic aperture radar) satellites, microwave backscatter amplitude and phase.

Multispectral imagery. Sentinel-2 (European Space Agency, freely available globally) captures 13 spectral bands including four shortwave-infrared bands and three red-edge bands invisible to human eyes. Landsat 9 (USGS/NASA) captures 11 bands including two shortwave-infrared bands and a panchromatic band. Commercial satellites from Planet Labs (PlanetScope, SkySat), Maxar (WorldView series), and Airbus (SPOT, Pléiades) add even higher spatial resolution with similar spectral profiles. The AI model ingesting this data sees a 13-band tensor per pixel — not an RGB image, not text.

Hyperspectral imagery. Airborne and satellite hyperspectral sensors (NASA's AVIRIS, DLR's DESIS aboard the ISS) capture 200–400 spectral bands per pixel. Environmental monitoring AI systems using hyperspectral data can identify specific chemical compounds from their spectral signatures — chlorophyll stress, soil moisture, pesticide residues, methane plumes. These signatures are in individual band values at sub-nanometre wavelength resolution. A text PI scanner has zero coverage of this data type.

SAR (Synthetic Aperture Radar). SAR satellites (ESA's Sentinel-1, JAXA's ALOS-2, Capella Space, ICEYE) emit microwave pulses and record the reflected energy as complex amplitude-phase values. SAR penetrates cloud cover and operates day and night — making it essential for disaster response, flood monitoring, and infrastructure surveillance. SAR data is not pixels in any visual sense; it is complex numbers representing electromagnetic backscatter. AI models trained on SAR data for change detection, flood mapping, or building damage assessment process this complex-valued tensor directly. The attack surface for SAR is in phase and amplitude manipulation, not typography or text.

The common thread: in all three modalities, the AI's primary input is a multi-dimensional numeric array representing electromagnetic measurements. There is no text to scan. Every text-only prompt injection scanner ever built — including Lakera Guard, LLM Guard, Azure Prompt Shields, and Promptfoo — is categorically inapplicable. This is not a capability gap to be closed with a larger blocklist; it is a scope boundary. The complete explanation of why text scanners are architecturally blind to image-domain attacks is in "why every text-only scanner misses a 30-pixel PNG".

2. Four adversarial attack scenarios with real regulatory consequences

Scenario A — USDA crop monitoring: NDVI injection for fraudulent insurance payouts

The USDA Risk Management Agency (RMA) and Farm Service Agency (FSA) use satellite-derived vegetation indices to validate crop insurance claims under the Federal Crop Insurance Act and to determine Agricultural Risk Coverage (ARC) and Price Loss Coverage (PLC) payments under the Farm Bill. The primary index is NDVI — Normalized Difference Vegetation Index — calculated as (NIR − RED) / (NIR + RED) using near-infrared and red spectral band values. An NDVI value near 1.0 indicates dense, healthy vegetation; values near 0.0 indicate bare soil; negative values indicate water or snow. The AI systems that validate claims and flag anomalous acreage reporting are trained on this index and its derivatives (EVI, SAVI, NDWI for soil moisture).

An NDVI injection attack targets the specific spectral bands the index is calculated from. By decreasing the NIR band value or increasing the RED band value in a subset of pixels in a satellite image tile covering a target farm, an attacker can shift the computed NDVI downward — from a value indicating healthy crop to a value indicating drought stress or crop failure. If the manipulated tile enters the AI's validation pipeline as the reference image for a farm acreage report, the AI may classify the field as drought-affected and approve an insurance claim it would otherwise flag for manual review.

The regulatory consequences: filing a fraudulent crop insurance claim violates 18 USC §1006 (fraud involving federal credit institutions and insurance programs) and 18 USC §1001 (False Statements Accountability Act), with penalties up to $10,000 per violation and five years imprisonment per count. The USDA OIG has prosecuted crop insurance fraud cases in the $1M–$10M range; satellite AI manipulation would scale this attack surface dramatically. The complete compliance framework for USDA satellite AI — including specific FSA regulations, RMA actuarial standards, and the USDA OIG oversight obligations — is in "satellite remote sensing AI prompt injection".

Scenario B — EPA environmental monitoring: spectral bypass for compliance evasion

The EPA uses satellite multispectral and hyperspectral imagery in its environmental compliance monitoring programs — for detecting unreported pesticide applications (FIFRA §136), identifying illegal land conversion near protected wetlands (Clean Water Act Section 404), and monitoring emissions and runoff in violation of NPDES permits (Clean Water Act Section 402). Commercial AI services from companies including Planet Labs, Descartes Labs, and Orbital Insight process satellite data for EPA regional offices and state environmental agencies on a contract basis.

The spectral signatures of pesticide stress, algal bloom formation, and soil disturbance are specific to narrow wavelength bands — exactly the bands an adversarial attack can perturb. A FIFRA-regulated pesticide applicator seeking to avoid detection could deliver a modified satellite image tile where the spectral signature of chemical application has been suppressed by adversarially adjusting the relevant shortwave-infrared and red-edge bands before the imagery enters the EPA's AI classification pipeline. The AI would classify the field as compliant; the inspection trigger would not fire.

This scenario is not hypothetical as a policy concern: EPA's Office of Inspector General has flagged satellite data integrity as a gap in its AI systems risk assessments. The compliance gap is not just environmental — it extends to ESG reporting obligations for agricultural companies whose satellite-verified environmental claims may be submitted to investors under SEC climate disclosure rules (17 CFR Parts 210 and 229). A manipulated satellite AI creates false ESG metrics that can constitute securities fraud. Related analysis: ESG and sustainability AI prompt injection.

Scenario C — FEMA disaster assessment: manipulating public assistance declarations

Following a natural disaster, FEMA uses satellite imagery and AI-powered damage assessment systems to map the geographic extent of damage, classify damage severity, and inform the federal disaster declaration that unlocks public assistance funding under 44 CFR Part 206 (Public Assistance Program). The Stafford Act (42 USC §5170) ties the magnitude of federal assistance to the declared damage scope; a manipulated damage assessment that inflates or deflates the affected area directly affects the allocation of billions of dollars in disaster relief.

SAR-based change detection is a primary tool for damage assessment in disaster response — it can operate through cloud cover and smoke, essential in the hours after a major event. An adversarial attack against a SAR-based damage assessment AI can perturb the amplitude or phase values in a SAR image covering a target area to either (a) inflate apparent damage in an area that was not affected, driving additional federal aid allocation, or (b) suppress apparent damage in a politically inconvenient area, reducing aid eligibility for affected populations. Both attack directions have real-world stakes in the billions of dollars and directly affect the lives of disaster survivors.

The Stafford Act makes false statements in connection with disaster assistance a federal crime; knowingly manipulating data that feeds a federal disaster assessment AI to obtain public assistance funding is prosecutable under 42 USC §5157(a). The technical enablement — delivering a manipulated SAR tile to a FEMA damage assessment pipeline — requires compromising one of the satellite data pipelines described in the data provenance section below.

Scenario D — Customs and trade compliance: satellite-verified shipment fraud

Customs and border enforcement agencies increasingly use satellite AI to verify declared shipment quantities, detect unreported warehouse activity, and audit port traffic against declared cargo manifests. Satellite-verified inventory AI matches cargo imagery against declared import/export volumes for anti-dumping enforcement (19 USC §1677 et seq.) and agricultural import quota compliance (19 CFR Part 132). Manipulating the satellite imagery input to this AI creates a mechanism for trade fraud at scale that is much harder to detect than falsified paper documents. The customs trade compliance AI attack surface is detailed in "customs and trade compliance AI prompt injection".

3. The data provenance attack path: where to inject

A common objection to satellite AI injection attacks is that the attacker would need to compromise a satellite. That misunderstands where the actual attack surface sits. Satellites transmit data to ground stations; ground stations process and archive it; archive services expose it via API; downstream AI systems pull from those APIs. The injection attack does not need to happen at the satellite — it only needs to happen somewhere along the data pipeline before the AI model processes the tile.

Imagery API layer. Commercial satellite imagery is increasingly delivered via SaaS APIs: Sentinel Hub API (Sinergise/Planet Labs), Planet Labs Tasking and Data API, Maxar SecureWatch API, Google Earth Engine API. An attacker who can compromise a pipeline script that pulls imagery from these APIs — via credential theft, MITM on an unencrypted API call, or supply chain compromise of an open-source Python library used in the ingestion pipeline — can substitute a manipulated tile for a legitimate one without any physical access to the satellite ground station. This is the same supply chain attack vector documented for software AI supply chains but applied to the data layer. See "indirect prompt injection via image" for the general taxonomy.

Local tile cache. Geospatial AI pipelines routinely cache downloaded imagery tiles locally to reduce API costs and latency. A local file system attack against a weakly-permissioned tile cache directory can substitute adversarially perturbed tiles for cached legitimate ones. The AI pipeline pulls from the local cache, processes the modified tiles, and produces a manipulated output — with no network traffic to the original API that would trigger anomaly detection.

Ingestion-time poisoning of analysis pipelines. If the satellite AI uses a training or fine-tuning data store that is fed by ongoing satellite imagery downloads — for crop pattern modelling, change detection baselines, or damage assessment calibration — ingestion-time poisoning can shift the model's learned representations over time, not just manipulate a single inference. This is the OWASP LLM03:2025 training data poisoning vector applied to earth observation AI, and it is harder to detect because it affects model behaviour gradually rather than producing an obvious single-event anomaly. "Vision-language model security" covers the implications for VLMs trained on satellite imagery datasets.

4. Why text-only scanning cannot be adapted to cover this threat

When satellite AI system owners encounter the multimodal PI scanning argument for the first time, the most common response is: "we run metadata validation and output anomaly detection — isn't that equivalent?" It is not, and the structural argument is the same as for medical imaging: the attack lives in the channel that text-only validation never touches.

Metadata validation covers the wrong channel. Satellite imagery metadata — acquisition timestamp, cloud cover percentage, solar zenith angle, tile ID, coordinate reference system — is the label on the box, not the contents. An adversarially perturbed tile can have perfectly valid metadata: it was acquired at the stated time, has the stated cloud cover, and covers the stated coordinates. The perturbation is in the spectral band values inside the pixel array — values that metadata validation never reads. Checking that the tile ID and timestamp are consistent with the source API tells you nothing about whether the 13-band pixel array inside was modified before delivery.

Output anomaly detection fires after the damage. Detecting that the AI's output classification is anomalous (NDVI values outside historical range, damage assessment inconsistent with adjacent tiles) may catch some attacks post-hoc — but it fires after the model has already processed the adversarial input and produced an output that may have been logged, reported, or acted on. Output anomaly detection is a compensating control, not a pre-processing security boundary. It also misses attacks calibrated to produce plausible outputs: an NDVI injection attack that shifts values from 0.7 to 0.3 (healthy-to-stressed, not to an obviously invalid value) may not trigger any output anomaly threshold while still flipping a crop insurance claim decision.

The scan must happen at the pixel boundary. Like medical imaging, the only placement that covers the attack surface is at the point where raw image bytes are received, before any spectral index calculation, before any AI preprocessing, before any model call. A scanner at this boundary can detect: adversarial pixel perturbations via CLIP-embedding anomaly, statistical distribution anomalies in individual spectral bands consistent with targeted injection, embedded typography or steganographic payloads in the visible bands, and per-band value distributions inconsistent with sensor-specific noise profiles. This is the placement Glyphward's /v1/scan supports — raw bytes in, scan record out, before the model sees anything. The complete argument for pre-processing scan placement is in "the multimodal prompt-injection threat model (2026)".

5. The regulatory compounding problem: one attack, multiple frameworks

A successful satellite AI manipulation attack typically implicates multiple regulatory frameworks simultaneously — and the evidence required to demonstrate control compliance under each framework is substantially the same per-request scan log. The compounding problem also means that a single detection failure carries multiplied regulatory exposure.

For a USDA crop monitoring AI system: a successful NDVI injection attack that produces a fraudulent insurance payout implicates USDA RMA crop insurance regulations (7 CFR Part 400 et seq.), False Claims Act exposure for any company providing AI services to the federal government under 31 USC §3729, and potentially NIST AI RMF obligations if the agency has committed to the framework under Executive Order 14110's AI governance requirements. NIST AI RMF MAP 5.2 specifically addresses adversarial manipulation of AI inputs as a risk that must be identified and managed. The compliance mapping is in "NIST AI RMF GenAI profile and prompt injection".

For an ESG-reporting company that uses satellite AI to verify environmental compliance disclosures: a manipulated satellite assessment that produces false ESG metrics submitted to investors under SEC climate disclosure rules creates potential securities fraud exposure under 15 USC §78j(b) (Section 10(b) of the Securities Exchange Act) and Rule 10b-5 (17 CFR §240.10b-5) in addition to any EPA regulatory violation the false compliance report conceals. This is not a speculative legal theory: the SEC Office of Investigations has explicitly flagged AI-assisted ESG data fraud as an enforcement priority following the 2024 climate disclosure rules.

The evidence log that demonstrates control compliance across these frameworks is the same artifact: a per-tile scan record containing tile identifier, spectral band count, payload hash, per-band risk score, flagged pixel region (if any), and action taken (allow / block / flag for review). One instrument, multiple compliance citations — the same principle established for healthcare AI compliance in "multimodal AI prompt injection in healthcare".

6. Four steps to close the satellite AI scanning gap

The remediation architecture for satellite AI is structurally similar to other high-stakes geospatial and imaging applications — the scan placement and evidence format are the same principles, adapted to the spectral data format.

  1. Enumerate every imagery source and delivery format. For each satellite AI pipeline: which APIs deliver imagery? (Sentinel Hub, Planet Labs API, Google Earth Engine, Maxar SecureWatch, internal STAC catalog?) In what format? (GeoTIFF, Cloud Optimized GeoTIFF, multi-band HDF5, NetCDF, SAR SAFE format?) How many spectral bands per tile? This inventory is the scope of your adversarial-input risk assessment. Under NIST AI RMF GOVERN 2.2, this enumeration is the precondition for assigning ownership of the risk. Under USDA RMA actuarial standards and FEMA Section 324 requirements, it is the starting point for demonstrating data integrity in AI-assisted assessments.
  2. Place scanning at the data receipt boundary, before index calculation. The scan must run on the raw tile bytes as received from the imagery API or data store, before any spectral index (NDVI, EVI, NDWI, SAR coherence) is calculated and before any model preprocessing (normalisation, band stacking, cloud masking). The raw bytes are the channel the attacker targets; scanning the derived index is scanning the output of the channel, not the channel itself. Glyphward's /v1/scan accepts multi-band GeoTIFF bytes and returns per-band risk scores alongside the standard payload-detection results.
  3. Implement supply chain integrity verification alongside scanning. Scanning detects already-modified tiles; supply chain verification prevents delivery of modified tiles in the first place. For satellite imagery pipelines: validate TLS certificates for all imagery API connections, verify cryptographic checksums provided by the imagery source (Sentinel Hub's tile manifests, Planet Labs data delivery SHA256 hashes), and treat unsigned or unverifiable tiles as untrusted inputs requiring mandatory scanning at elevated sensitivity. Scanning and provenance verification are complementary; neither replaces the other.
  4. Produce a per-tile evidence log with full provenance. Every satellite image tile processed by an AI model should generate an evidence log entry: tile ID, source API, acquisition timestamp, spectral band count, tile payload hash, per-band risk score, scan timestamp, action. This log is simultaneously the evidence record for USDA data integrity requirements, EPA data quality standards (40 CFR Part 60 Appendix F data quality assurance), FEMA Section 324 program integrity documentation, and any NIST AI RMF audit trail requirements. For AI systems under multimodal AI security testing scope, this log is the primary artifact reviewed in red-team and compliance assessments.
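
Steps 3 and 4 in code, as an added example that is not from the original post or from any vendor's product: the tile's raw bytes are hashed on receipt, compared with the digest the source published, and written to an evidence record. The raw layout, tile ID, API name and band values are constructed for illustration; the altered tile keeps the same metadata and a plausible NDVI (about 0.7 versus about 0.3), the case section 4 says metadata and output-range checks do not catch.

```python
import hashlib
import hmac
import json
import struct
from datetime import datetime, timezone

SAMPLES = 4  # pixels per band in the constructed layout below

def pack_tile(bands):
    """Constructed raw layout (not GeoTIFF): uint16 band count, then uint16 samples."""
    raw = struct.pack("<H", len(bands))
    for samples in bands:
        raw += struct.pack("<%dH" % SAMPLES, *samples)
    return raw

def unpack_tile(raw):
    (count,) = struct.unpack_from("<H", raw, 0)
    size = 2 * SAMPLES
    return [list(struct.unpack_from("<%dH" % SAMPLES, raw, 2 + i * size))
            for i in range(count)]

def mean_ndvi(bands, red_idx, nir_idx):
    """Mean of (NIR - RED) / (NIR + RED) over the tile's pixels."""
    vals = [(n - r) / (n + r)
            for n, r in zip(bands[nir_idx], bands[red_idx]) if n + r]
    return sum(vals) / len(vals)

def receive_tile(meta, raw, manifest, now=None):
    """Hash the raw bytes, compare with the source manifest, build the log entry.

    manifest maps tile_id -> SHA-256 hex digest published by the imagery source;
    it must reach the pipeline over a channel separate from the tile cache.
    """
    digest = hashlib.sha256(raw).hexdigest()
    expected = manifest.get(meta["tile_id"])
    if expected is None:
        integrity, action = "unverifiable", "flag_for_review"  # treat as untrusted
    elif hmac.compare_digest(digest, expected):
        integrity, action = "verified", "allow"
    else:
        integrity, action = "mismatch", "block"
    (band_count,) = struct.unpack_from("<H", raw, 0)
    return {
        "tile_id": meta["tile_id"],
        "source_api": meta["source_api"],
        "acquisition_timestamp": meta["acquired"],
        "spectral_band_count": band_count,
        "payload_sha256": digest,
        "integrity": integrity,
        "per_band_risk_score": None,  # supplied by the pixel scanner, not computed here
        "scan_timestamp": (now or datetime.now(timezone.utc)).isoformat(),
        "action": action,
    }

# Constructed sample: band 0 = RED, band 1 = NIR, band 2 = SWIR, four pixels each.
ORIGINAL = pack_tile([[400, 420, 410, 390], [2400, 2300, 2350, 2450],
                      [1200, 1210, 1190, 1205]])
# The same tile with lower NIR values, as it could sit in a tampered local cache.
ALTERED = pack_tile([[400, 420, 410, 390], [760, 780, 770, 750],
                     [1200, 1210, 1190, 1205]])
META = {"tile_id": "TILE-EXAMPLE-001", "source_api": "example-imagery-api",
        "acquired": "2026-05-01T10:20:00Z"}  # identical for both tiles
MANIFEST = {META["tile_id"]: hashlib.sha256(ORIGINAL).hexdigest()}

def demo():
    for label, raw in (("original", ORIGINAL), ("altered", ALTERED)):
        ndvi = mean_ndvi(unpack_tile(raw), red_idx=0, nir_idx=1)
        print(label, round(ndvi, 3), json.dumps(receive_tile(META, raw, MANIFEST)))

if __name__ == "__main__":
    demo()
```

Both NDVI values fall inside the valid index range and the metadata is unchanged, so only the digest comparison separates the two tiles.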

FAQ

Can a text-only prompt injection scanner protect satellite AI systems?

No. Satellite remote sensing AI processes multispectral pixel arrays — Sentinel-2 has 13 spectral bands per pixel, Landsat 9 has 11. There is no meaningful text representation of a spectral image that a text PI scanner can inspect: the payload lives in the numeric values of individual spectral bands, not in any string. A text PI scanner running on metadata labels (date, tile ID, cloud cover percentage) inspects metadata, not the spectral data the AI model consumes. The attack surface is entirely in the pixel domain; only a scanner that operates on raw image bytes before model preprocessing can detect adversarial spectral perturbations.

What is NDVI injection and why does it matter for USDA AI?

NDVI (Normalized Difference Vegetation Index) is calculated as the normalized difference of the near-infrared and red spectral bands: (NIR − RED) / (NIR + RED). USDA's Risk Management Agency and Farm Service Agency use NDVI-derived vegetation indices to validate crop insurance claims and determine ARC/PLC subsidy payments. An NDVI injection attack perturbs the NIR or RED band values in a satellite image tile so the computed NDVI shifts toward a target outcome — drought-affected when the crop is healthy, yielding a fraudulent insurance payout. Because the perturbation lives in floating-point spectral band values rather than text strings, every text-only PI scanner misses it structurally.

Do adversarial satellite image attacks require physical access to satellites?

No. The most practical attack vector is at the data pipeline stage. Commercial satellite imagery is delivered via API (Sentinel Hub, Planet Labs API, Maxar SecureWatch) as GeoTIFF files. An attacker who can compromise a pipeline script, inject a modified tile into a local cache, or manipulate a vendor API response via a MITM on an unencrypted pipeline can deliver adversarially perturbed spectral data without any physical access to satellites. Supply chain injection at the imagery API or caching layer is the highest-probability realistic attack path.

What regulations are implicated by a successful satellite AI manipulation?

Multiple federal frameworks simultaneously. USDA crop insurance fraud via satellite AI manipulation violates 18 USC §1006 and 18 USC §1001. An EPA satellite monitoring bypass implicates FIFRA §136 and potentially Clean Air/Water Act violations. FEMA disaster assessment manipulation implicates 44 CFR Part 206 and the Stafford Act (42 USC §5170). ESG reporting companies face potential SEC Rule 10b-5 securities fraud exposure for false satellite-verified climate disclosures. Each framework has civil and criminal penalties; the AI manipulation attack enables the fraud while leaving no trace in a text-only audit log.

How does Glyphward scan satellite imagery inputs?

Glyphward's /v1/scan endpoint accepts raw image bytes in any raster format — GeoTIFF, PNG, JPEG, multi-band arrays — and runs CLIP-based embedding analysis alongside a trained adversarial perturbation detector before the image reaches any downstream model. For multi-band satellite data, the scanner processes each spectral band and flags anomalous band-value distributions (the signature of adversarial NDVI injection) alongside FigStep-class payloads and steganographic overlays. The response includes a scan_id, per-band risk_score, flagged_region, and action — the evidence record regulators and auditors need to demonstrate that each satellite image tile was inspected before the AI processed it.
