NASA cybersecurity report: ISS, Hubble, Shuttle vulnerable when hackers penetrated NASA network


The office of NASA's Inspector General released a report this week titled "Inadequate Security Practices Expose Key NASA Network to Cyberattack," which details pretty much what it says on the tin: the International Space Station, the Hubble telescope, the space shuttle, and other key assets were made vulnerable back in 2009 when hackers penetrated the NASA computer network that controls them.

The vulnerabilities have since been addressed, but NASA still lacks a recommended cybersecurity oversight program to reduce future risks.

From a related story in the Huntsville Times:

Also in 2009, hackers stole 22 gigabytes of export-controlled data from the Jet Propulsion Laboratory and opened links between the NASA network and 3,000 foreign IP addresses.

NASA has closed the worst holes in its system, according to the audit released Monday, but other risks will remain until NASA establishes IT safeguards for the entire agency. NASA says it will do that by the end of the fiscal year Sept. 30. NASA said in a statement Tuesday that its chief information officer will work with NASA centers, including Huntsville's Marshall Space Flight Center, to make sure computers are secure.

And more about the past intrusions, directly from the NASA Inspector General's report:

We found that computer servers on NASA's Agency-wide mission network had high-risk vulnerabilities that were exploitable from the Internet. Specifically, six computer servers associated with IT assets that control spacecraft and contain critical data had vulnerabilities that would allow a remote attacker to take control of or render them unavailable. Moreover, once inside the Agency-wide mission network, the attacker could use the compromised computers to exploit other weaknesses we identified, a situation that could severely degrade or cripple NASA's operations. We also found network servers that revealed encryption keys, encrypted passwords, and user account information to potential attackers. These data are sensitive and provide attackers additional ways to gain unauthorized access to NASA networks. These deficiencies occurred because NASA had not fully assessed and mitigated risks to its Agency-wide mission network and was slow to assign responsibility for IT security oversight to ensure the network was adequately protected. In a May 2010 audit report, we recommended that NASA immediately establish an IT security oversight program for this key network.

However, even though the Agency concurred with the recommendation it remained unimplemented as of February 2011.

Direct link to the Inspector General's cybersecurity audit here.

(thanks, Miles O'Brien)


  1. The NASA is at no risk: the guys that cracked their network are geeks, and it’s obvious no geek on the planet would do anything to slow down space exploration in any way …
    Problem solved.

    1. @Anon posting #2. You sure about that?

      There is absolutely no such thing as Chinese hackers, right? And China does not have a space program of any kind anyway, so I’m sure that even if there were Chinese hackers, they wouldn’t have any reason to….


  2. I had the good fortune to attend a Hubble Anniversary shindig five or six years ago at the Smithsonian. It was an honor to be able to meet and talk with the engineers and scientists who keep the HST flying; but I must say that when I talked to some of NASA’s IT people about security practices and sustainable program development my opinions were not well received.

    I think they get so caught up in the wonderful things they are able to do that they don’t want to descend into the pessimistic mindset that is necessary for good security. They like Java far too much, also; OO languages are more difficult to secure because the components are so abstracted from raw bits and bytes. But they may be making the right decision by concentrating on doing constructive things rather than spending all their time building walls to keep destructive people at bay. At this point, they are achieving so much that I tend to support their attitude even though I don’t share it.

    As for “why is that stuff accessible from the Internet”, well, I have personally seen a Hubble engineer get an emergency call, whip out his laptop, and take control of the guidance and imaging systems (presumably averting some sort of catastrophe) from his in-laws’ living room during a holiday. Heavily encrypted VPN, of course. Connectivity is not a bad thing in and of itself; science itself depends on widespread communication.

  3. Everybody knows that Howard Wolowitz is responsible for the 2009 NASA hacking. It’s all been quite well documented.

  4. My crystal ball sees management shifting blame onto the admins.

    Oh screw the ball, it’s right there on the cover page.

  5. I’m not saying the hacking did not take place but I highly doubt that the system and the info on it was anything close to being truly classified data. Why?

    1 – Assume that the proposed image of government as being dumb or ignorant or a bunch of old guys too dumb to not be hacked by the younger generation is a façade.

    2 – Sun Tzu’s ART OF WAR clearly states that disinformation is key to a victory so you better believe that the military, the government and all related agencies public and private engage in disinformation to keep the public at bay and in particular, the smart would-be hackers from trying to hack the real systems.

    3 – Does anyone really believe that mission critical systems with truly restricted information would be hooked to the internet? The proposed image of being “Dumb enough to do x” that the government and its agencies project is meant to convince people that the government isn’t smart enough to know better than to do this kind of thing. Again, ART OF WAR – Disinformation

    Assuming that the events outlined really did happen and are not themselves disinformation, the hacked systems are almost certainly decoys designed to be targets for would-be hackers. Think of them as the digital equivalent to countermeasures used in military naval battles as decoys for missiles and the like.
