Did log4j, the buggy software utility from hell, get NASA’s experimental Mars helicopter hacked? The answer is: Nope—according to NASA, it doesn’t even use the doomed tool.
The Register originally reported that Ingenuity, one of two Mars-based vehicles operated by America’s space agency, uses log4j. In fact, Apache, the maker of the ubiquitous, vulnerability-ridden tool, apparently tweeted back in June that the space-chopper was “powered by” log4j. (File that under things that haven’t aged particularly well.) Predictably, the tweet has since been deleted but the Wayback Machine shows the evidence.
All that “powered by” business was apparently incorrect, with the company telling Futurism that it was “misinformed.”
Log4j, in case you’ve missed it, is a widely used Apache logging program that was recently discovered to be afflicted with serious security vulnerabilities that could easily get you hacked. It has been used by virtually everyone, from coders at Twitter and Apple to those at Amazon and LinkedIn. But not, apparently, the NASA engineers who built Ingenuity.
Ingenuity, which is the first man-made vehicle to fly on an alien planet, was launched last year and landed on Mars in March along with its partner, the Perseverance rover. The automated chopper recently took its 17th flight over the surface of the planet—breaking its previous record by staying aloft for a little over 30 minutes. However, while the flight was mostly a success, the vehicle temporarily disappeared from NASA’s view after suffering a minor network issue. “The rotorcraft’s status after the Dec. 5 flight was previously unconfirmed due to an unexpected cutoff to the in-flight data stream as the helicopter descended toward the surface at the conclusion of its flight,” the space agency reported in a recent press release.
Ingenuity’s use of the unfortunate Apache utility, coupled with its recent unexpected data disruption, led some to wonder: Did Apache’s bug get NASA’s space chopper hacked?
Absolutely not, according to NASA, which told Futurism this in a statement: “NASA’s Ingenuity helicopter does not run Apache or log4j nor is it susceptible to the log4j vulnerability. NASA takes cybersecurity very seriously and, for this reason, we do not discuss specifics regarding the cybersecurity of agency assets.”
We’ve reached out to NASA for additional information and will update when we hear back.
That it was even plausible that Ingenuity could have used log4j (pronounced “log for j,” as in “log for Java,” according to its creator) speaks more to its ubiquity than it does to some mystical off-world hacking incident. And, while the bug-ridden utility did not, according to NASA, have anything to do with Ingenuity, it’s still a huge problem. As companies throughout the world race to patch their systems, cybercriminals are hot on their heels—and are already beginning to cause substantial damage.
Case in point, ransomware gangs are now targeting log4j like there’s no tomorrow. It was reported earlier this week that a new ransomware family dubbed “Khonsari” had been going after vulnerable Microsoft computers to attempt exploits. Since then, we’ve also seen hackers affiliated with Conti, a well-known ransomware gang, begin targeting vulnerable systems. In fact, the gang may have just attacked McMenamins—the funky brewery/hotel/events franchise based in Portland, Oregon, which reported an attack Friday. Conti is only suspected at this point.
However, ransomware hackers aren’t the only kids on the block taking advantage of this situation. All kinds of exploitation attempts have been seen throughout the internet, with cybercriminals swarming around the vulnerabilities and trying everything from cryptomining to data theft and everything in between. Additionally, reports of state-backed hacking activities have popped up, claiming that China, North Korea, Iran, and others are all leveraging the vulnerabilities for their espionage activities.
Meanwhile, the federal government took emergency action on Friday to secure itself, issuing an order from the U.S. Cybersecurity and Infrastructure Security Agency to all federal Civilian Executive Branch agencies that mandates they patch the Apache bug within the next six days. CISA director Jen Easterly urged all relevant agencies to “join us in this essential effort.”
Yes, it’s all pretty bad. Only time will tell how big the mess wrought by log4j is, but don’t hold your breath. It’s going to take a while to find out how screwed we all are.