Flying somewhere high above the earth is a small satellite that, for the next week, will be target #1 for five teams of hackers at this year’s DEF CON conference.
The annual Hack-A-Sat capture the flag (CTF) competition held at Aerospace Village at the annual DEF CON hacking conference in Las Vegas is the first time an on-orbit satellite will test contestants mettle while bringing together hackers who don’t typically work on space systems.
In June, a SpaceX rocket launched a small square shaped satellite dubbed “Moonlighter” that hackers will try to break into. The cubesat is outfitted with bits of code called “flags” locked within a sandbox environment made to ensure hackers don’t escape the confines of the contest. This year’s challengers are: Krautsat, mhackeroni, SpaceBitsRUs, Poland Can Into Space, and jmp fs: [rcx].
Rachel Mann, a program manager at the Air Force Research Laboratory, said that really the contest is about “bridging a gap between space people and cyber people” at a time when there is growing recognition that satellites are immensely vulnerable to cyberattack, even as they grow in importance. The competition, Mann said, aims to “not only bridge the gap, but quite literally make collisions in these communities, to bring all of the necessary folks to the table and work on the problems that are occurring in front of us every day.” Mann said.
Here’s how the capture the flag works: five teams will gather at DEF CON and around the world to try to find lines of code or “flags” that can only be obtained by completing multiple challenges. The team with the most points at the end wins. There are $100,000 worth of prizes with $50,000 for first place, $30,000 for second, and $20,000 for third.
That all sounds simple enough. But hacking into a live in-orbit satellite comes with unique challenges. For one, there’s a lot of space math is involved. Additionally, the teams have no idea what challenges await them so they’ve been spending the lead up studying previous years CTF’s and creating programs and scripts with the hope that they’ll be useful down the line.
Portions of the contest will work like Jeopardy where the winners get to choose the next challenge from the pool. Last year, one of the challenges was to calculate the current orbit and figure out how do a course correction using the propulsion system.
The CTF is lead by the Air Force Research Laboratory, alongside Space Systems Command, the Aerospace Corporation, and Cromulence and seeks to address what are thought to be widespread vulnerabilities in space systems. A recent paper by a team of German researchers including Johannes Willbold, a member of the Krautsat CTF group and a doctoral student at Ruhr University Bochum, discovered major — and basic — vulnerabilities in three real-world satellite firmware images.
“What we found essentially was that a lot of the satellites were missing basic telecom protection,” Willbold said in an interview with CyberScoop describing research that he will present on Thursday at the Black Hat security conference. These missing security features included basic precautions, like a way to protect third parties from sending commands in-orbit satellites.
The widespread absence of what Willbold called “standard security measures” on satellites have alarmed security security experts at a time when the energy, agriculture, and other critical sectors increasingly depend on space systems and have spurred calls for the industry to be designated critical infrastructure.
Cyberattacks against space systems are becoming increasingly common and gained widespread attention after Russia launched a cyberattack against Viasat satellite modems at the start of its invasion of Ukraine, which caused cascading impacts on network connections in Europe and wind farms in Germany.
Willbold said that space systems tend to rely on the obscurity of boutique software and technology rather than actual defensive measures. Of the researchers who worked on the paper he will present at Black Hat, none had any background in space cybersecurity. Their ability to discover satellite vulnerabilities illustrate that space systems are no longer particularly obscure, especially as off-the-shelf-components are becoming ubiquitous.
Many of the CTF team members competing are more curious than they are expert in space systems, and that’s all a part of the experience, said Mann.
“We’ve got a guy with a PhD and he loves [radio frequency] communications, but now he’s sitting down with somebody that is doing some astrophysics and reverse engineering and cybersecurity. Those folks weren’t on a team or on any calls or any other capacity prior to that,” Mann said. “A company let us know that they set up an entire new division of their company simply to bring together their cyber and space folks.”
Many of the CTF teams are actually conglomerates of other smaller groups that have teamed up. The Hack-A-Sat contests have become so complex over the years, said Josh Christman, a member of jmp fs: [rcx] and the chief operations officer at Open Security, Inc., that it’s almost impossible to make it past the qualifiers without joining forces.
The team name “jmp fs: [rcx]” is comes from two teams that combined for the Hack-A-Sat: PFS and RTX. (The name also is a valid assembly instruction as well, Josh noted.)
“You end up with these mega teams that are formed from smaller teams in order to get kind of a critical mass needed in order to solve the wide variety of challenges that are showing up in these types of CTFs,” Christman said. “Hack-A-Sat is very different from basically any CTF that exists in that is has things like space math and radio challenges and orbital calculations that need to be done. That’s not something you do in a traditional CTF.”
Wyatt Neal, a member of the SpaceBitsRUs team and a senior staff cyber architect at Northrop Grumman, said that the contest brings together portions of the company that normally only works together during specific projects.
It’s also a great chance to work outside of contracts that often have specific requirements, Neal said. “It’s a really good opportunity to create imperfect solutions in a low risk environment.”