Top insights for IT pros
From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.
Here’s something hackers don’t get every day: an open invite to crack a military satellite.
On June 5, the Aerospace Corporation, Space Systems Command, and the Air Force launched Moonlighter, a roughly 11-pound CubeSat, into low Earth orbit on board a SpaceX rocket. Moonlighter’s mission, the Register reported, is simple: taking offensive and defensive cyber exercises for space systems into the actual environment those systems will be based in. At DEF CON 2023 in August, five teams of hackers will compete for a grand total of $100,000 in prize money to breach Moonlighter’s defenses.
Cyberdefense for space assets is notoriously underdeveloped, if only because they haven’t historically been targets for hackers. That changed in 2022, when hackers working for the Russian military targeted Viasat’s KA-SAT network amid its invasion of Ukraine. While the attack was aimed at ground assets rather than the satellites themselves, the incident served as a wake-up call for the space sector.
While Moonlighter is an actual satellite, the hackers will actually be targeting a simulated flight computer hosted in an onboard sandbox alongside the real one. That’s because screwing with any of the satellite’s actual control systems could lead to catastrophe for Moonlighter.
“If you’re doing a hacking competition, or any sort of cyber activity or exercise with a live vehicle, it’s difficult because you’re potentially putting that vehicle’s mission at risk,” Aaron Myrick, the project leader at Aerospace Corporation, told the Register. “And that’s not a good option when you’ve spent a lot of engineering hours and a lot of money to get this launched. So we said if we want to do this right, we have to build this from the ground up.”
The competition in August builds on the Air Force and Space Force’s annual Hack-a-Sat content, which previously involved purely simulated satellites.
Myrick told CyberScoop the project is intended to broaden the space industry’s awareness and acceptance of the need for offensive cybersecurity research. One challenge is that satellites often spend large amounts of time isolated from their operators and relying on automated systems.
Istari’s lead cybersecurity software engineer, James Pavur, who participated in qualifying rounds for the competition, told the Register the exercise involved “wicked-hard astrodynamics problems related to overall mechanics and positioning.” Pavur added that the risk of losing contact with a satellite also presents unique opportunities, as operators often build in redundant communications pathways that can “become attack surfaces that an attacker might target.”
While the DEF CON contestants will have mostly free rein to attack Moonlighter’s sandbox payload, there are hard limits: They won’t be able to affect its orbital trajectory.
“We are designing the flight software for the cyber payload to basically be able to operate the vehicle fully,” Myrick told Cyberscoop. “So it will be able to change how the vehicle is pointed.”