Faulty verification for boarding passes for flight test

Dec 5, 2014 21:38 GMT

A microchip aboard the Orion spacecraft, containing over 1.3 million names, may be carrying bogus information that a researcher injected through an online service NASA provided for people to register for a boarding pass for the spacecraft's test flight.

NASA allowed people to register for a boarding pass through a web application, which had a content-filtering vulnerability that permitted entering arbitrary code in the first and last name fields, Benjamin Kunz Mejri from Germany-based Vulnerability Lab says in an advisory published on Friday.

Researcher abuses name fields on three occasions

After an approval process carried out by NASA, the names would be “written” onto a microchip placed aboard the Orion, scheduled for a flight test on December 5 at Cape Canaveral Air Force Station in Florida.

The researcher says that he managed to inject rogue code through the digital boarding pass name fields. He made three attempts in total, and two of them were spotted by NASA's verification process.

As a result, the researcher’s virtual ticket on the spacecraft was rejected and put on the “No Fly List.”

US CERT (Computer Emergency Readiness Team) was notified about the glitch in the data filtering mechanism and the issue was closed.

The third attempt, however, consisted of entering “Payload 1” and “Payload 2” in the name fields. This time, the bogus information passed the verification process and a boarding pass was created.

The researcher alleges that, in the absence of proper filtering of the information entered through the boarding pass web application, someone might be able to slip in a piece of code that would place them ahead of others in the event of a real spacecraft journey to a different planet, or that it could be used for malicious purposes.
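The filtering gap described above can be illustrated with an added example, which is not NASA's code and not taken from the Vulnerability Lab advisory: a markup denylist lets a string such as “Payload 1” through, while an allowlist for person names, applied after Unicode normalization, rejects it. The field length limit, the permitted separator characters and all sample inputs other than “Payload 1” are assumptions made for the illustration.

```python
import html
import re
import unicodedata

MAX_LEN = 64                 # assumed field limit, not from the article
SEPARATORS = " -'.\u2019"    # assumed: space, hyphen, apostrophes, period

def denylist_ok(value):
    """Weak check: only rejects input that visibly looks like markup."""
    return re.search(r"[<>]", value) is None

def normalize(value):
    """NFKC folds look-alike forms (e.g. fullwidth '<'); split/join trims whitespace."""
    return " ".join(unicodedata.normalize("NFKC", value).split())

def validate_name(raw):
    """Allowlist check for one name field. Returns (ok, reason)."""
    name = normalize(raw)
    if not name:
        return False, "empty"
    if len(name) > MAX_LEN:
        return False, "too long"
    if unicodedata.category(name[0])[0] != "L":
        return False, "must start with a letter"
    # Letters and combining marks from any script, plus the separators above.
    bad = sorted({c for c in name
                  if unicodedata.category(c)[0] not in ("L", "M")
                  and c not in SEPARATORS})
    if bad:
        return False, "disallowed characters: " + " ".join(map(repr, bad))
    return True, "ok"

def render_name(first, last):
    """Encode on output as well, so a validation gap cannot become injection."""
    return '<span class="name">{} {}</span>'.format(
        html.escape(first), html.escape(last))

# Constructed sample inputs; "Payload 1" is the string quoted in the article.
SAMPLES = ["Núñez", "O'Brien", "Jean-Luc", "李",
           "<i>Ada</i>", "\uff1ci\uff1eAda", "Payload 1"]

if __name__ == "__main__":
    for s in SAMPLES:
        print("{!r:16} denylist_ok={} allowlist={}".format(
            s, denylist_ok(s), validate_name(s)))
```

The fullwidth sample passes the denylist because the check runs on the raw string; normalizing first is what lets the allowlist catch it.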

Abuse presented no danger

On the other hand, NASA has enough brilliant minds to check, double check and triple check that there is nothing to jeopardize a mission.

In this case, all the name data was placed on the chip using e-beam lithography, a process that required converting the info into a different format.

Moreover, the chip itself was not connected to any computer system, so even if there was the slightest chance of an attack, it could not have received any commands. Not to mention that communication with a spacecraft is carried out through special channels.

A spokesperson for the agency replied to our request for comments via email and confirmed that there was no risk resulting from the abuse on the boarding pass registration system.

“There is no issue with the chip. All entries were exported and reviewed by a team of people. Approved names were then converted into a form for putting on the chip through e-beam lithography - not only is there no issue of corrupting the chip, but there is no computer-based or other use of the chip so there is no risk in any case. The Orion spacecraft performed flawlessly during its flight test and is safely back on Earth after traveling farther than any spacecraft designed for humans has traveled in space in more than 40 years,” the NASA spokesperson said.
