We once published an op-ed on why why every tech geek should own a Raspberry Pi. But exploiting an unauthorized Raspberry Pi to hack NASA's Jet Propulsion Laboratory (JPL) was, to put it simply, a bad idea.
The revelation that a Raspberry Pi helped enable an April 2018 hack of JPL arrived courtesy of the U.S. Office of the Inspector General (OIG) on June 18. OIG said in its report that JPL "has experienced several notable cybersecurity incidents that have compromised major segments of its IT network" in the last decade, with the April 2018 hack being "used to steal approximately 500 megabytes of data from one of its major mission systems."
OIG didn't spare any aspect of the lab's security in the report. The report outlined problems with how JPL manages and monitors its network, responds to incidents and shares "lessons learned" from those incidents. It also said that NASA lacks sufficient oversight for JPL's security practices. Reading it probably won't make anyone feel better about the lab tasked with exploring other planets and managing the Deep Space Network.
For the April 2018 hack, this all came to a head, thanks to problems with the way JPL managed the Information Technology Security Database (ITSDB) used to track equipment connected to its network. Or perhaps it's more accurate to say the lab mismanaged the database and that, combined with other lackadaisical security practices, led to a Raspberry Pi being used to hack a NASA research laboratory.
OIG explained in its report:
"Moreover, system administrators did not consistently update the inventory system when they added devices to the network. Specifically, we found that 8 of 11 system administrators responsible for managing the 13 systems in our sample maintain a separate inventory spreadsheet of their systems from which they periodically update the information manually in the ITSDB," the report said.
"One system administrator told us he does not regularly enter new devices into the ITSDB as required because the database’s updating function sometimes does not work and he later forgets to enter the asset information. Consequently, assets can be added to the network without being properly identified and vetted by security officials. The April 2018 cyberattack exploited this particular weakness when the hacker accessed the JPL network by targeting a Raspberry Pi computer that was not authorized to be attached to the JPL network. The device should not have been permitted on the JPL network without the JPL [Office of the Chief Information Officer]'s review and approval."
Raspberry Pis are popular because they offer a deceptively capable platform in an itty-bitty form factor that's perfect for tinkering. JPL learned the hard way that even a cheap device with a cutesy name can undermine systems used to send robots into space.