The US Air Force and Space Force have jointly launched Hack-a-Sat 3 — the third iteration of a capture the flag (CTF) challenge focussed on space cybersecurity that is open to all, with 10 X $10,000 cash prizes.
The competition comes after Viasat satellite infrastructure was hacked in February; seemingly in a bid to undermine the communications capabilities of the Ukrainian military. (A “misconfigured” VPN appliance was used to gain remote access to the trusted management segment of the KA-SAT network a post-mortem revealed. The attackers then sent destructive commands to modems that overwrote key data in flash memory, bricking them.)
The competition made its debut in 2020 during hacking conference DEF CON. Participants get to test their skills in the unique competition on satellite emulations built-out with satellite sensors, hardware and software.
Registration for Hack-a-Sat 3 qualifiers is now open. The qualification round starts May 21 at 10:00am EDT.
The organisers have been working on getting a real satellite into space just for hackers to test their skills on and Hack-a-Sat 4 “will be the first-ever on-orbit hacking competition” they confirmed this week. That project has been dubbed “Moonlighter” and at its launch will be the “world’s first purpose-built satellite just for cybersecurity training and research. It’s literally a hacking sandbox in space, that will be launched in 2023” organisers said.
There is a $50,000 first place, a $30,000 second place, and a $20,000 third place cash pot for Hack-a-Sat 3 finalists although they will also need to submit an “acceptable” whitepaper within three weeks of the contest’s end.
Hack-a-Sat 3 — what’s involved?
This year however, for Hack-a-Sat 3, they will have content themselves with attacking a simulated space system that includes a satellite digital twin and virtual ground station. The online contest is open to the public via registration at
hackasat.com and starts with a qualification event that takes the form of a “Jeopardy” style CTF contest running over the course of 24 hours. The final Event will be a mix of “attack/defend” and “king of the hill” CTF styles.
“Like a more traditional attack/defend CTF, teams will have their own vulnerable system to operate and defend, while attacking opposing teams’ identical systems. A number of exploitable vulnerabilities exist in the systems and teams must patch or otherwise mitigate their own vulnerabilities to protect from exploitation attacks, while keeping the system functioning normally” Hackasat’s organisers said of the final event in an update this week.
To those thinking of getting a bit excited and playing dirty, the following rules apply:
- “Utilizing or engaging in non-specific denial-of-service (DoS) attacks, such as packet flooding for network denial of service, against other competitors is strictly forbidden
- “All patches to open-source software must be made available according to open source license guidelines
- “Any vulnerabilities discovered in open-source software must be made available to the public via a public disclosure process
- “No physical coercion or intimidation is allowed
- “Any acts of sabotage, tampering, misuse, attacks, or use without consent of the contest organizers’ property, contest infrastructure, equipment, software, or items that pertain to the contest that are outside of the contest environment are expressly forbidden
Registrations for Hack-a-Sat 3 are open now.