Tuesday, May 04, 2021

Hacking the Death Star: Imperial Cybersecurity 101

Jokes about brute ‘Force’ attacks aside, if we were rebel scum how would we hack the galaxy’s most secure data centre?


Today is May 4th, the traditional day for celebrating one of the greatest franchises in movie history. As such, and having a geek streak a parsec wide, we thought (at work) that it’d be fun to set ourselves a challenge. I'm an avid and weekly Star Wars RP player (Savage Worlds system - Pew Pew), so how could we plan and execute an attack against the Death Star, the galaxy’s premier evil planetoid and residential superlaser? Not wanting to get into hassle for publishing this on a company website - a cease-and-desist from Disney is never a good way to start the month - I'm publishing it here.

To begin with, we’ve got to exercise our geek muscles and actually look at the Star Wars universe for clues. Hacking is known as ‘slicing’ in the Star Wars universe. Yes, I'm going to do this properly and take this way too seriously.

If there’s one thing that the films Rogue One, New Hope, and RotJ taught us, it’s that Imperial files are woefully unencrypted. No 2FA, no 32-bit encryption, just sitting there on a data stick waiting to get left on a seat in a cantina or on the number 13 transport. The files themselves aren’t going to be a problem. There’s no wi-fi in the Star Wars universe – a concept unimaginable to Mr. Lucas in 1977. Secure messages are run around the Death Star corridors by toaster-looking robots (MSE-series ‘mouse’ droids) and held on ‘code cylinders’ peeking from the top pockets of classically-trained English actors. 

Datacards store and transfer data to and from datapads in the same way floppy disks and USB flash drives are/were used with computers – R2-D2 carried a datacard with the first Death Star plans on it, given to him by Leia Solo (née Organa, actually née Leia Amidala Skywalker) at the Battle of Tatooine.

DataCores are repositories of bulk information, but there appears to be little connection to them from the outside world – and as such they may be air-gapped and therefore the most ‘secure’ element of the Imperial data security policy (though criminally inaccessible to off-site teams). The only cloud in which the Empire works is probably Bespin.

Data can be transmitted, however, to a ship in orbit or to another secure location – though this seems to require aligning transmission dishes, further family appropriate drama, and considerable personal sacrifice that’s best avoided.

There is also the HoloNet, as mentioned in Clone Wars and featured in SW Rebels, which appears to be an Imperial-controlled broadcast network that also lets citizens look up information, akin to Wikipedia, complete with websites, etc.

Apart from ‘radio’ communications and transmissions, it appears that everything requires physically plugging into a wall socket. It’s all quite primitive, actually, and does seem to leave the Empire prone to any Datacard or grubby R2-unit with a virus on it.

Now that we’ve set the scene we can lay out a plan, hopefully without the untimely demise of too many Bothans, using the knowledge of cybersecurity (edge, application and data) that I've crammed into my brain as an ongoing writer and content creator for one of the world's largest cybersecurity providers.


Approaches:

Most Imperial staff aren’t the sharpest tools in the woodshed. Stormtroopers, the foot soldiers of the Galactic Empire, even less so. Transmitting a ‘secure’ message containing malicious code, waiting for an unsuspecting Imperial trooper to click on the latest specs in an advert for the BT-16 perimeter droid - they say it's quite a thing to see - seems a solid approach to introduce malicious code into the network: “Send us 20,000 Galactic Credits to unlock your files and data!” If only The Empire had anti-phishing training as part of their HR policy.

Imperial officers seem to have a substantially higher IQ, though the path to career progression seems somewhat unforgiving. We can, however, assume that the most intelligent, shrewd, and (possibly) security-conscious make it to Moff without being shot by the plucky proletariat or choked to death by their line manager.

These officers are better trained and unlikely to click on phishing emails. It’s possible, however, that any attack could come from within: disgruntled or former employees, perhaps now seeing the error of their ways, with legacy security codes (“It’s an older code, but it checks out”) and with default access to parts of the DataCore that may contain information inappropriate for their access level. It would be simple for such individuals to leave with classified documents (Mon Mothma herself was a former Galactic Republic Senator) or sabotage important data (like Galen Erso in Rogue One). If only The Empire had data risk analytics.

In any large organization, it’s likely that developers will use 3rd-party code, especially when on a tight deadline like the building of the second Death Star. Sometimes this leaves security teams out of the loop and creates a blind spot, making it hard for Imperial Security Officers to monitor all dependencies. It’s likely that Imperial dev teams will utilize reusable software components, developed to be either freely distributed or sold by an entity other than the original (Geonosian) vendor, to design the likes of landing bay forcefield controls or even planetoid propulsion systems. This means there may be code making calls outside of the secure network – which is a nightmare for regulatory compliance and opens the door to interference from malicious Rebellion clients. If only The Empire had runtime self-protection.

Malicious code can do anything any other program can do, like writing a warning message on a screen, stopping a trash compactor program from running, setting off a klaxon, or making millions of voices suddenly cry out in terror as their planet is evaporated… Without database security, it may be possible to piggyback malicious code on, for example, supply chain code or outdated security cyphers from a Lambda shuttle requesting permission to enter the atmosphere of the forest moon of Endor. It may be introduced by an inquisitive astromech droid, recently arrived from some back-water hive of scum and villainy, careless about where it puts its malicious dongle. Malicious code could go undetected on infected Imperial systems, quietly monitoring applications and any outbound connections. Once critical information is stolen, such as personnel information, plans, or passwords, the information could then be transmitted to any attacking ground force (for example).

We can safely assume that the Death Star has a HoloNet presence, for propaganda (and possibly recruitment) purposes at least - perhaps with a contractor login area. If it doesn’t, it’s a tragically missed opportunity by the Galactic Empire Public Relations department (yes, that’s actually a thing). If it does, then it’s going to be a prime target for attack by Rebellion slicers, who could easily use a denial of service attack - utilizing the thousands of droids, vehicles, and apps out there in the Star Wars universe to bombard the Death Star HoloNet pages with thousands of requests. This would overload the HoloNet site, crashing it or making it run so slowly that it becomes unusable and ruins the experience for normal citizens. A bit of DDoS protection wouldn't go amiss here.

One can assume the Empire has a backup plan in place against any malicious attack – unlike the Jedi who managed to lose an entire planet and appear to have no alternative storage or rollback capability. Regardless, any of the above assaults would make for unwanted disruption and embarrassment, legal issues, downtime, and a very angry Sith Lord that could be easily avoided with the right precautions. We had a lot of fun writing this.

Here’s wishing you and yours a very happy May 4th. May the odds be in your favour and may the Force be with you. Always.


Big thanks to Imperva for letting me write this in work time.