DEFCON, one of the most famous hacking conventions, plays host to ethical hacking competitions, which challenge security researchers to break into and manipulate technologies. These include popular consumer devices, websites and public infrastructure, such as voting machines. Identifying these vulnerabilities reaps monetary rewards for the hackers and allows for the vulnerabilities to be fixed before they can be exploited by malicious actors.
At this year’s DEFCON, held in Las Vegas last month, the Air Force offered up an F-15 fighter jet data system – which collects video and sensor data in flight – to hackers at the first ‘Aviation Village’ section, which brought together security researchers and the aviation industry. Approved security researchers were able to identify serious vulnerabilities which could have compromised the system; they demonstrated their findings by remotely infecting it with malware.
Following the success of the challenge, the US Air Force is preparing to up the ante by putting forward an orbiting satellite for next year’s DEFCON gathering. The Air Force’s engagement with security researchers at DEFCON reflects the military’s tentative but budding engagement with the broader cyber-security community. In 2016, the Pentagon and the US Army opened up their first bug bounty program, followed by the US Air Force in 2017 with the ‘Hack the Air Force’ challenge. This challenge has resulted in over 120 vulnerabilities being identified and $120,000 being paid out to ethical hackers for their work, according to HackerOne.
Initial reports for the satellite challenge suggest that the Air Force will soon put out a call for submissions for ideas on how its satellites may be exploited by hackers. A number of security researchers will be invited to test out their ideas six months before the conference and the number of contenders will then be narrowed down further. The final groups of researchers will participate in a live competition to hack a real, orbiting satellite at DEFCON 2020.
It is not known what type of satellite will be used, although it is reasonable to expect that it will be a surveillance satellite in low-Earth orbit.
Will Roper, Air Force assistant secretary for acquisition, told the Washington Post that the defeat of the F-15 data system did not surprise him, given that cyber security had been neglected in the military for decades.
Roper explained that next year’s competition would involve challenging security researchers to take control of a satellite with a camera pointing towards the Earth and rotating the camera such that it faced the Moon instead.