Unauthorised Raspberry Pi allowed hackers to compromise NASA's systems

A recent audit has unveiled a series of security errors at NASA

An attacker was able to gain access to NASA systems through a Raspberry Pi that wasn't authorised to be connected to its network.

That's according to a recent audit by the agency's Office of Inspector General, which has revealed a number of security weaknesses affecting its Jet Propulsion Laboratory (JPL).

The report claims that multiple IT security control weaknesses "reduce JPL's ability to prevent, detect and mitigate attacks targeting its systems and networks" while "exposing NASA systems and data to exploitation by cyber criminals".

JPL uses a special database for tracking devices and applications on its network, but according to auditors, this was "incomplete and inaccurate". As a result, JPL's ability to monitor, report and mitigate attacks was placed at "risk".

"Moreover, reduced visibility into devices connected to its networks hinders JPL's ability to properly secure those networks," said the auditors in their report.

"Further, we found that JPL's network gateway that controls partner access to a shared IT environment for specific missions and data had not been properly segmented to limit users only to those systems and applications for which they had approved access."

"This shortcoming enabled an attacker to gain unauthorised access to JPL's mission network through a compromised external user system."

They went on to explain that NASA "failed to establish Interconnection Security Agreements (ISA) to document the requirements partners must meet to connect to NASA's IT systems and describe the security controls that will be used to protect the systems and data".

Auditors also found that security problem log tickets were left open for "extended periods of time" and "sometimes longer than 180 days".

"While system administrators may request a waiver when they cannot resolve such tickets within 6 months, we found waivers were not reviewed annually as required, resulting in unnecessary waivers," explained the report.

What's more, NASA failed to implement a threat hunting program that had been recommended by IT security experts, relying instead on an "ad hoc process to search for intruders".

The report also claims that JPL had not "provided role-based security training or funded IT security certifications for its system administrators."

To improve JPL's security controls, the auditors wrote to the Director of the NASA Management Office, asking that the JPL Chief Information Officer (CIO) be instructed to implement several recommendations.

They include:

  1. Require system administrators to review and update the ITSDB and ensure system components are properly registered.
  2. Segregate shared environments connected to the network gateway and monitor partners accessing the JPL network.
  3. Review and update ISAs for all partners connected to the gateway.
  4. Require the JPL CITO to identify and remediate weaknesses in the security problem log ticket process and provide periodic ageing reports to the JPL CIO.
  5. Require the JPL CITO to validate, update, and perform annual reviews of all open waivers.
  6. Clarify the division of responsibility between the JPL Office of the Chief Information Officer and system administrators for conducting routine log reviews and monitor compliance on a more frequent basis.
  7. Implement the planned role-based training program by July 2019.
  8. Establish a formal, documented threat-hunting process.
  9. Develop and implement a comprehensive strategy for institutional IT knowledge and incident management that includes dissemination of lessons learned.