A hacker illegally accessed NASA’s Jet Propulsion Laboratory in 2018 by targeting an off-the-shelf micro-computer called a Raspberry Pi.
The breach was discovered in 2018, but just disclosed to the public in a June 18 report. In it, NASA details an “unauthorized” Raspberry Pi that created a portal that allowed the unknown attacker access to the network for months, until it was ultimately discovered and patched.
For those unfamiliar, a Raspberry Pi is a $35 micro-computer made popular by any number of school science projects (mostly involving a blinking light) or its occasional appearance in hacker movies or TV shows. Its size and price make it an attractive piece of hardware for the DIY crowd. And though it’s cheap and tiny, there are few limits to what it can do when placed in the right, or wrong, hands.
In this case, the Raspberry Pi wasn’t the culprit, but the victim. A hacker using an external user account moved stealthily through NASA’s network for about 10 months, according to a June cybersecurity report from the Office of the Inspector General. While there, he or she searched 23 files, two of which contained information about the current Mars mission. All told, the hacker made off with approximately 500 megabytes worth of data, according to the report.
The Raspberry Pi was never meant to be connected to the network, according to NASA — at least not without prior authorization.
This underlies a bigger issue, that a non-vetted device connected to the network of one of our most secretive organizations, remained there for months, and walked off with half a gigabyte of data before being discovered. Allowing these devices to connect to the network without being properly identified or vetted is a major failure in terms of operational security.
For system administrators, the men and women tasked with protecting these networks and identifying threats that could wreak havoc, the lapse isn’t inconsequential. Still, the problem could have been much worse. In fact, it’s a bit of a kick in the pants knowing that NASA’s best cybersecurity efforts were thwarted by a $35 device anyone could purchase on Amazon.
It’s yet another reminder that networks are only as strong as the humans who use them. And we clearly have a long way to go.