DEF CON takes CTF into Space

Submitted by: Bengt Gregory-Brown (CS)²AI Co-Founder


Original Source: https://www.darkreading.com/application-security/the-race-to-hack-a-satellite-at-def-con/d/d-id/1338657

By: Curtis Franklin Jr. 8/13/20


Eight teams competed to win cash, bragging rights, and the chance to control a satellite in space.



At DEF CON 27 there was a tantalizing promise: A space-based capture-the-flag competition at DEF CON 28, featuring actual satellites to be controlled. Then came 2020.

Hack-a-Sat, as it came to be called, was still on. In the spring, more than 6,000 competitors virtually gathered, self-organized into more than 2,000 teams. In May they competed in a series of challenges, and by May 24, eight teams had risen to the top. At DEF CON 28, they spent two days working through five challenges with several rewards at stake. One (and a big one at that) was bragging rights. Another was a shared of a $100,000 prize purse. And third was the chance to have a solution uploaded to an actual, operational satellite and have it dance to the tune called by the winning team.


The eight teams, with members from around the world, were: Poland Can Into Space, FluxRepeatRocket, AddVulcan, Samurai, Solar Wine, PFS, 15 Fitty Tree, and 1064CBread.

On Friday morning, August 7, they began the competition, which was part of the Aerospace Village at DEF CON.


Floating on Air

Unlike many capture-the-flag (CTF) competitions, Hack-a-Sat had a physical component for each team. The sponsors had purchased a series of off-the-shelf training satellites featuring a "standard" guidance navigation and control system (GNC) and a custom Artix 7 FPGA- and Raspberry Pi-based board for onboard and payload systems. According to the team that ran the competition, code from the European Space Agency (ESA) and NASA was used on the two boards, with the off-the-shelf board chosen for its rapid access to sensor and control surfaces, and the custom board designed to be far more interesting from a CTF perspective.


The physical elements came from the "flat sat" training satellites that were platforms for the electronic components. These earth-bound physical simulators were mounted on air-bearings so they could move without resistance and simulate various elements of the scenario. The competition lab also had moving radio transceivers for each team, to simulate moving communication issues, and a virtual moon (along with other visual targets).


5 Challenges

The scenario for the contest allowed for a wide variety of challenges: A satellite has been attacked and compromised by an attacker, and is now spinning out of control. The teams need to regain control of the satellite.


To do that, they had to complete five challenges - four that were scored based on order to arrive at a solution and time required, and one that was pass/fail.


Challenge 0: Gain control of the satellite communications ground station.

The adversary had obtained access and locked others out, so teams had to use a network to access to the station.


Challenge 1: Attempt communication with the satellite spinning out of control.

They then had to regain communications with the satellite.


Challenge 2: The satellite's guidance navigation and control system (GNC) "went offline."

Teams had to repair it as quickly as possible to stop the the satellite's spinning. This was a challenge in which the satellite's physical reality became important: Each flat-sat had only so much battery power for the day, and solutions that used too much power could leave the teams unable to solve subsequent challenges until after the satellite had recharged overnight.


Challenge 3: The satellite has stopped spinning but can't communicate with the payload module or imager.

This brings up an important question: what else might be damaged? Teams had to restore communications to the payload module.


Challenge 4: Restore normal operations of the payload module to then control the imager.


Challenge 5: The teams have regained control, but now must prove it by taking an image of the moon in the lab.

This challenge was pass/fail and was important for two additional reasons. First, teams had to pass this test to be eligible for podium placement at the end of the challenge. Next, one team would be selected to have their solution uploaded to an actual satellite to see whether it could get an image of the actual moon.


Solving the challenges involved a combination of traditional communications hacking, diving through documentation, understanding orbital mechanics and flight controls, and hardware hacking through exploiting undocumented input and output mechanisms. Every hour throughout the two days of the competition there was an update showing a leaderboard with comments on the progress (or lack) by the various teams, and explanations of the challenges and solutions.


Story continues. . .

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and ...View Full Bio