The important operation that never happened: “Operation Planet Doom”

First of all, here’s me playing around with the StellarStation API command-line tool.

[Image: Capture]

Now, speaking about accessing a satellite’s interface and controlling it, I have to admit that I was very close to doing that, especially in light of the fact that the US Air Force is going to put up an orbiting satellite for hacking at next year’s DEFCON.

It was a bar-shaped cubesat called “Audacy Zero”. I first encountered its web interface, “Quindar”, after a long lazy search on Shodan last year; this is the screenshot of the search result that I kept for a long time.

[Image: quindar]

Immediately I seized an opportunity to present a “sneak peek” but since it hadn’t been launched back then, well it’s just a sneak peek.

Originally Audacy Zero was slated to launch in mid-2018, but after a lot of delays and postponements it was finally launched on December 3, 2018. I still remember the rage ensuing from a delay back in November that caused me to abuse my OP weapons at ROBLOX’s Pinewood Computer Core; sorry to those hurt by that.

Around that time there was still a chance to halt the European Union’s Article 13 in its tracks, and I planned to do just that by spinning the satellite a little bit, then first contacting their staff to patch it in a grey-hat fashion, before finally letting my journalist friends know about it and concurrently raising awareness against Article 13. Until the projected launch and activation of Audacy Zero I just waited and lurked there, without alerting any of them.

Heck, I can also remember that the interface was accessible with just a Google account, and once logged in, you’d be greeted with an option to choose between simulations and the real deal to control. In this case there were the “ASim”, “ATest” and likely the Audacy Zero itself (going by the names “AZero” and its proper one at various times). Although I forgot to snapshot most of the rest of the Quindar interface, which is undoubtedly my bad, I kept a log of the telecommands which the personnel there used in testing the cubesat’s web interface.

 

SFES
| TIME | COMMAND | ARGUMENTS | STATUS | DATA |
| --- | --- | --- | --- | --- |
| 302.23:22:55 UTC | get | 0,0,0,0,false,raw | Parameter access sent | |
| 302.23:15:42 UTC | get | 0,0,0,0,false,raw | Parameter access sent | |
| 302.21:51:38 UTC | uplink | 264, a0_csl_cam, 0,28580,true | success | a0_csl_cam |
| 302.21:36:56 UTC | uplink | 264, a0_csl_cam, 0,2,true | success | a0_csl_cam |
| 302.21:35:17 UTC | uplink | 264, a0_csl_cam, 0,2,true | success | a0_csl_cam |
| 302.21:33:39 UTC | uplink | 264, a0_csl_cam, 0,2,true | success | a0_csl_cam |
| 302.21:32:40 UTC | uplink | 264, a0_csl_cam, 0,2,true | success | a0_csl_cam |
| 302.21:30:42 UTC | uplink | 264, a0_csl_cam, 0,2,true | success | a0_csl_cam |
| 302.21:24:48 UTC | uplink | 264, a0_csl_cam, 0,2,true | success | a0_csl_cam |
| 302.21:13:26 UTC | uplink | 264, a0_csl_cam, 0,2,true | success | a0_csl_cam |
| 302.21:10:28 UTC | uplink | 264, a0_csl_cam, 0,2,true | success | a0_csl_cam |
| 302.21:10:10 UTC | get | 264,0,0,0,false,raw | success | 0001FF2640B4000400006590 |
| 302.20:59:15 UTC | get | 264, 0, 0,2, false,raw | success | 0001FF2B40B6000400006590 |
| 302.20:58:38 UTC | get | 264, 0 0,2, false,taw | Last row must be an integer! java.lang.NumberFormatException: For input string: "false" | |
| 302.20:58:09 UTC | uplink | 264, a0_csl_cam, 0,2,true | success | a0_csl_cam |
| 302.20:57:14 UTC | uplink | 264,a0_csl_cam,0,2,true | success | a0_csl_cam |
| 302.20:56:34 UTC | get | 264,0,0,0,false,raw | success | 0001FF2640B4000400006590 |
| 302.20:46:02 UTC | uplink | 264, a0_csl_cam, 0,2,true | success | a0_csl_cam |
| 302.20:45:25 UTC | uplink | 264,a0_csl_cam, 0, 10, true | Invalid row range! | |
| 302.20:44:29 UTC | uplink | 264,a0_csl_cam,0,100,true | Invalid row range! | |
| 302.20:42:49 UTC | uplink | 264,a0_csl_cam,0,386,true | Invalid row range! | |
| 302.20:42:21 UTC | uplink | 264,a0_csl_cam,0,387,true | Invalid row range! | |
| 302.20:41:34 UTC | query | 264,0,0,0,false | success | {"row":387,"byte":4644} |
| 302.20:40:49 UTC | query | 265,0,0,0,false | success | {"row":126,"byte":32760} |
| 302.20:40:04 UTC | query | 264,0,0,0,false | QUERY Parameter accessed successfully | |
| 302.20:39:21 UTC | uplink | 264,a0_csl_cam,0,100,true | Invalid row range! | |
| 302.20:38:28 UTC | get | 264,0,0,0,false,raw | success | 0001FF2640B4000400006590 |
| 302.20:37:02 UTC | uplink | 264, a0_csl_cam, 0,2,true | success | a0_csl_cam |
| 302.20:36:34 UTC | uplink | 264,a0_csl_cam, 0,3,true | Invalid row range! | |
| 302.20:36:04 UTC | uplink | 264,a0_csl_cam,0,5,true | Invalid row range! | |
| 302.20:34:58 UTC | uplink | 264,a0_csl_cam,0,383,true | Invalid row range! | |
| 302.20:34:12 UTC | uplink | 264, a0_csl_cam, 0,1,true | success | a0_csl_cam |
| 302.20:33:13 UTC | uplink | 264,a0_csl_cam,0,10,true | Invalid row range! | |
| 302.20:32:15 UTC | uplink | 264,a0_csl_cam,0,10,false | Invalid row range! | |
| 302.20:31:07 UTC | uplink | 264,a0_csl_cam,0,0,false | success | a0_csl_cam |
| 302.19:26:36 UTC | query | 264,0,0,0,false | success | {"row":383,"byte":4596} |
| 302.19:25:51 UTC | query | 262,0,0,0,false | success | {"row":7,"byte":28} |
| 302.19:24:40 UTC | query | 263,0,0,0,false | access failed: (unknown exception) | |
| 299.00:50:15 UTC | get | 0,0,0,0,false,raw | | |
| 295.19:36:10 UTC | uplink | 268,a0_csl_primary,0,32585,true | success | a0_csl_primary |
| 295.19:35:56 UTC | setblock | 263,channelContent,0,5,false | success | |
| 295.19:34:58 UTC | uplink | 268,a0_csl_primary,0,32585,true | success | a0_csl_primary |
| 295.19:34:47 UTC | setblock | 263,channelContent,0,5,false | success | |
| 295.19:20:44 UTC | get | 0,0,0,0,false,raw | success | 02000000 |
| 295.19:19:54 UTC | get | 0,0,0,0,false,raw | success | 02000000 |
| 295.19:19:42 UTC | get | 0,0,0,0,false,raw | success | 02000000 |
| 295.19:19:32 UTC | get | 0,0,0,0,false,raw | success | 02000000 |
| 295.19:19:20 UTC | get | 0,0,0,0,false,raw | success | 02000000 |
| 295.19:19:09 UTC | get | 0,0,0,0,false,raw | success | 02000000 |
| 295.19:18:50 UTC | get | 0,0,0,0,false,raw | Parameter access sent | |
| 295.19:18:35 UTC | get | 0,0,0,0,false,raw | success | 02000000 |
| 295.19:18:24 UTC | get | 0,0,0,0,false,raw | success | 02000000 |
| 295.18:39:06 UTC | uplink | 268,a0_csl_primary,0,32585,true | success | a0_csl_primary |
| 295.18:38:57 UTC | setblock | 263,channelContent,0,5,false | success | |
| 295.18:10:27 UTC | uplink | 268,a0_csl_primary,0,32585,true | success | a0_csl_primary |
| 295.18:10:10 UTC | invoke | 256,0005,00,00,false | success | |
| 295.18:09:20 UTC | invoke | 256,05,00,00,false | failure | |
| 295.18:07:58 UTC | get | 0,0,0,0,false,raw | success | 02000000 |
| 295.18:07:46 UTC | get | 0,0,0,0,false,raw | success | 02000000 |
| 295.18:07:26 UTC | get | 0,0,0,0,false,raw | success | 02000000 |
| 295.18:07:07 UTC | get | 0,0,0,0,false,raw | Parameter access sent | |
| 295.18:05:25 UTC | uplink | 268,a0_csl_primary,0,32585,true | success | a0_csl_primary |
| 295.18:05:03 UTC | setblock | 263,channelContent,0,5,false | success | |
| 295.18:03:52 UTC | uplink | 268,a0_csl_primary,0,32585,true | No ID found: java.lang.NullPointerException | |
| 295.17:32:37 UTC | get | 0,0,0,0,false,raw | success | 02000000 |
| 295.17:32:24 UTC | get | 0,0,0,0,false,raw | success | 02000000 |
| 295.17:32:06 UTC | get | 0,0,0,0,false,raw | success | 02000000 |
| 295.17:31:50 UTC | get | 0,0,0,0,false,raw | success | 02000000 |
| 295.17:31:35 UTC | get | 0,0,0,0,false,raw | success | 02000000 |
| 293.00:14:09 UTC | get | 0,0,0,0,false,raw | success | 02000000 |
| 292.23:59:06 UTC | get | 0,0,0,0,false,raw | | |
| 292.23:58:53 UTC | get | 0,0,0,0,false,raw | | |
| 292.23:58:40 UTC | get | 0,0,0,0,false,raw | success | 02000000 |
| 292.23:58:31 UTC | get | 0,0,0,0,false,raw | Parameter access sent | |
| 292.23:57:49 UTC | get | 0,0,0,0,false,raw | success | 02000000 |
| 292.22:00:47 UTC | get | 0,0,0,0,false,raw | success | 02000000 |
| 292.20:57:43 UTC | get | 0,0,0,0,false,raw | Parameter access sent | |
| 292.20:57:05 UTC | get | 0,0,0,0,false,raw | success | 02000000 |
| 292.20:56:48 UTC | get | 0,0,0,0,false,raw | success | 02000000 |
| 292.20:56:33 UTC | get | 0,0,0,0,false,raw | success | 02000000 |
| 292.20:56:13 UTC | get | 0,0,0,0,false,raw | Parameter access sent | |
| 292.20:55:48 UTC | get | 0,0,0,0,false,raw | Parameter access sent | |
| 292.20:55:14 UTC | get | 0,0,0,0,false,raw | Parameter access sent | |
| 292.20:55:05 UTC | get | 0,0,0,0,false,raw | success | 02000000 |
| 292.20:54:55 UTC | get | 0,0,0,0,false,raw | success | 02000000 |
| 292.20:54:41 UTC | get | 0,0,0,0,false,raw | success | 02000000 |
| 292.20:54:28 UTC | get | 0,0,0,0,false,raw | success | 02000000 |
| 292.20:54:19 UTC | get | 0,0,0,0,false,raw | success | 02000000 |
| 292.20:54:10 UTC | get | 0,0,0,0,false,raw | success | 02000000 |
| 292.20:54:00 UTC | get | 0,0,0,0,false,raw | success | 02000000 |
| 292.20:53:49 UTC | get | 0,0,0,0,false,raw | success | 02000000 |
| 292.20:53:26 UTC | get | 0,0,0,0,false,raw | | |
| 292.20:53:13 UTC | get | 0,0,0,0,false,raw | success | 02000000 |
| 292.20:53:01 UTC | get | 0,0,0,0,false,raw | success | 02000000 |
| 292.20:52:49 UTC | get | 0,0,0,0,false,raw | success | 02000000 |
| 292.20:52:32 UTC | get | 0,0,0,0,false,raw | Parameter access sent | |
| 292.20:52:17 UTC | get | 0,0,0,0,false,raw | Parameter access sent | |
| 292.20:52:06 UTC | get | 0,0,0,0,false,raw | success | 02000000 |
| 292.20:51:44 UTC | get | 0,0,0,0,false,raw | Parameter access sent | |
| 292.20:51:20 UTC | get | 0,0,0,0,false,raw | Parameter access sent | |
| 292.20:51:12 UTC | get | 0,0,0,0,false,raw | success | 02000000 |
| 292.20:51:02 UTC | get | 0,0,0,0,false,raw | success | 02000000 |
| 292.20:50:52 UTC | get | 0,0,0,0,false,raw | success | 02000000 |
| 292.20:50:41 UTC | get | 0,0,0,0,false,raw | success | 02000000 |
| 292.20:50:01 UTC | get | 0,0,0,0,false,raw | success | 02000000 |
| 292.20:49:46 UTC | get | 0,0,0,0,false,raw | Parameter access sent | |
| 292.20:49:31 UTC | get | 0,0,0,0,false,raw | success | 02000000 |
| 292.20:47:58 UTC | get | 0,0,0,0,false,raw | success | 02000000 |
| 292.20:43:04 UTC | get | 0,0,0,0,false,raw | success | 02000000 |
| 292.20:42:51 UTC | get | 0,0,0,0,false,raw | success | 02000000 |
| 292.20:42:29 UTC | get | 0,0,0,0,false,raw | success | 02000000 |
| 292.19:37:12 UTC | get | 0,0,0,0,false,raw | success | 02000000 |
| 292.19:36:52 UTC | get | 0,0,0,0,false,raw | success | 02000000 |
| 292.19:36:20 UTC | get | 0,0,0,0,false,raw | Parameter access sent | |
| 292.19:36:07 UTC | get | 0,0,0,0,false,raw | Parameter access sent | |
| 292.19:35:51 UTC | get | 0,0,0,0,false,raw | success | 02000000 |
| 292.19:35:24 UTC | get | 0,0,0,0,false,raw | success | 02000000 |
| 292.19:35:14 UTC | get | 0,0,0,0,false,raw | success | 02000000 |
| 292.19:34:57 UTC | get | 0,0,0,0,false,raw | Parameter access sent | |
| 292.19:31:10 UTC | get | 0,0,0,0,false,raw | success | 02000000 |
| 292.19:30:47 UTC | get | 0,0,0,0,false,raw | success | 02000000 |
| 292.19:26:51 UTC | get | 0,0,0,0,false,raw | Parameter access sent | |
| 292.19:19:22 UTC | get | 0,0,0,0,false,raw | Parameter access sent | |
| 292.18:05:22 UTC | get | 0,0,0,0,false,raw | Parameter access sent | |
| 292.18:02:32 UTC | get | 0,0,0,0,false,raw | Parameter access sent | |
| 292.17:58:52 UTC | get | 0,0,0,0,false,raw | Parameter access sent | |
| 292.17:58:25 UTC | get | 0,0,0,0,false,raw | Parameter access sent | |
| 292.17:57:06 UTC | get | 0,0,0,0,false,raw | Parameter access sent | |
| 292.16:57:04 UTC | get | 0,0,0,0,false,raw | Parameter access sent | |
| 292.16:49:34 UTC | get | 0,0,0,0,false,raw | Parameter access sent | |
| 292.16:47:28 UTC | get | 0,0,0,0,false,raw | Parameter access sent | |
| 292.16:47:01 UTC | get | 0,0,0,0,false,raw | Parameter access sent | |
| 292.16:27:47 UTC | get | 0,0,0,0,false,raw | Parameter access sent | |
| 292.16:27:30 UTC | get | 0,0,0,0,false,raw | Parameter access sent | |
| 292.16:26:46 UTC | get | 0,0,0,0,false,raw | Parameter access sent | |
| 292.16:26:17 UTC | get | 0,0,0,0,false,raw | Parameter access sent | |
| 292.16:25:57 UTC | get | 0,0,0,0,false,raw | Parameter access sent | |
| 292.16:21:39 UTC | get | 0,0,0,0,false,raw | Parameter access sent | |
| 292.16:11:06 UTC | get | 0,0,0,0,false,raw | Parameter access sent | |
| 292.15:48:25 UTC | get | 0,0,0,0,false,raw | Parameter access sent | |
| 292.15:42:10 UTC | get | 0,0,0,0,false,raw | Parameter access sent | |
| 292.15:41:47 UTC | get | 0,0,0,0,false,raw | Parameter access sent | |
| 292.01:32:24 UTC | get | 0,0,0,0,false,raw | Parameter access sent | |
| 292.01:31:21 UTC | get | 0,0,0,0,false,raw | Parameter access sent | |
| 292.01:30:45 UTC | get | 0,0,0,0,false,raw | Parameter access sent | |
| 292.01:24:06 UTC | get | 0,0,0,0,false,raw | Parameter access sent | |
| 292.01:23:21 UTC | get | 0,0,0,0,false,raw | Parameter access sent | |
| 291.23:18:10 UTC | get | 0,0,0,0,false,raw | Parameter access sent | |
| 291.22:47:52 UTC | get | 0,0,0,0,false,raw | Parameter access sent | |
| 291.22:47:33 UTC | get | 0,0,0,0,false,raw | Parameter access sent | |
| 291.22:45:13 UTC | get | 0,0,0,0,false,raw | success | 02000000 |
| 291.22:43:43 UTC | get | 256,0,0,0,false,raw | TC Failed! | |
| 291.22:40:58 UTC | get | 256,0,0,0,false,raw | access failed: (unknown exception) | |
| 291.22:39:17 UTC | get | 256,0,0,0,false,raw | Parameter access sent | |
| 291.22:38:03 UTC | get | 256,0,0,0,false,raw | Parameter access sent | |
| 291.22:36:15 UTC | get | 256,0,0,0,false,raw | Parameter access sent | |
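
Someone defending an interface like this would review the log above for two things it already shows: statuses that echo backend exception class names to the operator UI, and runs of rejected commands against a single parameter. The following is an added example, not code from Quindar or from the original post; the pipe-separated record layout, the reading of the time field as day.HH:MM:SS, and the name `param_id` for the first argument are assumptions.

```python
import re
from collections import defaultdict

# Rows copied from the log above; layout assumed: time|command|arguments|status|data
SAMPLE = """\
302.20:58:38 UTC|get|264, 0 0,2, false,taw|Last row must be an integer! java.lang.NumberFormatException: For input string: "false"|
302.20:45:25 UTC|uplink|264,a0_csl_cam, 0, 10, true|Invalid row range!|
302.20:44:29 UTC|uplink|264,a0_csl_cam,0,100,true|Invalid row range!|
302.20:42:49 UTC|uplink|264,a0_csl_cam,0,386,true|Invalid row range!|
302.20:41:34 UTC|query|264,0,0,0,false|success|{"row":387,"byte":4644}
295.18:03:52 UTC|uplink|268,a0_csl_primary,0,32585,true|No ID found: java.lang.NullPointerException|
"""

TIME_RE = re.compile(r"^(\d+)\.(\d\d):(\d\d):(\d\d) UTC$")
EXC_RE = re.compile(r"\b(?:[a-z]\w*\.)+[A-Z]\w*(?:Exception|Error)\b")
# Statuses that mean the command was accepted or is still pending.
ACCEPTED = {"", "success", "Parameter access sent", "QUERY Parameter accessed successfully"}

def parse(text):
    """Assumes time is day.HH:MM:SS and the first argument is a numeric parameter id."""
    records = []
    for line in text.splitlines():
        fields = [f.strip() for f in line.strip().strip("|").split("|")]
        time, command, args, status, data = (fields + [""] * 5)[:5]
        stamp = TIME_RE.match(time)
        if not stamp:  # header, separator or blank line
            continue
        d, h, m, s = map(int, stamp.groups())
        records.append({"time": time, "command": command, "status": status, "data": data,
                        "ts": ((d * 24 + h) * 60 + m) * 60 + s,
                        "param_id": int(args.split(",")[0])})
    return records

def leaked_exceptions(records):
    """Statuses that expose a backend exception class name to the UI."""
    return [(r["time"], m.group(0)) for r in records
            if (m := EXC_RE.search(r["status"]))]

def rejected_bursts(records, window_s=600, threshold=3):
    """(command, param_id) pairs with >= threshold rejections within window_s seconds."""
    by_target = defaultdict(list)
    for r in records:
        if r["status"] not in ACCEPTED:
            by_target[(r["command"], r["param_id"])].append(r["ts"])
    bursts = {}
    for target, stamps in by_target.items():
        stamps.sort()
        for i, first in enumerate(stamps):
            count = sum(1 for t in stamps[i:] if t - first <= window_s)
            if count >= threshold:
                bursts[target] = max(bursts.get(target, 0), count)
    return bursts
```
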

However, after the launch, as time went by the satellite was unreachable all of the time, and eventually they acknowledged that the mission had failed due to a faulty antenna system. Eventually the Quindar web interface as a whole was taken offline. And what about Article 13? The rest is history.

I had the recurring thought that had Audacy Zero succeeded, and my grey-hat mission with it, the moment could have been used to raise awareness against Article 13 in a Ready Player One fashion and possibly cause it to die in its tracks. That way things like memes and music remixes would be completely untouched, as they should’ve been.

I was going to keep this a secret for a while, but when the USAF announced that actual satellite hacking will be a reality at DEFCON 2020, I realized that I have to deal with it and move on, and to come clean about it, hoping this will serve as an inspiration for pen-testers looking for ideas to be the front-runner of next year’s DEFCON satellite hacking segment.

After all, this is the link to the GitHub repository holding Quindar’s source code:

https://github.com/AudacySpace/quindar-ux

Before ending this, I wish the best of luck to those looking to finish what I couldn’t at DEFCON 2020.

May the force be with you.

 

 

An unpopular opinion regarding the current Hong Kong and North Korea situations

This was posted on Reddit a while ago but I’ve refined it a bit since then. Here’s the updated version.

Shepherd Iverson’s book “Stop North Korea!: A Radical New Approach to the North” talked about a Faustian proposal of giving huge sums of cash and incentives pooled from the “reunification investment fund” to Kim Jong-un and almost everyone else in North Korea, in hopes of giving them a “face-saving exit” for denuclearization and possibly even liberalisation. For KJU and his family, the author said that they can even obtain immunity and live in peace, although they won’t be able to touch politics again.

However, the book also acknowledged the possible chaos that might ensue if the elites over there decide to voluntarily dismantle NK by themselves because of the said incentives. On top of that, while US and South Korean forces move in to help dismantle the nukes, China would likely move into the region too and form a 100-km-long buffer zone, because they fear the prospect of US troops across the Yalu River in terms of geo-strategy, which would definitely make the US and South Korea unhappy.

In one bad scenario involving a new unjust partition of the Korean peninsula following a chaotic collapse, he mentioned that the US can ask China to give concessions like cancelling the 9-dash line in the South China Sea in exchange for recognition of Chinese presence in Korea, like the Taft-Katsura agreement long ago. In short it’s like “if you want to get something, you must lose something”. After all, the book implied that, as most of the Chinese nowadays actually want to see Kim’s regime gone because the latter is too brash and unhinged, if the Yalu River issue is not standing in the way, the CCP would be viewed as the hero if they’re successful in establishing a presence there without much fuss and helping with the denuclearisation.

Instead of the 9-dash line, I suddenly think of the five demands of the Hong Kong protests as a possible bargaining chip in the approach. If somehow the CCP can be convinced to soften their stance toward Hong Kong, such as acceding to all five demands or at least the main part of them, in exchange for the perks mentioned above, that would be very interesting. As all the reasons for supporting US forces in Korea would be pretty much rendered moot after the fall of the current Kim regime, in the long term China can even ask for the withdrawal of US armies from the peninsula in exchange for their own withdrawal should de jure reunification become fully possible.

However, the “new partition solution” would risk putting the Korean people into another unjust situation, unlike the reunification investment fund solution, which wouldn’t likely involve the new partition at all. For the latter, the author also optimistically said that China can use their Asian Infrastructure Investment Bank to contribute to the reunification, thereby in turn boosting its image at home and abroad, while the US can simultaneously assuage both Chinese and Korean fears by leaving only a small part of USFK troops at Jeju Island; I think this too can be part of a bargaining chip to induce China to give concessions like fulfilling all the Hong Kong protesters’ demands.

Last but not least, the book mentioned that the funds necessary for the “reunification investment fund” can be raised at any moment if big companies like Samsung and Hyundai are willing to donate their sums to it, and gave the “now or never” warning in cautioning against the dangers of maintaining the current status quo. Presently I think that there are 3 actions the CCP might take with regard to Hong Kong – all are dead ends:

* Sit idly and drag it out, but risking the protests getting out of control.

* Cave in to protesters, but this alone would make CCP look weak and erode its legitimacy.

* Suppress the protests like June 4th, but attracting international consternation.

As the CCP is forced into a tight corner right now, most of us fear that they will lash out by choosing option #3 in order to ‘save face’ very soon, although one of the demands (retracting the extradition bill) is on the verge of being fulfilled as of now. If the book-derived fourth solution is introduced to the scene, suddenly we have a possible route to deal with the Hong Kong and North Korea issues peacefully and simultaneously, two-in-one, with the outcome being a win-win situation.

Still, the radical Faustian solution is incomprehensible even to me, so it’s perfectly okay if you can’t resist disagreeing with me on this. Otherwise, your feedback regarding this is welcome.

May the force be with you.