Eight Teams of Hackers Will Compete to Breach U.S. Satellite in Space

World
,
1

Eight Teams of Hackers Will Compete to Breach U.S. Satellite in Space

Protecting satellites from hacks is becoming more important as industries from agriculture to banking and insurance rely on space-based capabilities.

This August, at the famed DEFCON hacker convention, the U.S. military will stage a contest in which competing teams of white-hat hackers will, for the first time ever, try to penetrate and take over computer systems on a satellite actually in orbit.

It took four years, but “this year, we are in space for real,” said Steve Colenzo, Technology Transfer Lead for the Air Force Research Laboratory’s Information Directorate in Rome, New York, and one of the contest organizers.

The Hack-A-Sat 4 capture-the-flag contest comes in the wake of the notorious cyberattack on the Viasat KA-SAT European satellite network last year. Russian military hackers sought to decapitate Ukrainian command and control of its armed forces by shutting down the network, just as Russian invaders rolled across the border.

Moonlighter satellite Aerospace Corp Hack-A-Sat 4

The foot-long toaster-sized Moonlighter cubesat was designed to be hacked in contests such as Hack-A-Sat, and is built with safety features such as no propulsion.COURTESY OF AEROSPACE CORPORATION

Although there are conflicting reports about its impact on the fighting, the attack was completely effective from a technical perspective. Every one of the KA-SAT’s ground user terminals that was turned on at the time shut itself down and could not be powered up. That, plus the collateral damage the attack caused, such as the wind farms in Germany knocked offline, underlined both the integral role in the world economy of space-based global communications networks, and their vulnerability to hackers.

It also demonstrated the value of the annual Hack-A-Sat contest, which aims to highlight the cyber threat faced by space-based capabilities.

“We’ve turned a corner … A lot more people now understand” those threats, Colenzo said.

Polish hackers compete first Hack-A-Sat 2020 remotely

Members of the “Poland Can Into Space” ad hoc team of hackers compete remotely in the first U.S. Hack-A-Sat capture-the-flag contest in 2020. In previous years, the contests used genuine working satellite hardware, but running safely on the ground.STANISŁAW PODGÓRSKI/COURTESY OF POLAND CAN INTO SPACE

Industries from agriculture and mining to banking and insurance rely on space-based capabilities, he said. GPS, provided by a network of U.S. military satellites, is the best-known. GPS and its Chinese, European, Japanese and Russian equivalents, provide not just directions for clueless drivers, but controls for automated machinery on farms and the timing and location information that makes secure financial transactions possible online. Other space-based capabilities, such as earth observation satellites, which can show damage from extreme weather events, are increasingly used by insurance and other companies.

“Everyone relies on space,” said Colenzo. Traditionally, space technology was the purview of a handful of nation states. And the hardware and software used in space systems such as GPS was boutique, unique and specialized.

But now “space is democratizing,” Colenzo said, with more countries and more companies able to build their own satellites and buy rides on launch vehicles to get them into orbit. “We need all of those new entrants to be thinking about cyber security and cyber hygiene … because in five years, we are all going to be relying on their capabilities” the way we now rely on GPS.

Falcon 9 take-off SpaceX CRS-28

A Falcon 9 rocket blasts off from NASA’s Kennedy Space Center June 5, propelling a SpaceX Dragon vehicle into orbit, where it docked the following day with the International Space Station. The mission for NASA carried, along with other supplies, the Moonlighter satellite that will be the target of the hacking contest at DEFCON.SCREENGRAB FROM VIDEO FEED/COURTESY SPACEX

Hackers in Europe already succeeded

Hack-A-Sat 4, taking place live at DEFCON Aug. 10-13 in Las Vegas, will be the first-ever hacking contest staged on a vehicle in orbit. In previous years, the contests used genuine working satellite hardware, but running safely on the ground.

But the contest won’t be the first time white-hat hackers have successfully hacked a real satellite in orbit.

That honor was taken earlier this year by Brian Jouannic and his team of ethical hackers from French defense, space and technology giant Thales. They were able, over a period of several months, to penetrate and take over the controls of a European Space Agency satellite called OPS-SAT. They were also able to doctor images produced by the satellite’s camera.

OPS-SAT was uniquely easy to hack, Jouannic told Newsweek, because it was designed as a platform to host experiments, called payloads, from multiple users. More than 100 companies and institutions from 17 EU member states registered with the European Space Agency to upload their software payloads to the satellite, which runs the ubiquitous Linux software, just like an Earth-bound IT system.

“The attack on the satellite is more or less the same as an attack on a ground-based system,” Jouannic said, “but in a much more challenging environment.” The white-hat hackers could only communicate with the satellite for 10 minutes each day, as it passed overhead. So they would upload their code and then have to wait 24 hours to see if it had worked. “We had some good luck,” he said, in finding exploitable vulnerabilities in the European Space Agency’s code. Nonetheless, it took a team of four, working part time, a full three months before they were able to seize OPS-SAT’s control system and change its attitude.

“We thought for 50 years that satellites were safe [from hacking], that they were so far away no one could ever reach them,” Jouannic said. “That’s no more the case.”

Although OPS-SAT is unique, the democratization of space means increasing numbers of companies will offer the kind of shared or leased satellite access that it does, said Mathieu Bailly, CYSAT conference director. “More and more we see these new business models: Shared payload, shared launch, satellite-as-a-service,” he said.

Moonlighter satellite will be the target

Hack-A-Sat 4 is an attack/defend contest in which teams compete to hack each other’s systems while defending their own. It is being staged by the Air Force Research Laboratory and the U.S. Space Force. More than 380 teams signed up for the qualification round in April, and the eight top-scoring ones, which include contestants from Australia, Germany, Italy and Poland, as well as the U.S., will participate in the finals at DEFCON.

“We always knew our objective was to do this in space,” Colenzo said. But when, back in 2020, organizers asked satellite operators if they could stage a hacking contest on their space assets, “The answer, and there was really no hesitation, the answer was always no.”

Hack-A-Sat organizers realized that, if they wanted to reach their objective of staging such a contest in space, they would have to launch their own satellite, Colenzo said.

Technician works on Moonlighter experimental satellite

A technician works on the solar panels for the Moonlighter satellite. The four-slice toaster-sized Moonlighter satellite is slated to be deployed from the International Space Station in early July. After it enters orbit, the solar panels unfold and the satellite can power up.COURTESY AEROSPACE CORPORATION

The Moonlighter satellite was launched on a SpaceX rideshare rocket to the International Space Station June 5 by the U.S. government-backed non-profit The Aerospace Corporation. It’s a foot-long toaster-sized cubesat satellite with extendable solar panels.

If all goes according to plan, Moonlighter will be deployed into orbit early in July, Project leader Aaron Myrick told Newsweek. Moonlighter is designed to be hacked, he said, and there are numerous safety measures in place. “The first thing that we said was that propulsion was off the table,” Moonlighter can’t change its own orbit, which might make it a hazard to other satellites. And its ground controllers have the ability to reboot the system, kicking out any intruders and restoring their control.

Hacking contests like Hack-A-Sat have grown since the 1990s into an international hacker subculture, with hundreds of contests staged every year. The competitions build teamwork and develop a collaborative muscle memory while at the same time helping security researchers hone and practice defensive and offensive skills. Hack-A-Sat 4 will be a 72-hour non-stop grind in which the teams, fueled by energy drinks and snack bars, will nap briefly in shifts.

But don’t let the video-game energy fool you: The stakes could not be higher.

U.S. wargames that seek to anticipate Chinese military strategy have long emphasized the possibility of a pre-emptive strike to take out U.S. space capabilities and impact U.S. forces fighting a war half a world away from their homeland. Such a strike would blind and deafen U.S. forces in the Indo-pacific theater, cutting off their communications with headquarters back in the U.S.

Now that China’s own economy is increasingly reliant on space as well, that pre-emptive strike will likely take the form of a cyberattack, according to a classified CIA assessment leaked by 21-year-old National Guard Airman Jack Teixeira and reported by the Financial Times. The leaked document said China was developing cyber weapons that allow it “to seize control of a satellite, rendering it ineffective to support communications, weapons, or intelligence, surveillance, and reconnaissance systems.”

3 Points