36 comments

[ 2.6 ms ] story [ 102 ms ] thread
It would be nice to know what this specific "Raspberry Pi" vulnerability is, considering the software stack is almost entirely Debian.
Not impossible to imagine the credentials were the unchanged default pi/raspberry... (I imagine quite a few people who haven't done much w/ a Pi don't even run raspi-config) I assume you can scan for similar exposed RPis with Shodan etc.
> The comprehensive federal review of JPL’s systems stemmed from an April 2018 incident when someone at JPL attached the Raspberry Pi to the network there for an unknown purpose

Basically, someone plugged in a computer to the corporate network that happened to be a Raspberry Pi. Might as well have been a Beaglebone, a Banana Pi or an Intel NUC for that matter.

JPL builds robots and robots are made from SBCs.
If JPL is using a Pi off of Earth, they're doing it wrong. Stability in space requires a little more care (it's hot, cold, particle-y, etc).
No one said anything even remotely close to that.
As TRL progresses, the hardware changes. Nobody buys RAD750 for each of their new ideas.
There is no RPi vulnerability(in this article). The RPi was just used as a bastion into the internal network. It could have been any SBC. Once your already inside the internal network things get stupid lax.

EG. I can't see your Windows shared folders from the internet, but the PC in the next room can. Someone sneaked an RPi into JPL to be that PC in the next room.

See Also; Season 1 Mr Robot had this exact scenario as a plot point.

No, they infiltrated a Rpi already on the network (e.g. a research SBC) which itself was also able to access other machines.
> If, however, they represented an adversarial nation, the data could be extremely valuable.

Yes, heaven knows that data on manned spaceflight shouldn't be shared with all of mankind, only america and it's allies.

Or you know, lobbing ballistic warheads at some other country you've been at war with for literally centuries.
It would probably be more along the lines of altering the re-entry characteristics of a manned space flight, you know, for lulz. Or nationalism. Or it’s Tuesday. Or whatever other Hal-baked rationale they can come up with.

Guaranteed there’s someone out there jackass enough to do that.

The actual OIG report: https://oig.nasa.gov/docs/IG-19-022.pdf I only did the briefest of scans, but the recommendations seem pretty basic best practices stuff.

In my experience, research labs tend to be creative spaces with a focus on collaboration and information security is not foremost on peoples mind. I guess that will have to change.

It's kind of interesting to read in the report how the JPL was not compliant with several NIST guidelines (800-53 and others) what it does not mention is how this situation persisted despite the required audits for federal organizations..
There’s a significant distinction between federal organizations and federally-funded organizations— JPL is the latter.
Recommendations suck, they just write couple of times that administrators should update "Information Technology Security Database" and that they failed to do that. That should be automated. They have all those "CISO", "SAISO", "OCIO" and "CIO" but there is no one who knows how to setup automated nmap scan for a network range? Then trigger someone and add it to some inventory like "hey there is some new raspberry pi in network" should you maybe check it?
It's not like you can easily detect a rogue RPi with just nmap. It's trivial not to respond to anything sent to you. You have to start looking at ARP, but that's not iron-clad either.
But that is not the point, point is they make admins do stuff manually. Getting kids to brush teeth every morning and evening is hard, getting bunch of IT admins to do something, what seems pointless, every day is close to impossible. Setting up something that scans network every day is trivial by comparison.
The article mentions that the hackers stole 500MB? The number seems small given the scale of storage in modern computers but I guess 500MB could account for a large number of documents that contain confidential info.
500MB of leaked credit card information is a lot. 500MB of leaked video is little. It all depends on the contents.
>5,406 unresolved SPLs—about 86 percent of which were rated high or critical >JPL did not effectively address a known software vulnerability, first identified in 2017, with a critical score of 10. This software flaw can be used by cyberattackers to remotely execute malicious code >one of the projects has a waiver of JPL IT security requirements to change passwords every 90 days. Instead, the project relies on a designated application and team accounts to share password files, group files, host tables, and other files over the network

There seems to be a fair amount of filler in the report (review access logs, out of date inventory, etc) but these points seem pretty damning.

If I was a betting man, I'd bet that there are some old dusty areas of NASA facilities where there are open NFS exports, NIS providing security, and Sun workstations doing work.

I bet someone could fire up a SATAN scanning instance with a Mosaic browser and find some open stuff on some of those old and crusty computers. :)

Thanks for making me remember Saint and Satan times! Also Nessus was open source.
I am surprised this doesn't happen more often.
The articles says if the hackers were some jokers on the internet then the data isn’t terribly useful, but if it was an adversarial nation then it is very useful. Why? Can’t the jokers sell it to other nations?
The report doesn't mention how the intrusion was discovered. Someone just noticed the RPi one day? 500mb traffic to a Chinese IP?