Hackers compete to break into the Space Force’s Moonlighter satellite

Cyberspace, meet actual space: The US government recently sponsored its first off-world hacking competition at DEF CON 31 in Las Vegas.

From Aug. 11 to 14, five teams of hackers competed to score points by breaking into Moonlighter, a Space Force CubeSat launched for the express purpose of testing the limits of cybersecurity in space. Those teams had beat out over 700 others in a qualifying round held in April for the right to compete in the first ever capture-the-flag (CTF) exercise in low Earth orbit (or anywhere higher).

Competitors were scored on various tasks, such as establishing a data link with Moonlighter’s onboard hacking sandbox, breaking past its restrictions on taking photos of certain regions of Earth, and downloading the photo to a ground station. Another challenge involved tricking Moonlighter—which does not have a propulsion system—into reporting it was over the North Pole by injecting bogus scripts into its GPS receiver. The teams also had to defend their own vulnerable operating system while attempting to sabotage their competitors.

“What’s important for us is bridging the gap between the cyber and space communities,” Rachel Mann, a deputy technology transfer program manager with the Air Force Research Laboratory, told IT Brew. “We feel that to have vulnerable systems going up into orbit is, of course, not ideal.”

First place went to an Italian group named “mHACKeroni,” which scored the top prize of $50,000. Smaller cash prizes of $30,000 and $20,000 went to Polish team “Poland Can Into Space” and British-US team “jmp fs:[rcx]” for their respective second- and third-place showings.

Holding a CTF in space has unique challenges. For example, limited contact windows affected both the organizers and the competitors, Kevin Bernert, a captain in the Space Force, told IT Brew.

“Since Moonlighter’s in low Earth orbit, once it passes over a ground station, you only have about 10 minutes of line of sight,” Bernert said. That window acts as a throttle on the amount of time those on the ground can actually communicate with the satellite as well as how much data can be transferred.

While the finalists finished their work on Saturday, the team couldn’t determine mHACKeroni had won until the next day.

“Just because the competition hours ended doesn’t mean that our work was done,” Bernert told IT Brew. “We still had to make sure all the data was extracted on downlinks from Moonlighter, just to make sure that we received all of the team’s inputs and see whether they worked and what challenges they were able to solve.”

Cybersecurity for space assets is notoriously poor, a weakness that was exploited by Russian military-linked hackers who targeted Viasat’s KA-SAT network during the invasion of Ukraine. That incident involved ground stations only, but it followed numerous warning signs in the decade prior that space assets and infrastructure are insufficiently secure, and there may have been little preventing the hackers from attacking the satellites themselves. State actors may also consider civilian satellites supporting military operations to be legitimate targets.

Besides learning more about how hackers might approach attacking space assets, one of the ultimate goals of the Hack-A-Sat program is to encourage aerospace designers to adopt secure-by-design principles, Mann told IT Brew. She added satellites and space infrastructure have become far too important to everyday communications for their operators to launch first and worry about patches later.

“Every human on this planet uses GPS, ATMs, cell phones, you name it,” Mann said. “Some of the general public really doesn’t understand how many people rely on space in their everyday lives…It’s all space-based.”