First of all here’s me playing around with StellarStation API command line tool.
Now speaking about accessing a satellite’s interface and to control it, I have to admit that I was very close in doing that, especially in light that the US Air Force is going to put up an orbiting satellite for hacking at the next year’s DEFCON.
It was a barred shaped cubesat, called “Audacy Zero”. I first encountered its web interface “Quindar” after a long lazy search on Shodan last year; this is the screenshot of the search result that was kept for a long time.
Immediately I seized an opportunity to present a “sneak peek” but since it hadn’t been launched back then, well it’s just a sneak peek.
Originally Audacy Zero was slated to launch in mid-2018 but after a lot of delays and postponements it was finally launched in December 3, 2018. I still remember the rage ensuing from a delay back in November that caused me to abuse my OP weapons at ROBLOX’s Pinewood Computer Core; sorry for those hurt by that.
Around that time there was still the chance to halt European Union’s Article 13 on its tracks and I plan to do just that by spinning the satellite by a little bit, then first contacting their staff to patch it in a grey hat fashion before finally let my journalist friends to know about it and concurrently raise awareness against Article 13. Until the projected launch and activation of Audacy Zero I just waited and lurked there, without alerting any of them.
Heck I can also remember that the interface was accessible with just a Google account and once logged in, you’ll be greeted with an option to choose simulations and the real deal to control. In this case there were the “ASim”, “ATest” and likely the Audacy Zero itself (going by names “AZero” and its proper one at various times). Although forgetting to snapshot most of the rest of the Quindar interface which is undoubtedly my bad, I kept a log on the telecommands which the personnel there used in testing the cubesat’s web interface.
SFESTIMECOMMANDARGUMENTSSTATUSDATA302.23:22:55 UTCget0,0,0,0,false,rawParameter access sent302.23:15:42 UTCget0,0,0,0,false,rawParameter access sent302.21:51:38 UTCuplink264, a0_csl_cam, 0,28580,truesuccessa0_csl_cam302.21:36:56 UTCuplink264, a0_csl_cam, 0,2,truesuccessa0_csl_cam302.21:35:17 UTCuplink264, a0_csl_cam, 0,2,truesuccessa0_csl_cam302.21:33:39 UTCuplink264, a0_csl_cam, 0,2,truesuccessa0_csl_cam302.21:32:40 UTCuplink264, a0_csl_cam, 0,2,truesuccessa0_csl_cam302.21:30:42 UTCuplink264, a0_csl_cam, 0,2,truesuccessa0_csl_cam302.21:24:48 UTCuplink264, a0_csl_cam, 0,2,truesuccessa0_csl_cam302.21:13:26 UTCuplink264, a0_csl_cam, 0,2,truesuccessa0_csl_cam302.21:10:28 UTCuplink264, a0_csl_cam, 0,2,truesuccessa0_csl_cam302.21:10:10 UTCget264,0,0,0,false,rawsuccess0001FF2640B4000400006590302.20:59:15 UTCget264, 0, 0,2, false,rawsuccess0001FF2B40B6000400006590302.20:58:38 UTCget264, 0 0,2, false,tawLast row must be an integer! java.lang.NumberFormatException: For input string: “false”302.20:58:09 UTCuplink264, a0_csl_cam, 0,2,truesuccessa0_csl_cam302.20:57:14 UTCuplink264,a0_csl_cam,0,2,truesuccessa0_csl_cam302.20:56:34 UTCget264,0,0,0,false,rawsuccess0001FF2640B4000400006590302.20:46:02 UTCuplink264, a0_csl_cam, 0,2,truesuccessa0_csl_cam302.20:45:25 UTCuplink264,a0_csl_cam, 0, 10, trueInvalid row range!302.20:44:29 UTCuplink264,a0_csl_cam,0,100,trueInvalid row range!302.20:42:49 UTCuplink264,a0_csl_cam,0,386,trueInvalid row range!302.20:42:21 UTCuplink264,a0_csl_cam,0,387,trueInvalid row range!302.20:41:34 UTCquery264,0,0,0,falsesuccess{“row”:387,”byte”:4644}302.20:40:49 UTCquery265,0,0,0,falsesuccess{“row”:126,”byte”:32760}302.20:40:04 UTCquery264,0,0,0,falseQUERY Parameter accessed successfully302.20:39:21 UTCuplink264,a0_csl_cam,0,100,trueInvalid row range!302.20:38:28 UTCget264,0,0,0,false,rawsuccess0001FF2640B4000400006590302.20:37:02 UTCuplink264, a0_csl_cam, 0,2,truesuccessa0_csl_cam302.20:36:34 UTCuplink264,a0_csl_cam, 0,3,trueInvalid row range!302.20:36:04 UTCuplink264,a0_csl_cam,0,5,trueInvalid row range!302.20:34:58 UTCuplink264,a0_csl_cam,0,383,trueInvalid row range!302.20:34:12 UTCuplink264, a0_csl_cam, 0,1,truesuccessa0_csl_cam302.20:33:13 UTCuplink264,a0_csl_cam,0,10,trueInvalid row range!302.20:32:15 UTCuplink264,a0_csl_cam,0,10,falseInvalid row range!302.20:31:07 UTCuplink264,a0_csl_cam,0,0,falsesuccessa0_csl_cam302.19:26:36 UTCquery264,0,0,0,falsesuccess{“row”:383,”byte”:4596}302.19:25:51 UTCquery262,0,0,0,falsesuccess{“row”:7,”byte”:28}302.19:24:40 UTCquery263,0,0,0,falseaccess failed: (unknown exception)299.00:50:15 UTCget0,0,0,0,false,raw295.19:36:10 UTCuplink268,a0_csl_primary,0,32585,truesuccessa0_csl_primary295.19:35:56 UTCsetblock263,channelContent,0,5,falsesuccess295.19:34:58 UTCuplink268,a0_csl_primary,0,32585,truesuccessa0_csl_primary295.19:34:47 UTCsetblock263,channelContent,0,5,falsesuccess295.19:20:44 UTCget0,0,0,0,false,rawsuccess02000000295.19:19:54 UTCget0,0,0,0,false,rawsuccess02000000295.19:19:42 UTCget0,0,0,0,false,rawsuccess02000000295.19:19:32 UTCget0,0,0,0,false,rawsuccess02000000295.19:19:20 UTCget0,0,0,0,false,rawsuccess02000000295.19:19:09 UTCget0,0,0,0,false,rawsuccess02000000295.19:18:50 UTCget0,0,0,0,false,rawParameter access sent295.19:18:35 UTCget0,0,0,0,false,rawsuccess02000000295.19:18:24 UTCget0,0,0,0,false,rawsuccess02000000295.18:39:06 UTCuplink268,a0_csl_primary,0,32585,truesuccessa0_csl_primary295.18:38:57 UTCsetblock263,channelContent,0,5,falsesuccess295.18:10:27 UTCuplink268,a0_csl_primary,0,32585,truesuccessa0_csl_primary295.18:10:10 UTCinvoke256,0005,00,00,falsesuccess295.18:09:20 UTCinvoke256,05,00,00,falsefailure295.18:07:58 UTCget0,0,0,0,false,rawsuccess02000000295.18:07:46 UTCget0,0,0,0,false,rawsuccess02000000295.18:07:26 UTCget0,0,0,0,false,rawsuccess02000000295.18:07:07 UTCget0,0,0,0,false,rawParameter access sent295.18:05:25 UTCuplink268,a0_csl_primary,0,32585,truesuccessa0_csl_primary295.18:05:03 UTCsetblock263,channelContent,0,5,falsesuccess295.18:03:52 UTCuplink268,a0_csl_primary,0,32585,trueNo ID found: java.lang.NullPointerException295.17:32:37 UTCget0,0,0,0,false,rawsuccess02000000295.17:32:24 UTCget0,0,0,0,false,rawsuccess02000000295.17:32:06 UTCget0,0,0,0,false,rawsuccess02000000295.17:31:50 UTCget0,0,0,0,false,rawsuccess02000000295.17:31:35 UTCget0,0,0,0,false,rawsuccess02000000293.00:14:09 UTCget0,0,0,0,false,rawsuccess02000000292.23:59:06 UTCget0,0,0,0,false,raw292.23:58:53 UTCget0,0,0,0,false,raw292.23:58:40 UTCget0,0,0,0,false,rawsuccess02000000292.23:58:31 UTCget0,0,0,0,false,rawParameter access sent292.23:57:49 UTCget0,0,0,0,false,rawsuccess02000000292.22:00:47 UTCget0,0,0,0,false,rawsuccess02000000292.20:57:43 UTCget0,0,0,0,false,rawParameter access sent292.20:57:05 UTCget0,0,0,0,false,rawsuccess02000000292.20:56:48 UTCget0,0,0,0,false,rawsuccess02000000292.20:56:33 UTCget0,0,0,0,false,rawsuccess02000000292.20:56:13 UTCget0,0,0,0,false,rawParameter access sent292.20:55:48 UTCget0,0,0,0,false,rawParameter access sent292.20:55:14 UTCget0,0,0,0,false,rawParameter access sent292.20:55:05 UTCget0,0,0,0,false,rawsuccess02000000292.20:54:55 UTCget0,0,0,0,false,rawsuccess02000000292.20:54:41 UTCget0,0,0,0,false,rawsuccess02000000292.20:54:28 UTCget0,0,0,0,false,rawsuccess02000000292.20:54:19 UTCget0,0,0,0,false,rawsuccess02000000292.20:54:10 UTCget0,0,0,0,false,rawsuccess02000000292.20:54:00 UTCget0,0,0,0,false,rawsuccess02000000292.20:53:49 UTCget0,0,0,0,false,rawsuccess02000000292.20:53:26 UTCget0,0,0,0,false,raw292.20:53:13 UTCget0,0,0,0,false,rawsuccess02000000292.20:53:01 UTCget0,0,0,0,false,rawsuccess02000000292.20:52:49 UTCget0,0,0,0,false,rawsuccess02000000292.20:52:32 UTCget0,0,0,0,false,rawParameter access sent292.20:52:17 UTCget0,0,0,0,false,rawParameter access sent292.20:52:06 UTCget0,0,0,0,false,rawsuccess02000000292.20:51:44 UTCget0,0,0,0,false,rawParameter access sent292.20:51:20 UTCget0,0,0,0,false,rawParameter access sent292.20:51:12 UTCget0,0,0,0,false,rawsuccess02000000292.20:51:02 UTCget0,0,0,0,false,rawsuccess02000000292.20:50:52 UTCget0,0,0,0,false,rawsuccess02000000292.20:50:41 UTCget0,0,0,0,false,rawsuccess02000000292.20:50:01 UTCget0,0,0,0,false,rawsuccess02000000292.20:49:46 UTCget0,0,0,0,false,rawParameter access sent292.20:49:31 UTCget0,0,0,0,false,rawsuccess02000000292.20:47:58 UTCget0,0,0,0,false,rawsuccess02000000292.20:43:04 UTCget0,0,0,0,false,rawsuccess02000000292.20:42:51 UTCget0,0,0,0,false,rawsuccess02000000292.20:42:29 UTCget0,0,0,0,false,rawsuccess02000000292.19:37:12 UTCget0,0,0,0,false,rawsuccess02000000292.19:36:52 UTCget0,0,0,0,false,rawsuccess02000000292.19:36:20 UTCget0,0,0,0,false,rawParameter access sent292.19:36:07 UTCget0,0,0,0,false,rawParameter access sent292.19:35:51 UTCget0,0,0,0,false,rawsuccess02000000292.19:35:24 UTCget0,0,0,0,false,rawsuccess02000000292.19:35:14 UTCget0,0,0,0,false,rawsuccess02000000292.19:34:57 UTCget0,0,0,0,false,rawParameter access sent292.19:31:10 UTCget0,0,0,0,false,rawsuccess02000000292.19:30:47 UTCget0,0,0,0,false,rawsuccess02000000292.19:26:51 UTCget0,0,0,0,false,rawParameter access sent292.19:19:22 UTCget0,0,0,0,false,rawParameter access sent292.18:05:22 UTCget0,0,0,0,false,rawParameter access sent292.18:02:32 UTCget0,0,0,0,false,rawParameter access sent292.17:58:52 UTCget0,0,0,0,false,rawParameter access sent292.17:58:25 UTCget0,0,0,0,false,rawParameter access sent292.17:57:06 UTCget0,0,0,0,false,rawParameter access sent292.16:57:04 UTCget0,0,0,0,false,rawParameter access sent292.16:49:34 UTCget0,0,0,0,false,rawParameter access sent292.16:47:28 UTCget0,0,0,0,false,rawParameter access sent292.16:47:01 UTCget0,0,0,0,false,rawParameter access sent292.16:27:47 UTCget0,0,0,0,false,rawParameter access sent292.16:27:30 UTCget0,0,0,0,false,rawParameter access sent292.16:26:46 UTCget0,0,0,0,false,rawParameter access sent292.16:26:17 UTCget0,0,0,0,false,rawParameter access sent292.16:25:57 UTCget0,0,0,0,false,rawParameter access sent292.16:21:39 UTCget0,0,0,0,false,rawParameter access sent292.16:11:06 UTCget0,0,0,0,false,rawParameter access sent292.15:48:25 UTCget0,0,0,0,false,rawParameter access sent292.15:42:10 UTCget0,0,0,0,false,rawParameter access sent292.15:41:47 UTCget0,0,0,0,false,rawParameter access sent292.01:32:24 UTCget0,0,0,0,false,rawParameter access sent292.01:31:21 UTCget0,0,0,0,false,rawParameter access sent292.01:30:45 UTCget0,0,0,0,false,rawParameter access sent292.01:24:06 UTCget0,0,0,0,false,rawParameter access sent292.01:23:21 UTCget0,0,0,0,false,rawParameter access sent291.23:18:10 UTCget0,0,0,0,false,rawParameter access sent291.22:47:52 UTCget0,0,0,0,false,rawParameter access sent291.22:47:33 UTCget0,0,0,0,false,rawParameter access sent291.22:45:13 UTCget0,0,0,0,false,rawsuccess02000000291.22:43:43 UTCget256,0,0,0,false,rawTC Failed!291.22:40:58 UTCget256,0,0,0,false,rawaccess failed: (unknown exception)291.22:39:17 UTCget256,0,0,0,false,rawParameter access sent291.22:38:03 UTCget256,0,0,0,false,rawParameter access sent291.22:36:15 UTCget256,0,0,0,false,rawParameter access sent
However after the launch as time goes by and by the satellite was unreachable all of the time and eventually they acknowledged that the mission had failed due to a faulty antenna system. Eventually the Quindar web interface as a whole was taken offline and what about Article 13? The rest is history.
I had the recurring thought that had Audacy Zero succeeded and so does my grey-hat mission, the moment could be used to raise awareness against Article 13 in a Ready Player One’s fashion and possibly cause it to die on its tracks. That way things like memes and music remixes would be completely untouched as it should’ve be.
I was going to keep this a secret for a while but when the USAF announced that an actual satellite hacking will be a reality on DEFCON 2020, then I realized that I have to deal with it and move on, and to come clean on it and hoping this will serve as a inspiration for pen-testers looking for ideas to be the front-runner of next year’s DEFCON satellite hacking segment.
After all this is the link to the Github repository holding Quindar’s source code:
https://github.com/AudacySpace/quindar-ux
Before ending this, I wish the best of all lucks for those looking to finish what I couldn’t in DEFCON 2020.
May the force be with you.