SpaceX Delivered the Moonlighter Satellite into Orbit, Which Will Need to Be Hacked at DEF CON

During the DEF CON security conference in Las Vegas, which will be held in August 2023, researchers will remotely hack the Moonlighter satellite, which was recently successfully delivered into orbit using the SpaceX Falcon 9. The team that discovers a way to capture the satellite will receive the main prize of $50,000.

When folded it measures 34 cm x 11 cm x 11 cm and when fully extended with solar panels it measures 50 cm x 34 cm x 11 cm.

The satellite was built by the federally funded The Aerospace Corporation in partnership with the US Space Systems Command and the US Air Force Research Laboratory. It will run software developed by information security and aerospace experts specifically for in-orbit cybersecurity training and exercises.

Let me remind you that we also wrote that Pwn2Own members made the printer to play AC/DC, and also that Chinese authorities use Tianfu Cup as a source of exploits.

We also warn that Microsoft experts talked about Iranian hackers attacks on security conference participants.

This project is inspired by the Hack-A-Sat competition, which has been held for four years by the US Air Force and US Space Force specialists at the annual security conference DEF CON.

According to project leader Aaron Myrick of Aerospace Corporation, Moonlighter’s goal is to take offensive and defensive cyber exercises for space systems from a laboratory setting on Earth to low Earth orbit. In addition, the satellite is designed to withstand attempts by hacker teams competing to take control of its software without the contestants being able to damage or destroy it.

To this end, the satellite runs software that behaves like a real on-board computer and can be subjected to multiple real attacks, allowing you to capture the satellite without harming its critical subsystems.

The first test of the Moonlighter will take place in August, when it will be broken as part of the Hack-A-Sat competition in Las Vegas. The five teams that make it to the DEF CON finals will be eligible to try their hand at this area.

This will be the first time that a real satellite actually in orbit has been targeted in the annual hacking competition. The top three teams will receive cash prizes: $50,000 for first place, $30,000 for second place, and $20,000 for third.

The Register quotes James Pavur, Lead Cyber Security Software Engineer at Istari, who has competed in three previous Hack-A-Sat competitions. Pavur describes himself as a “passionate information security researcher” when it comes to finding holes in satellites and has a PhD from Oxford on securing such systems.

Pavur participated in the qualifying round of the satellite hacking competition this year as well, but did not qualify for the finals. According to him, the qualifying round included “complex astrodynamics tasks related to general mechanics and positioning, figuring out where objects in space will be and where they are going.”

The expert says that the competition requires “very deep mathematics and physics, as well as a lot of experience in embedded systems and reverse engineering.”

The researcher explains that a number of things make protecting space systems unique. In particular, the fact that it’s impossible to just “go and reload” them.

In this regard, space systems are built with many risks in mind and use redundancy to provide various communication methods for system recovery (in case of failure, as well as for debugging faulty equipment). However, this approach gives attackers more opportunities to gain access to the satellite and compromise it.

This, he says, is one of the reasons why space systems are having a hard time keeping up with their terrestrial counterparts when it comes to cybersecurity.

Pavur hopes the Moonlighter will encourage more “adoption of offensive security research” in the aerospace industry.

Companies that offer rewards for discovering vulnerabilities and host hacking competitions, as well as hiring pentesters to stress test their systems, can do this.