Ride the Lightning

Cybersecurity and Future of Law Practice Blog
by Sharon D. Nelson Esq., President of Sensei Enterprises, Inc.

Air Force Will Offer Up a Satellite to Hackers at Defcon 2020

October 9, 2019

As Naked Security reported last month, when the US Air Force went to the Defcon hacker conference this year, it took along an F-15 fighter-jet data system. The destination was a corner of the conference where the first-ever Aviation Village brought together the aviation industry with the infosec/hacker community. Vetted security researchers picked that system to pieces. And I mean that literally.

They went at it with screwdrivers and pliers. They filled hotel glasses with screws, nuts and bolts from the Trusted Aircraft Information Download Station. They also remotely placed malware on the unit, which collects video and sensor data while the F-15 is in flight.

The Air Force took the results pretty well – I think they expected to get clobbered.

Now the Air Force has decided to up the ante. Next year, it's offering up an orbiting satellite.

Will Roper, the Air Force's top acquisition official, said that he wasn't surprised by this year's results with the F-15 subsystem. He expected them to be bad, given decades of neglect of cybersecurity, compounded by the military's hitherto mostly hands-off approach to penetration testing by the private sector, not to mention the antiquated military contracting process, in which the companies that build software components won't let the Air Force pry apart their products for testing.

This is of course a recipe for failure.

Roper told C4ISRNET, a digital magazine focused on military information technology, that these days, the government's thinking has shifted from its Cold War stance on keeping things close to the vest. It's essential that it do so, he says:

"Historically, we have been very closed about our vulnerabilities. That made sense during the Cold War. When a new technology was developed – whether it was satellites, microprocessors, stealth enhancements – these were big deals and we needed to be very secretive about that technology because to lose it was to lose a decade.

But now technology changes so rapidly, and most of it is driven by software. The idea that closed can make you more secure is a hypothesis we need to question. Industry is going more toward open, being secure by allowing external experts to find vulnerabilities in a way that protects them so that they're not legally culpable but that provides a safe conduit to make those available to the government."

Vetted researchers' hacking of an F-15 subsystem this year and next year's hacking of a satellite are just the latest signs of evolution in the government's approach to military cyber-hardware and supply-chain security.

In 2017, we saw the Air Force offer its first-ever bug bounty program, Hack the Air Force. The Pentagon did the same thing the year before, as did the US Army.

That's a pretty big deal – and a very level-headed one.

By the end of the third Hack the Air Force challenge – run as a collaboration between the Department of Defense (DoD) and the HackerOne bug bounty platform – $130,000 had been paid out to hackers in exchange for a total of 120 vulnerabilities, HackerOne announced in December 2018.

The Air Force will put out a call for submissions "sometime soon." Six months before next year's Defcon, researchers with viable pitches will be invited to try out their ideas during a "flat-sat" phase, which is basically a test build comprising all the eventual components. That group will be further culled, and the Air Force's vetted picks will be flown to Defcon for a live hacking competition.

As Roper said, "What we're planning on doing is taking a satellite with a camera, have it pointing at the Earth, and then have the teams try to take over control of the camera gimbals and turn toward the moon. So, a literal moon shot."

Which specific satellite will be targeted hasn't yet been determined, though it will likely be one flying in low Earth orbit. Nor has it been determined how many teams will be selected in each round, or how much money will be paid out as the final cash award.

Roper is hoping that it's worth the hassle, though. The Air Force wants the security community to get its hands on these systems as early in the process as possible, so it doesn't keep building on top of vulnerable systems, he said:

"We want to hack in design, not after we've built. The right place to do it is when that flat-sat equivalent exists for every system. Let the best and brightest come tear it up, because the vulnerabilities are less sensitive then. It's not an operational system. It's easier to fix. There's no reason not to do it other than the historical fear that we have letting people external to the Air Force in."

This makes so much sense that I can't believe our government is doing it.

Roper, who sounds like a great guy to have a beer with, says he's going to work on getting an entire plane to Defcon. Space might be a constraint, Mr. Roper, but good luck to you!

Sharon D. Nelson, Esq., President, Sensei Enterprises, Inc.
3975 University Drive, Suite 225|Fairfax, VA 22030
Email: Phone: 703-359-0700
Digital Forensics/Cybersecurity/Information Technology
https://senseient.com
https://twitter.com/sharonnelsonesq
https://www.linkedin.com/in/sharondnelson
https://amazon.com/author/sharonnelson