NASA Lab was hacked using $25 Raspberry Pi computer
NASA’s Jet Propulsion Laboratory (JPL) department was compromised in April 2018 using an unsecured and unauthorized Raspberry Pi device, confirms an audit document from NASA’s Office of Inspector General (OIG).
According to OIG’s report, JPL “has experienced several notable cybersecurity incidents that have compromised major segments of its IT network” in the last decade, and more recently “in April 2018, JPL discovered an account belonging to an external user had been compromised and used to steal approximately 500 megabytes of data from one of its major mission systems.”
The report also points out that back in 2011, the same JPL department had suffered another data breach where cyber intruders had gained full access to 18 servers supporting key JPL missions and stole 87 gigabytes of data.
Coming to the April 2018 breach, OIG’s review states that the hack was carried out by targeting an unauthorized Raspberry Pi attached to the JPL network. The hackers exploited the Pi to gain access to the network and compromised JPL systems as well as the Deep Space Network (DSN).
The audit revealed how poor the overall system security is within the space agency. Apparently, new devices added to the network were not always identified and reviewed by a security official.
“JPL uses its Information Technology Security Database (ITSDB) to track and manage physical assets and applications on its network; however, we found the database inventory incomplete and inaccurate, placing at risk JPL’s ability to effectively monitor, report, and respond to security incidents. Moreover, reduced visibility into devices connected to its networks hinders JPL’s ability to properly secure those networks,” reads the OIG report.
As a result, hackers were able to move freely between the different systems within the network because the network is a shared one rather than a segmented environment. This allowed hackers to potentially gain access and initiate “malicious signals to human space flight missions.”
The report also pointed out that tickets created by the ITSDB when a potential or actual IT system vulnerability was identified went unresolved for extended periods of time, in some cases more than 180 days. JPL system administrators also misunderstood their responsibilities regarding management and review of logs for identifying malicious activity occurring on the network. Additionally, the report raised several other issues concerning the safekeeping of the organization’s network.
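The inventory gap the OIG describes (devices on the network that the inventory does not list, or that no security official reviewed) can be checked by reconciling the inventory against what is actually observed on the network. The following is an added example, not code from the OIG report or from JPL; the record fields, function names and sample MAC addresses are constructed assumptions.

```python
"""Reconcile an asset inventory against devices actually seen on the network.

All records are constructed sample data; the field names are assumptions,
not the ITSDB schema.
"""
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Asset:
    mac: str
    owner: str
    security_reviewed: bool  # signed off by a security official before connection

def norm(mac: str) -> str:
    """Normalise aa-bb-.., AA:BB:.. or aabb.ccdd.eeff notation to 12 hex chars."""
    s = re.sub(r"[:.\-]", "", mac.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", s):
        raise ValueError(f"not a MAC address: {mac!r}")
    return s

def reconcile(inventory, observed_macs):
    """Return (unknown, unreviewed, stale) as sorted lists of normalised MACs."""
    known = {norm(a.mac): a for a in inventory}
    known_macs = set(known)
    seen = {norm(m) for m in observed_macs}
    unknown = sorted(seen - known_macs)      # on the network, missing from inventory
    unreviewed = sorted(m for m in seen & known_macs
                        if not known[m].security_reviewed)
    stale = sorted(known_macs - seen)        # inventoried, but never observed
    return unknown, unreviewed, stale

# Constructed inventory export
INVENTORY = [
    Asset("00:1A:2B:3C:4D:5E", "ops", True),
    Asset("00-1a-2b-3c-4d-5f", "lab-7", False),
    Asset("001a.2b3c.4d60", "retired-host", True),
]
# Constructed MACs, as would be collected from DHCP leases or switch tables
OBSERVED = ["00:1a:2b:3c:4d:5e", "00:1A:2B:3C:4D:5F", "b8:27:eb:12:34:56"]

if __name__ == "__main__":
    unknown, unreviewed, stale = reconcile(INVENTORY, OBSERVED)
    print("not in inventory:     ", unknown)
    print("connected, unreviewed:", unreviewed)
    print("inventoried, unseen:  ", stale)
```

Each of the three lists maps to a different follow-up: unknown devices need to be located and identified, unreviewed ones need a security sign-off, and stale entries indicate that the inventory itself is inaccurate.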
OIG made ten recommendations in the audit report, of which NASA has agreed to all but one: to establish a formal and documented threat-hunting process. NASA’s stated position is “that this is not the responsibility of Caltech as a NASA contractor.”