Part 4 – The Security Failures Of Star Wars: Rogue One
The next chronological chapter in the Star Wars saga is Rogue One. This movie takes place roughly 4 years after Revenge of the Sith and advances forward about 15 years right up to the start of A New Hope. This time span has the Empire growing and expanding across the universe but also allows them to construct the Death Star.
The first three movies lays the ground work on how Emperor Palpatine, through work as his alter ego, played both sides and put in a plan of action for the Empire to be born. Removing regulations, political obstacles and able to obtain an army to allow him to maintain that control. At the end of Revenge of the Sith we saw the plans and early stages of the Death Star’s construction as Darth Vader and General Tarkin looked on.
Rogue One shows us the world with a fully operational Empire. It also shows that the lack of focus on cybersecurity, physical security and operational governance in the early stages of the company’s growth have ballooned into a real problem.
We start with an empire weapons officer named Krennic arriving on a planet to take scientist Galen Erso for the Death Star project. Galen refuses, the empire murders his wife, and we see his young daughter hide and end up under the protection of a rebel Saw Gerrera.
The movie jumps head 15 years to show the defection of an imperial cargo ship pilot Bohdi Rook carrying a holographic message from Galen to Saw Gerrera.
Here are a few simple security controls that were lacking to allow this to happen
- Data leak
- Galen used the equivalent of a USB drive to smuggle out a sensitive message. Ironically Galen had more security sense than the Empire as his message eludes to a hidden weakness but never discloses it in case the message is intercepted or seen by unintended parties.
- Inventory Mangement
- We aren’t sure how Rook defected but we have to assume he used imperial equipment somewhere along the way. Pilots should be checking out, filing flight plans, manifests of cargo and passengers, etc…
- Missing Employee
- With the sensitive nature of a cargo pilot in the Empire you would think if a pilot went missing they would be able to track to communicate out to the troopers.
- Agile Method
- It’s clear that the Empire used the Agile method to get the Death Star built. Continuous development, testing in all areas and the downside of agile, disconnected teams to understand interconnectivity issues.
- This is how Galen was able to put in a central flaw and not have anyone put it all together this was a problem.
- No security architecture reviews or scrutiny. They assumed their biggest threats were big ships. (More on that in A New Hope)
- No risk assessments conducted. If there were the results were ignored as any delays would put the Emperor’s timelines at risk.
- A management team that managed through fear, discouraged feedback. Who would speak up on any flaws when the risk is getting force choked to death by Vader?
Jyn, Galen’s daughter, is in an imperial labor camp where she’s rescued and brought to Mon Mothma of the Rebels. Mon gets Jyn to go rescue her father to help them destroy this rumored planet killer the Empire is building. (Data leak)
Jyn and a crew go to Jedah to see Saw Gerrera. In the crew is an imperial droid K-2S0 who was reprogrammed.
- Inventory Management
- A droid as strong as the K-S20 model goes missing. Perhaps droids are so common they treat them like staplers?
- No “GPS” like tracking of the droids.
- Everyone that sees K-S20 assumes he’s a valid imperial droid.
- IoT controls lacking
- K-S20 was able to be reprogrammed yet presumably able to keep knowledge of imperial systems.
- No encryption or protection of the firmware.
- Open source coding to allow the rebels to able to reprogram.
- No kill switch in the device if the core programming changed, “brick the droid”
The rebels go and try to rescue Galen. After a firefight he and his team of Death Star scientists die. After the rebels escape their only option now is to retrieve the plans from the planet Scarif.
Scarif is an imperial base that truly shows the security mentality of the Empire. They build big and think big. In the Empire perimeter defenses are big. Scarif is no different. The entire planet is protected by an energy shield that encompasses it. The only entrance is through a heavily armed doorway that opens a “port” to the inner “network” below. Strong enough to hold back a large scale attack but smaller ships pose an assumed risk.
Jyn’s initial plan was to use the Rebel fleet in a massive DDoS attack on the planet. She did not get approval. Instead she and a small band of rebel volunteers took a stolen imperial ship, that Rook dubbed “Rogue One”, to goto Scarif themselves to steal the plans from the databank.
- Inventory Management
- An imperial ship was stolen. That ship should have had a unique imperial identifier, an assigned crew, flight plans filed so that if they ship ended up in a place it wasn’t with a crew that doesn’t match it would be stopped.
- Authorization Assumptions
- The Empire assumes across the company that if the ship and code match, it’s valid. There is no secondary authentication or personnel validation for imperial ships. Especially at highly secured locations.
- Arrival Validation
- Once through the security checkpoint there is no validation on arrival. The ships land and the empire employees assume they are authorized personnel. No questions.
- Internal Physical Security Controls
- All the doors in the base require no additional security authorizations.
Jyn, Cassian and K-S20 jump two imperial officers, steal their uniforms and enter the base. Again, K-S20 looks like an imperial droid and everyone assumes it’s valid. Cassian looks like a scrub with his unshaven face and messy hair but he’s wearing a uniform, Jyn too. Must be valid and they walk around freely.
As a distraction the other rebels attack the other side of the island to keep the pressure inside off Jyn’s team.
The Rebels intercept communications about the attack on Scarif and send in the fleet.
- Unencrypted Communications
- The Empire does not encrypt their communications or uses a compromised encryption method the rebels can decrypt.
The Rebel fleet arrives and beings a DDoS attack on the perimeter hoping to brute force open the ports to allow for transmission out from the internal network. K-S20 sacrifices himself to allow Jyn and Cassian to proceed to physically get the plans and get them off planet to the Rebels in orbit.
Jyn and Cassian reach the databank and we see that the Empire’s storage method is tapes. Physical tapes. In order to find the tapes Jyn needs to know the project name. As they are looking through the project names they don’t stumble across the obvious “Big Planet Killing Ship”. Jyn revert to the next easiest security breach method, social engineering, and looks for a name that her and her father would know. Since she hadn’t seen her father basically her whole life they look for the only common name they shared and what he whispered to her as he died, “Stardust”, the childhood nickname daddy called her.
Side though bubble – I can see Galen sitting in a project planning meeting giving this project that name in jest. “Get it, Stardust. That’s what we’ll turn the planets into with this. Ha ha ha.”
Using the robotic arms they find the location of the tape and through more fights have to eventually climb up and get it. Now, Jyn has to assume that Stardust is the correct tape. For all she knew it was either the plans or a collection of memories her daddy kept. Roll of the dice.
Jyn gets the tape and makes it to the roof of the tower to begin transmission to the Rebels.
- Physical Security
- K-S20, reprogrammed, still was able to use the imperial computers. Most likely it’s because the imperial computer systems do not use any kind of local authentication to operation a terminal.
- The robot arms required no authentication to operate.
- There is no check out process on a tape to get the physical locks to release. Take whatever one you want.
- The tapes are not named with obscure catalog identifiers to make retrieval more difficult.
- The transmission system is wide open and unsecure on the roof.
- No encryption on the tape. No password protection.
- The transmission system doesn’t use imperial encryption by default.
- The entire schematic for the Death Star is stored in one location. Everything you need to know is there. No defense in depth or compartmentalized security approaches used.
At the end the Empire uses the Death Star and wipes out the infrastructure on Scarif. This is similar to a zero-tolerance approach to getting infected with Ransomware, just wipe out the system and start over. We can assume the Empire had a well defined backup process to eliminate a storage facility without hesitation.
The Empire skipped on simple security controls that at the time were seen as obstacles, annoyances, things that would ‘slow things down’. Yet those simple omissions allowed for a state sponsored faction to infiltrate a corporation and steal proprietary information for future use.
To stop the rebels all the Empire needed to do up to this point was have the following:
- Front line authentication for terminal access on all systems. One step further, multi-factor.
- Encryption on communications and storage.
- Stronger authorization on personnel and ship arrivals.
- Inventory check-out/check-in process.
If they did those four things, Death Star vulnerability or not, the rebels would not have been able to infiltrate, retrieve or read.
Up next A New Hope. How a state sponsored faction uses compromised information to exploit un-patched vulnerabilities.
End of line.