A report on attitudes to information security a long time ago in a galaxy far, far away, as exemplified in Star Wars: Episode IX.
The long-awaited Star Wars: The Rise of Skywalker has finally hit the big screen. Not everyone has seen it yet, so we will not give away any spoilers or discuss the Death Star–size holes in the plot, or even the film’s artistic merits and demerits. We are interested in Episode IX solely from the standpoint of information security. So this post will cover cybersecurity-related moments in the movie, and see how well (or otherwise) the characters acted.
Data transfer from ship to ship
In the Star Wars universe, data transfer is a bit of a muddle. Some information can be transmitted quickly across vast distances, other types only on physical media. Regrettably, we do not have a clear understanding of how communication works in the galaxy, or how reliable the data transfer protocols are. But the Resistance infosec team probably does. And it is clearly not keen on wireless methods.
When at one point Resistance pilots have to transmit secret data from one ship to another, they act as follows:
- The ships hover one above the other;
- The hatches open;
- A cable is passed through the hatches;
- R2D2 downloads information through the cable.
In essence, it’s a null modem connection from the 1980s. Convenient? Nope. Safe? Definitely. The chances of the transferred data being intercepted are minimal.
10 points to the Resistance for cyberawareness!
Star Wars: The Rise of Skywalker goes into a bit more detail than the other episodes when it comes to showing how droids access information (at least for C3PO). It goes like this: C3PO sees a blade with inscriptions in the ancient language of the Sith. Being a professional translator, the droid decrypts the inscriptions — but cannot share the results. The operating system hinders that action — specifically, a pre-Imperial directive in the OS prohibits the Sith language.
To gain access to the information, the operating system must be disabled. The problem is that disabling the OS returns the system to its default settings — that is, the droid loses all the information accumulated over its long existence. Basically, its “personality” is wiped. The hacker connects a third-party system with no restrictions on the Sith language and easily translates the prohibited data records. C3PO then reboots, but with no knowledge of the uprising or the Empire. The droid does not even recognize its comrades.
I must say, the data protection method chosen by the OS creators is far from ideal (yes, I know that Anakin Skywalker assembled the droid, but the OS was clearly off-the-shelf). In modern systems, the strong encryption used in such cases prevents access to data when booting from an external OS (for example, from a USB flash drive). In other words, the creators of this system used too light an encryption algorithm, or none at all.
That would seem to be an obvious problem in terms of cybersecurity. Not this time. The system was written by no one knows who, and in the days of the Republic at that. But before the flight, R2D2 had the gumption to make a backup copy of all of C3PO’s memory — identity included — and without the latter’s knowledge. The way we see it, you can never have too many backups. So, 10 more points to the Resistance.