DEF CON 32: Space Systems CTF Recap

A weaponized satellite burning up as it deorbits over Earth

The mission: deorbit a weaponized satellite before it can fire.

At DEF CON 32, in the Aerospace Village, we ran a Space Systems Capture the Flag built on a hardware-in-the-loop demonstrator spanning the ground, space, and link segments. Hundreds of people played, and 107 walked away with a SAO for finishing. Alongside it sat the small unmanned aerial system demonstrator from the previous year. This is a recap of what the challenge asked players to do, and why.

The IRON GALAXY hardware-in-the-loop Space Systems Demonstrator in a rugged case

The hardware-in-the-loop Space Systems Demonstrator the CTF ran on.

The scenario

Players joined the fictional Aurora Alliance to stop the Nebula Syndicate from weaponizing a laser-equipped satellite.

A laser-equipped satellite firing a green beam toward Earth

The Nebula Syndicate's laser-equipped satellite, the target of the challenge.

To get there, players worked through a chain that looked a lot like a real engagement:

Find and exploit a publicly accessible GitHub repository full of sensitive configs
Decrypt wireless traffic from a sUAS operating near the adversary's ground station
Reach a misconfigured Nexus repository that allowed anonymous read access
Exploit unencrypted FTP and TELNET
Disable an automated antenna rotator
Decode CCSDS Space Packet Protocol communications
Send the deorbit command to neutralize the threat

A Wireshark capture of CCSDS packets revealing a kill-switch flag

Decoding CCSDS Space Packet Protocol traffic to find the path to the kill switch.

Every step maps to a real weakness we see in real systems. The fiction is the laser satellite. The mistakes are not.

Five lessons it was built to teach

Segregate your networks. Operational and business networks need to be isolated. A foothold in one should not be a foothold in the other.
Encrypt and authenticate. Without both, traffic can be intercepted and commands can be injected. These are not optional on a command path.
Track command sequences. Sequence tracking catches both communication errors and malicious attempts to take control.
Know your open protocols. Space protocols like CCSDS run unencrypted by default. Protections such as the Space Data Link Security Protocol exist for a reason, and you have to turn them on.
Treat ground-station automation as attack surface. Automated satellite tracking is operationally useful, but it needs least-privilege access and multi-factor authentication around it.

The SPARTA framework matrix from The Aerospace Corporation

We designed the challenge against SPARTA, so every attack traces back to a shared map.

We designed the challenge against the SPARTA (Space Attack Research and Tactic Analysis) framework from The Aerospace Corporation, so the attacks players ran trace back to a shared, documented map of how space systems actually get hit.

The CTF is the fun version. The rigorous version is our Cybersecurity Fundamentals for Space program, where the same ground, link, and space segment threats are taught hands-on and capstoned on our IRON GALAXY range.

References (from the original article)

The scenario

Players joined the fictional Aurora Alliance to stop the Nebula Syndicate from weaponizing a laser-equipped satellite.

A laser-equipped satellite firing a green beam toward Earth

The Nebula Syndicate's laser-equipped satellite, the target of the challenge.

To get there, players worked through a chain that looked a lot like a real engagement:

Find and exploit a publicly accessible GitHub repository full of sensitive configs

Decrypt wireless traffic from a sUAS operating near the adversary's ground station

Reach a misconfigured Nexus repository that allowed anonymous read access

Exploit unencrypted FTP and TELNET

Disable an automated antenna rotator

Decode CCSDS Space Packet Protocol communications

Send the deorbit command to neutralize the threat

A Wireshark capture of CCSDS packets revealing a kill-switch flag

Decoding CCSDS Space Packet Protocol traffic to find the path to the kill switch.

Every step maps to a real weakness we see in real systems. The fiction is the laser satellite. The mistakes are not.

Five lessons it was built to teach

Segregate your networks. Operational and business networks need to be isolated. A foothold in one should not be a foothold in the other.

Encrypt and authenticate. Without both, traffic can be intercepted and commands can be injected. These are not optional on a command path.

Track command sequences. Sequence tracking catches both communication errors and malicious attempts to take control.

Know your open protocols. Space protocols like CCSDS run unencrypted by default. Protections such as the Space Data Link Security Protocol exist for a reason, and you have to turn them on.

Treat ground-station automation as attack surface. Automated satellite tracking is operationally useful, but it needs least-privilege access and multi-factor authentication around it.

The SPARTA framework matrix from The Aerospace Corporation

We designed the challenge against SPARTA, so every attack traces back to a shared map.