Hackers attacked NASA's Jet Propulsion Lab via a Raspberry Pi, stole 500 MB of mission data
The Jet Propulsion Laboratory (JPL) at NASA is consistently on the cutting edge of technology, so it’s surprising that an April 2018 hack into the department’s systems was made possible by accessing a simple single board computer.
In a review published earlier this week, the U.S. Office of the Inspector General (OIG) stated that lax cybersecurity practices and policies “[reduced] JPL’s ability to prevent, detect, and mitigate attacks targeting its systems and networks.” The report determined that in April 2018, hackers were able to access JPL’s system by targeting an unauthorized Raspberry Pi that had been connected to the lab’s network. After accessing JPL’s network via the Pi, the attackers were able to navigate to other NASA computer systems, including NASA’s Deep Space Network (DSN), which is responsible for managing the infrastructure used for interplanetary missions.
In response to the attack, the Johnson Space Center in Houston segregated their network from JPL’s, meaning that NASA’s various departments did not have segmented networks. This lack of segmentation allowed the attackers to bounce from network to network, accessing multiple classified and highly sensitive databases and systems.
Another factor exploited in the attack was poor regulation of physical hardware. The Raspberry Pi used to access the network was not approved and had not been documented in JPL’s security database. In other words, someone simply hooked the Pi into a network terminal and left it running.
The report has resulted in a major embarrassment for JPL system administrators, who (according to the OIG’s report) “misunderstood” their roles in securing sensitive systems and data. Ultimately, the attackers stole 500 MB of data. That may seem inconsequential, but keep in mind that any amount of classified data should have been properly secured. Additionally, the hackers’ access to deep space systems is particularly concerning, especially since some of these missions involve human astronauts that could have been placed in extreme danger.
This isn’t the only time NASA’s IT security team has dropped the ball. Last December, the agency admitted that their HR systems had been hacked in October, resulting in the theft of thousands of employees’ personal data, including Social Security numbers.