Behind the Scenes of Hack-A-Sat 2: One Team’s Chronicle of Hacking Space

By: Jason L. Wright, Chief of Cyber Research

This past weekend, I had the privilege of competing with some of my colleagues in the Hack-A-Sat 2 contest.  Jointly presented by the US Air Force and Space Force, Hack-A-Sat 2 (HAS2) is designed to inspire the world’s top cybersecurity talent to develop the skills necessary to help reduce vulnerabilities and build more secure space systems. Though similar to other cyber security capture the flag events (e.g. DEF CON Capture the Flag), the unique problems posed by space travel add an extra challenge for friendly hackers attempting to tackle security risks.

My team included researchers from Idaho National Laboratory, Dragos, Blackmere Consulting, and others. As a team, our first course of action was to fuel up on caffeinated beverages before we  jumped into the 30-hour long fray.

Hack-A-Sat 2: Let the Challenge Begin

The first challenge we encountered in the contest dealt with the unique issues of communicating in space.  Electrical noise and ionizing radiation can mangle and flip bits, obliterating the message.  To cope with this, various encoding and error correction methods can be applied (e.g. Hamming Codes with SECDED). To put it more simply, we can add bits to our data that allow us to detect and fix errors. 

In one problem presented to us, we were given a piece of Python code with error correction bits applied. Our challenge was to modify the code in such a way that it operates out of tolerance by flipping exactly three bits, to simulate ionization. We chose to modify the statement “if temp > 35: turn off the heater” to read “if temp > 75: turn off the heature”. Changing 3 to 7 is flipping one bit. But, we also had to fix the error detection and correction bits. By flipping the correct bits in the error correction byte and modifying the 3 to a 7, we were able to cause the simulated heater to operate outside its tolerance of 70 degrees.

Another challenge presented us with cartesian coordinates and velocity, and asked us to express these as Keplerian elements. Continuing from this problem, we were given the coordinates and velocity of  a spacecraft in geotransfer orbit and asked to determine the maneuver (time and change in velocity) required to put the craft into a particular geostationary orbit. The math is beyond me –but a few of our teammates worked together to solve both of these problems.

My favorite challenge was “Mars or Bust”. The setup: Simulation showed that a satellite is on a trajectory to crash on Mars. Our goal was to reverse engineer the ROM to patch it correctly to prevent the crash. The challenge parameters outlined that we could send modified copies of the ROM to a simulator and observe the behavior. 

The ROM provided was for a MIPS processor, commonly found in Linksys/Netgear access points. Our team used various reverse engineering tools to try to comprehend the logic. In the end, we identified the main control loop and several of the controls (thrust, deploy lander legs, eject lander back shell, etc.).And, as it happens sometimes, just as we were beginning to understand the thrust control logic, the contest ended. 

Throughout the day, we crashed the lander many, many times in the simulator, but never quite got it to touch down. However, we did identify many spectacular ways to crash a lander. (Let me know if you would like any pointers!)

Hack-A-Sat 2 Takeaways

In the end, we had a lot of fun and placed in the top 10%, coming in 68th out of 697 teams. Not too bad in my book! 

Contests like this really show the importance of having team members with diverse backgrounds and having the right communication tools for the task. Although our team was geographically dispersed, (only 3 of us were in the same room for most of the contest on a team of about 10), we were able to effectively and efficiently work together  using tools like Discord chat, voice, and screen sharing – as well as writing up intermediate results on a common wiki.

Many thanks to the organizers of Hack-A-Sat 2! I hope the contest continues next year!

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.