How a hacking crew overtook a satellite from inside a Las Vegas convention center and won $50,000
LAS VEGAS — In a room almost overflowing with spectators inside Caesars Forum, the main venue for this year’s DEF CON hacking conference, five teams of hackers from around the world waited anxiously to see who would be named the winner of the first-ever capture the flag in space.
It’s not often that a crowd this large gathers to celebrate security researchers’ work, but this was no ordinary hacking contest. It represented the culmination of many years of planning and investment from the Air Force, which organized the event, and the first time hackers have been openly encouraged to break into a satellite as it hurtles over the earth at 17,000 miles per hour.
Teams participating in the Hack-A-Sat contest at this year’s DEF CON’s Aerospace Village all had the same target: a small cubesat dubbed “Moonlighter” outfitted with challenges and “flags” that NASA and SpaceX launched in June.
From last Friday morning to Saturday night, five teams gathered in the contests area at DEF CON, a giant space filled with devices, cars, loud strange noises, and hundreds of hackers breaking into anything with some wires and electricity running through it. At the Hack-A-Sat space, a giant scoreboard was decked out cyberpunk style with the scores, location of the Moonlighter, and next time before contact with the satellite.
The competitors are a combination of multiple CTF teams. While teaming up is not uncommon for CTFs, hacking a satellite while in orbit presents unique challenges that many regular CTF competitors have yet to face. The five teams that made it to the finals in Vegas beat out hundreds of other teams made up of thousands of players.
At stake for first place was bragging rights to being the first team to win a CTF in space — and $50,000. It’s little wonder the announcement room was filled to the brim.
But the night before, the announcement had it’s own drama. A suspicious package lead to the evacuation of the entire Caesars Forum where DEF CON was hosted on late Saturday. (This is possibly the fifth time an evacuation has occurred, according to remarks made at DEF CON’s closing ceremonies.)
The Hack-A-Sat organizers were still collecting data from the Moonlighter and so the team huddled in an emergency stairwell before retreating to a hotel room to connect to the Moonlighter to collect data and determine the final scores, said U.S. Space Force Capt. Kevin Bernert at the announcement.
“The show must go on,” Bernert said.
As Jordan Wiens, creator of the reverse engineer program Binary Ninja and the CTF host at Hack-A-Sat, began to announce the winners he noted the second place winners would receive $30,000 and third would take home $20,000. The crowd audibly murmured and a few whistled at the prize money. At third place is jmp fs: [rcx], a team combined of PFS, which won the first Hack-A-Sat contest in 2020, and RTX. The team name is also a valid assembly code, one of the members told CyberScoop.
The second place winners are Poland Can Into Space, a combination from the CTF team’s Dragon Sector and p4. The name is a play on the online comic Polandball and last year’s winners of Hack-A-Sat.
“Congratulations to team mHACKeroni,” Weins said, to loud cheers, applause, and some screaming. mHACKeroni, which won both bragging rights and the prize money, consists of 60 people from Italy representing the academic world, according to their bio.
“Congratulations to all of the participants,” said Wiens. “Making it here at all is really impressive.”
Those challenges weren’t easy. One challenge called “Christmas in August” required that the Moonlighter leave its regular orbit and fly close to the North Pole. How do you move a satellite that does not have a propulsion system? By tricking the GPS receiver through script injection, of course.
Another challenge was to hack into the camera and take a photo from space. Iron Bank is a cryptography challenge that only mHACKeroni completed.
The CTF is a collaboration from the Air Force Research Laboratory, Space Systems Command, Aerospace Corporation and Cromulence.
One major challenge was that the Moonlighter is not always available. Depending where it’s located in-orbit, the satellite only had a few open windows throughout the competition to download or upload files, telemetry, and scripts. And because the CTF is operating with real-world conditions even the CTF runners could not always connect during the pre-defined contact windows.
But while Hack-A-Sat is aimed at bringing cybersecurity and space experts together in a fun competition, the threats facing space systems are real. The DEF CON and Black Hat cybersecurity conferences in Las Vegas held multiple sessions on either the danger of the current state of space cybersecurity or going over the major hack of Viasat’s systems at the start of the Ukraine invasion.
At Black Hat, a Viasat executive and an NSA official revealed that the Russian attack on satellite communications was actually a multi-pronged barrage that included not only the Acid Rain malware wiper but also flooded specific servers at Viasat that quickly overwhelmed their networks.
The reliance of space systems for critical sectors such as energy and agriculture has lead to multiple calls for the sector to be designated as critical infrastructure. Experts have noted that the surge of so-called “new space” companies and off-the-shelf components means that the risks to space systems are increasing.
