This hacker is not ordinary.
By | Linghuo K
In sci-fi and crime movies there is often a scene where a skilled hacker types a few lines on an old monochrome terminal and breaks into a large commercial bank or the encrypted servers of some country’s defense department.
Movies take artistic liberties, but the plot is not entirely far-fetched. This week NASA publicly acknowledged a real case of a “cheap computer hacking high-end servers.”
The NASA Office of Inspector General (OIG) released a report this week stating that in April 2018, hackers infiltrated the agency’s network and stole about 500MB of data.
As an open-source and inexpensive Linux single-board computer device, the Raspberry Pi has been widely introduced into campus computer education systems. The hacker used such a cheap Raspberry Pi device worth $35 (about 240 RMB).
It was connected to the IT network of NASA’s Jet Propulsion Laboratory (JPL) without authorization, bypassing security checks, and 500MB of data was stolen from 35 folders.
According to foreign media, information security analyst Mike Thompson assessed that the incident leaked confidential information about JPL’s construction and operation of planetary robotic spacecraft, and that more advanced technology patents may be at risk behind the attack.
In response, JPL declined to comment. However, NASA officials confirmed the above speculation. They believe that after the attack, hackers could conduct deeper attacks and ultimately infiltrate the mission system to manipulate communications signals for space missions.
The OIG report identified the likely root cause: JPL did not keep its Information Technology Security Database (ITSDB) up to date, so devices on the network were not fully tracked and security gaps went unnoticed.
Poster for the movie ‘Mars Mission’
It is worth noting that NASA revealed that a large portion of the stolen 500MB was related to the Mars missions planned by the United States, which suggests there may be another motive behind the attack.
Investigators stated that hackers not only accessed the JPL mission network but also accessed JPL’s DSN (Deep Space Network). This forced NASA to disconnect the latter from the JPL network to prevent secondary attacks.
This 49-page OIG report mentioned that hackers accessed the JPL network by infiltrating a shared network gateway and using that entry point to delve deeper into the JPL network.
The report’s original wording:
The April 2018 cyberattack exploited this particular weakness when the hacker accessed the JPL network by targeting a Raspberry Pi computer that was not authorized to be attached to the JPL network. The device should not have been permitted on the JPL network without the JPL OCIO’s review and approval.
In other words, the Raspberry Pi was probably not planted by the attacker; more likely, someone inside JPL attached it to the network, and it was later compromised.
Based on this description, security researchers speculate that the case fits the pattern of a Raspberry Pi man-in-the-middle attack, illustrated below with a router as the example:
A Raspberry Pi Zero is plugged into the USB port of a MikroTik hAP. From that point on the Raspberry Pi can steer all traffic passing through the router and “help” the attacker take control of the entire network.
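The control that failed here is asset tracking: a device was attached without review, and the inventory (the ITSDB) was not current enough to show it. The following is an added example, not code from the article, NASA or the OIG report, of the basic reconciliation a network team can run: parse a neighbour table, normalize the MAC addresses, and compare them with an authorized inventory, flagging unknown devices and inventory entries that have not been reviewed recently. The neighbour-table lines, the inventory, the review interval and the dates are all constructed for illustration; the OUI prefixes are the ones registered to the Raspberry Pi Foundation.

```python
"""Reconcile devices seen on a network segment against an authorized asset
inventory. Added example (not from the article or NASA); the neighbour table,
inventory entries, dates and 90-day review interval are constructed."""
from datetime import date, timedelta
import re

# OUI prefixes (first three octets) registered to the Raspberry Pi Foundation.
RASPBERRY_PI_OUIS = {"b8:27:eb", "dc:a6:32", "e4:5f:01"}
STALE_AFTER = timedelta(days=90)   # assumed review interval for inventory entries

# Constructed `ip neigh show` output as seen on a segment gateway.
NEIGHBOUR_TABLE = """\
192.168.88.10 dev bridge lladdr 00:11:22:33:44:55 REACHABLE
192.168.88.23 dev bridge lladdr B8-27-EB-12-34-56 STALE
192.168.88.41 dev bridge lladdr 66:77:88:99:aa:bb DELAY
192.168.88.99 dev bridge  FAILED
"""

# Constructed inventory: MAC -> (owner, approving office, last review date).
INVENTORY = {
    "00:11:22:33:44:55": ("ops-workstation-01", "OCIO", date(2019, 5, 2)),
    "66:77:88:99:aa:bb": ("lab-printer", "OCIO", date(2018, 1, 15)),
}

NEIGH_RE = re.compile(
    r"^(?P<ip>\S+) dev (?P<dev>\S+) lladdr (?P<mac>\S+) (?P<state>\S+)$")


def normalize_mac(mac: str) -> str:
    """Accept aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF or aabb.ccdd.eeff forms."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"bad MAC address {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def parse_neighbours(text: str):
    """Yield (ip, dev, mac) for entries that carry a link-layer address;
    entries without one (e.g. FAILED) are skipped."""
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            yield m["ip"], m["dev"], normalize_mac(m["mac"])


def reconcile(neigh_text: str, inventory: dict, today: date) -> list:
    """Return findings: devices missing from the inventory, and inventory
    entries whose last review is older than STALE_AFTER."""
    findings = []
    for ip, dev, mac in parse_neighbours(neigh_text):
        entry = inventory.get(mac)
        if entry is None:
            hint = " (Raspberry Pi OUI)" if mac[:8] in RASPBERRY_PI_OUIS else ""
            findings.append(f"UNAUTHORIZED {mac} at {ip} on {dev}{hint}")
            continue
        owner, _approver, reviewed = entry
        if today - reviewed > STALE_AFTER:
            findings.append(f"STALE {mac} ({owner}) last reviewed {reviewed}")
    return findings


if __name__ == "__main__":
    for finding in reconcile(NEIGHBOUR_TABLE, INVENTORY, date(2019, 6, 24)):
        print(finding)
```

Run against the constructed data, the check reports the unknown Raspberry Pi at 192.168.88.23 and the printer whose inventory entry has not been reviewed for more than a year; the value of the exercise is not the MAC lookup itself but running it on a schedule so the inventory and the live network never drift apart unnoticed.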
The attack principle is as follows:
Starting with MikroTik: many routers from this brand support 3G and 4G USB dongles, and not only small routers like the hAP but also some larger rack-mounted models have the same capability.
By default these devices expose an auxiliary WAN interface over USB (a network uplink via USB).
The configured Raspberry Pi shows up as an LTE interface
On the Raspberry Pi, P4wnP1’s default network device descriptor was combined with the USB VID/PID of a Linksys network adapter, so the router recognizes it as a new WAN interface.
Once the device is plugged in, the router sends a DHCP request to obtain an IP address for the new lte1 interface.
The DHCP response from the Raspberry Pi then carries additional routing options whose effect is to “route all internet traffic to the lte1 interface.”
Router’s routing table after accepting Raspberry Pi’s DHCP response
Using DHCP options in BadUSB attacks is not new; Samy Kamkar, Rob Fuller, P4wnP1 and others have done so before. The difference here is that the target is the router itself, so every host in the local network is affected.
Of course, the Raspberry Pi is not a real WAN interface: it cannot provide internet access on its own, and there is also a loopback problem.
USB traffic will loop back
The workaround is to forward all traffic through a VPN server. The routes pushed by the BadUSB device exempt traffic destined for one specific VPN server from the redirect, so that traffic is not looped back; the Raspberry Pi can therefore tunnel everything to the remote VPN server, which forwards it on to the internet.
Final architecture
As long as everything goes smoothly, requests and responses within the local network flow normally. In the traceroute shown in the original, the MikroTik router hands traffic to the Raspberry Pi, which passes it to the VPN server and on to the public internet.
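The pivot in the scenario above is a DHCP reply that the router accepts from a freshly attached USB interface and that carries routes redirecting all traffic. From the defender’s side, the useful check is to decode the DHCP option area (RFC 2132 TLV encoding, with RFC 3442 classless static routes in option 121 and the pre-standard Microsoft option 249) and flag a reply that offers a default route, or sweeping routes, on an interface the operator never approved as a WAN uplink. The following is an added example written for this article, not code from the original post, from P4wnP1 or from MikroTik; the two DHCP replies, the interface names and the addresses are constructed.

```python
"""Decode a DHCP reply's option area and flag attempts to redirect a client's
default route. Added example, not code from the article, P4wnP1 or MikroTik;
both replies, the interface names and the addresses below are constructed."""
import ipaddress

DHCP_MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD, OPT_END = 0, 255
OPT_SUBNET_MASK, OPT_ROUTER = 1, 3
OPT_CLASSLESS_ROUTE = 121       # RFC 3442 classless static routes
OPT_MS_CLASSLESS_ROUTE = 249    # pre-standard Microsoft equivalent
BROAD_PREFIX_LIMIT = 8          # routes of /8 or wider are treated as sweeping


def parse_options(area: bytes) -> dict:
    """Decode the RFC 2132 TLV option area into {code: [raw values]}."""
    if not area.startswith(DHCP_MAGIC_COOKIE):
        raise ValueError("missing DHCP magic cookie")
    options, i = {}, len(DHCP_MAGIC_COOKIE)
    while i < len(area):
        code = area[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        length = area[i + 1]
        value = area[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"truncated option {code}")
        options.setdefault(code, []).append(value)
        i += 2 + length
    return options


def parse_classless_routes(value: bytes) -> list:
    """Decode RFC 3442 entries: prefix length, significant prefix octets,
    then a 4-byte router address."""
    routes, i = [], 0
    while i < len(value):
        plen = value[i]
        if plen > 32:
            raise ValueError(f"bad prefix length {plen}")
        nbytes = (plen + 7) // 8
        dest = value[i + 1:i + 1 + nbytes].ljust(4, b"\x00")
        router = value[i + 1 + nbytes:i + 5 + nbytes]
        if len(router) != 4:
            raise ValueError("truncated route entry")
        network = ipaddress.ip_network(
            f"{ipaddress.IPv4Address(dest)}/{plen}", strict=False)
        routes.append((network, ipaddress.IPv4Address(router)))
        i += 1 + nbytes + 4
    return routes


def analyze_reply(area: bytes, iface: str, approved_wan: set) -> list:
    """Findings for a DHCP reply received on `iface`. A default route is only
    expected from an interface approved as a WAN uplink; any other interface
    pushing one, or pushing sweeping routes, is reported for review."""
    findings, opts, routes = [], parse_options(area), []
    for code in (OPT_CLASSLESS_ROUTE, OPT_MS_CLASSLESS_ROUTE):
        for raw in opts.get(code, []):
            routes.extend(parse_classless_routes(raw))
    if OPT_ROUTER in opts and iface not in approved_wan:
        gw = ipaddress.IPv4Address(opts[OPT_ROUTER][0][:4])
        findings.append(f"{iface}: default gateway {gw} offered on non-WAN interface")
    for network, via in routes:
        if network.prefixlen == 0 and iface not in approved_wan:
            findings.append(f"{iface}: classless 0.0.0.0/0 via {via} offered on non-WAN interface")
        elif 0 < network.prefixlen <= BROAD_PREFIX_LIMIT:
            findings.append(f"{iface}: sweeping route {network} via {via}")
    return findings


def _option(code: int, value: bytes) -> bytes:
    return bytes([code, len(value)]) + value


def _route_entry(network: str, via: str) -> bytes:
    """Encode one RFC 3442 route entry (used to build the constructed replies)."""
    net = ipaddress.ip_network(network)
    nbytes = (net.prefixlen + 7) // 8
    return (bytes([net.prefixlen]) + net.network_address.packed[:nbytes]
            + ipaddress.IPv4Address(via).packed)


# Constructed: an ordinary lease from the site gateway.
BENIGN_REPLY = (DHCP_MAGIC_COOKIE
                + _option(OPT_SUBNET_MASK, ipaddress.IPv4Address("255.255.255.0").packed)
                + _option(OPT_ROUTER, ipaddress.IPv4Address("192.168.88.1").packed)
                + bytes([OPT_END]))

# Constructed: a reply from a USB device posing as an LTE modem that pushes a
# default route (plus a sweeping /8) toward itself on the new lte1 link.
ROGUE_REPLY = (DHCP_MAGIC_COOKIE
               + _option(OPT_SUBNET_MASK, ipaddress.IPv4Address("255.255.255.0").packed)
               + _option(OPT_CLASSLESS_ROUTE, _route_entry("0.0.0.0/0", "172.16.0.1")
                         + _route_entry("10.0.0.0/8", "172.16.0.1"))
               + bytes([OPT_END]))

if __name__ == "__main__":
    print(analyze_reply(BENIGN_REPLY, "ether1", {"ether1"}))   # []
    print(analyze_reply(ROGUE_REPLY, "lte1", {"ether1"}))      # two findings
```

The point of keying the check on an approved-WAN list is that, seen from the router, a WAN interface receiving a default route is perfectly normal; what is abnormal in the scenario above is that the default route arrives on an interface nobody approved. The same logic applies to the policy side: a router that is not meant to use a USB uplink should not run a DHCP client on that interface at all, and the approved list should come from the asset inventory rather than from whatever happens to be plugged in.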
As noted above, it is highly likely that someone inside NASA connected a Raspberry Pi to the internal network, and that device was then hacked.
Netizens wondered whether there was a mole inside NASA. Others soon dismissed the idea, believing it was more likely someone’s unlucky blunder.
Considering that there had been no cyber attack of this level in the past year, NASA OIG has classified the incident as an advanced persistent threat (APT), and more information will be released once NASA’s investigation concludes.
Netizens believe the importance of the 500MB NASA lost will determine the real impact of this APT incident; given how candidly NASA “confessed,” many suspect the loss was not that serious.
References: Zhihu | NOSEC; Chiphell Community; AI Finance Society