Paul Webster
Posts: 798
Joined: Sat Jul 30, 2011 4:49 am
Location: London, UK

NASA and Raspberry Pi

Thu Jun 20, 2019 3:05 pm

Gets a mention ... although not a great one.
A reminder to always be careful when putting devices onto the corporate network.

https://oig.nasa.gov/docs/IG-19-022.pdf

hippy
Posts: 5623
Joined: Fri Sep 09, 2011 10:34 pm
Location: UK

Re: NASA and Raspberry Pi

Thu Jun 20, 2019 3:36 pm

The key point being "Assets can be added to the network without being properly identified and vetted by security officials. The April 2018 cyberattack exploited this particular weakness when the hacker accessed the JPL network by targeting a Raspberry Pi computer that was not authorized to be attached to the JPL network".

W. H. Heydt
Posts: 10629
Joined: Fri Mar 09, 2012 7:36 pm
Location: Vallejo, CA (US)

Re: NASA and Raspberry Pi

Thu Jun 20, 2019 5:16 pm

One might surmise that the Pi was attached to the network without changing the default password. Given the prominence of CalTech and JPL, one would surmise that changing the default userid should also have been required.

Andyroo
Posts: 3864
Joined: Sat Jun 16, 2018 12:49 am
Location: Lincs U.K.

Re: NASA and Raspberry Pi

Thu Jun 20, 2019 5:28 pm

"The April 2018 cyberattack exploited this particular weakness when the hacker accessed the JPL network by targeting a Raspberry Pi computer that was not authorized to be attached to the JPL network. The device should not have been permitted on the JPL network without the JPL OCIO’s review and approval"
That's not an IT issue - it's a HR one.

IT should have flagged this up as an unknown device to the rooms manager and let them deal with it first. It's a real pain to put MAC filtering on networks and having done it I really never plan to do it again.
Need Pi spray - these things are breeding in my house...

Rascas
Posts: 461
Joined: Tue Mar 11, 2014 6:18 pm
Location: Porto, Portugal

Re: NASA and Raspberry Pi

Thu Jun 20, 2019 5:32 pm

The Raspberry Pi part of that document made me laugh! I didn't read the document, only the Raspberry Pi part, but if I was them, I would be embarrassed to reveal such a thing. Come on, everybody knows that if you plug any kind of computer into a network (SBC, PC or even a smartphone) there are risks, and that system should be audited/studied before it was allowed to be on the network. Especially on high risk security networks like NASA should be. For me it was "just" a big flaw from their IT/security/whatever department.

hippy
Posts: 5623
Joined: Fri Sep 09, 2011 10:34 pm
Location: UK

Re: NASA and Raspberry Pi

Thu Jun 20, 2019 7:24 pm

Rascas wrote:
Thu Jun 20, 2019 5:32 pm
Come on, everybody knows that if you plug any kind of computer into a network (SBC, PC or even a smartphone) there are risks, and that system should be audited/studied before it was allowed to be on the network.
In a perfect world. In reality not everyone knows or understands the risk. Not everyone gets the memo as to how things should be done or abides by the rules. And the memo doesn't always cover everything it should.

That's why there should be mitigations in place to detect unauthorised access on a network and to limit harm when it inevitably does happen. Never rely on the weakest link holding strong; fallible individuals are prone to making huge mistakes.

I haven't studied the full sorry report but I get the impression this was a Pi external to the NASA / JPL network allowing an external user 'dial-in' access. It looks like the hacker got into that Pi and then had access to NASA / JPL.

I would guess it's a simple tale. User buys a Pi, plugs it in, sets it up, connects to NASA / JPL, gets on with whatever they do. Never realising along the way that they are open to being hacked, never imagining there could be the consequences there were.

Reading Page 16 of the report it seems the hacker did not attack "through a Pi" only that the hacker had extracted that user's NASA / JPL account details from that Pi.

gordon77
Posts: 4081
Joined: Sun Aug 05, 2012 3:12 pm

Re: NASA and Raspberry Pi

Mon Jun 24, 2019 12:17 pm

BBC News - Raspberry Pi used to steal data from Nasa lab
https://www.bbc.co.uk/news/technology-48743043

gkaiseril
Posts: 628
Joined: Mon Aug 08, 2016 9:27 pm
Location: Chicago, IL

Re: NASA and Raspberry Pi

Mon Jun 24, 2019 3:23 pm

Many private companies do check for unauthorized devices added to a network and go further and check that unused wired connections are not being used even by authorized devices. But with wireless devices this is becoming more difficult to monitor. Also, they provide a "guest" account for outside vendors with a limited connection to their network.

This also shows the importance of changing the default passwords used on any networked device to a strong password. I have been on systems where a password could not be reused for at least 10 changes. My younger brother was on a system that would not allow a systematic change of a password. I have even seen systems where certain high security users' passwords were automatically changed at midnight every day. The password had a key based on the day of the year.

They should also be checking for key loggers and key injectors. These devices are small enough to be buried within a keyboard and transmit wirelessly to another nearby network either within or outside of the facility.

It goes without saying that USB drives should be banned or verified to be safe before attachment. After all, their employer has been known to use a USB device as a program injector.
f u cn rd ths, u cn gt a gd jb n cmptr prgrmmng.

Andyroo
Posts: 3864
Joined: Sat Jun 16, 2018 12:49 am
Location: Lincs U.K.

Re: NASA and Raspberry Pi

Mon Jun 24, 2019 5:49 pm

The issue always becomes one of human frailty vs complexity. I’ve worked with directors who refused to scan their fingerprints on Lenovo / HP computers despite explaining that the data is encrypted and cannot be used for any other thing.

I’ve used two factor authentication for years with random numbers from a dongle to access my bank details but they offer no way of changing your passcode part of the security without visiting the bank to close the on-line account and set a new one up :o

It’s always a balance between making the entry secure vs upsetting users who will write the password down and leave it in a drawer for physical access. I’ve seen senior managers use post it notes in their laptop as ‘no one would use my laptop’ - if they are after access I can guarantee opening a laptop bag for 30 seconds would not stop them :roll: To say nothing of the number of times I’ve seen the post-it fall out of the laptop when being carried :twisted: :o :twisted:

A couple of years ago it was published by one of the AV companies that you do better to create secure complex unique passwords and write them in a book than use simple ones at home as the chance of a break in is significantly less than being hacked...

I guess the person involved just wanted to be able to do their job and this was seen as an easy way without going through authorisation and piles of paperwork.
Need Pi spray - these things are breeding in my house...

Hanicef
Posts: 10
Joined: Thu Apr 18, 2019 5:15 pm

Re: NASA and Raspberry Pi

Sun Jun 30, 2019 7:01 pm

What amuses me with this entire scenario is that someone just nonchalantly hooked up a Raspberry Pi into NASA's network. What was he trying to achieve, anyways? It sure as heck wasn't a hobby project he was working on.

hippy
Posts: 5623
Joined: Fri Sep 09, 2011 10:34 pm
Location: UK

Re: NASA and Raspberry Pi

Sun Jun 30, 2019 8:36 pm

Hanicef wrote:
Sun Jun 30, 2019 7:01 pm
What amuses me with this entire scenario is that someone just nonchalantly hooked up a Raspberry Pi into NASA's network.
I am not convinced it's quite how that 'hooked up' would normally be taken as.

The user appears to have been a remote user and it seems to me used a 'dial-in' connection from a remote location, which just happened to have involved a Pi at some point. It may not even have been their Pi; it could have been someone else's.

The report is not very clear on what the full mechanism of the attack was, other than indicating a Pi was somehow involved and a third party obtained the remote user's account details, which the hacker then used to access the system, and to go further into it than they should ever have been allowed to.

It's not even clear why they mention that a Pi was involved.

Consider this scenario. I drop round to your house and reach for the report you said you would proof-read for me only to find I've left it at work. Never mind; I'll use your Pi and login remotely, print it off on your printer. 20 seconds later, job done. Some time later I find out my account details leaked and some hacker's been using them to hack NASA.
