Information security in the “Bad Batch” | Kaspersky official blog
As usual on May the 4th (MTFBWY), we’re publishing a report for Star Wars fans on how, a long time ago in a galaxy far, far away, the Empire was negligent about information security. This year’s subject is the just-concluded third season of the animated series “Star Wars: The Bad Batch”. The customary warning applies: the text below contains spoilers.
Despite its seemingly unserious format, “The Bad Batch” has plot twists and a narrative coherence that put most recent live-action series and movies to shame. Ever since “Palpatine somehow returned” in the ninth film, Lucasfilm’s chief creative officer Dave Filoni has been trying to give that return at least some logical justification, which is why the plot of the new season revolves around “Project Necromancer”, conducted at the top-secret Tantiss base. And that is exactly what we need: a secret scientific institution with protective systems unprecedented for the Galactic Empire, which nevertheless fail regularly.
Measures to protect the secrecy of the Tantiss base’s location
Doctor Hemlock, leader of the Tantiss base and head of the “Project Necromancer”, has the full trust of the Emperor and unlimited resources. One of his tasks is to ensure the security and secrecy of the base. And unlike most of the Imperial leaders we’ve seen before, he approaches his task responsibly.
The location of this facility doesn’t appear in any Imperial database. This, of course, complicates supply flights, so Hemlock put safeguards in place to keep the coordinates of his base secret. Any ship heading to Tantiss must first dock with Imperial Station 003 in orbit around Coruscant, the capital of the Galactic Empire, and undergo a thorough check, including an inspection of the entire crew. The access code needed for docking changes once every rotation. Tantiss’s coordinates are loaded directly into the ship’s navigation computer immediately after departure and are somehow not retained there. They are evidently loaded from an isolated computer, since this data isn’t accessible over the network. Even the station’s manifest, which records ship destinations, requires a separate access card to read.
Science ships that fly to Tantiss use enhanced security protocols. In particular, they’re equipped with proximity sensors that detect suspicious objects near the hull (it’s entirely unclear why this technology isn’t used anywhere else in the Empire). In addition, when someone accesses the flight computer through the droid connection port, an alarm is sent to the pilot’s console. This is the first time we’ve seen even minimal cyberprotection for this data port.
Why these measures aren’t enough
Unfortunately, all these precautions turn out to be completely pointless. The main characters of the series, Clone Force 99, dock with the station in a recently stolen shuttle whose computer still holds a valid clearance code. Their unscheduled arrival naturally arouses some suspicion, but a defector in an officer’s uniform who has joined the clone squad uses social engineering to convince station personnel that his arrival is legitimate. He advises the suspicious officers to check with their superiors (and nobody wants to contact Admiral Tarkin), and dismisses the door guards from their posts by citing some “Article 15 of Imperial Standing Order 10”.
Next, Echo, a clone with a number of cybernetic enhancements, connects directly to the station computer through a droid port and finds out which ship is heading to Tantiss. He boards the science vessel through a separate dock for loading droids, which for some reason nobody checks while the human crew is being thoroughly scanned. On board, he connects to a similar droid port, and it does trigger the “unscheduled droid activity in the cargo hold” alarm, but Echo simply stuns the trooper sent to investigate, uses the communicator to report that everything is fine and it was a malfunction, and then switches off the proximity sensors.
How to avoid repeating imperial mistakes:
equip every computer system that has a droid connection port with an alarm that fires on an unauthorized connection, not just the ones in the hold of science ships;
conduct regular security awareness training for base and station crews, in particular teaching them to recognize social engineering techniques.
Tantiss base defenses
Tantiss base also employs several protection technologies unique among Imperial facilities. For example, the droids working at the base can remotely trigger an alarm. But the main cybersecurity innovation is that access to a number of key scientific systems and zones is possible only after connecting an employee’s personal datapad through a special cradle. These datapads are well encrypted and stop working when taken away from the base, and activating lockdown mode in the lab makes all the datapad cradles inoperable.
The outer perimeter of the base is guarded, among other things, by trained local predators (lurca hounds). Tunnels lead from their kennels into the base, but they are protected by force fields activated on a signal from the supervising officer. The tunnels also have presence sensors that sound an alarm when unexpected activity is detected.
The central laboratory, where the experimental subjects are kept, is protected not only by security squads and force fields, but also by a door locked with a special key (only Hemlock himself and the base’s chief scientist hold copies). Medical droids regularly take blood samples from the subjects and send them through service tunnels, which are also opened by medical droids.
Why these measures aren’t enough
Personal datapads have no authentication of their own. An attacker who gets hold of one can not only open doors and operate elevators, but also gain access to classified information systems (and even drop heavy containers on droids). Yes, the datapads are encrypted, but the encryption can be bypassed by connecting one to any Imperial terminal at any Imperial base. In other words, possession of the device is the only factor: whoever holds the datapad is, as far as the base is concerned, the employee.
The motion detectors in the lurca tunnels don’t activate the protective mechanisms automatically. The order is given by an officer, who may not be fast enough.
The service tunnels for transporting blood samples are large enough for an experimental subject to crawl through. The hatches covering them can be opened mechanically with stolen medical instruments, and the same instruments can be used not only to paralyze a medical droid but also to reprogram one.
Some systems require no authentication at all. In particular, the field restraining a dangerous and practically invulnerable animal (the Zillo Beast) is switched off from a nearby control panel by pressing several buttons and pulling one lever. And we’re talking about an animal capable of destroying the entire base.
Unauthorized connections to the droid ports scattered throughout the base are, once again, not monitored in any way, even though the shuttle has a system capable of detecting exactly this. Moreover, at one point the attackers try to connect to the blood-testing station and are denied access, and this failed attempt to reach classified information doesn’t raise any alarm either. A denied access attempt is often the earliest sign of an intrusion, and here it is simply discarded.
And the final touch: there is no backup of the research materials on which “the future of the Empire depends”. A single grenade in a research laboratory is enough for all the results of Dr. Hemlock’s work to be lost irretrievably.
How to avoid making the same mistakes:
keep backup copies of critical information on media isolated from the network and stored in a separate room, and check periodically that they can actually be restored;
all systems that grant access to classified information or secure premises must use two-factor authentication, so that a stolen datapad alone is not enough;
strictly speaking, what this scientific base lacks is something like a SIEM system to collect and manage security data and events. Such a system can analyze cybersecurity events from various information systems, such as loss of signal from droids, failed access attempts and so on, and can even automate the response to those alerts: turning on lockdown mode, force fields and alarms when necessary.
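To make the last three recommendations concrete, here is an added example of the kind of correlation a SIEM would perform over the base’s own telemetry: droid heartbeats, droid-port connections, denied access attempts and tunnel sensor hits. It is not code from the original post or from any Kaspersky product; the log format, field names, event kinds, thresholds and the sample log are all constructed for illustration. It covers the points raised above about unmonitored droid ports, the silently discarded access denial, the tunnel force fields that wait for an officer, and loss of signal from droids.

```python
"""Toy SIEM-style correlation engine for the Tantiss base scenario.

Added example: this is not code from the original post or from any
Kaspersky product. Event format, field names, rule thresholds and the
sample log are all assumptions constructed for illustration.
"""
from dataclasses import dataclass

HEARTBEAT_TIMEOUT = 120   # seconds of droid silence before "loss of signal" (assumed)
CORRELATION_WINDOW = 60   # two alerts in one zone within this window -> lockdown (assumed)

# Constructed sample log: "<time> <source> <kind> <zone> [detail]"
SAMPLE_LOG = """\
100 droid_R3 heartbeat lab_b1
160 droid_R3 heartbeat lab_b1
230 droid_port_17 connect lab_b1 unscheduled
235 blood_station access_denied lab_b1 datapad=D-4412
240 lurca_tunnel motion tunnel_3 unexpected
310 droid_port_02 connect hangar scheduled
"""


@dataclass
class Event:
    time: int
    source: str
    kind: str
    zone: str
    detail: str = ""


def parse_log(text):
    """Parse the whitespace-separated log format above into Event objects."""
    events = []
    for line in text.splitlines():
        parts = line.split(maxsplit=4)
        if len(parts) < 4:
            continue  # skip blank or malformed lines
        detail = parts[4] if len(parts) == 5 else ""
        events.append(Event(int(parts[0]), parts[1], parts[2], parts[3], detail))
    return events


class TantissSiem:
    """Collects alerts from several sources and automates the response."""

    def __init__(self):
        self.alerts = []          # (time, zone, message)
        self.responses = []       # (time, zone, action)
        self.last_heartbeat = {}  # droid -> (last time seen, zone)
        self.locked_zones = set()

    def respond(self, time, zone, action):
        self.responses.append((time, zone, action))

    def alert(self, time, zone, message):
        self.alerts.append((time, zone, message))
        # Correlation rule: a second alert in the same zone inside the window
        # is treated as an intrusion and the zone is locked down automatically
        # (in the series, lockdown mode also disables the datapad cradles).
        recent = [a for a in self.alerts
                  if a[1] == zone and time - a[0] <= CORRELATION_WINDOW]
        if len(recent) >= 2 and zone not in self.locked_zones:
            self.locked_zones.add(zone)
            self.respond(time, zone, "lockdown")

    def check_heartbeats(self, now):
        """Loss of signal from a droid is itself an event worth an alert.
        Checked lazily when the next event arrives; a real system would
        use a timer instead of waiting for more traffic."""
        for droid, (last, zone) in list(self.last_heartbeat.items()):
            if now - last > HEARTBEAT_TIMEOUT:
                del self.last_heartbeat[droid]
                self.alert(now, zone, f"loss of signal from {droid}")

    def process(self, ev):
        self.check_heartbeats(ev.time)
        if ev.kind == "heartbeat":
            self.last_heartbeat[ev.source] = (ev.time, ev.zone)
        elif ev.kind == "connect" and ev.detail != "scheduled":
            # Every droid port reports connections, not only the one on the shuttle
            self.alert(ev.time, ev.zone, f"unscheduled connection on {ev.source}")
            self.respond(ev.time, ev.zone, "alarm")
        elif ev.kind == "access_denied":
            # A denied access to a classified system is recorded, not dropped
            self.alert(ev.time, ev.zone, f"denied access to {ev.source} ({ev.detail})")
        elif ev.kind == "motion":
            # Tunnel sensors raise the force field without waiting for an officer
            self.alert(ev.time, ev.zone, f"unexpected motion reported by {ev.source}")
            self.respond(ev.time, ev.zone, "force_field")

    def run(self, events):
        for ev in sorted(events, key=lambda e: e.time):
            self.process(ev)
        if events:
            self.check_heartbeats(max(e.time for e in events))
        return self.alerts, self.responses


def analyze(log_text):
    """Run the engine over a log and return (alerts, responses)."""
    return TantissSiem().run(parse_log(log_text))


if __name__ == "__main__":
    alerts, responses = analyze(SAMPLE_LOG)
    for a in alerts:
        print("ALERT   ", *a)
    for r in responses:
        print("RESPONSE", *r)
```

On the constructed log, the unscheduled droid-port connection at 230 raises an alarm on its own, the denied access at the blood station five seconds later in the same zone is the second alert inside the window and locks lab_b1 down automatically, the tunnel sensor raises its force field without an officer in the loop, and droid_R3 going silent produces a loss-of-signal alert once the timeout has passed. The design choice worth noting is that every sensor feeds the same engine: none of these events is dramatic alone, and it is the correlation in one place that turns them into a response.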
Still, the advances in defense systems cannot be denied: other Imperial institutions we’ve seen in the Star Wars universe lack this level of protection. As usual, though, it’s hard to call this progress, because the series is effectively a prequel: it takes place 18 years before the Battle of Yavin, and the Death Star incident happened much later. So the screenwriters will probably have to explain this regression in subsequent movies and animated series.