Uncle Sam wants DEF CON hackers to hijack this Moonlighter satellite in space

Assuming the gods of weather and engineering cooperate, a US government-funded satellite dubbed Moonlighter will launch Sunday at 1212 EDT (1612 UTC), hitchhiking on a SpaceX rocket before being released into Earth orbit.

And in about two months, five teams of DEF CON hackers will do their best to successfully infiltrate and hijack the satellite while it’s in space. The idea is to try offensive and defensive techniques and methods on real hardware and software in orbit, which we imagine could help improve our space systems.

Moonlighter, dubbed “the world’s first and only hacking sandbox in space”, is a medium-sized 3U cubesat with a mass of about 5 kg. Stowed, it measures 34cm x 11cm x 11cm, and when fully open with its solar panels out, it measures 50cm x 34cm x 11cm.

It was built by the Aerospace Corporation, a federally funded research and development facility in Southern California, in collaboration with the US Space Systems Command and the Air Force Research Laboratory. It will run software developed by infosec and aerospace engineers to support in-orbit cybersecurity training and exercises.

This effort was inspired by the Hack-A-Sat contest co-hosted by the US Air Force and Space Force, now in its fourth year at the DEF CON annual cybersecurity conference.

Moonlighter’s goal was to move offensive and defensive cyber exercises for space systems out of a laboratory environment on Earth and into low-Earth orbit, according to project leader Aaron Myrick of Aerospace Corp. Not only that, but the satellite must be able to manage multiple teams competing to take control of its software without losing or damaging the whole thing and screwing up the project. Therefore, an integrated sandbox approach was taken.

“If you’re doing a hacking competition, or any kind of computer activity or exercise with a live vehicle, it’s difficult because you’re potentially putting that vehicle’s mission at risk,” Myrick told The Register.

“And that’s not a good option when you’ve spent a lot of engineering hours and a lot of money to get it launched. So we said if we want to get it right, we have to build it from scratch.”

Sending into space… The Moonlighter satellite. Credit: The Aerospace Corporation

To that end, the tiny satellite runs a software payload that acts like a real flight computer, which, it is hoped, will be subjected to multiple realistic attacks and seized without affecting the underlying critical subsystems.

“This allows computer experiments to be repeatable, realistic, and safe while maintaining the health and safety of the satellite,” says Aerospace Corp.

Moonlighter’s first test will come in August, when it’s part of the Hack-A-Sat 4 competition in Las Vegas. Five teams have qualified for the final of the competition at DEF CON, where they will compete.

This year’s annual competition will therefore be the first time conference hackers can test their skills against a live orbiting satellite. The top three teams will win a monetary prize: $50,000 for first place, $30,000 for second, and $20,000 for third.

Space jam

James Pavur, chief cybersecurity software engineer at Istari, has participated in the previous three Hack-A-Sat competitions and gave a keynote address on radio frequency attacks in space at last year’s DEF CON.

He describes himself as an “avid security researcher” when it comes to drilling holes in satellites, and did his doctoral thesis at Oxford on the security of such systems. You may also remember him from his talk on leveraging GDPR requests at Black Hat, where a tiresome Polish airport delay inspired an insight into serious issues with the enforcement of European law.

Pavur entered the qualifying round for this year’s satellite hacking competition, though he didn’t make it to the finals.

The qualifying round included “treacherous and difficult astrodynamics problems related to general mechanics and positioning, figuring out where objects will be in space and where they’re going,” he told The Register. “It’s a lot of really deep math on the physical side of things and requires a lot of experience in embedded systems and reverse engineering.”

There are a couple of things that make protecting space systems unique, he explained.

“The most obvious is that you can’t just go up there and restart them,” he said. “So your risk tolerance is very low for losing access to device communications.”

For this reason, space systems are built in a risk-averse manner and employ redundancy to provide multiple communication paths to restore a system in the event of a failure or to debug equipment that is malfunctioning.

These routes, however, also give malicious actors more opportunities to gain access to a satellite and ultimately compromise it. “They can all become attack surfaces that an attacker could target,” Pavur said.


“The other big thing that makes space systems different is that they’re always subject to a degree of environmental attack that we’re not really used to,” he added.

This includes physical threats, such as solar radiation, extreme temperatures and orbital debris.

“So when people build space systems and decide which risks to prioritize, they often treat cybersecurity as a lesser risk than absolutely certain aggressive environmental damage,” Pavur explained.

“They will make cost and priority choices that de-prioritise cybersecurity issues and increase physical issues.”

That’s not always a bad choice, he added; it’s just not a choice we typically have to make with terrestrial networks and nodes. And it’s one reason why space systems have struggled to keep pace with their terrestrial counterparts from a cybersecurity perspective.

Then there is the growing commercialization of the aerospace industry, coupled with hardware and software used in space becoming increasingly commoditized and mass-produced, not unlike the technology used in terrestrial systems.

“The bar is lowered for space entry,” Myrick said.

“And that goes both for people who are trying to put things there, but also for people who are willing and able to make other people have a bad day,” he continued, using last year’s Viasat debacle as an example of “a rather destructive event that gave people a bad day”.

“With Moonlighter, we’re trying to address the problem, before it becomes a problem.”

Space security is national security

To be clear, Russia’s cyberattack on Ukraine’s Viasat satellite broadband system, which brought down service to tens of thousands of people across Europe as Putin’s army overran a neighboring country, began with an intrusion into the company’s terrestrial satellite infrastructure.

“But they used the satellite network to deploy, which is important,” Myrick said. “It highlighted the problem and therefore made it non-theoretical.”

For many, both in government and in the private sector, the Viasat security breach has moved the question of cybersecurity in space away from science fiction novels and into reality.

“We are all aware that the first ‘blow’ in the current Ukrainian conflict was a cyber attack on a US space company,” US National Information Technology Director Kemba Walden told reporters at the RSA conference in April, en route to the White House’s first space industry cybersecurity workshop.

Defending space systems from threats remains “urgent and requires top-level attention,” Walden said.

Space fanatics and hackers

However, the space industry hasn’t been the most welcoming of security researchers, not even ethical hackers who try to find and disclose bugs before the bad guys exploit them.

Pavur said he hopes Moonlighter will encourage greater “acceptance of offensive security research” in the aerospace industry. This could include companies that offer bug bounties, host hacking contests, or hire penetration testers to stress test their systems.

“Hopefully a project like Moonlighter will get the industry thinking about how to apply the fact that space is really cool and fun and that hackers are interested in that,” he said. “There are a lot of incredibly talented security people who would like to make the space world safer.”

Moonlighter will launch Sunday from Kennedy Space Center in Florida on a SpaceX Falcon 9 rocket carrying supplies and equipment to the International Space Station.

The launch was supposed to take place on Saturday but was delayed due to bad weather.
