DEF CON 29 Aerospace Village Talks, Workshops, CTF Schedule
Aerospace Village will be hybrid this year from August 6 (Friday) – August 7 (Saturday) 10:00AM-4:00PM in-person @Las Vegas.
- All talks will be streamed online Friday & Saturday between 9:00AM – 4:30PM PDT.
- Workshops & CTFs will operate at specific times and format listed in the schedule.
FRIDAY, AUG. 6 Talks (Virtual, 9:00AM – 4:30PM PST)
Security of Electronic Flight Bags: avoiding tailstrikes and runway excursions
9:00AM – 9:25AM
- Ken Munro
Why letting your kids watch Netflix on your electronic flight bag probably isn’t a good idea. EFBs are safety critical devices, yet security guidance is limited and few operators lock down devices sufficiently to prevent a determined attacker from gaining access. We’ll look at example vulnerabilities we’ve found in EFBs and apps, how they can affect flight safety and dispatch, then how EFBs can be secured without introducing new flight safety issues!
Bio: Aviation security researcher, accident-prone pilot, safer on the ground
The Antenny Board Design and Fabrication Saga: Sweat and Tears Along the Supply Chain
9:30AM – 10:20AM
- Ang Cui
Over the past few months, Red Balloon Security has been developing and manufacturing the Antenny v5 board, and like anyone else who is putting together hardware, we ran headlong into the famous chip shortage. Listen to our story of how we overcame the shortage, found the most treasured of surprises in the most unlikely of places, and distilled all the drama into the little purple boards over in the Aerospace Village area.
Bio: Dr. Ang Cui is the Founder and Chief Scientist of Red Balloon Security. Dr. Cui received his PhD from Columbia University in 2015. Ang has focused on developing technologies to defend embedded systems. He has also uncovered vulnerabilities within embedded devices like Cisco routers and HP printers.
Hack-A-Sat 2: The Good, The Bad and the Cyber-Secure
10:30AM – 11:20AM
- Capt Aaron Bolen, Frank Pound, Bryce Kerley, Steve Wood
Take a deep dive into the last frontier of cybersecurity: Space. We take an inside look at the Hack-A-Sat prize competition, a joint effort of the Air Force and Space Force, in collaboration with the Aerospace Village, aimed at educating and inspiring a new generation of hackers to tackle this ever-important domain. In this talk, we will discuss: Satellite hacking 101, recap HAS1 insights, provide HAS2 Quals challenge explainers, and preview the HAS2 Finals…and beyond
Steal This Drone: High-Assurance Cyber Military Systems
11:30AM – 11:55AM
- Darren Cofer
As part of DARPA’s High Assurance Cyber Military Systems program, Collins Aerospace led a team of researchers developing new tools for building aircraft software that is provably secure against many classes of cyber attack. We developed system architecture models, software components, and operating system software which have been mathematically analyzed to ensure key security properties. This talk describes the research results and demonstration in-flight on a military helicopter.
Bio: Darren Cofer is a Fellow at Collins Aerospace. He earned his PhD in Electrical and Computer Engineering from The University of Texas at Austin. He has worked in the aerospace industry for 26 years, applying formal methods for verification and certification of high-integrity systems.
Threat Modeling for Space Hitchhikers
12:00PM – 12:25PM
- James Pavur
When you strap someone else’s satellite to your rocket, how much should you trust them? In this talk, we’ll explore threats relating to launch integration and the role of secondary payloads, such as CubeSats, in modern missions. The briefing combines strategic and policy perspectives with dynamic simulations exploring space-to-space radio attacks from compromise or malicious payloads. While it includes technical components, it assumes no prior experience with radio communications or aerospace.
Bio: James Pavur is a Rhodes Scholar and DPhil Student at Oxford University where he researches satellite cyber-security in the Department of Computer Science’s System Security Lab.
Evaluating Wireless Attacks on Real-World Avionics Hardware
12:30PM – 12:55PM
- Leeloo Granger
In a nutshell, in this project we prove the critical vulnerabilities of GPS and ADS-B technologies which only had been theoretically discussed in the literature. To do so, we investigated the feasibility and accessibility of GPS and Mode S spoofing on an avionics lab – the Garmin’s Navigator GTN750 – and using two types of transmitters: the USRP B210 and Raceologic’s LabSat Wideband 3. We successfully spoofed the GPS position of the GTN750, as well as intruders on the Traffic detection system. Unfortunately, we were not able to attack the TCAS II. Our work shows the vulnerabilities of communication technologies that have a major role in the safety of an aircraft, hence attacks are a severe threat and all the more so if they are conducted using as few resources as we did.
Bio: Leeloo is a Swiss-French undergraduate student in Communication Systems at EPFL, currently in exchange at ETH Zürich. She is currently learning to become a private pilot and has an interest in avionics security avionics. Besides her studies, she is an athlete in archery currently training for the 2024 Olympics.
Unboxing the Spacecraft Software BlackBox – Hunting for Vulnerabilities
1:00PM – 1:50PM
- Brandon Bailey
As the commercialization of space increases or access to source code is not feasible, it is getting more common that spacecraft/embedded binaries are a black box. There needs to be a way automate code inspection in a cost effective, fast, repeatable manner which can be constantly enhanced to have the latest capability to build secure spacecraft SW. Synthetic vulnerabilities were created and analyzed with varying results.
Bio: Brandon Bailey has more than 15 years of experience supporting intelligence and civil space customers. Brandon’s specialties include vulnerability assessments and penetration testing for space systems. Brandon was awarded NASA’s Exceptional Service Medal for his landmark cybersecurity work in 2019.
Don’t fear the BUS, it won’t run you over.
2:00PM – 2:25PM
- Nicholas Childs
This talk is a basic introduction to aircraft avionics comm/nav bus systems and the expansion of the network to more vulnerable areas than have seen before. It is more of a primer and 101 for stepping into a the larger world of aerospace networks.
Bio: Nicholas Childs Is a USAF aircraft maintainer with experience with mechanical, electronic, hydraulic, and avionics systems with both military and civilian aerospace platforms. He has worked on C-5, C-17, KC-135, B-1, 737, 747, and L10-11 platforms. With a focus on security he scrutinizes them.
CPDLC: Man-in-the-middle attacks and how to defend against them
2:30PM – 2:55PM
- Joshua Smailes
The Controller Pilot Data Link Communications (CPDLC) protocol replaces voice-based air traffic control with a text-based protocol. With no real security protections, this system is open to a wide range of message injection attacks. It has long been assumed that air traffic controllers and flight crew should be able to detect such attacks, but this is not always the case.
We construct a realistic threat model for CPDLC and introduce attacks on the underlying protocol, taking advantage of automated components of the system to make attacks which are difficult for human operators to detect. We also propose a number of improvements to CPDLC to mitigate these threats.
Developing Aerospace Security Training 3D Models
3:00PM – 3:25PM
- Kevin Hood
The challenge for students interested in aerospace cybersecurity is how to jump-start their learning and prepare themselves for this career path. Developing models and simulated aerospace infrastructure can enhance critical skills needed in aerospace cybersecurity. From a student’s perspective, learn how to get started in aerospace cybersecurity and the future developments of a hackable, large-scale model airport at the Aerospace Village.
Bio: Kevin Hood is a Software Security Engineering Intern at Collins Aerospace, Project Manager for the Aviation ISAC Cyber Competition, and student at Embry-Riddle Aeronautical university. Kevin has focused his career in aerospace cybersecurity and develops events to bring more people into the industry.
Collecting CANs: a Bridge Less Traveled
3:30PM – 3:55PM
- Pearce Barry
We’ll step back a few years to early 2017, when @zombieCraig released the Metasploit Hardware Bridge as a mechanism to allow Metasploit Framework to reach into networks beyond Ethernet. While the now-defunct HWBridge initially focused on automotive targets, some of that tech, including CAN buses and RF transceivers, has commonality in aviation targets. In this talk, we’ll cover basic design and use of the HWBridge, how one can use it with CAN and RF transceivers, and what it takes to set it up.
Bio: Having worked as a Metasploit developer and later as a manager of Metasploit development at Rapid7, Pearce currently keeps busy doing security research at Rumble, Inc. and following advances in space technologies.
Holistic View of a Flight with Crowd Sourced Data
4:00PM – 4:25PM
- Allan Tart
During the talk an overview will be given about how one can use crowd sourced data for creating a holistic view of flight. The data used for the purpose will include both ADS-B and VHF voice communications.
Bio:Allan Tart has worked in the field of Air Traffic Management over a decade, where he has had several roles. His latest position in OpenSky Network, has included air-ground VHF communications to his list of interests, which previously mainly concentrated only on surveillance systems.
SATURDAY, AUG. 7 Talks (Virtual, 9:25AM – 4:30PM PST)
VDP in aviation: Experiences and lessons learnt as a researcher
9:25AM – 10:50AM
- Matt Gaffney
Following a Vulnerability Disclosure to an aircraft manufacturer in 2019 little did Gaffers know that he was about to start on a journey in to a world where vulnerabilities are considered features and unless you can argue a safety impact you are not taken seriously. Without divulging the details, this talk will discuss the steps taken, what worked, what failed and some advice for anyone else who finds themselves in a similar situation.
Bio: Following his career in the British Army, Matt has been working with clients in various industries. However, his best years were spent working in aviation, specifically systems found in the Aircraft Information Systems Domain. More recently he has turned his attention to security in UAS.
Defending the Unmanned Aerial Vehicle: Advancements in UAV Intrusion Detection
11:30AM – 11:55AM
- Jason Whelan
Many attacks against the UAV are becoming commonplace as they are simple to conduct with inexpensive hardware, such as spoofing and jamming. Unfortunately, many of the vulnerabilities UAVs suffer from are based on security flaws in the underlying technologies, including GPS and ADS-B. An intrusion detection system (IDS) for UAVs can increase security rapidly without the need to re-engineer underlying technologies. UAVs are cyber-physical systems which introduce a number of challenges for IDS development as they utilize a wide variety of sensors, communication protocols, platforms, and control configurations. Commercial off-the-shelf IDS solutions can be strategically implemented within the Unmanned aerial system (UAS) to detect threats to the underlying traditional IT infrastructure, however, the UAV itself requires specialized detection techniques. This talk discusses advancements in UAV intrusion detection, including proposed solutions in academics, pitfalls of these solutions, and how a practical technique using machine learning can be used to detect attacks across UAV platforms. A fully developed IDS is presented which makes use of flight logs and an onboard agent for autonomous detection and mitigation. The topics covered come from lessons learned in UAS penetration testing, live experiments, and academic research in the UAV security space.
Bio: Jason (OSCP, OSCE, CCNP) holds a Bachelor of IT and is currently working towards a MSc in Computer Science from Ontario Tech University. He has presented at international conferences on UAV security, and has experience in both practical security research and penetration testing of operational UAS.
Federal Perspective on Aerospace Cybersecurity
12:00PM – 12:25PM
- Steve Luczynski interviews Larry Grossman
As the Federal Aviation Administration’s Chief Information Security Officer, Larry Grossman has a unique perspective on the challenges associated with building and sustaining adequate security for IT systems within a government agency and across the aerospace sector. Join us to learn more about his experiences and gain insight into the FAA’s current efforts to sustain the public’s trust in safe air travel.
Bio: Larry Grossman is the Federal Aviation Administration’s Director of the Office of Information Security and Privacy and Chief Information Security Officer. In this role, he provides strategic leadership of FAA’s information security and privacy programs. He chairs FAA’s Executive Cybersecurity Steering Committee which provides oversight to cybersecurity activities across the FAA enterprise. Larry leads the FAA’s security operations, compliance, governance, and risk management functions. Looking externally, he oversees the FAA’s Aviation Ecosystem and Stakeholder Engagement Office whose role is to promote awareness and improve cyber resiliency across the aviation ecosystem. He also leads the evolution of FAA’s cybersecurity strategy, Security Operations Center modernization, new program deployments, and cyber incident response activities. Additionally, he represents FAA’s cybersecurity and programs at the Department of Transportation and other agencies; he participates in government-wide and international cybersecurity initiatives and exercises; and regularly briefs Congress on FAA and aviation cybersecurity. Larry has been with the FAA for over 25 years and prior to his current role, led the deployment of Air Traffic Control and Aviation Safety systems, as well as data modernization and external data distribution efforts.
An avid aviation enthusiast, Larry holds commercial pilot and flight instructor certificates in both land and sea, and travels in his own aircraft whenever possible.
Lost In Space: No-one Can Hear Your Breach (Choose Wisely)
12:30PM – 1:20PM
- Elizabeth Wharton
Navigating the space race is difficult enough with privately sponsored flights, internationally owned stations, and interplanetary destinations. Supply-chain vulnerabilities, ransomware threats, and other cybersecurity challenges are magnified when the galactic rules are still being written. Join an interactive adventure dodging malicious attackers, signal and software glitches, and potential liabilities trekking to Mars, highlighting cybersecurity pitfalls and pending policy issues.
Bio: Liz, a cybersecurity-focused business and public policy attorney, has advised researchers, startups, and policymakers at the federal, state, and local level. Currently SCYTHE’s Chief of Staff, she was the World’s (second) Busiest Airport’s technology attorney and hosts the CISO Stressed podcast.
Pathways into Product Security
1:30PM – 2:20PM
- Daniel Nguyen, Patrick Cordell
The presentation will be in a Q/A panel format with a set of early career engineers answering questions about their entry into embedded systems product security. The engineers are from around the United States representing a diverse technical background.
Bios: Daniel and Patrick are security engineers with experience in avionics and embedded systems.
True Story: Hackers in the Aerospace Sector
2:30PM – 2:55PM
- Moderator: Steve Luczynski, Panelists: Thomas Bristow, Declyn, Ginny Spicer, Olivia Stella
What’s it like to be a hacker working in government, for an airline, or pursuing a degree?
When you read that question did you think, ew, why would I ever do that?! Or did you think, wow, that sounds great tell me more!
This isn’t your typical workforce talk!
Join a diverse panel of folks working in the aerospace sector who are just like you! Learn how they got into their roles, why they chose to work there, what motivates them, and how they gained their skills and experience.
Bios: Thomas Bristow is a Cyber Security Certification Specialist for the UK Civil Aviation Authority where he works on a whole range of things, from cyber threat modeling to running the CyberFirst summer placement scheme. He’s a recent graduate from Royal Holloway with a degree in computer science and two back to back wins of society of the year. While his role is in cyber security he always tries to help others: whether this is educating colleagues on the LGBTQIA+ flags (and their meanings), performing careers talks at schools or just helping to make their team wiki easy to use.
Declyn is a cybersecurity specialist for the Aviation ISAC. He taught himself basic security principles and after finding aviation related vulnerabilities and reported them to the A-ISAC. He now works in the intel team at the A-ISAC specialising in threat intelligence and vulnerability disclosure management.
Ginny Spicer is a master’s student studying information security at Royal Holloway University of London. She is a packet nerd and likes to focus on network analysis, Wireshark, new protocols, and interplanetary communications. Ginny is a member of the technical documentation working group in the Interplanetary Networking SIG and an advisor for the California Cyber Innovation Challenge. Her particular areas of interest are DTN and encrypted DNS. This is her second year helping out with the DEF CON Aerospace Village.
Olivia Stella is a cybersecurity engineer for Los Alamos National Laboratory. In her current role, she focuses on agile space cybersecurity. With over twelve years of experience, she’s worked for multiple companies in the aerospace industry including an in-flight entertainment company, major US airline, and government contractors. Olivia has supported incident response, vulnerability management, pen testing, bug bounty & coordinated disclosure, risk & compliance activities. Her academic background includes degrees in computer science and software engineering, along with an alphabet soup of security certifications. When she’s not wearing her security hat, she loves to curl and is an avid toastmaster. (That’s right, ice curling.)
Drone Security Research Series – Ep6 Hacking with drones
3:00PM – 3:50PM
- Matt Gaffney
In this series we have uncovered weaknesses in the MAVLink protocol, now we attempt to overcome physical security controls by getting within range of WiFi networks with a drone. In this episode we use a drone to get close to our target by taking the tools airborne and flying over our target. Let’s rewrite the physical security model!
Bio: Following his retirement from the British Army, Matt has been working in various institutions including industrial, government and financial. However, his best years were spent working in aviation and directly on systems found in the Aircraft Information Systems Domain.
Fuzzing NASA Core Flight System Software
4:00PM – 4:25PM
- Ronald Broberg
NASA Core Flight System (cFS) provides an open source software framework used in multiple NASA missions including the Lunar Reconnaissance Orbiter, the Parker Solar Probe, and the protoype Mighty Eagle robotic lunar lander. The cFS suite includes Command Ingest (CI_Lab) and Telemetry Output (TO_Lab) applications which are only representative of similar applications in actual mission software. Fuzzing techniques applied to cFS reveal issues in the Command Ingest application (CI_Lab).
Workshops (Friday & Saturday10:00AM-4:00PM, UON)
[Virtual] AIAA CubeSat Hacking Workshop
- AIAA, Sci_Zone
DEF CON participants will be able to interact with CubeSat hardware and ground equipment in cybersecurity sandbox environment.
[Hybrid] ARINC 429 Lab
- Boeing Testing & Evaluation
Sessions will be held for small audience 15-20 users to demonstrate the structure and use of avionic-specific communication protocol (ARINC 429). This is an opportunity for hands-on experience in a controlled setting.
[In-person] Decoding NOAA Weather Sat Signals
*Saturday 11:00AM – 12:00PM in-person. You’ll need a laptop with internet connection for this workshop
- Eric Escobar
My goal for this workshop is to introduce receiving and decoding NOAA weather satellite signals. I’ll demonstrate this first with a commercially available radio, and then I’ll demonstrate how to listen to to NOAA satellites for free using publicly accessible and internet connected radios scattered across the globe.
[Virtual] Deep Space Networking
- Chappell University
Deep space communications utilize TCP/IP protocols with some added assistance from a TCP Convergence Layer and the Bundle Protocol. In this workshop, participants will contrast data transmission on the Earth terrestrial Internet to the Deep Space Network and then delve into the latest version of the Bundle protocol and the TCP Convergence Layer. We will examine key fields in the headers, locate the first packet of a bundle and the first and second legs of the relay process, as reassembled by Wireshark. Participants will learn to build a custom Wireshark profile to quickly identify key fields of the Bundle Protocol, including fields that define priority, destination type, endpoint IDs, and reporting of bundle delivery.
[Hybrid] Hack-A-Sat2 Satellite Platform
- Hack-A-Sat2, Cromulence
Come and gets hands on with Hack-a-Sat 2 hardware and learn about the unique problems presented by cybersecurity in the space realm. The Air Force and Space Force will be presenting the HAS2 flatsat – the primary platform hosting the hacking challenges for HAS2, comprised of a variety of software and processor architectures commonly used in space vehicles. Visitors can command various settings changes in the flatsat and see the resulting changes in the telemetry from the device as well as visual attitude changes in the NASA 42 simulation. Visitors will also be introduced to the HAS2 Digital Twin, an emulated version of all the flight software running on the flatsat, and will have a chance to capture and analyze an exploit being thrown against the flight software. Lastly, the Aerospace Corporation will demonstrate cyber defense onboard a satellite by using machine learning and signatures to detect anomalous command sequences and onboard cyber events.
For virtual attendees, the Digital twin demonstration will also be accessible via VNC to an instance running inside Docker containers in Amazon AWS (remote viewers will need to have a VNC client on their own computer).
[In-person] HACMS Live Demo
- Collins Aerospace
As part of DARPA-s High-Assurance Cyber Military Systems program, Collins Aerospace led a team of researchers using formal methods tools to construct aircraft software that was provably secure against many classes of cyber attack. We will have an operational (but non-flying) version of our secure quadcopter present whose mission and telemetry software runs on the formally verified seL4 kernel. We will provide wifi access to an isolated virtual machine running on its mission computer. DEF CON participants will be challenged to break out of the VM environment to read or write the encryption keys used for vehicle telemetry.
[In-person] In Space, No One Can Hear You Hack
- Kaitlyn Handelmann
In Space, No One Can Hear You Hack: DEF CON participants will learn the basics of space hacking and space vehicle security. This is the perfect point of entry for those interested in space hacking.
[In-person] Lego Spike Hub
Participants will be given the opportunity to program a Lego Spike Hub to perform a space mission of transporting and sorting valuable minerals. The workshop is intended to be an introductory workshop to give participants an appreciation for the operation of autonomous space vehicles and an understanding of finite state machines and hardware limitations. There will be 4 prebuilt Lego robots, 2 will be for tracing a line while the other 2 will be for color sorting. The scenario presented to the participant is that they are on a foreign planet and need to transport minerals along a predefined path to safely arrive at the sorting facility and as such will program in Scratch code code for the transport shuttle to execute. Participants will also have a chance to program in Scratch the code to execute on the color sorting robot, thus demonstrating the ability to correctly sort the minerals in appropriate colors.
[Virtual] Nyansat v2
- Red Balloon, Hack-A-Sat2
Come together to build on Antenny boards and NYAN-SAT. Make things that can talk to the sky with very very very affordable hardware. What becomes possible when we have 1000 ground stations? I have a few ideas, I’m sure participants will have many others. Let’s build it and find out together!
[Virtual] Understanding Space in the Cyber Domain
*2 online sessions: Friday 1:00PM-4:00PM, Saturday 10:00AM-1:00PM
- TSTI sponsored by AFRL, Griffiss Institute
This half-day course examines the practical issues of developing and sustaining a secure cyber environment through all phases of the space mission lifecycle. The course is organized around the SPAce Domain Cybersecurity (SpaDoCs) Framework. The SpaDoCs Framework provides a comprehensive and systematic model for understanding and tackling all critical issues of cybersecurity in the space domain. An examination of the Key objectives— confidentiality, integrity, availability—provides the
[In-person] ADSB Demo and Paper Airplanes
- Jim Ross
Interactive ADS-B demonstration and paper airplane activity. Educational and fun
[In-person] The Hangar – Cocktail Making Event
- Spanky L.
CTF (Friday & Saturday)
[Virtual] A-ISAC CTF
- A-ISAC, ERAU with support from IntelliGenesis (CybatiWorks)
Day 1: Aug. 6th, 2021 9:00AM – 6:00PM PDT (UTC-7)
Day 2: Aug. 7th, 2021 9:00AM – 6:00PM PDT (UTC-7)
Registration available at https://aisac.cyberskyline.com/defcon
Aviation ISAC is hosting a competition at DC29 Aerospace Village! This competition represents a simulated airport hosted on the Cyber Skyline platform and is developed by the Department of Cyber Intelligence and Security at Embry-Riddle Aeronautical University (Prescott) and Matthew E. Luallen, Chief Executive Inventor at CybatiWorks powered by IntelliGenesis. The ethical design of the competition is achieved through investigative themes that provides a focus in blue team while still offering red team aspects.
Storyline for CTF: On 8/6, an employee from ERAU Airline noticed a USB stick inside one of their kiosks. After further investigation, airport security suspects someone is carrying out an attack against the airport. You have been brought in to retrace the steps of the attackers, determine where security needs to be hardened, regain control of compromised systems, and prevent a successful attack at the airport. Identify the criminals by retracing their steps and utilizing OSINT to identify which suspects need to be arrested. Investigators have not ruled out insider threats which means you must remain undetected by airport staff while you attempt to regain control of the airport’s infrastructure. Good Luck and remember to register ahead of time!
CybatiWorks part of the CTF Stage 7: Runway Lighting System: The Runway Lighting System (RLS) was taken over by the attackers and the lights are operating erratically. Identify what the attackers have changed causing the RLS HMI systems to work improperly and regain access to the remote logic controller operating the runway lights. Update the logic on the HMI system, regain control of the remote logic controller and successfully operate the RLS.
Architecture Design: The competitors are provided with a CybatiWorks custom docker image that they use to gain access to the operator and maintenance HMI logic. The competitors will review and update the logic to match the documentation provided in stage 4. Once the local components are successfully completed the competitors will request access to the remote RLS logic controller (i.e. a Raspberry PI with a 3d printed/LED runway lighting system accessible via a VPN). The competitors will complete additional challenges to confirm the logic program and then remotely control the RLS. All remote RLS stations will be visible
[Virtual] California Cyber Innovation Challenge CTF
- Cal Poly
Starts August 7, 2021@ 9 AM PST,
Ends Aug 8, 2021 5 PM PST
Registration available at https://www.cognitoforms.com/CCI17/CaliforniaCyberInnovationChallengeAEROSPACEVILLAGEDEFCON2021