Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security

The Race to Hack a Satellite at DEF CON

Eight teams competed to win cash, bragging rights, and the chance to control a satellite in space.

At DEF CON 27 there was a tantalizing promise: A space-based capture-the-flag competition at DEF CON 28, featuring actual satellites to be controlled. Then came 2020.

Hack-a-Sat, as it came to be called, was still on. In the spring, more than 6,000 competitors virtually gathered, self-organized into more than 2,000 teams. In May they competed in a series of challenges, and by May 24, eight teams had risen to the top. At DEF CON 28, they spent two days working through five challenges with several rewards at stake. One (and a big one at that) was bragging rights. Another was a shared of a $100,000 prize purse. And third was the chance to have a solution uploaded to an actual, operational satellite and have it dance to the tune called by the winning team.

Image courtesy DEF CON Communications
Image courtesy DEF CON Communications

The eight teams, with members from around the world, were: Poland Can Into Space, FluxRepeatRocket, AddVulcan, Samurai, Solar Wine, PFS, 15 Fitty Tree, and 1064CBread.

On Friday morning, August 7, they began the competition, which was part of the Aerospace Village at DEF CON.

Floating on Air

Unlike many capture-the-flag (CTF) competitions, Hack-a-Sat had a physical component for each team. The sponsors had purchased a series of off-the-shelf training satellites featuring a "standard" guidance navigation and control system (GNC) and a custom Artix 7 FPGA- and Raspberry Pi-based board for onboard and payload systems. According to the team that ran the competition, code from the European Space Agency (ESA) and NASA was used on the two boards, with the off-the-shelf board chosen for its rapid access to sensor and control surfaces, and the custom board designed to be far more interesting from a CTF perspective.

The physical elements came from the "flat sat" training satellites that were platforms for the electronic components. These earth-bound physical simulators were mounted on air-bearings so they could move without resistance and simulate various elements of the scenario. The competition lab also had moving radio transceivers for each team, to simulate moving communication issues, and a virtual moon (along with other visual targets).

5 Challenges

The scenario for the contest allowed for a wide variety of challenges: A satellite has been attacked and compromised by an attacker, and is now spinning out of control. The teams need to regain control of the satellite.

To do that, they had to complete five challenges - four that were scored based on order to arrive at a solution and time required, and one that was pass/fail.

Challenge 0: Gain control of the satellite communications ground station.

The adversary had obtained access and locked others out, so teams had to use a network to access to the station.

Challenge 1: Attempt communication with the satellite spinning out of control.

They then had to regain communications with the satellite.

Challenge 2: The satellite's guidance navigation and control system (GNC) "went offline."

Teams had to repair it as quickly as possible to stop the the satellite's spinning. This was a challenge in which the satellite's physical reality became important: Each flat-sat had only so much battery power for the day, and solutions that used too much power could leave the teams unable to solve subsequent challenges until after the satellite had recharged overnight.

Challenge 3: The satellite has stopped spinning but can't communicate with the payload module or imager.

This brings up an important question: what else might be damaged? Teams had to restore communications to the payload module.

Challenge 4: Restore normal operations of the payload module to then control the imager.

Challenge 5: The teams have regained control, but now must prove it by taking an image of the moon in the lab.

This challenge was pass/fail and was important for two additional reasons. First, teams had to pass this test to be eligible for podium placement at the end of the challenge. Next, one team would be selected to have their solution uploaded to an actual satellite to see whether it could get an image of the actual moon.

Primary vectors required for proper orientation of the satellite to take an image of the moon.
Image courtesy DEF CON Communications

Primary vectors required for proper orientation of the satellite to take an image of the moon.

Image courtesy DEF CON Communications

Solving the challenges involved a combination of traditional communications hacking, diving through documentation, understanding orbital mechanics and flight controls, and hardware hacking through exploiting undocumented input and output mechanisms. Every hour throughout the two days of the competition there was an update showing a leaderboard with comments on the progress (or lack) by the various teams, and explanations of the challenges and solutions.

Story continues on the next page

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and ... View Full Bio

Recommended Reading:

1 of 2
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
FluBot Malware's Rapid Spread May Soon Hit US Phones
Kelly Sheridan, Staff Editor, Dark Reading,  4/28/2021
7 Modern-Day Cybersecurity Realities
Steve Zurier, Contributing Writer,  4/30/2021
How to Secure Employees' Home Wi-Fi Networks
Bert Kashyap, CEO and Co-Founder at SecureW2,  4/28/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-05-06
The "gitDiff" function in Wayfair git-parse <=1.0.4 has a command injection vulnerability. Clients of the git-parse library are unlikely to be aware of this, so they might unwittingly write code that contains a vulnerability.
PUBLISHED: 2021-05-06
Exim 4 before 4.94.2 has Execution with Unnecessary Privileges. By leveraging a delete_pid_file race condition, a local user can delete arbitrary files as root. This involves the -oP and -oPX options.
PUBLISHED: 2021-05-06
Jellyfin is a free software media system that provides media from a dedicated server to end-user devices via multiple apps. Verions prior to 10.7.3 vulnerable to unauthenticated Server-Side Request Forgery (SSRF) attacks via the imageUrl parameter. This issue potentially exposes both internal and ex...
PUBLISHED: 2021-05-06
Mixme is a library for recursive merging of Javascript objects. In Node.js mixme v0.5.0, an attacker can add or alter properties of an object via 'proto' through the mutate() and merge() functions. The polluted attribute will be directly assigned to every object in the program. This will put the ava...
PUBLISHED: 2021-05-06
Improper input validation of octal strings in Python stdlib ipaddress 3.10 and below allows unauthenticated remote attackers to perform indeterminate SSRF, RFI, and LFI attacks on many programs that rely on Python stdlib ipaddress. IP address octects are left stripped instead of evaluated as valid I...