Raspberry Pi Used to Hack NASA

We once published an op-ed on why why every tech geek should own a Raspberry Pi. But exploiting an unauthorized Raspberry Pi to hack NASA's Jet Propulsion Laboratory (JPL) was, to put it simply, a bad idea.

The revelation that a Raspberry Pi helped enable an April 2018 hack of JPL arrived courtesy of the U.S. Office of the Inspector General (OIG) on June 18. OIG said in its report that JPL "has experienced several notable cybersecurity incidents that have compromised major segments of its IT network" in the last decade, with the April 2018 hack being "used to steal approximately 500 megabytes of data from one of its major mission systems."

OIG didn't spare any aspect of the lab's security in the report. The report outlined problems with how JPL manages and monitors its network, responds to incidents and shares "lessons learned" from those incidents. It also said that NASA lacks sufficient oversight for JPL's security practices. Reading it probably won't make anyone feel better about the lab tasked with exploring other planets and managing the Deep Space Network.

For the April 2018 hack, this all came to a head, thanks to problems with the way JPL managed the Information Technology Security Database (ITSDB) used to track equipment connected to its network. Or perhaps it's more accurate to say the lab mismanaged the database and that, combined with other lackadaisical security practices, led to a Raspberry Pi being used to hack a NASA research laboratory.

OIG explained in its report:

"Moreover, system administrators did not consistently update the inventory system when they added devices to the network. Specifically, we found that 8 of 11 system administrators responsible for managing the 13 systems in our sample maintain a separate inventory spreadsheet of their systems from which they periodically update the information manually in the ITSDB," the report said.

"One system administrator told us he does not regularly enter new devices into the ITSDB as required because the database’s updating function sometimes does not work and he later forgets to enter the asset information. Consequently, assets can be added to the network without being properly identified and vetted by security officials. The April 2018 cyberattack exploited this particular weakness when the hacker accessed the JPL network by targeting a Raspberry Pi computer that was not authorized to be attached to the JPL network. The device should not have been permitted on the JPL network without the JPL [Office of the Chief Information Officer]'s review and approval."

Raspberry Pis are popular because they offer a deceptively capable platform in an itty-bitty form factor that's perfect for tinkering. JPL learned the hard way that even a cheap device with a cutesy name can undermine systems used to send robots into space. 

Nathaniel Mott
Freelance News & Features Writer

Nathaniel Mott is a freelance news and features writer for Tom's Hardware US, covering breaking news, security, and the silliest aspects of the tech industry.

  • sohowsgoing
    Part of the problem is that JPL plays both sides when it wants. When they don't want to do what NASA wants, they say, "We don't have to listen to you. We're Caltech." Conversely, when it is beneficial, they will say, "We're not Caltech; we're NASA."

    Because of this, they maneuver around whatever they don't like while reaping the benefits of both sides w.r.t. research money/grants, discoveries, etc.

    I know because I have worked with some of these folks and it is sometimes pulling teeth to be able to get what you want/need.
    Reply
  • thegriff
    How does any computer/device connected to their system not automatically get blocked. Our systems are scanned and have to match what is approved or they get blocked. With all the so called genious's at JPL how do they do this manually? They should be banned from gov't funding until they fix this.
    Reply
  • bit_user
    thegriff said:
    How does any computer/device connected to their system not automatically get blocked. Our systems are scanned and have to match what is approved or they get blocked. With all the so called genious's at JPL how do they do this manually? They should be banned from gov't funding until they fix this.
    I dunno, maybe round after round of government budget cuts.

    A lot of government agencies are running on a shoestring budget and struggling even to perform their mandate. So, it's not surprising if their network security isn't top notch.
    Reply
  • USAFRet
    thegriff said:
    How does any computer/device connected to their system not automatically get blocked. Our systems are scanned and have to match what is approved or they get blocked. With all the so called genious's at JPL how do they do this manually? They should be banned from gov't funding until they fix this.
    In any network, no matter how strongly locked down, there is a small group of people with absolute access.
    Probably one of these semi-genuises with access thought he knew better and was above the rules, and...
    Reply