The Feds Want These Teams to Hack a Satellite—From Home

“The Feds Want These Teams to Hack a Satellite—From Home”
WIRED, August 6, 2020
Security
By Sarah Scoles

“Meet the hackers who, this weekend, will try to commandeer an actual orbiter as part of a Defcon contest hosted by the Air Force and the Defense Digital Service.”

As a kid, Alvaro Prieto kept “astronaut” open as a career option. When his family moved from Mexico to Florida—the state where the actual astronauts lift off—his off-world fascination only grew. “After surviving one year in the US, my gift was Space Camp,” he says, referring to the famous kids’ program in Huntsville, Alabama. Later, he convinced his dad to drive up to Cape Canaveral to watch the shuttle Discovery’s final ride, soon bidding farewell to the era of spaceflight he’d grown up with.

So, yeah, Prieto likes space. But, no, he didn’t become an astronaut: Instead, he’s an electrical and firmware engineer who has worked in the telecommunications, consumer electronics, semiconductors, and medical industries. With his combo of cosmic interests and cyber skills, though, he is the target demographic for a contest called Hack-a-Sat, hosted by the Air Force and the Defense Digital Service. Hack-a-Sat is what it sounds like: From August 7 to 9, competitors will try to hack an actual satellite during a socially distanced, online-only Defcon, one of the world’s largest hacker conferences, as part of the Aerospace Village.

Prieto’s Hack-a-Sat team, called ADDVulcan, is one of eight—out of a total of around 1,300—that made it through the qualifiers back in May and are now vying for the $50,000 first prize. Teams could be of unlimited size and made up of people from different companies or universities, as long as they contained one US citizen and nobody on the Department of Treasury’s “Specially Designated Nationals” list, a database of people and companies the government has deemed to be acting on behalf of “targeted countries,” or non-state organizations like terrorist groups or drug trafficking networks. Once the hackers registered a group (or boldly filled in the forms solo), they were eligible for the 48-hour-long qualifying round.

Normally, many would have booked an Airbnb, bought a bunch of snacks and caffeine, and hacked it out in the house together. With everything going virtual, though, teams largely stayed home and chatted on the likes of Discord servers and Slack channels.

When they logged in for the qualifiers, competitors saw a Jeopardy!-style board, with 32 challenges arranged from easy to hard under six categories, like “Astronomy, Astrophysics, Astrometry, Astrodynamics,” or “Payload Modules.” “Most are areas of study I’m unfamiliar with,” says Prieto’s teammate Amie Dansby, who says her “day-walker job” is being a simulation software engineer. “Everyone starts knowing nothing, and I definitely felt like I was starting at the I-know-nothing phase.” Dansby first floated the challenge to a few friends during a video hangout, and then team leader Will Caruana helped gather a larger team totaling 51 people, some of whom did have space know-how.

At the start, only a few of the perplexing challenges were unlocked. The first team to solve a particular problem—to “capture a flag”—got to unlock another challenge for everyone. Each successful solve earned the teams points, with the specific scoring for each problem determined by the total number of correct answers.

Those qualifiers were kind of a gauntlet. For Prieto, one memorable challenge was called “Don’t Tweet That Picture.” Participants were given three illustrations of five buildings, meant to simulate photos taken on a certain date, each casting shadows, along with their latitude and longitude. Their mission, should they choose to accept it, was to figure out where the camera and light source were. Immediately, Prieto knew this fictional-game scenario was based on a past real-world problem: the time President Donald Trump tweeted a creepily high-res, from-above photo of an Iranian spaceport where a rocket had just blown up. In HD detail, you could see the writing on the launch pad, the damaged cars, the disturbed earth. “The United States of America was not involved in the catastrophic accident,” Trump wrote, attaching a satellite picture sharper than the public had ever seen and so broadcasting previously undisclosed surveillance capabilities.

Trump didn’t say where the photo had come from, or even that it was a satellite shot. But online analysts, energized by its unknown origin, started trying to figure out which shutter snapped it. And they succeeded, detailing the effort on the “SatTrackCam Leiden (b)log.” The blog’s host, Marco Langbroek, uses a network of cameras to gather information about classified sats and missile tests. His post about the rocket failure revealed how shadows, satellite orbits, and the viewing angle revealed which satellite had likely seen that Iranian launchpad so clearly.

Prieto looked at the fictional buildings on his own screen, recalling the SatTrack work and thinking perhaps he could replicate the analysis for these fake Hack-a-Sat photos. “I only tried it because I remembered, ‘Oh, the math has been solved,’” he says. “It’s in this blog post.”

That didn’t quite work out as planned. There was actually a bug in the problem itself, meaning that—as the competition organizers put it to participants—the problem was “unlikely to be solved in the anticipated way.” No one found an unanticipated way during the competition, but one team did after the fact.

Still, ADDVulcan solved 23 other challenges, including one Prieto netted called “Where’s the Sat?” The instructions were short: “I tell you where I’m looking at a satellite, you tell me where to look for it later.” Another one he figured out was called “Digital Filters, Meh.” It asked competitors to parse the code controlling a satellite’s orientation, looking for a bug. In the end, ADDVulcan came in fourth by nabbing enough flags worth lots of points.

On August 7, when the next stage of the competition starts, they’ll work problems on a tabletop satellite called a FlatSat, which is basically a terrestrial replica of the hardware and software you’d find on a real orbiter. Then, if they succeed, they’ll get to try to type their way into an actual space satellite.

Most of that is important to you too. The modern American world can’t run without satellites. And yet sats are not nearly as safe and secure as our still-functioning world seems to indicate. Their cybersecurity has been weighed in the balance, and has, in general, been found wanting. As cyber-conflict scholar Will Akoto of the University of Denver pointed out in a February op-ed for Undark, “there are currently no cybersecurity standards for satellites and no governing body to regulate and ensure their cybersecurity,” and no organization to enforce standards anyway. (Two of the more egregious instances he points out: In 1998, hackers got to an astronomical satellite called ROSAT and pointed its solar panels directly at the sun, ruining it. And in 2007 and 2008, hackers gained access to NASA and US Geological Survey sats.)