{"id":18289,"date":"2021-05-04T11:22:41","date_gmt":"2021-05-04T07:22:41","guid":{"rendered":"https:\/\/me-en.kaspersky.com\/blog\/mandalorian-season-2-cybersecurity\/18289\/"},"modified":"2021-05-04T11:22:41","modified_gmt":"2021-05-04T07:22:41","slug":"mandalorian-season-2-cybersecurity","status":"publish","type":"post","link":"https:\/\/me-en.kaspersky.com\/blog\/mandalorian-season-2-cybersecurity\/18289\/","title":{"rendered":"Cybersecurity in season 2 of The Mandalorian"},"content":{"rendered":"<p>You may remember that the Galactic Empire\u2019s cybersecurity situation was far from healthy. The <a href=\"https:\/\/www.kaspersky.com\/blog\/rogue-one-analysis\/22273\/\" target=\"_blank\" rel=\"noopener nofollow\">theft of the Death Star<\/a> plans from a highly classified storage facility and <a href=\"https:\/\/www.kaspersky.com\/blog\/star-wars-cybersecurity-problems\/6392\/\" target=\"_blank\" rel=\"noopener nofollow\">a failure of oversight causing the loss of a critical infrastructure facility<\/a> are just some of the recorded incidents. We watched season 2 of <em>The Mandalorian<\/em>, eager to find out whether the Empire had learned from its mistakes \u2014 for that seemed to be the subject of the new season \u2014 and because, after all, we think of Moff Gideon, the story\u2019s main antagonist and a former officer of the Imperial Security Bureau (ISB), as a colleague of sorts.<\/p>\n<h2>Chapter 11. The Heiress<\/h2>\n<p>Incident: Raid on Imperial cargo ship at takeoff<\/p>\n<p>This incident is more relevant to physical security than to information security, but being a computer-controlled vehicle, any spaceship qualifies as a cyberphysical system. The one in question used to haul arms but still lacked the most obvious safety feature: locking doors and elevators from the cockpit. As a result, the Mandalorians penetrated the security like a hot knife through butter, quickly taking the ship\u2019s controls. 
The professional competence of the defending party deserves a mention, too: they manage to lock the assailants in the cargo compartment\u2019s control room \u2014 the very one with the controls to unlock the doors or even depressurize the compartment. Furthermore, those critical systems are accessible without any authentication. These guys could really use a modern <a href=\"https:\/\/k-asap.com\/en\/?icid=me-en_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder____kasap___\" target=\"_blank\" rel=\"noopener\">cybersecurity awareness<\/a> class.<\/p>\n<h2>Chapter 12. The Siege<\/h2>\n<p>Incident: Raid on the Imperial research base on Nevarro<\/p>\n<p>Nevarro\u2019s Imperial facility looks like any other half-derelict forward operating base, but it is a research lab. Whether the defenders relied too heavily on the deserted look or no decent security pros remained with the Empire is anyone\u2019s guess. The Mandalorian and his comrades neutralize security and penetrate the base without raising any alarm. Moreover, they surge into the control room and take possession of the code cylinder, which appears to be the master key for all the doors.<\/p>\n<p>Using it, they open the doors to the base\u2019s power reactor room, conveniently located in the same place as the reactor\u2019s cooling system shutoff. In theory, equipping the base with a <a href=\"https:\/\/me-en.kaspersky.com\/enterprise-security\/industrial?icid=me-en_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder_______\" target=\"_blank\" rel=\"noopener\">specialized security solution<\/a> made to monitor industrial sensors and alert engineers or operators to overheating might have averted the resulting explosion.<\/p>\n<p>In the labs, the Imperial staff demonstrate sparks of reason, hastening to delete data to keep it from being captured in the attack. 
Yet they run out of time before they are killed, and the Mandalorian steals a look at Dr. Pershing\u2019s secret video report, which is addressed to Moff Gideon. That\u2019s a simple enough demonstration of how the lack of a <a href=\"https:\/\/me-en.kaspersky.com\/small-to-medium-business-security?icid=me-en_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder_______\" target=\"_blank\" rel=\"noopener\">quality data encryption solution<\/a> affects security. If the lab\u2019s data had been encrypted, the defenders could have focused on evacuation instead of deleting files in a panic, and the Mandalorian would not have learned that Moff Gideon was still alive.<\/p>\n<h2>Chapter 15. The Believer<\/h2>\n<p>Incident: Raid on the Empire\u2019s secret refinery on the planet Morak<\/p>\n<p>The Mandalorian is after the coordinates of Moff Gideon\u2019s ship, so he sets free Migs Mayfeld, a former Imperial soldier turned prisoner who may still remember the Imperial protocols. To acquire the coordinates, he needs to find his way to a terminal on a secret base used by the Empire for mining and processing rhydonium, a highly unstable and explosive mineral.<\/p>\n<p>Former officers of the Imperial Security Bureau manage the facility, and they take security seriously. According to Mayfeld, the base is equipped with a biometric system that checks genetic signatures against databases. As a result, former rebel fighter Cara Dune cannot raid the base, and neither can wanted criminal Fennec Shand or Boba Fett, who is wearing the face of an Imperial clone.<\/p>\n<p>Some issues remain unclear. Does the system control access to the information terminal alone, or does it check the identity of everyone arriving at the base? If the former, why can none of the persons mentioned above accompany Mayfeld (they would not have to touch the terminal)? 
If it\u2019s the latter, then why would the system let runaway soldier Mayfeld pass? For that matter, what about the Mandalorian, who does not appear in any database? A system like that should operate in <a href=\"https:\/\/encyclopedia.kaspersky.com\/glossary\/default-deny-application-control\/\" target=\"_blank\" rel=\"noopener\">default deny<\/a> mode. And the key question is, why is this third-rate mining facility the only one equipped with such an advanced system?<\/p>\n<p>The Mandalorian and Mayfeld end up hijacking a cargo vehicle (by jumping aboard in flight). That done, they change into Stormtroopers\u2019 outfits, fend off a ship from some local enemies of the Empire, and arrive at the base as heroes. Well, there is no question about the arrival part \u2014 who would deny their own cargo ship entry when it is under enemy fire? But why didn\u2019t the much-praised biometric system figure out that the signatures of the pilots back from the mission didn\u2019t match those of the original crew? Letting arriving staff move about the base freely without any further authentication is a big mistake.<\/p>\n<p>The information terminal\u2019s protection system also seems a bit weird. Accessing the data requires a face scan, but it apparently does not matter that the face is not in the database. What is the point? Is the scan not followed by a database check? Or is the scanner, too, set up to operate in default allow mode?<\/p>\n<h2>Chapter 16. The Rescue<\/h2>\n<p>Incident: Attack on Moff Gideon\u2019s cruiser<\/p>\n<p>The Mandalorian and his friends attack Dr. Pershing\u2019s shuttle, take his code cylinder, and obtain the secret info about Gideon\u2019s ship compartments. Next, they pull off an attack using a method based essentially on social engineering: posing as the shuttle being chased by Boba Fett\u2019s ship, they request an emergency landing on the cruiser. 
The cruiser\u2019s garrison does not give them clearance to land, but, having fallen for the emergency trick, it also doesn\u2019t open fire on the shuttle.<\/p>\n<p>With the help of Pershing\u2019s code cylinder, the Mandalorian opens the airlock of a compartment containing Imperial combat droids (Dark Troopers) and kicks them out into open space. What does that tell us? Nothing except that the Empire set up staff rights management badly. Why would a doctor and clone specialist be authorized to operate the combat droids\u2019 compartment airlock? In a critical infrastructure facility (and Moff Gideon\u2019s cruiser certainly falls into that category), staff access rights must follow a least-privilege policy, granting only the permissions needed for the tasks at hand.<\/p>\n<p>But there is still hope! The ship\u2019s doors are finally lockable from the captain\u2019s bridge! Not that it helped the struggling remnants of the Empire: it was the Mandalorian\u2019s friends, who had captured the bridge, who used the function, not the Imperials protecting it.<\/p>\n<h2>Conclusion<\/h2>\n<p>The remnants of the Empire have inherited a lot of cybersecurity problems, and all of their innovations \u2014 such as the biometric system \u2014 are very poorly set up. We recommend shortening the interval between security system audits and not being squeamish about penetration tests.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The Galactic Empire&#8217;s heirs analyzed for cybersecurity. 
<\/p>\n","protected":false},"author":700,"featured_media":18290,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1318,1916],"tags":[1765,1767,2047],"class_list":{"0":"post-18289","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-enterprise","9":"tag-mtfbwy","10":"tag-star-wars","11":"tag-truth"},"hreflang":[{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/mandalorian-season-2-cybersecurity\/18289\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/mandalorian-season-2-cybersecurity\/22807\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/mandalorian-season-2-cybersecurity\/24693\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/mandalorian-season-2-cybersecurity\/22684\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/mandalorian-season-2-cybersecurity\/21826\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/mandalorian-season-2-cybersecurity\/25215\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/mandalorian-season-2-cybersecurity\/24571\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/mandalorian-season-2-cybersecurity\/30641\/"},{"hreflang":"tr","url":"https:\/\/www.kaspersky.com.tr\/blog\/mandalorian-season-2-cybersecurity\/9621\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/mandalorian-season-2-cybersecurity\/39714\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/mandalorian-season-2-cybersecurity\/16881\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/mandalorian-season-2-cybersecurity\/17425\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/mandalorian-season-2-cybersecurity\/26698\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/mandalorian-season-2-cybersecurity\/30670\/"},
{"hreflang":"nl","url":"https:\/\/www.kaspersky.nl\/blog\/mandalorian-season-2-cybersecurity\/26998\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/mandalorian-season-2-cybersecurity\/23850\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/mandalorian-season-2-cybersecurity\/29183\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/mandalorian-season-2-cybersecurity\/28980\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/me-en.kaspersky.com\/blog\/tag\/mtfbwy\/","name":"MTFBWY"},"_links":{"self":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/18289","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/700"}],"replies":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=18289"}],"version-history":[{"count":0,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/18289\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/18290"}],"wp:attachment":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=18289"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=18289"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=18289"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}