Turns out a tiny Raspberry Pi was at the source of a big headache for NASA. An audit released by the NASA Office of Inspector General on June 18 reveals that an early 2018 cyberattack utilizing one of these mini-computers resulted in a hacker making off with restricted documents.
If you’re not familiar with Raspberry Pi, it’s a small computer about the same size and shape as a credit card. Since it costs about $35, it’s a popular tool for learning the basics of computer programming, robotics, and creating DIY projects. (You may have seen one featured in an episode of Mr. Robot.) As you might guess, its small size and flexible use mean people don’t always employ it for good.
Which brings us to NASA: The “unauthorized” Raspberry Pi created a portal through which the attacker pilfered files from the Jet Propulsion Laboratory (JPL), which handles robotic space and Earth science missions, including the Mars Curiosity rover, according to the agency’s OIG. This particular breach was discovered in April 2018, when JPL found an external user’s account was compromised. The hacker, using an unauthorized Raspberry Pi connected to the system, was able to expand their access once they logged into the network.
Two of the 23 stolen files—about 500MB in total—involved restricted information relating to the International Traffic in Arms Regulation and Mars Science Laboratory mission. Additionally, the hacker accessed two out of three primary JPL networks, leading NASA to temporary disconnect several space-flight-related systems from the JPL network. Perhaps most frightening is that the hack went undetected for 10 months.
Also disturbing: JPL didn’t have a complete or accurate inventory of system components on its network, according to the OIG report. Neither did it have security controls to consistently monitor and detect cyberattacks on its network—so administrators had no idea the Raspberry Pi was there because it wasn’t logged properly. As a result, it wasn’t properly monitored, and taking control over an unsupervised, practically ‘non-existent’ Raspberry Pi is ostensibly a fairly easy task for a hacker. According to the BBC, the audit found several other “unknown” devices on the JPL network, though none were believed malicious.
So far no culprit has been caught or identified, though NASA’s OIG report says the investigation is ongoing. In the meantime, JPL has installed more monitoring agents on its firewalls and says it’s reviewing network access agreements for external partners. Gizmodo reached out to NASA for comment and how the agency plans to improve its lax security going forward but did not immediately receive a response.