Posted on September 18, 2019 at 2:56 AM
The Defcon hacking conference, held in Las Vegas in August, was full of surprises. The United States Air Force (USAF) brought an F-15 fighter jet data system and let security experts and specialists take it apart. As it turns out, they found several exploits and flaws in the process.
The USAF was happy with how the events unfolded and said that for next year’s conference, it will bring yet another big piece: a satellite. The promise was made by Will Roper, the department’s assistant secretary for acquisition, technology, and logistics.
The branch has made it a priority to improve the way it handles online security threats, and sending hackers to try to break into an orbiting satellite and its ground station is an effort to do just that.
Help is Needed
Roper observed that the Air Force is afraid of asking for outside help, which it needs in order to achieve satisfactory levels of online security. He detailed that the branch is still using obsolete cybersecurity procedures that are at least 20 years old.
Roper says that the Air Force has a closed model: it thinks that refusing any outside help and doing everything behind the scenes will make it safer. That is not true, at least not in the digital realm. He pointed out that in the digital world, everything comes with software included.
Regarding the plan for next year’s Defcon gathering, Roper explained that the hackers would use all of their expertise, skill, and resources to take over the satellite.
Implementing software means that there will be, almost inevitably, potential vulnerabilities that hackers could take advantage of, be it in a smart fridge or a state-of-the-art flight network or system. As it turns out, Roper is very familiar with the situation, having been through the Air Force hack initiative, in which a strategic alliance between HackerOne and the Pentagon’s Defense Digital Service (DDS) uncovered 120 flaws and hackers received $130,000 in bounties last December.
The Air Force was able to connect with Defcon’s Aviation Village via DDS. That’s where a group of seasoned hackers successfully took down a Trusted Aircraft Information Download Station under the watch of USAF staffers.
The Trusted Aircraft Information Download Station is the system in charge of sending information back and forth on an F-15. The security flaws that were uncovered were enough to shut the whole system down. The Air Force has a dedicated cybersecurity team, but its resources are limited, and it could use some contributions.
Roper said that the F-15, as expected, has high-security procedures, but the industry often overlooks developments from smaller enterprises with less abundant resources. He added that, as expected, many of these small-scale firms usually can’t contend with prominent rivals, such as China.
For the Air Force to take the next step and write stronger and more reliable security requirements into its legal documents, it needs to understand the usual security pitfalls that affect external parts. Doing so will toughen up the whole supply chain and ultimately improve the security of all aircraft.
The work wouldn’t end there, as the broader aviation community is notoriously opaque. Independent investigators and researchers usually don’t have easy access to airplane parts, and manufacturers don’t want to deal with the fact that their products are likely to have severe vulnerabilities. Similar tensions in the vehicle and medical device fields have been left behind, but according to Pete Cooper, the director of the Aviation Village, there haven’t been positive developments in those relationships in the aviation industry.
If the United States Air Force continues to get involved, there could be improvements in that area. Hacking a satellite is an enticing enough challenge and a good start.
For now, a plan is in place: in the short term, the USAF will let the public know about the project, and people will be able to sign up if they think they have what it takes to hack a satellite or its ground station.
The USAF will pick among the applicants based on their pitches and invite them to try out their plans in the “flat-sat” stage, which is a test with all the necessary components. It will all happen six months before 2020’s Defcon. The group will then be reduced again, and the winners will go to the event for a live competition in which they will put their best hacking skills to work.