This Anti-Cast was originally published on November 13, 2024.
In this video, Tim Fowler discusses outer space hacking for beginners, focusing on space cybersecurity. He explains the importance of understanding the fundamental concepts of hacking and how they apply to space systems, emphasizing the need for a beginner-friendly approach to get started in this field. Tim provides insights into various educational tools and resources available to explore space systems, including CubeSats, and encourages viewers to engage in hands-on experiences to understand the complexities of space cybersecurity.
- The webinar focuses on introducing beginners to the concept of space cybersecurity, emphasizing the accessibility of space systems and the potential for cybersecurity professionals to get involved.
- Space systems are fundamentally flying computers connected with high latency networks, highlighting the need for cybersecurity measures similar to those in traditional IT environments.
- There are various educational tools and kits, such as CubeSats, that provide hands-on learning opportunities for those interested in space systems and cybersecurity.
Transcript
Tim Fowler
So today we’re going to be talking about outer space hacking for beginners. Obviously, this is virtual. You can’t exactly raise your hand and stuff. But I don’t think there’s too many of us present right now that actually are working in the space industry from a cybersecurity perspective.
This is a relatively new concept. The technical term is space cybersecurity. I don’t particularly like that phrase, because it’s, I’m not sure why space has to have its own version of cybersecurity.
But that’s what it is, that’s what everybody is kind of accepted on. And so this is kind of what we’re talking about. But when we talk about outer space hacking for beginners and stuff, this is not going to be a very technical presentation by any means.
It is designed to be very beginner friendly. It is designed to help you get started. Because this is oftentimes the hardest thing to do is how do we get started?
It doesn’t matter whether it’s you’re wanting to learn about space, space cyber security or if you’re wanting to learn about embedded hardware or post exploitation or whatever like that.
Pick a, pick a topic. The hard part is just kind of how to get started. And one of the goals for today’s webcast is to kind of give you a jumping off point.
And this is based off of a lot of the time that I’ve put into it. One of the things that we were kind of talking about in the pre show banter, if you were able to be there, was as instructors and things like that, we want to make sure that we’re like expressing our, our experience in things, giving it to our, our students and stuff so that they can kind of pick up from where we are right now.
I did the grind. You shouldn’t have to do the grind. Now you’re more than welcome to do the grind, but if I can help you not have to grind as hard or be able to figure out where exactly to grind, that’s kind of the objective here.
And so we’re going to be taking, typically we talk about this like this would be like a 30,000 view, this would be a 10,000 foot view. We’re going to flip that on its head. This is going to be a ten foot view. And the reason why this is a ten foot view is we’re starting from the ground up.
There will be some space puns in this conversation. They are completely intentional. I expect you to laugh and enjoy them. But if you don’t, that’s fine. But we really do want to start from the ground up.
So with that we’ve got to deal with a little bit of nomenclature here. When we look at the title of this Outer Space Hacking for Beginners, the word hacking is going to automatically produce some kind of response. Depending on how you were raised, your culture, various things like that.
A friend, I say a friend, he’s a friend of BHIS and stuff. Jayson E. Street, a very well known personality in the infosec community. He did, a few years ago, maybe even 10 years ago, I don’t actually remember, he did a presentation, kind of talking about the history of hacking and various things like that.
Trying to like beat down this like negative connotation that we typically see from like the media, news organizations, things like that. It’s like hacking bad.
And that’s really not, that’s not true. Like if we look at it from a historical perspective, even if we look at like it from like the realistic perspective, yeah, it’s a spectrum. There’s people that are doing things nefariously and bad, but there’s also people like the amazing people that I work here at BHIS and stuff.
Like we’re, we’re doing it the right way. We’re trying to better the people around us, the people that we work for, our clients and everything like that. But let’s define hacking.
And today though, I’m going to say this a couple of times. The goal is to try to get down to the least common denominator. That way everybody can kind of get on board. Doesn’t matter what your perspective is.
Like this is what we’re trying to do. So essentially hacking is the application of technical skills to solve problems at the lowest level.
This is what it is. Okay, it’s, I’ve got a problem, I need to solve it. How can I use my skills to solve that problem? It’s fair. It’s. Is it an oversimplification?
Probably. But it’s not accurate or not inaccurate. It’s technically accurate. And we all know technically accurate is the best kind of accurate. And so therefore if we, if we sit here and say that hacking is the application of technical skills to solve a problem, then that means a hacker is someone who uses their technical skills to solve a problem.
This is a, we can use the transitive property here to kind of understand that. So therefore, if you are applying skills to solve a problem in space, it makes you a space hacker or a hacking space.
Right? This is a pretty easy concept here. Now again, it’s a generalization, kind of, in some cases, an oversimplification of the process here.
But this is kind of what we want to. We’re wanting to break it down to digestible components that everybody can go like, hey, this is way more approachable than I actually thought it was.
And so let’s get through some of the kind of misconceptions about space and stuff. Like, isn’t space really, really hard? The answer is yes, like definitively yes.
Operating in space is very difficult. There are challenges out there that we just don’t face here. In our normal organizations, enterprises and stuff like that, we don’t really care or concerned about ionizing radiation.
We’re not so much concerned about dynamic thermal cycling when solar panel production, and all of this other stuff and, and orbits and all this stuff that makes space incredibly, incredibly difficult.
But the reality is those challenges can be overcome. We’ve seen it like, we’ve done it like since the 1960s. We’ve been overcoming these challenges every single day, from an operational standpoint of like existing in space, operating in space.
So naturally we’ve done that from a security perspective, right? No, not even close. Historically, and I talk about this, and I’ve talked about this in other webcasts, and talk about in my training classes.
For the longest time it was kind of an ostrich with its head in the sand kind of approach, that it’s just like, hey, we’re not going to talk about it. It’s security through obscurity.
It’s us and only us. We’re the only ones that have the capability of doing this space stuff. So, we’re not super concerned with, but the reality is like, as technology has improved, as more and more players have entered the game of space and what I call The Space Race 2.0 and stuff we’re finding out that’s like, hey, everything’s not as, the bed of roses that we typically would like to paint it, we have some deficiencies, we have some problems.
And so the question is like, how do we fix this? How do we change this moving forward? How do we take the narrative going like, yeah, we don’t want to talk about it. This is security through obscurity.
Let’s and then go like, yeah, let’s actually, let’s just see if we can do something about this. Let’s see if we can get involved. And this is going to be the absolute most controversial slide of the entire day.
But the thing that we need to remember when we’re talking about space and space systems specifically is they are just flying computers connected with high latency networks.
And that is a quote by me. And a lot of people I love, I love saying this in front of like government types and DoD and stuff like that because they’re like, it’s more complicated than.
Yeah, it is more complicated than that. But at the lowest common denominator we’re talking about flying computers connected with high latency networks. You could also add low bandwidth networks as well.
And so one of the things that we have to understand, okay, most people think of space as being this like, kind of rarefied, like just out there, like it’s not accessible.
And that’s just not true. And this is one of the things that I’m the, the, the number one goal of this webcast today, and I’m super excited to be doing this is it is accessible.
There are aspects of space that you can go and do today that you can start learning, you can start applying your knowledge from one area, your experience from one area to a different sector.
And specifically. So when I started looking at space systems, I started looking at what we do at BHIS specifically. For those of you that don’t know me, I am a full consultant offensive security analyst with Black Hills Information Security.
On top of being an Antisyphon instructor and course author. And this is the stuff that we deal with every day. This is the basic breakdown of our product offering.
We have web testing, API testing, network testing, cloud, hardware, RF, IoT, ICS, SCADA.
Most likely you fall into, you have some kind of purview over something in this slide. Whether it’s from an offensive side or a defensive side doesn’t matter, because we’re looking at it holistically and stuff.
Most people use networks to do their jobs. A lot of organizations use this fancy technology called the Internet and websites and various things like that.
And APIs and we all have hardware that we run. Things like that. This is the, this is the landscape of like offensive security testing right now are hacking focus.
When somebody’s hacking, these are the types of things that they’re looking at and there’s going to be subsets of this stuff. Like in hardware you could have medical devices, also in IoT you can have medical devices like.
And there’s going to be a lot of crossover. But when I started doing this research and going like I’m going to, I’m going to hit this topic hard with my research and my efforts of looking at space systems, what I realized was it’s the exact same.
There’s nothing special here. It’s still using the same components that we use at your Fortune 500 company or your small to medium business.
The technologies, the general classifications of things are going to be the exact same. And because of that there should be a path forward where we can utilize our knowledge and our experience from the, that stuff and apply it within the space system, or the space sector or domain, however you want to classify this.
And there are countless examples of where each of these kind of domain technical domains exist within various spaces. And we’re seeing a bunch of migrations from one to another one that’s actually not on here and it wasn’t on the other one and I apologize is physical, physical security is also definitely, definitely an element and it plays a big role in like securing our space systems and various things.
So this is how I want to, I want you to keep this in mind. This is exactly what you do. Okay? If you’re on the, if you’re on the defensive side, you are responsible for defending this stuff.
If you’re on the offensive side you are responsible for attacking this stuff regardless of whether it’s in space, regardless of whether it’s in a hole in the ground, a data center, it doesn’t really matter.
It’s, it’s technology. And again I do apologize if it seems like I’m oversimplifying it and because it is. But we want to get down to this least common denominator, get people to understand that this is, it’s not as foreign of a concept as we think about.
Next. I found this a couple months ago and I’ve got to put it into basically every slide deck from here on out.
This is actually a screenshot from a white paper produced by a PhD with NASA, talking about software vulnerabilities and various things like that.
And I think this is just one of the absolute quintessential like nail on the head things that we deal with in security. So on, on the left side here we have a flight computer that has no software errors.
On the right side we have a flight computer that has software errors. We could call this Schrödinger’s flight computer if we will. This specifically, if I recall was flight computers from one of the STS space shuttle missions.
I can’t remember the exact one specifically and stuff. My guess is in figure one they literally don’t even have any software installed on it at all. Like it’s just bare metal. I think that’s the only way to get from figure one to figure two.
But I don’t know and I say this and I put this in here for, to help you realize okay that despite what you may think about space and its accessibility and everything like that, it’s just flying computers on high latency networks and it’s code written by humans in most cases, that could be changing fairly quickly with AI and stuff like that.
But so the things that we would impact that we’d see impact from, from an enterprise environment for stuff like that. The same risk, the same vulnerabilities, the same threats may exist within a space system but it could be some different context and context does matter.
So. All right, but we know like that the things are similar, are close to the same. There’s definitely nuances and those nuances can be extremely difficult to overcome and understand.
And you’re not going to learn those. You’re not going to learn those in a one hour webcast. You’re not going to learn them in a, and a two day class or a five day class. It’s going to take many, many, many days, weeks, months of research and stuff like that.
But we don’t necessarily have to understand all of this. And so today for the rest of this we’re going to kind of take a, what I call a journey to orbit.
And how you can possibly get started, some things that you can do to get go hands on, and just some resources and we’re going to talk about this concept that I call learning backwards.
But first we’ll look at this journey to orbit. And so when, when we’re looking at designing or wanting to develop a mission for space, it doesn’t start in space, it starts here on Earth.
I, we were, we were in the Antisyphon AMA yesterday which by the way if you are a member of the Antisyphon Discord, I want to plug that Tuesdays at 12pm
Eastern Time, a group of Antisyphon staff members, instructors and community leaders all jump into Discord and we just open it up for student questions and it’s a, it’s one of the highlights of my week.
And I definitely encourage you guys to check that out. So yesterday somebody made the comment, it’s like you don’t learn to drive a car by jumping into NASCAR, and you don’t learn space by jumping into space.
We got to start something a little bit more grounded here. And so typically you would, you’re going to look at, from some conceptual stuff, you’re going to look at some design, you’re going to look at some theory, you’re going to learn a whole bunch of the educational stuff.
But like if we’re wanting to get into space, it starts at your desk, it starts there with designing and thinking and planning and testing and various things like that.
And then we will incrementally go through these various different processes, and we’ll talk about some of these in a little bit. So, specifically like, this is a, this is actually, this is the journey that I am on right now, with my company, with some plans that I have gearing up for launch 2029, where the goal of actually putting a satellite in space, is, there’s this iterative process that we want to go through.
And so once we’ve kind of vetted some things out and tested some stuff, we want to ramp up the, ramp up the risk, ramp up the reality of the situation.
So the next approach, once we’ve migrated from our desk and have some general concepts and stuff, we’re going to want to test some of this stuff. And one of the ways that we can test this, space systems, is we, especially at small scale is we throw it on a rocket.
Not a SpaceX Falcon 9 rocket or a Blue Origin New Glenn or anything like that. But no, we could utilize something like a high powered rocket, to be able to test our systems, our configurations.
We can learn a lot about how they’re going to behave and various things like that. Once we graduate from that stage, we’re going to go to a high altitude balloon launch where it’s literally we’re going to put a suborbital satellite on a weather balloon, release it up into the stratosphere to be able to test it, to be able to look at different aspects of how it performs and various things that are weaknesses and then ultimately we want to go to orbit.
But that’s all well and good, but some of this probably doesn’t mean anything to people. So starting with your desk, one of the things that we do from a scientific perspective, from a development perspective, we start off with this thing called a flat sat.
And for the next little bit we are specifically focusing on satellites, within the, the entire realm of space and space systems. Just because that’s, that’s where the fund’s at essentially.
Everything in orbit is a satellite. And so we can just break it down to that perspective. The International Space Station. Yep, it’s a space station, but it’s also a satellite. But most of us don’t have the resources or the funds or the capabilities to go build their own International Space Station equivalent.
I don’t, if you do let me know, I’d love to partner with you. And so we have to do things a little bit more simplistic. And so everything starts on paper, pen and paper and design software and various like these concepts of stuff.
And we typically would build something called a flat sat. And it’s literally what it says. It’s, it’s just a flat version of the satellite. It doesn’t have, it’s not in its launch structure or anything like that, but it’s a, it’s a platform in which we could test, develop our code, test it, go through all these various configuration options and stuff like that.
When we’re talking about hacking space and stuff like that. This is where it really, truly, truly starts is because I don’t need to test a fully fledged deployed satellite.
If I can get in at the ground stage here at the ground level and be like, oh yeah, this is, this is a really bad configuration. A little, little insider secret here, it’s really easier to patch a satellite on the ground than it is in space.
It’s really expensive to hire somebody to fly up there and plug in a USB drive and update it and stuff. So no, we want to be able to catch this stuff on the ground. And this is one of the approaches that we do now.
Typically flat sats have a lot larger implication in terms of the overall design and process and stuff. But when we’re thinking about like how to, how we want to start to hack things, and the approach that we want to take this is, this is where you want, you kind of want to start.
And the reality is you can go and actually start to acquire this up and we’re going to talk about that here in a little bit. Once you’ve gone through the kind of flat sat stage off your desk and stuff, then we can get into this format called CanSats.
And they’re very much what they sound like. They are can shaped satellites. They’re suborbital satellites. So they’re not actually designed to go into space but they’re great testing, proving grounds for both operationally but also means of like hey, is our stuff secure?
One of the things that I’m planning to do with my CanSat development is it’s very short flight but it’s like we want to see can we potentially hack it in that short flight.
Is there something that we can do in that timeframe and stuff? And then once you get through this, through this proving ground, as you will and this is really popular at the high school, university levels and stuff.
But I’m an adult, I still love this stuff. This stuff is amazing. You’re never too old to start playing with this stuff and getting involved with it. This would, this would go on a high powered rocket, so that we could launch it, 10, 15, maybe even 20,000ft up in the air in some cases, and being able to really test our systems and introduce some of the complexities that space has, both from temperature variations but also just like the vibrations of launch, making sure that things are not going to shake themselves apart even though a high powered rocket is not going to come even close scale to what an actual commercial launch vehicle would do experience.
This gives us a way to test. I want to emphasize this is done predominantly at the university level, the high school and stuff like that.
And there are programs that as professionals, as cybersecurity, there are ways we can get involved in these and start looking at it from like a cyber security. Because let me tell you, nobody is looking at cyber security.
Nobody is looking at because like they’re like, they’re engineering students, they’re trying to get off the ground. Like they’re trying to achieve their mission and stuff. Nobody’s like, I mean going like well can this radio link be commandeered?
I don’t know, like we’ll just deal with that if it happens. And so these are ways that we can get involved even tangentially of being like hey, pointing this stuff out and, and working on collaborating.
But once you’re done, once you get through this kind of CanSat, flat sat stuff, this is where the fun for at least for me really gets started. And my obsession with cubesats, if anybody knows me and knows anything about me, I truly do have an obsession with cubesats.
I probably have one of the largest private collections of educational cubesats in, in the world. And that’s thank you to all of the students and Antisyphon that have taken my classes that have afforded me the opportunity to buy these, to learn about these, to teach these things.
But and so one of the reasons that I focus on cubesats is for a couple of reasons and this is why we’re going to spend a good portion of the next few minutes talking about them is the fact that they are low cost, relative low cost in space terms.
And we’ll talk about some of the actual numbers here in a minute. But also they’re cost effective, they’re cheaper to launch, and they’re typically made with parts that are more or less accessible to us as mere mortals without having to have all of the super space grade components and various things like that.
We don’t need to have that to learn. And so the first one I think we’re going to go through like six cubesats or so here in the next one. The first one that I want to want to talk about is one that’s produced by hexstar.
This is an Indian organization, that they have this 1U cubesat, that it is the cheapest option as far as I know on the market anywhere.
It retails for $179 plus there’s some additional add ons that you can have. After shipping to the United States and stuff, it’s about $234 I believe and stuff.
But this is, this is the, the most accessible way to get into one of these things. Now this is not my favorite cubesat of all the ones because there are definitely some sacrifices that were made to keep those price points lower and various things.
But what it does, it does very well is it teaches you some of the basic concepts of like various sensors and different types of technologies and stuff that might be on a cubesat.
And this is like I said it’s very affordable relative. Not everybody’s going to be able to afford it and I understand that. But when we, when we talk about other options this is, this is quite, quite affordable here.
It, this is a great introduction. If you’ve never worked with electronics before. If you’ve never done breadboarding or circuit design or anything like that, this is probably the best option for you.
And the reason why is because it is all based off a breadboard. They walk you through how to hook up the sensors and how to connect all the jumper wires and all of this other stuff.
So not only are you getting to build something really cool in a cubesat, but you’re actually picking up some ancillary knowledge and skill sets that are, that are really valuable for you.
So at $179, like I said, this is not my favorite one. Because it’s not hyper realistic and I’m obsessed with the hyper realistic. But you can’t go wrong here. You really can’t.
It has a, it has a ground station or a receiver, and custom software that you can actually be able to interact with a satellite, be able to read the various sensor data and various things like that.
But it is a very basic design and what you’re going to see is they’re all very basic designs. And that’s for a reason.
Because again it’s just flying computers. In this case, it’s a flying microcontroller is what it be. I say flight. This is not, this is not flight worthy at all.
I mean you can like pick it up and throw it up in the air or something like that. But it would not survive a rocket launch. It would not survive in space. So definitely not going to want to look at that option. But the next one that I’m going to talk about is the AMSAT cubesat simulator.
This one here is I’ve got a, the most history with this particular solution here. I started with the version 1.2 last year and I modified for my own purposes.
If you’re at Wild West Hackin’ Fest 2023, you may have gotten to play around with one of these. This one here is fantastic for a lot of different reasons.
But this is really geared towards one specific element of an entire space system that we don’t see a lot of emphasis put on with all the other ones. And this is specifically the radio side of stuff.
Now if you’re not familiar with AMSAT, it is the Amateur Satellite Radio organization, that’s basically focused on having amateur radio in space.
And they do a lot of fantastic stuff including this cubesat sim. Now the thing about this, this will run you about three to $400. And it is very much a DIY setup.
There’s a fantastic Wiki and GitHub. It’s linked here in the slides including the entire bill of materials, walk through guides of how to build this.
It’s a lot of soldering, and various things like that. So it’s not something for the faint of heart. Like if you’re not, if, if you’re not technically inclined and not comfortable with a soldering iron, this is probably not the best approach.
I do know that they are going to have some, some remade kits available sometime, hopefully by the end of the year or sometime in the near future. And those I think are going to retail for like 400 bucks.
But this uses a Raspberry Pi Zero as its onboard computer which go. Oh, that’s not very realistic. Actually you’d be wrong because the Raspberry Pi Zero does have flight heritage, and has flown successfully as the onboard computer for multiple missions now, which is awesome.
Here again this is, the space is getting cheaper, it’s getting more accessible to us. We’re starting to be able to use things that we know and we’re experienced with and apply this within space system.
But like I said this is a very radio centric approach to this which makes sense for what they’re doing. In fact the original 1.2 version, it did not support any kind of bidirectional communications.
It was just a Sputnik, meaning it just transmitted data only about its various sensors and various stuff like that. With this new version they do have the ability to add on some hardware to do rudimentary command and control, which is a big improvement.
But if you’re interested in the radio side of stuff, if you got your ham radio license or something like that, this would be a great place for you to start your journey on hacking outer space.
So learning how these things com, these components go together, what they, how they function and various things like that and the purposes that they serve, cannot speak highly enough of Alan Johnston, and the entire AMSAT crew for putting this on completely open source.
Absolutely fantastic. From version 1.2 to the new beta 1.3.2 or it may be mainline now, they’ve improved it so much, much easier, a little bit smaller, bill of materials, a lot easier to get and stuff.
Just be aware depending on where you order your parts from, it could take anywhere from two to six weeks to get all the components in Depending on where you’re ordering from and stuff like that.
But definitely encourage you guys to check this out especially if you’re interested in the radio that RF side of stuff. Whereas as I said a lot we don’t get a lot of emphasis on that with other solutions.
Another one that I bought and I found early in January of this year is from a company called Edge flight.
They have a 1U cubesat that’s here they take some drastically different approaches to way they have their cubesats designed. It’s designed for educational purposes through and through where specifically like the boards as you can kind of see they’re actually sliding on rails so you can pull them in and out instead of having to take and disassemble the whole cubesat and various things like that.
I had the pleasure of going and meeting the CEO Tate Schrock a few months ago up in Wyoming. This is a US based company. Talk to them.
Absolutely fantastic product. They also do high altitude balloon stuff as well. So they have an entire program to take you from basically the classroom up to the stratosphere which is awesome.
These, they have two different versions of this cubesat. They have the no solder and the solder version and the no solder is about $385 now and I think the solder is $358 so it’s a little bit cheaper.
And it’s, it’s, it’s just that it’s, there’s a lot of pre populated components and stuff on, on headers and stuff. And it’s just a matter of whether you actually want to take, take the time to solder stuff.
But if you’re looking for hyper realistic in terms of the, the amount of sensors, the various things that are on board this thing you this is the best bang for the buck hands down.
he they did such a fantastic job. It has more sensors than any other a cubesat out there. that I know it’s using a Raspberry PI. Pico is the, is the primary M MCU.
it has GPS, it has 9 axis accelerometer or IMU. so accelerometer, gyroscope, magnetometer, pressure temperature, humidity sensors, air quality sensor, CO2, all of these atmospheric things which is really beneficial if you’re wanting to look at things from like a high altitude Balloon launch or something like that where you would actually observe different atmospheric conditions, conditions and stuff like that.
But again what you’re going to see is this common theme here is there is no, there’s no concept of security here. nobody’s baked it in, nobody’s kind of thought about it.
It’s like hey, we’re just wanting to produce something that’s realistic which producing something that’s not, doesn’t have security baked in unfortunately is hyper realistic. but we’re trying to drive some changes and, and stuff like that.
and this is a company that you’re going to want to pay attention to pretty heavily. They’ve got some stuff that’s coming down the pipeline that is just, it’s going to be absolutely awesome. Love the fact that they’re us based out of Wyoming.
Really really cool stuff. and so this would, this would be, this is like if you’re gonna like go like I want to play with cubesats, this is where I would start if I’m being completely honest.
With one exception. We’ll talk about that in a minute. So going up significantly in price, there is this CubeSat from Arctic Astronautics out of Finland called the Kitsat.
If you’re wanting hyper realistic, near flight ready, this is the best option that’s out there. This is one of my favorite CubeSats that I have and have been able to acquire and stuff.
It’s using all flight-proven components. It is matching every specification.
It technically could be launched with just a few modifications and stuff. This is not cheap by any means, and what you’re going to start to see is it’s just this massive scale up here.
This runs €1450, or about 1550 US dollars. Sorry, not cheap by any stretch of the imagination.
But if you’re wanting to get into like an actual, like how something would be designed in the real world, this is based off of an actual CubeSat that they have launched in space.
And then I think they’re doing a second one here. This is as real as it gets. They have a fantastic, they probably have the best ground station software solution.
It’s a C, Windows executable, but it is amazing. Like, they’ve done a fantastic job with it. It is so, so realistic. You can actually manage multiple satellites from one ground station.
Which is cool if you’re looking. They have a classroom pack of like five satellites and stuff, and it allows you to just manage it. It’s so incredibly cool. But as you’re going to see, when you’re talking like 1500 bucks, that’s not accessible to most people.
It’s just like, some people are fortunate. I am, I am fortunate enough that I’ve been able to teach enough to be able to buy these, to research these, and various things.
Because one of the things that I like to do is look at the commonalities between all of them. Because what you’ll find is there’s a lot of the same components, there’s a lot of various things that are available.
And the reason why is because they work, they’re accessible, they’re reliable, and in some cases they actually have flight heritage. So that one’s from Finland. This one here is a very special one, in my opinion, because they have a couple of different offerings and stuff.
But this is the MySat kit. This is a Ukrainian company. They offer the MySat in both a 3D printed enclosure as well as an actual full metal enclosure that has deployable solar panels.
I don’t recommend the full metal. It looks good but it’s kind of finicky on the assembly and various things like that.
But this is a well put together kit. The non 3D print, or the non metal version, I think runs about 399 and stuff.
It has a whole host of sensors and various things like that, to be able to really simulate what these space systems are really doing and stuff. And here again, the common theme is like, what you’re going to see is, if you took all of
mine, and I own all of these that we’re talking about, and looked at them and turned them all on, you’re going to start to see the same problems that we’re having. It’s like, okay, we’ve got the same hardware and stuff like that, but it’s like this lack of a cybersecurity-
first perspective. Such as, I’ve got a friend who ended up buying one of the hit sats, and like the first thing he was trying to do is like do a replay attack with a Flipper Zero, and it worked.
Like, why did that work? Why did a replay attack work against this satellite? Because we never designed it to not work that way. We didn’t design it and stuff. And so this is part of the,
when I talked about learning backwards, this is what I’m talking about here: oftentimes we want to approach a subject that we don’t understand or that we don’t necessarily have any stuff.
It’s like, we’ll go see a blog post, we’ll go see a webcast or something like that. And it’s like, oh, I want to do that. And then you go, you set up your environment, you replicate exactly what they did, you get the results that they did.
Cool. What did you learn? Well, you learned how to do that thing, but do you know why you do that thing? Do you know the context in which that’s the right thing to do at that time?
And in most cases, the answer is no. We actually talked about this a little bit in the AMA yesterday. It’s like, sometimes as instructors and stuff, we forget about or we gloss over some of the foundations and the fundamental elements that you actually need to know to fully understand this concept.
And so what we have to do is take something we don’t know, it’s like, oh, this is really cool, like a CubeSat or whatever, and start picking it apart piece by piece, and learning backwards.
The fundamentals, it was like, this is where the issues actually lie, like, from a cybersecurity perspective. I asked this in my class: how do you patch a satellite and not CrowdStrike it?
Sorry, is that still too soon? And the answer is you plan to patch your satellite in the design phase. That’s the easiest way to patch a satellite, is to plan for it at the beginning.
If you don’t, you’re going to have to overcome a lot of difficulties, a lot of challenges, and oftentimes you may not be able to do this. And so these are things that, if you take this hacker mindset, because it’s not just about, oh, we’re going to hack a satellite.
No, that’s not what this is fundamentally about. It is about hacking. The process for learning how to hack a satellite is. This is the important thing here that I want you to understand is it’s.
Yeah. Like, do you want to get code execution on a satellite? Yes, I do. Like, absolutely. But for me, it’s more about understanding all of the processes that would lead up to that, and understanding conditions and the context.
And these are the tools that can help you do this, even if you don’t realize it. Last couple of ones. The RASCube, this is from Robinson Aerospace Systems out of Australia.
This is also not a very cheap one. It runs to about $2,000 Australian dollars, so 1367 here in the U.S.
I actually have, I just got it, it’s over my shoulder right there. I haven’t even unboxed it yet. Version one. And they’ve also got a version two that is coming out.
And I was really excited to be able to support these guys, because here again, this now is probably the most realistic CubeSat that you can buy at this price point.
Because once you get above this price here it’s $10,000 or more and you’re actually getting into legitimate satellites and stuff like that. So this is a very cool educator kit.
It comes as a flatsat that you have to build everything from the ground up. I mean, all the PCBs are pre-populated and various things like that. But you do all the assembly, all of this stuff.
In fact, if you guys are interested, let me know in Discord. I am planning to do, not an unboxing, but like a build video on this particular one.
And then retroactively, if you guys like that, go through all of the other ones that I have, and just kind of doing a compare contrast and various things like that. Because these are cool. One of the things I hope you realize is none of this is about me, none of this is about Tim.
I want to, like, these are amazing things that other people are doing, and we should be able to take advantage and we should be able to praise them for doing such a good job of making this stuff accessible.
And I know he’s not listening, but Edward Robinson, he’s the CEO of Robinson Aerospace Systems, they are flying in 2025, which is absolutely awesome.
This is a young man, I think he’s about 21 now, 21, 22 years, that has developed this from the ground up. And they are going to space in 2025.
And so this is what’s possible. This is just so cool. But there’s one more, there is one more option, and we’re going to talk about Tempest. When I did say it’s not all about me, this is going to be a little bit of a caveat to that and stuff.
I do want to introduce you to Tempest. Tempest is a 1U CubeSat that I developed from the ground up for the purposes of teaching cybersecurity in space systems, or more specifically space cybersecurity.
Right now the only way to get your hands on one of these is to take my hardware version of my class, and we’ll talk about this at the end.
Ultimately the goal, I would love to be able to sell these as a kit. But the manufacturing process right now, it doesn’t scale well.
This is one of the challenges. I could do an entire webcast of like learning to fail. And one of the things is like, if I have a set of 25 of these for a class that I’m building and I have a four minute process for each of those, that’s a hundred minutes just for one process, times 30 processes.
The time doesn’t scale. So I’m working to improve the manufacturing process and stuff. But this CubeSat here is, as far as I know, the only one in the world that is intentionally vulnerable.
Now there’s some unintentional vulnerabilities, I’m sure, because I wrote the software and it serves its purpose, but it’s not great. But it is actually designed to be hacked, and it’s designed to be hacked in a way that mimics how things have actually happened from a historical perspective.
And the reason that I’ve done that is to be able to showcase this stuff. There’s some other special stuff about this particular CubeSat that does make it stand out.
But like I said, this is a little bit of a teaser. If you want to go hands on with this, you’re gonna have to take the actual class for now. But if this is not hands on enough for you, and you still have money left in your wallet by the end of this webcast, there are some other options that you can look at.
And this is something that’s very brand new to me. I don’t know how I missed this in my years of research, but it was pointed out to me in a Discord channel just a couple weeks ago.
This organization, called PROVES, and they have the PROVES Kit. This is a blend of open source hardware and software.
And they have fantastic documentation. All of their repos are on GitHub, and various things. This PROVES CubeSat has flight heritage.
They’re actually getting ready to launch their V2. And you can go and buy the actual hardware. You could do a pre-order on it.
It’s about $3,000 to get the flight ready version that you could just slap on a rocket. There’s a little more technical processes in that, but pretty cool.
But the reason why I’m wanting to share this for you is because this is the type of stuff that I just love, and this is the thing that we can do, especially cybersecurity professionals and stuff getting into it, is like, everything is there.
All of their flight software, all of their engineering designs, everything, the issues and stuff, reading the design decisions and stuff like that. This helps us understand these systems inside and out, and it allows us to be able to go like, hey, here’s a potential vulnerability, here’s something that’s not quite right, here’s how this satellite could be hacked once it actually launches and stuff.
And this is just, it’s on GitHub. All you gotta do is go look at it. You don’t have to go buy hardware, you don’t have to spend money. You just literally have to open up your browser, go to GitHub, go to this URL, and start just researching, looking at this stuff.
Like, there are all kinds of things you’re going to get introduced to just in this slide here. On the left hand side you’ve got their Pico SDK flight software.
So this is a Raspberry Pi Pico. And then if you go down about five levels or something, you’re going to see F Prime. F Prime is an open source flight software produced by NASA.
This is legitimate stuff that you have access to, and you go find a vulnerability in this, like, you’re gonna get some serious clout. You’re gonna get some nice letters from NASA signed by the head of NASA, and you’re gonna get all this other stuff.
Because this is the type of stuff that’s out there. It’s open source. We can go and look at it and we should be looking at it. We’re just not. It’s kind of, I forgot the actual, bystander syndrome, where it’s like, oh, somebody else will do it.
We’re not going to look at it. No. Let’s be the people that actually start to look at this stuff and identify this stuff and work with these people. You can go and join this project. This actually, I want to say, came out of Boise,
Boise State University. I may be wrong, but it’s basically a bunch of graduates like, hey, we want to continue doing this and we want to do this better. Sorry, I said Boise. It’s California Polytechnic that did this.
I don’t know why I said Boise. Probably Broncos is what got me messed up. But they’re like, hey, we want to keep doing this and stuff like that. And the fact that you can go and pre-order flight hardware for $3,000 is insanity.
And yes, I did do that. So, only for you guys though. So something else that you would want to look at, if you’re wanting to kind of understand the ins and outs of this, there is a YouTube series called the 1K CubeSat.
Unfortunately the gentleman who runs this did not finish the project and just got completely overwhelmed with work and stuff like that.
But this is a gold mine of understanding, learning how to kind of learn backwards. You’re going to go watch these videos and you’re like, I don’t know what any of this stuff means.
And then if you keep diving into this, six months later you’re going to watch it again. You’re like, yep, I got it. I know exactly what that means. And this all starts to make sense and stuff. Why? Because we kind of have to peel back the layers of the onion to develop this understanding and this knowledge that we have.
And then also OreSat, this is a project from Portland State University in collaboration with a bunch of other universities in Oregon and also some outside of that, such as UMBC and Cal Poly Pomona.
They again, they’ve open sourced everything, including their hardware files, their schematics, their software and stuff. And like, this is where we can start to look at specifically from a vulnerabilities perspective.
And why do we want to look for vulnerabilities? Because this is a list of CVEs, space specific CVEs, just in the last 18 months identified by a single company, Vision Space out of Germany.
That’s not all the companies that are looking at it, all the individuals that are looking at it. This is just one organization. Last 18 months, 18. This encompasses NASA, various projects such as Yamcs, just all kinds of different issues.
Why? We’re not doing the best job here. Okay. And the reason we’re not doing the best job is this right here. This is from a Register article that I’ve referenced in the past.
Johannes Willbold, a PhD student at the time out of Germany, did a research paper, and this is ultimately what he said. He said that the problem, as he opined, was that space science is such a rarefied field that the developers just didn’t have the security skills to do a rigorous shakedown of a satellite in the first place.
They don’t. We do, and we can do better, and we can help them do better. How are we going to do that? So, some resources that you’re going to definitely want to look at.
This is a book called Cybersecurity for Space. There’s actually two versions of it, or the second edition now. I’d recommend you just go straight to the second edition. This was written by Dr. Jacob Oakley.
Love this guy. This is the absolute quintessential place to start if you’re wanting to learn this. It breaks it down very, very succinctly. In some cases it’s oversimplification, but it’s at the perfect level.
It’s not too technical, it’s not too simplified. It’s just like, hey, here’s the problems, and it really can be a jumping board for you. If you want to go into the deep end, a deep, deep, deep end,
take a look at Hack-A-Sat. Hack-A-Sat is an annual CTF competition, although it did not run this past year. They took a little bit of a break. It’s designed, it’s an aerospace CTF and stuff, that ultimately to 2013 they actually launched, in conjunction with DOD, a 3U CubeSat called Moonlighter that was hacked as part of the competition at DEF CON.
All of their challenges and write-ups and all this stuff is free on GitHub. You can go and download it, you can look at it. You’re not going to understand it, not to start with.
And you might find one or two, it’s like, oh, this is stuff. Go through those walkthroughs, start to digest it. When you come back in six months, a year later, it’s amazing. It’s like, oh yeah, I got this.
It’s so amazing how we can learn backwards. Also, two organizations or two events that you would want to, I cannot talk.
If you’re really interested in stuff, the Aerospace Village. This is a fantastic group of volunteers and organizers from all across the country that do a bunch of different events.
And this was from DEF CON this year. And I know we’re running out of time here, so I’m going to wrap this up real quick. This is myself with a good friend, Henry Danielson.
This is actually a CubeSat from Cal Poly that you can go hands on and various things like that. These are things. HackSpaceCon, they just announced their 2025 dates.
If you’re interested in security and space, this is probably the best event that you can go to, hands down. Zach was there last year. I was there. Fantastic. Not sure that I’m gonna make it back this year, but we’re gonna try to make it work out.
And then lastly, I’m not gonna really talk about these. They’re in the slides and stuff. These are some training resources, some individuals that I would highly recommend you talk about Angelina Tsuboi.
Okay, we’ll talk about them. We got time. Angelina Tsuboi is just one of the absolute sweetest, most amazing young women I’ve ever met. She is producing content like nobody’s business.
She has an aerospace cybersecurity satellite hacking bundle through PenTest Magazine that you can go. She’s got a ton of stuff on GitHub and various different projects.
Love her stuff. Please go support her if you’re interested. That satellite hacking class is like 3.99, and it’s like 30 something hours of content. Really, really good.
Also, if you have a chance, Jacob Oakley, I mentioned, and Michael Butler, they have a core class, 2024, Hacking Space Odyssey. They’ll update it probably for 2025.
They’re not offering this a whole lot. This was last year at Black Hat and stuff like that. But if you can get into this, this is incredible. They did a small demonstration, a small section of it, at the Aerospace Village this past year and it was incredible.
Connecticut, Cubed. I’ve got some good friends over there. They’re doing some incredible cybersecurity trainings, specifically cybersecurity fundamentals for space, that I would encourage you guys to check out. Again,
links are all down in the bottom. And then lastly, I have two classes that are scheduled right now. The next one is going to be my Introduction to Cybersecurity and Space Systems.
And then also, I realize the image is wrong. It is not the hardware edition. It is just the regular virtual edition as part of the Secure Code Summit. That’s going to be December 5th and 6th.
And then if you want the hardware, you’ve got to sign up for Mile High. There’s only a handful of slots that are still available. And that’ll be in February 2025. Links of those there.
But last one, if you want to go and start to play around with your stuff, I do have an online lab called BIOS Ethos Labs. space. This is a workshop that I taught at HackSpaceCon as well as Wild West Hacking Fest.
This is completely virtual. You can go through and actually deploy a legitimate mission control and ground control solution, NASA’s core Flight System, as well as start to play around with your own custom satellites and various things like that.
And with that I’m going to wrap it up. I’m going to hang up. Thank you, Zach. Let’s go.
Zach Hill
Awesome, man. Always appreciate you coming on, sharing your knowledge. It is very, very, very appreciated, man. And you’re always entertaining too. You’re such a nice guy.
I could just sit here and give you compliments all day, but honestly, I just love being able to work with you and just watch you share this knowledge to everybody. Dude, it’s just phenomenal.
It’s just so cool too because I just love space. So maybe I just geek out about it on that front all the time.
Tim Fowler
I’m, I’m, yeah, I’m, I like it too. I’m, I’m pretty, pretty big, pretty big fan.
Zach Hill
Yeah, I would say so.
Tim Fowler
I’m, I’m going through and seeing if there’s any.
Zach Hill
I just shared the slides on Zoom for you. I saw a question that came through and slides.
Tim Fowler
Yeah, Cactus asks: you keep saying 1U. How is this different from a rack mount 1U? Great question. Fundamentally they’re the same, except they’re different.
So in the rack mount U, the U is the specification for one rack mount. And so in the CubeSat world, it’s the same exact thing. We have a 1U, which is a 10 by 10 by 10 centimeter cube weighing less than 2 kilograms, and stuff.
And so you could have a 1U, a 2U, a 3U, 6U, stuff like that. So it works the same way as a server rack does, obviously with just different dimensions.
Awesome.
Zach Hill
Thank you, man.
Tim Fowler
I’m looking back and seeing if.
Zach Hill
A link to the Moonlighter up.
Tim Fowler
Nope, but I can get it.
Zach Hill
Thank you, sir. Yeah. If y’all have any questions, I think you got a couple minutes. Tim, still or no?
Tim Fowler
Oh, yeah, I’m over.
Zach Hill
Okay. And then a reminder, at the end of this we do a breakout room. So if you have the Zoom application installed on your device, we do our weekly AMA after all of these webcasts, so everybody is free to join.
We’ll start the breakout room here in a few moments once Tim gets wrapped up. And from there you’ll see where you can join our AMA session. Everybody’s welcome. All questions are welcome.
We are there to help you and hang out with you. So if you guys are interested, come join us, ask questions about Antisiphon, security, whatever, we’ll be there to help you. And we look forward to that.
And thank you, Tim, for sharing that link.
Tim Fowler
Oh, no problem.
Zach Hill
How often? I saw this question come in earlier too. Haircut Fish asks, how often do the CubeSats get damaged by space debris?
Tim Fowler
So that’s gonna be hard to pinpoint, like a specific number and stuff. It definitely happens. I’m gonna say it’s not that common, simply because of the diminutive size of them makes it a little bit harder, and stuff.
I will tell you that in most cases, if a CubeSat is hit by any kind of debris, it’s done. It will not survive. Because you’re talking, in low Earth orbit, 28,000 miles an hour that it’s traveling, plus whatever the speed of the debris is.
It’s just not going to happen, and stuff. So it is definitely possible, but it’s, I don’t.
It’s hard to put an exact number on it, on what that would happen.
Zach Hill
Tim, somebody in the Zoom chat is asking, do the satellites have a real world use other than like temperature measurements? How are people using these things in real life application?
Tim Fowler
Yeah. So, yes. So the number one way that CubeSats are used is actually as a test bed.
Typically we’re testing new technology, new capabilities, technology demonstrations. And so instead of doing these monolithic projects where your launch could blow up and stuff like that,
hundreds of millions of dollars, it’s like, hey, we can spend like $100,000 and test this out and stuff. So a lot of technology demos. But they also have other things such as distributed capabilities.
Like, the example is if you want to look at geostationary Internet versus Starlink, where Starlink is a constellation of satellites.
They’re all low cost, low power, various things. They’re disposable. CubeSats give us the ability to do that. Where it’s like, instead of having, you could think of it like Docker containers for space.
Instead of having one giant monolithic server, nope, we’re gonna have a bunch of different Docker containers that are doing our various different things. Lots with Earth observation. A lot of the imagery that you’ll see from companies like Planet Labs and various things like that, even like Google Earth and stuff, is actually coming from CubeSats
for that reason.
Zach Hill
Thank you, sir. Do you combine this passion with ham radio contacts? They do something similar as well.
Tim Fowler
Yeah, yeah. So I do have my, I actually, when I started on this, eleven days later I got my ham radio technician’s license. And so I unfortunately haven’t done a ton with it and stuff,
just because I’ve been so focused on the actual cybersecurity aspect of it and stuff. But yeah, there’s definitely a strong correlation.
Zach Hill
Awesome. Thank you sir. Did you see another question?
Tim Fowler
What is the expected lifespan of these cubes? It’s gonna vary on price, because typically the more expensive components, you’re gonna have more radiation tolerance and stuff like that.
Radiation is really the big issue there, and stuff. And so anywhere from typically one month to three to five years, depending on like what its actual capabilities are and various things like that.
Just because it’s more expensive doesn’t mean it survives. It just means that it has more capabilities to potentially survive. But anything like ionizing radiation hitting it in the right place or whatever can have the same results.
Zach Hill
Tim, Kevin Sahota asks: sounds like EdgeFlyte is the most cost effective way of getting hands on with a sat. Is there a community that is dedicated to talking and learning about these devices?
Tim Fowler
You’re in it right now. No. So yes, I do think EdgeFlyte is the best option. And so go check that out. Like, don’t DoS the website.
But like, I told Tate the other day, I was like, hey, I’m talking about you guys. And so hopefully drive some traffic and things like that. This is actually something that I’m trying to do, is help build a community.
There’s actually a CubeSat Discord channel that I found out about randomly a couple weeks ago that I would definitely recommend being in. There’s also a couple of subreddits and various things like that.
There’s really not a big community, and one of the things I’m trying to do is kind of build more interest in that.
Vishal has a great question. Are CubeSats generally standalone or do multiple CubeSats get attached to a single flight? The answer is yes and no. A lot of them are kind of more standalone.
But there are also kind of ride share programs and stuff where you would have multiple CubeSats on the same space vehicle instead.
So they wouldn’t actually necessarily get deployed out into space. They would stay mounted on something else so they don’t have to worry about solar power or power generation, various things like that.
They can only focus on their mission. So you’ll see a little bit of both, just depending on the actual mission and objectives.
Zach Hill
FF asks do you spend most of your research on the ground like looking at the software or do you actually try to communicate to active satellites in orbit?
Tim Fowler
So most of it is on the ground, just because, well, frankly there’s some legal issues around FCC and various things like that.
Like, being able to just arbitrarily send traffic to a satellite is probably not the best idea and stuff. And so most of the actual brute force work can actually be done on the ground.
And then you would test in production, if you will. I don’t condone that at all. Make sure you have a signed contract from the actual satellite operator and manufacturer and various things like that.
But yeah, most of it is from a ground up perspective.
Zach Hill
Thank you, sir. Going through some different questions here. I think that’s not all of them, but otherwise, if people want to get a hold of you, what’s the best way to get a hold of you, Tim?
Tim Fowler
The best way to reach out to me is, I am on X. I’m on LinkedIn, Bluesky, Mastodon. Pretty much all of them.
I’ll put my username in Discord. It’s just Roobixx. R O O B I X X. And yeah, reach out.
Love to talk. I gotta give a shout out to Henry. I saw him pop up in Discord. He was the one I took the picture with. Absolutely awesome dude.
Go read, they did a report back in June, novel concepts for cybersecurity, like, scenarios and stuff, using the ICARUS matrix.
Go check that out. I’ll find a link, drop it in chat. It’s really, really cool how they did that.
Zach Hill
Awesome. Thank you, sir. Appreciate you being here, sharing your knowledge as always. We are going to be back here same time, same place next week if you want to stay tuned with what’s going on.
I’ll put the link in the chat for poweredbybhis.com. They’ll show you all the different events that we have going on. And then of course be sure to sign up for our Secure Code Summit in December, and maybe we’ll see you in Denver at Wild West Hacking Fest, where you can see Tim in his class maybe.
So go check that out, and thank you again, Tim. Appreciate you. Have any parting pleasures?
Tim Fowler
No, just thank you guys, thank everybody for being a part, and hopefully we’ll come back next year and be like, here’s how we did it better.
Here’s what we’ve learned in the last year. And honestly, hopefully soon somebody else will be able to give the same webcast.
Zach Hill
Yeah, thank you. Sorry, I was setting up our AMA session. So if you have the Zoom application installed on your device at the bottom of your screen you should see breakout rooms.
And I just got that opened up there. So I will see you all over in the AMA. Otherwise, see you next week. Take care, everybody.
Tim Fowler
Have a good one.