Hack-A-Sat 2022 Finals: Teams on the attack
At the end of October, we hosted the 2022 Hack-A-Sat Finals competition. Finals was structured as an attack-defend CTF where each team was given control of their own satellite. Teams earned points by maintaining control of it, defending it from attacks while attacking other satellites, and solving a series of hacking challenges. Challenges varied widely, including ground station crypto vulnerabilities, flight software bugs, RISC-V ROP chains, webserver attacks, data mining, on-orbit science missions, scheduling ground station contacts, pointing antennas, and safeguarding radio links. In this chaotic environment, teams needed to balance their offensive and defensive tactics to disrupt the satellite operations of others while optimizing their own.
At around six and a half hours into the game, teams launched their first strikes against each other’s spacecraft. In this post, we dig into the attack itself, the effects it had on the satellite Attitude Determination and Control System (ADCS), and how defenders could mitigate it.
Understanding the attack
The most successful attack rested on two key pillars: leaking radio configurations used by other teams and sending malicious commands aimed at abusing an on-board ADCS control algorithm.
The radio configurations for all ground stations were leaked
The ‘403 Denied’ challenge presented teams with a webserver vulnerability which, when exploited, provided not only a flag and points but also access to a treasure trove of data being collected. Teams were able to scrape this database and leak data from all 27 ground stations in the game. Critically, this data included the configuration for the ground station radio, which was updated at a 30-second interval.
By continuously collecting this data, an offensively minded team could deduce the radio settings being used by other teams. Once the other teams' radio settings were known, they could be used to send malicious commands to their satellites.
The ADCS algorithm doesn’t check if control constants are stable
The initial ADCS settings provided were poorly optimized, and teams were expected to modify control constants to improve their satellite's performance and gain more points via SLA. This mechanism, however, implements weak bounds checking and allows malicious, unstable control constants to be used. In real systems, this occurs when designers assume that "only valid commands will ever reach the satellite." Assumptions like this invite would-be attackers and were included in the Hack-A-Sat flight software to create an attack vector for teams against the spacecraft ADCS of their opponents. This invitation was accepted.
Occurrences
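To illustrate the gap between a bounds check and a stability check, here is an added example (not Hack-A-Sat flight software). It assumes a single-axis PD control law integrated with explicit Euler; the gain names, inertia, time step and range limit are all constructed for illustration.

```python
import math
from dataclasses import dataclass

@dataclass(frozen=True)
class Axis:
    inertia: float  # J in kg*m^2 (constructed value)
    dt: float       # control-loop step in seconds (constructed value)

def range_check(kp, kd, limit=100.0):
    """Weak check: each constant only has to fall inside a numeric range."""
    return abs(kp) <= limit and abs(kd) <= limit

def stability_check(kp, kd, axis):
    """Accept gains only if the assumed closed loop is asymptotically stable.

    Assumed model: J*omega_dot = -kp*theta - kd*omega, explicit Euler:
        theta' = theta + dt*omega
        omega' = omega + dt*(-kp*theta - kd*omega)/J
    With tr and det the trace and determinant of that 2x2 update matrix,
    the Jury criterion puts both eigenvalues inside the unit circle
    exactly when |det| < 1 and |tr| < 1 + det.
    """
    if not (math.isfinite(kp) and math.isfinite(kd)):
        return False, "non-finite gain"
    a = axis.dt * kd / axis.inertia
    b = axis.dt ** 2 * kp / axis.inertia
    tr, det = 2.0 - a, 1.0 - a + b
    if abs(det) >= 1.0:
        return False, "eigenvalue magnitude product >= 1"
    if abs(tr) >= 1.0 + det:
        return False, "real eigenvalue on or outside the unit circle"
    return True, "stable"

def handle_set_gains(kp, kd, axis, current):
    """Command handler sketch: keep the current gains unless the new pair is stable."""
    ok, reason = stability_check(kp, kd, axis)
    return ((kp, kd) if ok else current), reason

AXIS = Axis(inertia=0.5, dt=0.1)   # constructed
DEFAULT_GAINS = (0.2, 1.0)         # constructed, stable under this model
```

A sign-flipped damping gain such as (0.2, -1.0) passes the range check but is rejected by the stability check, so the handler keeps the previous constants.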
To see the attack in action, you can watch the game visualization at game time 2023-01-01 06:39:00 UTC. In this scenario, Poland Can Into Space takes control of the Mauritius ground station and uses it to attack both Single Event Upset and Welt ALLES!.
These two instances of the attack are the first occurrences of it in the game. After this, the attack was used frequently by multiple teams.
Effects of the attack
Command: Unstable Control Constants
The malicious control constants cause the satellite to lose stability and begin tumbling. The rate of tumble increases until the reaction wheels no longer have any command authority.
The reaction wheels lose command authority when they reach their max spin rate (saturation). This means that full 3-axis control of the satellite is no longer possible until the wheels have been de-spun via magnetorquers or a space tug request to the admins. Since de-spinning the wheels takes approximately 40 minutes, this leaves the satellite without attitude control for quite a while.
Command: Safe Mode Off
Turning off the safe mode app compounds the effects of this attack.
In normal operation, once the satellite is tumbling or the wheels reach a certain percentage of saturation, safe mode would activate. This would immediately do the following:
Reset the control constants to their defaults
Begin desaturation of the reaction wheels
Set the radio to the default parameters
With safe mode disabled, the satellite is allowed to continue gaining angular momentum until the wheels reach saturation.
After enough time, the wheels saturate and eventually numerical integration in the control loop encounters a floating-point error from unstable growth. This results in crashing the flight software.
Combined
To summarize, the combined effects of these malicious commands are devastating:
Loss of SLA in 2/4 categories
Loss of contact with satellite
Crashed flight software
Time required to recover
Defending against the attack
While attacking the ADCS can cause frustration and confusion, there are strategies to mitigate or even avoid the attack altogether.
Mitigate the Attack
While the attack against the ADCS can be devastating, there is an opportunity to detect the attack and take corrective action. Once the attack lands it takes approximately 6 minutes for the reaction wheels to spin up and reach saturation. It takes additional time after that for the flight software to hit a floating-point error and crash.
The wheel speed and angular velocity of the satellite are available through telemetry. This time window provides defenders an opportunity to detect that an attack has occurred.
The simplest strategy to recover from this attack would be:
1. Set ADCS to the ‘uncontrolled’ state. This will stop all positive control of the satellite and prevent the attack from causing further damage.
2. Re-enable the safe mode app. This will immediately begin to de-spin the reaction wheels.
This strategy was not observed in practice.
The following strategy is simpler and mostly effective.
Protect Your Radio Settings
As previously discussed, this attack relies on knowing the configuration parameters of a specific satellite’s radio. However, this information was never leaked directly. Only ground station radio parameters are leaked and only once every 30 seconds.
This means that when defenders are using a ground station to communicate with their satellite, they are potentially vulnerable. This is particularly true at the polar locations where many ground stations (controlled by other teams) are in view at the same time.
Once communication is complete, the final step a team should take is to change the settings of their spacecraft radio to something different than the parameters leaked by the ground station.
Leverage the Network of Competitive Ground Satellites
Every team was given dedicated ground stations located at Svalbard and McMurdo Station. Given the near polar orbit of the satellite, these ground stations were convenient and available every half orbit.
Using these ground stations was risky, however. An offensively minded team can wait for you to start communicating with your satellite and then attack using their polar ground station.
The remaining ground stations were more sparsely distributed and limited users to 6 minutes of communication.
Maximizing use of these ground stations limits exposure to other teams looking to steal your radio settings and connect to your satellite.
Make Contact at Higher Elevation Angles During a Contact
Completely avoiding the ground stations at McMurdo and Svalbard is an unrealistic strategy as it is too costly in terms of missed opportunities. During the beginning and end of each pass (i.e., at low elevation angles), many satellites fit within one antenna ground beam. This provides an easy opportunity to attack multiple satellites at once by looping through all known radio settings without the need to steer the antenna. Defenders can defer communication until closer to the zenith of each pass, forcing attackers to specifically point their antenna at the defender's satellite.
Analysis
First Teams to Act on Offence had an Advantage
Poland Can Into Space was the first team to deploy this attack and it gave them a competitive advantage. While other teams were dealing with the effects of this attack, Poland Can Into Space was able to continue operating their satellite, gain SLA points and work on other challenges. They also waited to release this attack until they had successfully implemented at least one defensive strategy against it.
Attacking Prevents Other Teams from Completing Satellite Operations
Satellite contact with the ground is limited by the available ground stations and the orbit mechanics of the satellite. Most teams had plans for how they wanted to use each contact window with a ground station. Attacking forces another team to abandon their plans and instead focus on recovery of their satellite.
A successful attack interrupts another team's decision loop and forces them to reallocate their resources to defense.
Attacking Stops Other Teams from Attacking You
When other teams are busy recovering their satellite, they have less time and resources to mount retaliatory attacks.
Understanding the Attack Surface is Critical
Poland Can Into Space and Spacebits R Us realized that leaked radio settings were the keystone of any attack. Both teams were able to devise a scheme to rotate their radio settings and avoid detection.
This scheme protected them and as a result it was rare that they were successfully attacked.
Situational Awareness is Extremely Important
It was possible to detect an attack and correct it before it results in significant cost. This requires either automated validation checking of incoming telemetry or an alerting system.
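The automated telemetry check described here, and the detection window discussed under "Mitigate the Attack", could look like the following added example (not code from the game or any team). Telemetry field names, thresholds, the wheel saturation speed and the sample frames are all assumptions constructed for illustration.

```python
from dataclasses import dataclass

WHEEL_MAX = 600.0    # rad/s, assumed wheel saturation speed
WARN_FRACTION = 0.5  # assumed: alert above 50% of saturation
TUMBLE_RATE = 0.05   # rad/s, assumed body-rate limit
MIN_TTS = 600.0      # s, alert when saturation is projected sooner than this

@dataclass
class Sample:            # one telemetry frame; field names are hypothetical
    t: float             # seconds since start of the window
    wheels: tuple        # reaction wheel speeds, rad/s
    body_rate: float     # magnitude of angular velocity, rad/s
    safe_mode_on: bool   # safe mode app status

def time_to_saturation(window):
    """Fit a line to the fastest wheel's |speed|; None if it is not rising."""
    if len(window) < 2:
        return None
    ts = [s.t for s in window]
    peak = [max(abs(w) for w in s.wheels) for s in window]
    t_mean, p_mean = sum(ts) / len(ts), sum(peak) / len(peak)
    var = sum((t - t_mean) ** 2 for t in ts)
    cov = sum((t - t_mean) * (p - p_mean) for t, p in zip(ts, peak))
    if var == 0 or cov <= 0:
        return None
    return max(0.0, (WHEEL_MAX - peak[-1]) * var / cov)

def check(window):
    """Return alert strings for the newest frame in a telemetry window."""
    last, alerts = window[-1], []
    frac = max(abs(w) for w in last.wheels) / WHEEL_MAX
    if frac >= WARN_FRACTION:
        alerts.append(f"wheel at {frac:.0%} of saturation")
    if last.body_rate >= TUMBLE_RATE:
        alerts.append("body rate above tumble limit")
    if not last.safe_mode_on:
        alerts.append("safe mode app is disabled")
    tts = time_to_saturation(window)
    if tts is not None and tts < MIN_TTS:
        alerts.append(f"saturation projected in {tts:.0f} s")
    if alerts:
        alerts.append("recover: set ADCS to 'uncontrolled', re-enable safe mode")
    return alerts

# Constructed telemetry, one frame every 30 s.
NOMINAL = [Sample(30.0 * i, (40.0, -35.0, 20.0), 0.002, True) for i in range(5)]
ATTACK = [Sample(30.0 * i, (40.0 + 45.0 * i, -35.0, 20.0), 0.002 + 0.01 * i, False)
          for i in range(5)]
```

On the constructed attack window, the trend projection and the safe mode status both alert while the wheel is still below the fixed saturation threshold, which is the point of watching the rate of change rather than only the level.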
Even with Perfect Data, it’s Hard to Understand what is Happening
The admin team for this game had access to "truth level" information throughout the entire game. Even with a large amount of information, it took the admin team time, and a lot of caffeine (look at my desk!!!) to fully understand the attacks as they occurred.