Hackers square off to close gaps in satellite cybersecurity

The second annual Hack-A-Sat competition pits security researchers against real satellite equipment as the U.S. military rushes to address space cybersecurity risks. Clarification appended.

This weekend, teams of hackers from all over the world will do their damnedest to break into U.S. satellite systems and sabotage them — courtesy of America’s newest military service, the U.S. Space Force.

Hack-A-Sat 2 is a white hat hacker Capture the Flag event, a real-time contest between teams of security researchers competing to prove their offensive and defensive hacking skills. It’s being staged by U.S. Space Systems Command (SSC), the part of Space Force that manages American military satellite constellations in orbit — but the systems the hackers are trying to break will be safely on the ground, at least this year.

The second annual Hack-A-Sat CTF has “bridged the gap between the hidden world of satellite operations and the outside hacking community,” said SSC’s Enterprise Corps Special Programs Director Col. Brad Walker in a statement. Four U.S. teams plus one from Poland, two from Germany, and a multinational Francophone crew from Belgium, France, Switzerland and Mauritius, qualified for the contest out of a field of more than 1,000 teams that registered to take part in the qualifying initial challenges over the summer.

With the global economy increasingly reliant on space-based services like GPS, the gap Walker refers to is becoming more dangerous. The new generation of satellites is software-defined — upgradable via radio frequency links with ground stations — making equipment vulnerable to cybersecurity breaches. The mega constellations of satellites being built out by broadband providers like SpaceX are only set to draw more scrutiny from hackers.

“Cyberattack is where we are most likely to face the enemy in space,” Lt. Gen. Stephen Whiting, now in charge of Space Operations Command, said last year, Breaking Defense reported. Kinetic attacks, like the anti-satellite weapon Russia recently tested, create a debris field, which can have cascading and unforeseeable effects on other objects in orbit. Cyberattacks, by contrast, are limited and usually reversible.

1_Tigf6t3nhGy7QkMEzWAL9QA fish-eye lens view of computers aboard the International Space Station. NASA/Flickr

But hacking satellites is very different from attacking other kinds of IT systems, said Ben Sprague, from SingleEventUpset, one of the CTF teams competing this weekend. “The first priority is familiarity with the system,” he told README. Satellite networks traditionally use embedded software — code that’s built to run on only one, specially designed piece of hardware, rather than interchangeably on hundreds or thousands of different kinds of devices as is the norm in conventional IT systems.

As a result, he said, “You need a very broad range of skill sets [to compete.] We have that.”

The Hack-A-Sat organizers are playing their cards close to their chest, according to interviews with multiple finalists. Just this week, teams got the digital twins of the satellite systems they’ll be attacking and defending. The twins are a virtual model of the real satellite and its embedded software. When the two-day challenge kicks off Saturday, they’ll be able to access the real thing — actual satellite hardware (albeit earthbound) running just the way it would in space. These flat sats, so called because they are typically laid out as if on a workbench, will have flags buried in their software that opposing teams get points for seizing.

“On a satellite or any embedded system, the cyber Kill Chain is relatively short,” said Sprague, referring to a widely used step-by-step model for cyber defense. “There aren’t as many layers of security … because they’re running less sophisticated operating systems.”

But he said the big picture attack strategy for the competition “comes down to what it always does: Can I write to memory when I’m not supposed to? And if so, can I then execute the code that I wrote there?”

Sprague’s team name is a nod to a technical term for what happens when ionizing radiation in space unexpectedly flips a bit from one to zero (or vice versa) on a semiconductor chip. These “single event upsets” are one reason why processors on satellites have to be heavily shielded.

“It’s something you wouldn’t want to happen to your satellite,” said Sprague.

1_WWsNAHVLim_DGKp5WJvVVgMembers of the Poland Can Into Space CTF team compete in the first Hack-A-Sat contest in 2020. Stanisław Podgórski/courtesy of Poland Can Into Space

CTF camaraderie

Another Hack-A-Sat finalist is named PFS or Pwn-First Search, a play on the Depth-First and Breadth-First Search algorithms, according to team member Cyrus Malekpour.

PFS, which won the contest last year, has 32 active members on its Discord Channel, 10 of whom have signed up for this weekend’s event, Malekpour told README. Like many CTF teams, PFS operates pretty casually, he explained. “We do have a weekly [remote] meeting. It’s not required for people to show up, but I would say that even just having a weekly meeting makes us more formal than most teams.”

PFS is the latest iteration of a group of friends who have been playing together for as much as a decade in some cases, he said. Such fractal networks are the basis for many CTF teams, but others are more institutionally based.

The Plaid Parliament of Pwning, or PPP, for example, is centered on Carnegie Mellon University — faculty, students and alums have all participated. And CMU runs picoCTF, a competition for high school students, which creates a pipeline of potential new recruits, according to emailed answers to questions compiled by team member Tyler Nighswander. As for the name, the team told README that plaid is the school color of CMU, pwning explains itself and parliament was chosen for alliteration. When famed CMU computer science professor David Brumley first put the team together in 2009, the original captain Brian Pak “asked all the members for team name suggestions and that’s the one that stuck,” Nighswander said.

Like some other teams README spoke with, PPP will compete remotely this weekend, but in a hybrid fashion with a few in-person meetups, according to Nighswander.

PFS members have played almost exclusively remotely since the pandemic, said Malekpour. “In past years, for the big events, we would rent an AirBnB house and everyone would fly in and spend the weekend playing,” he explained, adding that in the dynamic environment of an attack/defend CTF, in-person teams can have an advantage.

But “there’s a core group of us that had been playing together for maybe four years,” Malekpour said. “And that definitely helped us translate over to being online, fully remote.”

Many CTF teams include small, long-lasting groups of friends who’ve often played together — or against each other — over the years, said Michał Kowalczyk of Poland Can Into Space, a self-styled Polish national “dream team” made up of members of two normally rival Polish CTF outfits plus a few friends with space industry experience.

For SingleEventUpset, the CTF is a team-building exercise for their day jobs — members are all employees of CrypticVector, a boutique government cybersecurity and IT infrastructure contractor. “None of our projects quite rise to the scale of everybody [at the company] all working on the same thing at the same time,” he explained. But in the contest, “I get to work directly with a bunch of people that I don’t normally get to.”

That’s not the only motivation: In addition to bragging rights, the winning teams will collect prize money — $50,000 for first place, $30,000 for second and $20,000 for third. And, win or lose, all of them get to keep their flat sats.

The U.S. teams should consult with a tax adviser about their liabilities to the IRS, according to the organizers’ guidance. Members of the Germany-based FluxRepeatRocket, who landed in 3rd place last year, told README that their winnings, if any, will go into an account that’s used to pay the team’s travel and other expenses.

Regular updates on the play over the weekend will be posted at https://www.hackasat.com/.

Clarification: This story has been updated to reflect additional interviews with competitors and to credit Malekpour for two quotes incorrectly attributed to a teammate.