During the August 2019 DEF CON 28 hacker convention in Las Vegas, Nev., the U.S. Air Force brought an F-15 fighter-jet data system and put out a call to any who would like to try to hack into and gain control of its operations.
Teams of hackers and security researchers took the unit apart and reported the security flaws in the system as they uncovered them. The military officials were very happy with the results of the experiment, and they decided to return in 2020—with a satellite.
DEF CON is one of the largest hacker conventions, and it has been an annual event in Las Vegas since June 1993. It attracts hackers and computer security professionals along with federal government employees, security researchers, journalists, and students. In 2019, Will Roper, assistant secretary of the Air Force for acquisition, technology, and logistics, explained to Brian Barrett of Wired magazine why his branch of the armed forces was hauling fighter-jet hardware to the conference.
“We have to get over our fear of embracing external experts to help us be secure. We are still carrying cybersecurity procedures from the 1990s…. We presume that if we build things behind closed doors and no one touches them, they’ll be secure. That might be true to some degree in an analog world. But in the increasingly digital world, everything has software in it.” To this Barrett added a footnote reminding readers that all software inevitably has bugs that can be exploited.
A MOON SHOT
This year, DEF CON 29 once again made the same offer to those attending, actual and virtual, with another competition named Hack-A-Sat 2 (HAS2). It was set up in the same way as last year with a call for submissions, a preliminary qualification round before DEF CON in August, and then the final competition among the qualifiers. Anyone who thought they might be able to hack a satellite, or its ground station, was invited to apply.
And it wasn’t just hacker prestige that would be on the line; the cash rewards were very attractive. The top 10 qualifying teams were awarded $10,000 each, third place received $20,000, second $30,000, and the top prize in the final competition was $50,000.
The preliminary phase in June 2021 had a series of challenges such as problems to be solved with coding, finding things, puzzles, and the need to show some control over the systems. That would be followed later in the year by an all-out DEF CON-style capture-the-flag (CTF) contest. The final event was hosted on physical hardware that was typical of the architectures and designs used in real satellites.
Roper described the extent of the system penetration with one of the problems to be solved: “What we’re planning on doing is taking a satellite with a camera, have it pointing at the Earth, and then have the teams try to take over control of the camera gimbals and turn toward the moon. So, a literal moon shot.” The contestants had to successfully have the satellite snap a photo of the moon and then retrieve that image to their computer.
All the applicant needed to apply was a computer to connect through a virtual private network to the game infrastructure, preferably with a broadband connection. They also had to be willing to be vetted. The “moon shot” challenge landed more than 2,000 teams made up of 6,000 individuals who were able to connect, learn, and test their skills. Aerotech News reported, “Among these teams were the world’s best hackers, who, during the final round, championed a never-been-done-before on-orbit satellite hacking challenge.”
From the point of view of the Air Force, Lt. General John F. Thompson, then-commander of the U.S. Space Force’s Space and Missile Systems Center, validated the project with the judgment, “The first Hack-A-Sat was a tremendous success in bringing together a diverse group of government, commercial, and private organizations and individuals to test and develop cybersecurity solutions for our unique space networks.”
On May 4, 2021, the application from the Air Force Research Laboratory was released for this year’s challenge. Any teams interested in a two-stage competition with cash rewards and significant hacker cache could fill out the 17-page application, which included a release form to be filled out by parents or guardians for any minors on your team, four pages of legal issues addressing liabilities in detail, and an automated clearing house form for routing the winners’ checks.
The Air Force rules for the contest offer interesting insights on how to benefit from cooperation without risking being co-opted in the process. The HAS2 Rules, like the application, is also a 17-page document. It outlines the procedures for the qualification event and the format for the final CTF contest: “The Final Event will be an ‘attack/defend’ style CTF that occurs using a simulated space system to include a virtualized ground station, a communications subsystem, and physical satellite hardware called a flatsat.
Like a more traditional attack/defend CTF, teams will have their own vulnerable system to operate and defend, while attacking opposing teams’ identical systems. A number of exploitable vulnerabilities exist in the systems and teams must patch or otherwise mitigate their own vulnerabilities to protect from exploitation attacks, while keeping the system functioning normally (Rule 3.1).” It sounds like a multidimensional, simultaneous penetration testing of your own system and all the others, and all while the organizers are regularly polling each team system for the responses.
Rule 5.1 covers eligibility with an opening premise that certain countries will be excluded from the start. Also not eligible are “Individuals, organizations or sponsors that are named in the Specially Designated Nationals list of the U.S. Department of Treasury.” Government entities and individuals (from the United States or any other country) aren’t eligible, but individuals acting on their own apart from government or military service might qualify.
In Section 5.4, there’s a list of disqualifying behaviors including use of certain hacking tools (nonspecific denial of service attacks against other competitors) and any lack of transparency in disclosures. “No physical coercion or intimidation is allowed,” and “Any acts of sabotage, tampering, misuse, attacks, or use without consent of the content organizer’s property, infrastructure, equipment, software…are expressly forbidden.”
The potential for problems could be serious, but Thompson reassured the public: “The security and cyber-resiliency of our on-orbit systems is an absolute necessity as we look to ensure the peaceful development of the global commons of space over the coming decades. This required a multitude of specialties, so partnerships across the entire professional cybersecurity spectrum are vital to developing the next-generation of secure space systems.” White-hat hackers are now part of the team in the professional cybersecurity spectrum.
THE FINAL ENGAGEMENT
The top 10 qualifiers of the 2021 DEFCON 29 include a list of colorful names including “OneSmallHackForMan” and “Poland Can Into Space.” All scores in the preliminaries (and something about each team) are posted on www.hackasat.com. The top eight with two alternates will now engage in the final CTF event scheduled over two days beginning December 11, 2021, at 1 p.m. EST. The countdown in days, hours, minutes, and seconds is ticking off on the HAS2 home page.