D-Orbit, the space tech scale-up innovating space logistics and orbital transport, announces the completion of CTRL+Space CTF, the first European Capture-the-Flag (CTF) cybersecurity competition in orbit and the first in the world to involve multiple operational satellites. The event was organised in collaboration with Mhackeroni, one of Europe’s leading ethical hacking teams and multiple CTF world champions, with the support of the ESA Security Cyber Centre of Excellence (SCCoE) and the ESA Security Office.
The final of the event took place from 4 to 6 November at ESA ESTEC (European Space Research and Technology Centre) in the Netherlands, during the Security for Space Systems (3S) Conference, where five teams competed in unprecedented cybersecurity scenarios, carried out on board a real operational spacecraft.
A Capture-the-Flag is a cybersecurity competition in which participants must identify and exploit vulnerabilities in systems to capture digital ‘flags’, evidence of the successful breach. CTRL+Space CTF is the first competition to use a real, operational spacecraft in orbit as its target system.
As the first initiative of its kind led by a European private company, CTRL+Space CTF brought together the cybersecurity and space communities to tackle one of the most critical challenges facing the growing space economy: protecting orbital infrastructure from cyber threats.
“Cybersecurity has become a fundamental pillar of the new space economy,” says Grazia Bibiano, Portugal country leader at D-Orbit, in a statement. “At D-Orbit, we integrate it from the very early stages of design, because security cannot be an add-on, but must be incorporated into the DNA of every system we send into orbit.”
“Protecting space infrastructure is one of the most complex engineering challenges of our time,” adds Davide Avanzi, D-Orbit head of space and product security. “By adopting a ‘security by design’ approach, we ensure mission resilience, data integrity and confidence in the space services of the future.”
“The space environment poses unique challenges in the development of engaging hacking exercises,” says Daniele Lain of Mhackeroni. “This one-of-a-kind event helps us understand how more traditional vulnerabilities and exploits can be adapted to satellite environments and their limitations. Participants were faced with complex scenarios that replicated real systems, culminating in ‘full-chain’ attacks that compromised simulated ground stations in order to take control of the satellite software.”
“Protecting space missions through cybersecurity is not an option,” adds Antonios Atlasis, head of the system security section at ESA’s TEC Directorate. . “The successful implementation and execution of CTRL+Space CTF not only offered students across Europe a unique opportunity to tackle cybersecurity challenges implemented on real satellites, but also demonstrated that applying cybersecurity measures to satellites is possible even in the most complex scenarios. We would like to thank D-Orbit, the Mhackeroni team and all the collaborators and participants in this extraordinary event.”
The competition attracted interest within the cybersecurity community. A total of 559 teams registered for the qualifying round, and 299 of them managed to solve at least one of the challenges. During the event, participants submitted 660 correct flags relating to the 25 tests prepared by the Mhackeroni team.
During the final phase, 3 IONs were actively used, 63 passes were completed, 7 IONs provided real-time telemetry, and 15 in-orbit exploits were successfully performed.
The five teams competing were: Enoflag, Superflat, RedRocket, CzechCyberTeam and PoliTech. Superflat took first place after three days of intense competition (pictured is the award ceremony).
During the final, teams faced realistic mission scenarios designed specifically to test their ability to identify and exploit vulnerabilities in space systems. Thanks to the flexible architecture of ION Satellite Carrier, D-Orbit’s satellite platform, and the robust security measures implemented by the company, all scenarios were executed in a secure environment, completely controlled and separate from the satellite’s commercial mission.
Participants competed in: resolving safety-related scenarios such as interpreting real telemetry and sending command sequences to an operational spacecraft; analysing vehicle data to determine attitude and orbital position, which is critical information for control and operational decisions; interacting with onboard software to discover and exploit vulnerabilities.
The unique conditions of the space environment, from autonomous systems operating in extreme conditions to limited computational resources, communication delays and increasing interconnectivity between satellites, make cybersecurity a fundamental pillar of the future space economy. CTRL+Space CTF reflects D-Orbit’s commitment to addressing these challenges and contributing to the creation of a secure and resilient orbital infrastructure, essential for tomorrow’s space services.
ALL RIGHTS RESERVED ©