
Cybersecurity Researchers Sent a “Sandbox” Satellite into Space to Hack into It

By Natalia Mesa
SpaceRef
June 28, 2023
Rendering of the Moonlighter satellite. Image credit: The Aerospace Corporation.

For the first time, researchers launched a satellite into space with the express hope that hackers will find and exploit weaknesses in its security defenses. Dubbed Moonlighter, the satellite will be the core of Hack-a-Sat, an annual space security competition hosted at DEF CON, the world’s largest hacking conference.

The project is a collaboration between the Aerospace Corporation, the Air Force Research Laboratory, and US Space Systems Command. In a so-called bug bounty program to be held at this year’s DEF CON, which will begin on August 10, five teams of hackers will face off to identify vulnerabilities and breach the satellite’s cybersecurity system so that the government can learn more about how hackers go about satellite cyberattacks. The first team to hack the satellite will receive a $50,000 grand prize.

The satellite hitched a ride into low Earth orbit on a SpaceX rocket on June 5, along with several other CubeSats for a resupply mission to the International Space Station, where it’s currently awaiting deployment. The satellite will finally go into orbit in July in preparation for DEF CON.

The Hack-a-Sat competition started in 2020, after the secretary of acquisitions for the Air Force attended DEF CON. Since then, the Air Force has used the annual competition as an information-gathering project. But so far, all the competitions have been simulations — Moonlighter will be the first actual satellite involved.

James Turgal, vice president of cyber risk, strategy, and board relations at the cybersecurity consulting firm Optiv, and a former executive assistant director for the FBI Information and Technology Branch, told SpaceRef that Hack-A-Sat is “a tremendous program,” and “the necessary next step, because we’ve not had the ability to create a sandbox that’s actually in space.”

Finding the weak spots

Humans interact with space technology each day, yet there are ample vulnerabilities that hackers could use to bring these systems down. “There are a lot of different ways to hack into a satellite,” Myrick added. And the contest may reveal novel approaches to the industry: The techniques hackers use to break into Moonlighter’s cybersecurity systems will be mapped onto the SPARTA matrix, a framework intended to provide information to the space sector about how satellites can be compromised.

At the same time, designing security systems for satellites is challenging. “We don’t have direct access to our systems. We can’t just go up there and replace the hard drive in a cyber event,” explains Myrick. Satellites are also not in communication with the ground for the majority of their life. “You don’t necessarily know what’s going on with your system at all times,” he explains.

Moonlighter is equipped with cybersecurity software with known synthetic vulnerabilities (no cybersecurity software is foolproof). Via the Hack-A-Sat competition, researchers can look “at how these teams … analyze this system, how they would then go and exploit that synthetic vulnerability,” Aaron Myrick, a project coordinator at The Aerospace Corporation and the lead of the Moonlighter project, told SpaceRef.

At DEF CON, the hackers will be able to change where the satellite is pointing, but its orbit will remain fixed. That way, the competitors won’t be able to create an actual hazard in orbit — they’ll just demonstrate how a more malicious hacker might do so.

Real-world risks

Cybersecurity attacks on satellites remain rare but could have severe consequences. Most recently, during the start of the Russian invasion of Ukraine, Russian state-backed hackers bricked US-based Viasat’s satellite modems. The attack was meant to knock out Ukrainian communications during the start of the invasion, but also disrupted satellite internet connections throughout Europe.

After DEF CON, Moonlighter will be used for private events similar to Hack-A-Sat as a test bed for trying out security technologies. “It’s oftentimes hard for cybersecurity companies to find avenues to test and iterate on these things,” Myrick said. “We want to be able to iterate and run through those exercises again so that we can improve on them.”

Turgal added that it’s “absolutely essential” that commercial industries also adopt similar programs. “It doesn’t matter what industry if they’re an organization that likes to design their own [space] technology.”

Natalia Mesa

Natalia Mesa is a neuroscientist turned journalist based out of Seattle, Washington. She writes stories on all aspects of science and health. Her work has appeared in The Atlantic, The Scientist, Science, Scientific American, and others.