Last month, when the US Air Force went to the Defcon hacker conference, it dragged along an F-15 fighter-jet data system.
The destination: a corner of the conference where the first-ever Aviation Village brought together the aviation industry with the infosec/hacker community. There, vetted security researchers picked that system to pieces.
As in, they literally went at it with screwdrivers and pliers. They filled hotel glasses with screws, nuts and bolts from the Trusted Aircraft Information Download Station. They also remotely inflicted malware on the unit, which collects video and sensor data while the F-15 is in flight.
The attitude of the Air Force to the results: well, that went well. Now, the Air Force has decided to up the ante, as Wired reports. Next year, it’s offering up an orbiting satellite.
Will Roper, the Air Force’s top acquisition official, told the Washington Post that he wasn’t surprised at this year’s results with the F-15 subsystem. He expected the results to be this bad, given decades of neglect of cybersecurity, added to the military’s hitherto, mostly hands-off approach to penetration testing from the private sector – not to mention what the Post calls the “arcane and byzantine” military contracting process, in which companies that build software components won’t let the Air Force pry apart their products for testing.
As Wired has reported, aviation companies have flat-out denied the validity of security researchers’ findings, in spite of some tragic outcomes: faulty controls were implicated in two crashes that killed 346 people in the Lion Air and the Ethiopian Airlines incidents, for example.
Roper told C4ISRNET – a digital magazine focused on military information technology – that these days, the government’s thinking has shifted from its Cold War stance on keeping things close to the vest. It’s essential that it do so, he says:
Historically, we have been very closed about our vulnerabilities. That made sense during the Cold War. When a new technology was developed – whether it was satellites, microprocessors, stealth enhancements – these were big deals and we needed to be very secretive about that technology because to lose it was to lose a decade.
But now technology changes so rapidly, and most of it is driven by software. The idea that closed can make you more secure is a hypothesis we need to question. Industry is going more toward open, being secure by allowing external experts to find vulnerabilities in a way that protects them so that they’re not legally culpable but that provides a safe conduit to make those available to the government.
Vetted researchers’ hacking of an F-15 this year and next year’s hacking of a satellite are just the latest signs of this evolution in the government’s approach to military cyber-, hardware, and supply-chain security.
By the end of the third Hack the Air Force challenge – run as a collaboration between the Department of Defense (DoD) and the HackerOne bug bounty platform – $130,000 had been paid out to hackers in exchange for a total of 120 vulnerabilities, HackerOne announced in December 2018.
How to hack a satellite
According to Wired, the Air Force will put out a call for submissions “sometime soon.” Six months before next year’s Defcon, a number of researchers with viable pitches will be invited to try out their ideas during a “flat-sat” phase: basically, a test build comprising all the eventual components. That group will be further culled, and the Air Force’s vetted picks will be flown to Defcon for a live hacking competition.
What we’re planning on doing is taking a satellite with a camera, have it pointing at the Earth, and then have the teams try to take over control of the camera gimbals and turn toward the moon. So, a literal moon shot.
Which specific satellite will be targeted hasn’t yet been determined, but Wired says that it will likely be one flying in low Earth orbit. Nor has it been determined how many teams will be selected in each round, or how much money will be paid out for a final cash award.
Given that this is military equipment, the researchers will again have to be vetted, same as for the F-15.
Roper is hoping that it’s worth the hassle, though. The Air Force wants the security community to get its hands on these systems as early in the process as possible, so it doesn’t keep building on top of vulnerable systems, he said:
We want to hack in design, not after we’ve built. The right place to do it is when that flat-sat equivalent exists for every system. Let the best and brightest come tear it up, because the vulnerabilities are less sensitive then. It’s not an operational system. It’s easier to fix. There’s no reason not to do it other than the historical fear that we have letting people external to the Air Force in.
How can the Air Force possibly top the invitation to come hack a satellite? Well, Roper says, he’s next working on getting an entire plane to Defcon. The difficulty of pulling that off?
The conference lacks the space.