
SpaceX Delivered the Moonlighter Satellite into Orbit, Where It Will Be Hacked at DEF CON

In August 2023, during the DEF CON security conference in Las Vegas, researchers will remotely hack the Moonlighter satellite, which was recently delivered into orbit by a SpaceX Falcon 9. The team that discovers a way to capture the satellite will receive the main prize of $50,000.

Called “the world’s first and only hacker sandbox in space,” the Moonlighter is a small cubesat weighing around 5 kilograms.

When folded it measures 34 cm x 11 cm x 11 cm and when fully extended with solar panels it measures 50 cm x 34 cm x 11 cm.


The satellite was built by the federally funded Aerospace Corporation in partnership with the US Space Systems Command and the US Air Force Research Laboratory. It will run software developed by information security and aerospace experts specifically for in-orbit cybersecurity training and exercises.


Let me remind you that we also wrote that Pwn2Own participants made a printer play AC/DC, and that Chinese authorities use the Tianfu Cup as a source of exploits.

We also reported that Microsoft experts talked about Iranian hackers' attacks on security conference participants.


This project is inspired by the Hack-A-Sat competition, which US Air Force and US Space Force specialists have held for four years at the annual DEF CON security conference.

According to project leader Aaron Myrick of Aerospace Corporation, Moonlighter’s goal is to take offensive and defensive cyber exercises for space systems from a laboratory setting on Earth to low Earth orbit. In addition, the satellite is designed to withstand attempts by hacker teams competing to take control of its software without the contestants being able to damage or destroy it.

“If you’re running a hacking competition, or any other cyber activity or exercise with a real craft, it’s difficult because you’re potentially compromising the mission of that craft. This is not the best option if you have previously spent a lot of engineering hours and a lot of money to get it up and running. So we decided that if we want to do it right, we have to build everything from scratch,” Myrick says.

To this end, the satellite runs software that behaves like a real on-board computer and can be subjected to multiple real attacks, allowing you to capture the satellite without harming its critical subsystems.

“All this makes the cyber experiment reproducible, realistic and safe, while maintaining the safety of the satellite,” Aerospace Corp. explains.

The first test of the Moonlighter will take place in August, when teams will try to break into it as part of the Hack-A-Sat competition in Las Vegas. The five teams that make it to the DEF CON finals will be eligible to try their hand at it.

This will be the first time that a real satellite actually in orbit has been targeted in the annual hacking competition. The top three teams will receive cash prizes: $50,000 for first place, $30,000 for second place, and $20,000 for third.

The Register quotes James Pavur, Lead Cyber Security Software Engineer at Istari, who has competed in three previous Hack-A-Sat competitions. Pavur describes himself as a “passionate information security researcher” when it comes to finding holes in satellites and has a PhD from Oxford on securing such systems.


Pavur participated in the qualifying round of the satellite hacking competition this year as well, but did not qualify for the finals. According to him, the qualifying round included “complex astrodynamics tasks related to general mechanics and positioning, figuring out where objects in space will be and where they are going.”

The expert says that the competition requires “very deep mathematics and physics, as well as a lot of experience in embedded systems and reverse engineering.”

The researcher explains that a number of things make protecting space systems unique, in particular the fact that it’s impossible to just “go and reload” them.

In this regard, space systems are built with many risks in mind and use redundancy to provide various communication methods for system recovery (in case of failure, as well as for debugging faulty equipment). However, this approach gives attackers more opportunities to gain access to the satellite and compromise it.

“Another important feature of space systems is that they are constantly exposed to environments that we are not used to [including physical threats such as solar radiation, extreme temperatures and orbital debris]. Therefore, when people design space systems and decide which risks to prioritize, they often view cybersecurity as a lower risk compared to extremely aggressive environmental harm,” the expert says.

This, he says, is one of the reasons why space systems are having a hard time keeping up with their terrestrial counterparts when it comes to cybersecurity.

Pavur hopes the Moonlighter will encourage more “adoption of offensive security research” in the aerospace industry.

Companies can do this by offering rewards for discovering vulnerabilities, hosting hacking competitions, and hiring pentesters to stress test their systems.

“Hopefully a project like Moonlighter will make the industry think about how they can use the fact that space is really cool and fun and hackers are interested in it. There are many incredibly talented security professionals who would like to make the space world safer,” concludes Pavur.

Daniel Zimmermann

Daniel Zimmermann has been writing on security and malware subjects for many years and has been working in the security industry for over 10 years. Daniel was educated at the Saarland University in Saarbrücken, Germany and currently lives in New York.
