Space Bits

CLS Helps Rescue Hijacked Fishing Vessel

CLS, a subsidiary of CNES, has published a press release reporting how it helped rescue a hijacked fishing vessel (and its crew of 18 fishermen) in the waters of the Ivory Coast, thanks to its FishWeb service, which harvests localisation data from various satellite systems or payloads.

I have added the press release below.


Hack-a-sat Library

The US Department of Defense has published a collection of satellite hacking resources on GitHub to support Hack-a-sat: the Hack-a-sat Library. It includes papers, videos, websites, etc.

Well done!


Cyber risks related to ship tracking using satellite communications

A recent article on the Cybermaretique blog, “L’agence spatiale européenne finance la recherche sur les risques liés aux systèmes de positionnement par satellite” (fr), mentions an ESA contract on cyber risks related to ship tracking using satellite communications and solutions to mitigate them. CYSEC won the bid and has more information in its press release. Olivier’s article gives more pointers on the subject (like Rivieramm coverage) and previous incidents.

Go read Cybermaretique for all cyber risks related to the maritime world. Thanks Olivier!


Space Force videos

Deux salles, deux ambiances

Pardon my French. I like them both.


HackASat (3/x) has small updates on the HackASat challenge: in an article titled “Hundreds of hackers sign up for chance to break into a DoD satellite”, Sandra Erwin reports, quoting Dr. Will Roper of the Air Force, that more than 900 participants have registered for the qualification phase.


IAC 71st goes cyber


The 71st International Astronautical Congress was scheduled for this fall in Dubai. Due to the COVID-19 outbreak, the event has been replaced by a virtual one, now called the 71st International Astronautical Congress – The CyberSpace Edition, which will take place on 12 – 14 October 2020. Dubai will now host the 72nd International Astronautical Congress.

The program is not yet available, but the paper selection has been made according to the original schedule (at least for the cybersecurity session I co-chair). This year, the Cybersecurity session (Cyber-security threats to space missions and countermeasures to address them) will be part of two symposia:


Let’s hope the program will allow presenters to attend.


Space Security Challenge

As a follow-up to the previous post, the Space Security Challenge or Hack A Sat (HaS) has a website. Although DEFCON 28 will be virtual this year (DEFCON Safe Mode), the Final event / challenge (“Hack a Sat Capture The Flag” hosted by the virtual Aerospace Village) will happen in August and the qualification phase is ongoing (registration closes May 24 and qualification event starts May 22).

Workshops on satellites will also be organized in August.

Rules edited by the Air Force Research Lab are available (pdf):

The top 10 teams will be requested to submit a “Qualification Event Technical Paper” describing the solutions for 5 challenges solved during the qualification. Papers will be reviewed by the organizer before a formal invitation to the Final Event (online) is sent to the team. 8 teams will participate, 2 will be on standby.

The Final event is composed of a new CTF (FlatSat) followed by an On-orbit challenge for teams with all the FlatSat challenges solved. A technical paper will also be requested at the end.

Each entrant must include at least one U.S. citizen or permanent resident. Official Government entities are not eligible (that makes two reasons preventing foreign space agencies from participating in this U.S. challenge).

I like the disqualification rules:

– Utilizing or engaging in Denial of service against other competitors is strictly forbidden
– All patches to open-source software must be made available according to open source license guidelines
– Any vulnerabilities discovered in open-source software must be made available to the public via a public disclosure process
– No physical coercion or intimidation is allowed
– Any acts of sabotage, tampering, misuse, attacks, or use without consent of the contest organizers property, contest infrastructure, equipment, software, or items that pertain to the contest that are outside of the contest environment are expressly forbidden

Of course, the usual disclaimers alerting participants to monitoring and interception are in the document. Publicity (disclosure) will also be part of the deal.





Content from HackASat published with permission.


Air Force’s orbiting satellite at DEFCON 2020

This Wired story from September 2019 describes the road taken by the Air Force in deciding to offer an orbiting satellite for “testing” by hackers at DEFCON 28.

After an F-15 fighter last year, the Air Force will enable a select number of researchers to evaluate the security of an orbiting satellite from an attacker’s perspective. At the time the article was written, the targeted satellite was unknown.

On December the 12th, an update was released, but the satellite was yet to be chosen, according to Will Roper, assistant secretary of the Air Force for acquisition, technology, and logistics. The internal Air Force project name is “Hack-A-Sat”; the public one will presumably be “Space Security Challenge”.


Cosmos 2542 meeting USA 245

An interesting thread in which some of ESA’s 2012 slides containing threat models are commented on, while “Cosmos 2542, a Russian satellite, has recently synchronized its orbit with USA 245, a NRO KH11” sat.

By the way, CCSDS’ SEA-SEC Working Group is in the process of updating its 2015 Security Threats against Space Missions Green Book (Issue 2, December 2015; CCSDS 350.1-g-2, PDF file).


CubeSat Postmortem

HackADay has a “Lessons Learned from a CubeSat Postmortem” article on the “KRAKsat Satellite Mission – Lessons Learned” paper published by the mission team from AGH University of Science and Technology in Cracow, Poland. No crucial error described in the paper is directly linked to cyber; however, some are interesting:

  • Problems with clearing the flash memory (testing and implementation issues),
  • Impossibility to download data from the flash memory by radio UHF2 (different implementations and behaviour of two redundant components). This one particularly highlights the issue we may face with safety measures that require different implementations but are not done properly. I remember datacenter providers implementing different controllers and software for HVAC and power. I wonder if this is still the case.
  • No emergency option to shut down satellite subsystems permanently. Kind of a reverse kill-switch.
  • The lack of its own ground station. Ground stations are costly. I wonder what the price would be compared to the overall cost of a CubeSat mission. Maybe the solution would be to plan for emergency services.
  • Inaccurate analysis of the mission requirements. No comment, space is hard.

Other errors are listed as well and are interesting: file system issues (or lack of a file system in this case), data encoding, hard-coded parameters, etc.