Raspberry Flavored Sploits and the Internet of Threats
While some like to talk about the Internet of Things (the wonderful web of everything from jet engines to vending machines, all using the internet to communicate), I have a bit of a dark bent and like to use the term Internet of Threats. Of course, that term isn’t even accurate; it is probably better to call it the Internet of Vulnerabilities.
In 2018, NASA was the latest high-profile hacking victim in an incident where attackers compromised a $35 Raspberry Pi single-board micro-PC. While the Raspberry Pi was an unauthorized, rogue device, it was nonetheless on the network. Once it was exploited, the attacker was able to gain access to NASA’s JPL Labs network for about 10 months, undetected, and abscond with about 500 MB of data.
For those wanting to dig down, NASA Office of Inspector General Report IG-19-022 has the details.
Some things to consider:
- Cyber attacks are more likely a matter of when rather than if. You should plan accordingly.
- Defense in depth can help greatly. If you assume that something on your network is going to be breached, you should then make it as hard as possible for intruders to traverse your network. Network segmentation is your friend.
- The fact that an intruder was at large in this network for 10 months, while disappointing, is hardly surprising. Ponemon found that US companies took an average of 206 days to detect a breach.
- While you probably have security and visibility systems and processes in place, are they working the way you think they are? Do you have blind spots in your network? Are you ready for TLS 1.3 traffic? Could you get more out of your monitoring tools?
- The human factor – are people following processes and procedures correctly, or have they implemented convenient but dangerous workarounds?
- Do you have ways of controlling what devices have access to the network? How confident are you that there are no rogue devices on your network? How confident are you that non-rogue devices are properly patched?
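One way to start answering the rogue-device question, as an added example (not from the original post or the NASA report): reconcile what a Linux host actually sees on its segment against your asset inventory. The neighbor-table sample, the inventory and the short OUI list below are constructed or assumed for illustration.

```python
import re

# Assumption: OUI prefixes registered to Raspberry Pi (not an exhaustive list).
RPI_OUIS = {"b8:27:eb", "dc:a6:32", "e4:5f:01"}

# Constructed inventory of authorized MAC addresses (hypothetical asset list).
AUTHORIZED = {"00:1a:2b:3c:4d:5e", "3c:52:82:aa:bb:cc"}

# Constructed sample in the format printed by `ip neigh show`.
SAMPLE_NEIGH = """\
10.0.0.1 dev eth0 lladdr 00:1A:2B:3C:4D:5E REACHABLE
10.0.0.23 dev eth0 lladdr b8:27:eb:12:34:56 STALE
10.0.0.40 dev eth0 lladdr 3c:52:82:aa:bb:cc DELAY
10.0.0.57 dev eth0 lladdr 6a:11:22:33:44:55 REACHABLE
10.0.0.99 dev eth0  FAILED
"""

LINE_RE = re.compile(r"^(\S+) dev (\S+) lladdr ([0-9A-Fa-f:]{17})\s+(\S+)")

def parse_neighbors(text):
    """Yield (ip, iface, mac) for entries that resolved to a MAC address."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # FAILED/INCOMPLETE entries carry no lladdr and are skipped
            yield m.group(1), m.group(2), m.group(3).lower()

def classify(mac):
    """Return a hint on why an unlisted MAC deserves a closer look."""
    if mac[:8] in RPI_OUIS:
        return "raspberry-pi-oui"
    # Bit 0x02 of the first octet marks a locally administered
    # (often randomized or manually set) address.
    if int(mac[:2], 16) & 0x02:
        return "locally-administered"
    return "unknown-vendor"

def find_unlisted(text, authorized):
    """Return neighbors seen on the wire but absent from the inventory."""
    allowed = {m.lower() for m in authorized}
    return [(ip, mac, classify(mac))
            for ip, _iface, mac in parse_neighbors(text)
            if mac not in allowed]

if __name__ == "__main__":
    for ip, mac, hint in find_unlisted(SAMPLE_NEIGH, AUTHORIZED):
        print(f"{ip:<12} {mac}  {hint}")
```

MAC addresses can be changed, so treat this as inventory reconciliation that surfaces blind spots, not as access control; enforcement belongs in 802.1X or a NAC product.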
Anyway, security is a journey, not a destination. Regardless of where you are now, it might be a good time to step back and take an honest look at where you are. Even if you have inherited a dire situation, you can always start taking steps to improve. In the meantime, the new Raspberry Pi 4 looks pretty cool! Just don’t go rogue with it.