CYBERCRIMS WERE ABLE to gain access to NASA systems through a rogue Raspberry Pi that wasn't authorised to be connected to its network.
That's according to a recent audit by the agency's Office of Inspector General, which reveals a number of security weaknesses affecting its Jet Propulsion Laboratory (JPL).
The report claims that multiple IT security control weaknesses "reduce JPL's ability to prevent, detect and mitigate attacks targeting its systems and networks" while "exposing NASA systems and data to exploitation by cybercriminals".
JPL uses a special database for tracking devices and applications on its network, but according to auditors, this was "incomplete and inaccurate". As a result, JPL's ability to monitor, report and mitigate attacks was placed at "risk".
"Moreover, reduced visibility into devices connected to its networks hinders JPL's ability to properly secure those networks," said the auditors in their report.
"Further, we found that JPL's network gateway that controls partner access to a shared IT environment for specific missions and data had not been properly segmented to limit users only to those systems and applications for which they had approved access."
"This shortcoming enabled an attacker to gain unauthorised access to JPL's mission network through a compromised external user system."
They went on to explain that NASA "failed to establish Interconnection Security Agreements (ISA) to document the requirements partners must meet to connect to NASA's IT systems and describe the security controls that will be used to protect the systems and data".
In another incident, security problem log tickets were left open for "extended periods of time" and "sometimes longer than 180 days".
"While system administrators may request a waiver when they cannot resolve such tickets within six months, we found waivers were not reviewed annually as required, resulting in unnecessary waivers," explained the report.
What's more, NASA failed to implement a threat hunting program that had been recommended by IT security experts and relied on an "ad hoc process to search for intruders".
The report also claims that JPL had not "provided role-based security training or funded IT security certifications for its system administrators."
To improve JPL's security controls, the auditors wrote to the Director of the NASA Management Office to instruct the JPL Chief Information Officer (CIO) to implement several recommendations. µ
Put a Ring-Con on it
We know. We're as surprised as you are
It's available across all major UK networks