The Air Force Will Let Hackers Try to Hijack an Orbiting Satellite

Some specifics are still in the offing, like which satellite will be involved—regardless, it will likely be flying in low Earth orbit—how many teams will be selected in each round, and the size of the final cash award. But still, it’s not every day that you get to hack a celestial body, much less legally so.

“If you want to get into a satellite, you can either go through the ground station or you can try to find a way into the satellite directly, with your own emitter. We will have opportunities for contestants to do both,” says Roper. “But what they’re going to do is try to take over the satellite by any means they find.”

Air Force to offer up a satellite to hackers at Defcon 2020

Last month the USAF took a F-15 data system to the Defcon hacker conference in Las Vegas. They let a few select hackers tear it down to see what they could find and serious vulnerabilities were uncovered in third party components of the data system.

So next year at the Defcon hacker conference the Air force is going to offer up a satellite. The plan is to only let them hack the camera gimbals and point the camera at the moon.

What if I move the moon, into the camera frame? Do I win?

a reply to: Archivalist

Lets hope you can't do that because the camera is going to be pointed at Earth to begin with.

I didn't get a chance to make it to Defcon this year myself, but I have seen a little chatter about this at the company I work for. I wouldn't even begin to put it out of the realm of possibility that our red team folks could do it. I dabble a bit based on my interests and more strategic focused role, but we have some people that are downright scary in their capabilities.

a reply to: LookingAtMars

Better to test it with people who will provide feedback than advisaries who'll sit on it till "the day" comes.

Seems smart.

I like this, look to your own backyard for weak spots.

Good job AF

in theory sounds like a good idea.

as arnie123 stated

but the reality is much different.

One how do you know the person(s) you are asking to do this will tell you EVERYTHING they found out about this?
even with the best vetting your relying on civilians who are not part of your community and all your "secrecy documents" are just worth the cost of the paper its on..
where your internal people are much closer watched and much easier to influence (not totally to be fair not absolute).

two... if your job/department is cyber security shouldnt you be already able to take the very defenses you have and tear them apart to look for weaknesses?
hell even a different part of the government so no conflict of interests by only relying on your own people?

three...already people (be foreign entities or hacker groups, be just because or malicious intent) already are trying this.

four...when has an open challenge ever gone well? remember the life lock debacle? Or the famous challenge by apple for someone to break their fingerprint scanner and within 24 hours (I thought it was within 6 but may be wrong) done?

look I think having someone else test the security is a good idea...
but this public challenge is a bad idea.

do it quietly along with good old fashion investigation , spying, ect (aka monitoring) is the better way.

that way the enemy doesnt know what you know ..

just an idea

scrounger

a reply to: scrounger

The reason you bring in third parties is the different perspective. I've worked with clients previously that when a certain attack vector was brought up, they had never even considered it a possibility. For example: Interesting Engineering Article.

For the short version of that article, it's about a casino being hacked via a fish tank in their lobby. Even people in information security are just now coming up to speed on IoT security and the inherent attack vectors present there. It's part of my particular area of focus so I've been speaking with clients about it for years, and can count on one hand the number of CISO's, engineers, etc. that have even considered the attack vector.

Also your point about being able to look at your defenses and break them down, not always the case. Defense mindset is very different from attack mindset. On top of that, the best infosec folks in the world do not work for governments, there's no pay and upward mobility.

As for your fourth point about it not going well, that's what the Air Force hopes, they want them to be able to break into it because it will show where they are lacking. No system designer thinks of everything, if they did, I would be out a job...well aside from the human component which is usually the easiest to exploit.

Do some reading on APT groups to find out what governments and companies are up against these days, it may scare you just a bit. Defense has to be right 100% of the time, offense only has to get lucky once.

originally posted by: Archivalist
What if I move the moon, into the camera frame? Do I win?

Partial credit.

Every move they make and each action or command they do will be monitored and recorded, so it can later be reverse engineered, if assuming they might try to keep some things from their overseer.