NASA systems dangerously at risk from cyberattack

Network security is not rocket science


An official audit of NASA's network has concluded that the space agency faces a high risk of cyberattack.

Experts from the Office of the Inspector General (OIG) paint a grim picture of the state of the space agency's server infrastructure, warning that vulnerabilities in its systems leave it open to defacement, denial of service or information-stealing attacks.

In particular, six unnamed IT systems were found to be at risk of attacks that might allow hackers to seize remote control of critical systems – including systems that control spacecraft – over the net, as a result of unpatched software vulnerabilities. The OIG's report (24-page PDF/703 KB, extract of conclusions below) also warns that sensitive account information is poorly protected and wide open to extraction by any attackers who make it past NASA's perimeter defences.

We found that computer servers on NASA's Agency-wide mission network had high-risk vulnerabilities that were exploitable from the internet. Specifically, six computer servers associated with IT assets that control spacecraft and contain critical data had vulnerabilities that would allow a remote attacker to take control of or render them unavailable.

Moreover, once inside the Agency-wide mission network, the attacker could use the compromised computers to exploit other weaknesses we identified, a situation that could severely degrade or cripple NASA's operations. We also found network servers that revealed encryption keys, encrypted passwords, and user account information to potential attackers. These data are sensitive and provide attackers additional ways to gain unauthorized access to NASA networks.

Auditors criticised NASA for failing to apply an agency-wide computer security program they recommended following the previous review last May.

As Nature notes, the security vulnerabilities are a concern particularly because NASA has been the frequent victim of cyberattacks in the past. For example, hackers extracted 22 GB of data from the servers of NASA's Jet Propulsion Laboratory in Pasadena, California back in 2009.

The space agency said it had already fixed the vulnerabilities identified by the OIG's auditors. NASA managers promised to apply a consistent security policy across the agency. ®
