NASA Breach Follow Up
Last year’s breach of NASA’s Jet Propulsion Laboratory (JPL) networks led to a thorough audit, and the final audit report was released to the public this week. While it contains many important details on network segmentation, incident response and other areas of unpreparedness, in this briefing we focus on one element of the report and its implications: the fact that the network was compromised through a small and inexpensive Raspberry Pi computer that had been illicitly connected to it.
What is a Raspberry Pi?
A Raspberry Pi is a small single-board computer designed for both development and production use. Its standardized hardware, low cost (around $30), low power consumption and support for standard Linux distributions make the Raspberry Pi extremely popular. Common use cases include hardware prototyping (and even small production runs of hardware products), educational systems, home servers and media centers. Metaphorically speaking, it is the Swiss army knife of current computer hardware. For an attacker, those same properties make it an ideal drop box: it is cheap enough to abandon, small enough to hide behind a desk or printer, and runs the same tooling as any other Linux host.
How was it used in the hack?
According to the audit report, a Raspberry Pi computer was connected to JPL’s network by a person who could not be identified. The attacker(s) then connected to the device and used its network connection as a foothold to attack other targets on the network, ultimately leading to the breach.
Why is this important?
This incident is a good example of how real-world attacks actually happen. While media portrayals usually focus on highly complex, purely technical attacks, real-world breaches usually result from a combination of sloppy policies and relatively low-tech techniques.
The fact that this attack worked tells us several important things, some of which are outlined in the audit report.
For one, either an employee or a contractor was complicit in placing the device, or outsiders or guests were able to walk into a location where they had physical access to the network. The former is an insider threat and extremely hard to mitigate; the latter is just as common and a symptom of poor physical security policies. Note that complicity need not mean malice: an employee who plugs in an unauthorized device for convenience exposes the network in exactly the same way as one who does so on an attacker’s behalf, which is why a policy against unapproved devices only works if it is technically enforced.
Secondly, the fact that the Raspberry Pi was able to join the network at all implies that no access control was layered on top of the physical connection. Normally, devices connecting to corporate or organizational networks must authenticate before they are granted access. The most common mechanism for doing so is IEEE 802.1X port-based network access control: the switch port stays closed until the device (or its user) has authenticated against a RADIUS server, and the authentication record ties every active port to an identity. Since the person who placed the device could not be identified, such a layer was either not in place or poorly configured. Even where 802.1X is deployed, the usual weak spots are the exceptions: ports left in an unauthenticated state, and MAC-address-based bypass for printers and other headless devices, which an attacker can defeat by spoofing an allowlisted MAC address. Correlating DHCP leases against 802.1X authentication records is a cheap way to find both kinds of gap.
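The following is an added example, not code from the audit report or from the original page, showing the kind of check described above: it correlates ISC dhcpd-style DHCPACK log lines with 802.1X accept records from a NAC/RADIUS server and flags leases that were issued to devices that never authenticated, that are missing from the asset inventory, or that look like a Raspberry Pi (vendor OUI prefix or the default "raspberrypi" hostname). The DHCP lines follow the real dhcpd format; the 8021X-ACCEPT record format, the asset inventory and all log lines are constructed for the example and are not any vendor’s actual log format or real data.

```python
import re
from typing import Dict, List

# Three OUI prefixes (first three octets of the MAC) registered to the
# Raspberry Pi Foundation / Raspberry Pi Trading. A match is a strong hint,
# not proof; an attacker can trivially change the MAC of the device.
RASPBERRY_PI_OUIS = {"b8:27:eb", "dc:a6:32", "e4:5f:01"}

# ISC dhcpd lease acknowledgement, e.g.
#   DHCPACK on 10.20.30.41 to b8:27:eb:4c:9d:11 (raspberrypi) via eth1
# The client hostname in parentheses is optional.
DHCPACK_RE = re.compile(
    r"DHCPACK on (?P<ip>\d+\.\d+\.\d+\.\d+) to "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})(?: \((?P<host>[^)]*)\))?",
    re.IGNORECASE,
)

# Hypothetical, simplified 802.1X success record as exported from the
# NAC/RADIUS server (constructed format for this example), e.g.
#   8021X-ACCEPT mac=00:50:56:aa:bb:cc port=sw01/Gi1/0/7 identity=jdoe@corp
ACCEPT_RE = re.compile(
    r"8021X-ACCEPT mac=(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) "
    r"port=(?P<port>\S+) identity=(?P<identity>\S+)",
    re.IGNORECASE,
)


def oui(mac: str) -> str:
    """Return the vendor prefix (first three octets) of a colon-separated MAC."""
    return mac.lower()[:8]


def parse_accepts(lines: List[str]) -> Dict[str, Dict[str, str]]:
    """Map MAC -> {port, identity} for every 802.1X accept record seen."""
    accepted = {}
    for line in lines:
        m = ACCEPT_RE.search(line)
        if m:
            accepted[m["mac"].lower()] = {"port": m["port"], "identity": m["identity"]}
    return accepted


def audit_leases(dhcp_lines: List[str], accept_lines: List[str],
                 inventory: Dict[str, str]) -> List[dict]:
    """Flag DHCP leases that should not have been handed out.

    A lease to a MAC with no matching 802.1X accept means the port either
    does not enforce authentication or uses a bypass; a MAC missing from the
    inventory is an unknown device; a Raspberry Pi OUI or default hostname
    is the specific signature this incident teaches us to look for.
    """
    accepted = parse_accepts(accept_lines)
    findings = []
    for line in dhcp_lines:
        m = DHCPACK_RE.search(line)
        if not m:
            continue
        mac = m["mac"].lower()
        host = (m["host"] or "").lower()
        reasons = []
        if mac not in accepted:
            reasons.append("lease issued without an 802.1X accept")
        if mac not in inventory:
            reasons.append("MAC not in asset inventory")
        if oui(mac) in RASPBERRY_PI_OUIS:
            reasons.append("Raspberry Pi OUI")
        if host == "raspberrypi":
            reasons.append("default Raspberry Pi hostname")
        if reasons:
            findings.append({
                "mac": mac,
                "ip": m["ip"],
                "host": host,
                "port": accepted.get(mac, {}).get("port", "unknown"),
                "reasons": reasons,
            })
    return findings


# Constructed sample data (not real logs or a real inventory).
SAMPLE_DHCP = [
    "Apr 10 09:12:01 dhcp1 dhcpd: DHCPACK on 10.20.30.17 to 00:50:56:aa:bb:cc (jdoe-laptop) via eth1",
    "Apr 10 09:14:40 dhcp1 dhcpd: DHCPACK on 10.20.30.41 to b8:27:eb:4c:9d:11 (raspberrypi) via eth1",
    "Apr 10 09:15:02 dhcp1 dhcpd: DHCPACK on 10.20.30.55 to 3c:52:82:10:20:30 (printer-3f) via eth1",
]
SAMPLE_8021X = [
    "8021X-ACCEPT mac=00:50:56:aa:bb:cc port=sw01/Gi1/0/7 identity=jdoe@corp",
]
SAMPLE_INVENTORY = {
    "00:50:56:aa:bb:cc": "jdoe laptop",
    "3c:52:82:10:20:30": "3rd floor printer",
}

if __name__ == "__main__":
    for finding in audit_leases(SAMPLE_DHCP, SAMPLE_8021X, SAMPLE_INVENTORY):
        print(f"{finding['ip']} {finding['mac']} ({finding['host'] or '-'}) "
              f"port={finding['port']}: {'; '.join(finding['reasons'])}")
```

On the sample data the laptop is clean, the Raspberry Pi is flagged on all four counts, and the printer, although inventoried, is flagged because it obtained a lease with no 802.1X accept on record: exactly the kind of bypass exception that a rogue device can impersonate.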
Despite common media depictions, most cyber attacks are relatively simple and succeed through a combination of human attack vectors and poor security practices. The JPL breach is an illustrative example of this. We highly encourage anyone involved in cyber security, and especially in incident response, to read the entire JPL audit report.