D-Orbit, a leader in space logistics and orbital transportation, announced the successful conclusion of CTRL+Space CTF, Europe’s first in-orbit Capture-the-Flag (CTF) cybersecurity competition, and the world’s first live CTF involving multiple satellites. The event was organized in collaboration with mhackeroni, one of Europe’s leading ethical hacking teams and multiple-time world CTF champions, with the support of the ESA Security Cyber Centre of Excellence (SCCoE) and the ESA Security Office.
The event’s grand finale took place on November 4-6, at ESA ESTEC (European Space Research and Technology Centre) in the Netherlands, during the Security for Space Systems (3S) Conference, where five teams competed in unprecedented live cybersecurity scenarios aboard a real operational spacecraft.
Capture-the-Flag is a cybersecurity competition where participants attempt to identify and exploit vulnerabilities in computer systems to capture digital “flags,” which serve as proof of successful exploitation. CTRL+Space CTF is the first to use a real spacecraft operating in orbit as the target system.
As the first initiative of its kind led by a private European company, CTRL+Space CTF brought together the cybersecurity and space communities to address one of the most critical challenges facing the growing space economy: protecting orbital infrastructure from cyber threats. “Cybersecurity has become a fundamental pillar of the new space economy,” said Grazia Bibiano, D-Orbit’s Portugal Country Leader. “At D-Orbit, we integrate it from the very first design stages because security cannot be an add-on; it must be built into the DNA of every system we send into orbit.”
“Protecting space infrastructure is one of the most complex engineering challenges of our time,” said Davide Avanzi, D-Orbit Head of Space and Product Security. “By adopting a ‘security-by-design’ approach, we ensure mission resilience, data integrity, and trust in the space services of the future.”
“The space environment poses unique issues to the development of engaging challenges,” said Daniele Lain at mhackeroni. “This one-of-a-kind event helps us understand how more conventional vulnerabilities and exploits can translate to satellite environments and their limitations. Players were faced with complex scenarios mirroring real-world systems, up to “full-chain” attacks compromising simulated ground stations to reach and take control of the software of the satellite.”
“Cybersecurity protection of space missions is not an option,” said Antonios Atlasis, Head of System Security Section at TEC Directorate of ESA. “The successful implementation and execution of Ctrl+Space CTF not only provided the unique opportunity to students from all over Europe to compete on cybersecurity challenges implemented in real satellites, but it also proved that the implementation of cybersecurity protection measures in satellites is possible, even for the most challenging security scenarios. We would like to thank D-Orbit, the mhackeroni team, and all the contributors and participants in this great event.”
The competition attracted significant interest from the cybersecurity community. 559 teams registered for the qualifiers, 299 teams solved at least one challenge, and 660 correct flags were submitted across the 25 qualifier challenges prepared by the mhackeroni team.
The final event saw the following figures:
- 3 IONs actively used
- 63 passages used during the event
- 7 IONs provided telemetry
- 15 in-orbit exploits were executed
The teams faced realistic mission scenarios specifically designed to test their ability to identify and exploit vulnerabilities in space systems. Thanks to the flexible architecture of D-Orbit’s ION Satellite Carrier and the robust security measures implemented by the company, all scenarios were executed in a secure, fully controlled environment, completely isolated from the satellite’s commercial mission.
The five teams competing were: ENOFLAG, Superflat, RedRocket, CzechCyberTeam, and PoliTech. Superflat secured first place after three days of intense competition.
Participants competed in challenges involving:
- Solving security-related scenarios, such as interpreting real telemetry data and sending command sequences to an actual spacecraft.
- Using the spacecraft data to understand the spacecraft’s attitude and orbital position, which is information critical for satellite control and operational decisions.
- Interacting with onboard software to uncover and exploit potential vulnerabilities.
The unique challenges of the space environment, from autonomous systems operating in extreme conditions to limited computational resources, communication delays, and increasingly interconnected spacecraft, make cybersecurity a foundational pillar of the future space economy. CTRL+Space CTF reflects D-Orbit’s commitment to tackling these challenges and contributing to the creation of a secure, resilient orbital infrastructure essential for tomorrow’s space services.
