NASA described the hackers as an “advanced persistent threat,” a term generally used for nation-state hacking groups.
The revelation that a Raspberry Pi helped enable an April 2018 hack of JPL arrived courtesy of the U.S. Office of the Inspector General (OIG) on June 18. OIG said in its report that JPL “has experienced several notable cybersecurity incidents that have compromised major segments of its IT network” in the last decade, with the April 2018 hack being “used to steal approximately 500 megabytes of data from one of its major mission systems.”
OIG didn’t spare any aspect of the lab’s security in the report. The report outlined problems with how JPL manages and monitors its network, responds to incidents and shares “lessons learned” from those incidents. It also said that NASA lacks sufficient oversight for JPL’s security practices. Reading it probably won’t make anyone feel better about the lab tasked with exploring other planets and managing the Deep Space Network.
For the April 2018 hack, this all came to a head, thanks to problems with the way JPL managed the Information Technology Security Database (ITSDB) used to track equipment connected to its network. Or perhaps it’s more accurate to say the lab mismanaged the database and that, combined with other lackadaisical security practices, led to a Raspberry Pi being used to hack a NASA research laboratory.
OIG explained in its report:
“Moreover, system administrators did not consistently update the inventory system when they added devices to the network. Specifically, we found that 8 of 11 system administrators responsible for managing the 13 systems in our sample maintain a separate inventory spreadsheet of their systems from which they periodically update the information manually in the ITSDB,” the report said.
“One system administrator told us he does not regularly enter new devices into the ITSDB as required because the database’s updating function sometimes does not work and he later forgets to enter the asset information. Consequently, assets can be added to the network without being properly identified and vetted by security officials. The April 2018 cyberattack exploited this particular weakness when the hacker accessed the JPL network by targeting a Raspberry Pi computer that was not authorized to be attached to the JPL network. The device should not have been permitted on the JPL network without the JPL [Office of the Chief Information Officer]’s review and approval.”
Raspberry Pis are popular because they offer a deceptively capable platform in an itty-bitty form factor that’s perfect for tinkering. JPL learned the hard way that even a cheap device with a cutesy name can undermine systems used to send robots into space.
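The control that failed above was reconciliation: nothing compared what was actually on the network with what the ITSDB said was approved. The following is an added example (not from the OIG report, JPL or NASA) of that check, diffing constructed DHCP lease lines against a constructed inventory; the inventory field names and the log format are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed ISC dhcpd-style syslog lines; b8:27:eb is the Raspberry Pi Foundation OUI.
DHCP_LOG = """\
Apr 10 08:01:12 dhcp1 dhcpd: DHCPACK on 10.1.4.21 to b8:27:eb:12:34:56 (raspberrypi) via eth0
Apr 10 08:03:40 dhcp1 dhcpd: DHCPACK on 10.1.4.7 to 00:1b:21:aa:bb:cc (ws-ops-03) via eth0
Apr 10 08:05:02 dhcp1 dhcpd: DHCPACK on 10.1.4.9 to 00:1b:21:dd:ee:ff (ws-ops-04) via eth0
"""

# Constructed approved-asset inventory keyed by MAC; field names are assumed, not ITSDB's.
INVENTORY = {
    "00:1b:21:aa:bb:cc": {"host": "ws-ops-03", "owner": "ops", "reviewed": "2018-03-01"},
    "00:1b:21:dd:ee:ff": {"host": "ws-ops-04", "owner": "ops", "reviewed": "2017-09-15"},
    "00:1b:21:11:22:33": {"host": "ws-ops-05", "owner": "ops", "reviewed": "2018-03-01"},
}

ACK_RE = re.compile(r"DHCPACK on (\S+) to ([0-9a-fA-F:]{17}) \((\S+)\)")

def observed_devices(log_text):
    """Return {mac: (ip, hostname)} for every DHCPACK line in the log."""
    seen = {}
    for line in log_text.splitlines():
        m = ACK_RE.search(line)
        if m:
            ip, mac, host = m.groups()
            seen[mac.lower()] = (ip, host)
    return seen

def reconcile(inventory, seen, today, max_age_days=180):
    """Return (unregistered, never_seen, stale_review).
    unregistered: on the network but absent from the inventory (the gap the report describes).
    never_seen: in the inventory but not observed (possibly decommissioned or offline).
    stale_review: inventory entries whose last review is older than max_age_days."""
    unregistered = {m: seen[m] for m in seen if m not in inventory}
    never_seen = [m for m in inventory if m not in seen]
    cutoff = datetime.strptime(today, "%Y-%m-%d") - timedelta(days=max_age_days)
    stale = [m for m, rec in inventory.items()
             if datetime.strptime(rec["reviewed"], "%Y-%m-%d") < cutoff]
    return unregistered, never_seen, stale

if __name__ == "__main__":
    findings = reconcile(INVENTORY, observed_devices(DHCP_LOG), "2018-04-10")
    for label, finding in zip(("UNREGISTERED", "NEVER SEEN", "STALE REVIEW"), findings):
        print(label, finding)
```

The unregistered bucket is the one to alert on; the other two catch the inventory drift that lets such a device go unnoticed.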
MARS MISSIONS DATA
According to a 49-page OIG report, the hackers used this point of entry to move deeper inside the JPL network by hacking a shared network gateway.
The hackers used this network gateway to pivot inside JPL’s infrastructure and gained access to the network storing information about NASA JPL-managed Mars missions, from which they exfiltrated information.
The OIG report said the hackers used “a compromised external user system” to access the JPL missions network.
“The attacker exfiltrated approximately 500 megabytes of data from 23 files, 2 of which contained International Traffic in Arms Regulations information related to the Mars Science Laboratory mission,” the NASA OIG said.
The Mars Science Laboratory is the JPL program that manages the Curiosity rover on Mars, among other projects.
BREACHED NASA’S SATELLITE DISH NETWORK
NASA’s JPL division’s primary role is to build and operate planetary robotic spacecraft such as the Curiosity rover, or the various satellites that orbit planets in the solar system.
In addition, JPL also manages NASA’s Deep Space Network (DSN), a worldwide network of satellite dishes used to send and receive information from NASA spacecraft on active missions.
Investigators said that besides accessing JPL’s mission network, the April 2018 intruder also accessed JPL’s DSN IT network. Upon discovery of the intrusion, several other NASA facilities disconnected from the JPL and DSN networks, fearing the attacker might pivot to their systems as well.