A brief time ago in a theater close, close by … I saw a group of heroic rebel hackers infiltrate a protected perimeter to steal dangerous intellectual property from the digital archives of an evil government bent on total domination. Who knew I’d be cheering for the hackers for once!

I think that mixing information security (infosec) with pop culture makes learning about security more interesting. If you’re a geeky Star Wars fan like me, you’ll probably enjoy the three other articles I already did on what these renowned space operas can teach you about infosec. With Rogue One out, it’s time to dust off our mental lightsabers and see what security tips we can learn from the latest movie.

Before getting started, I want to say that usually the rebel hackers breaking into our organizations are bad guys, but in this universe, the rebel hackers are the good guys because the Empire deserves to get overthrown. Since the good guys in this movie use techniques that look more like black hat hacking, my tips will be in the perspective of supporting the Empire. That said, know that in the Star Wars universe, I’d be a rebel through and through.

Finally, a quick spoiler warning. I will be using specific scenes from Rogue One to illustrate my points. If you haven’t watched the movie, come back to this article later.

Anyway, drop your helmet’s blast shield, and get ready to practice some Jedi-level infosec.

Hacking the Internet of Droids

Every rebel spy or saboteur needs a trusty droid sidekick to help them out of a pinch, and it sure doesn’t hurt if that sidekick happens to be an Imperial droid.

In Rogue One, we learn that Cassian Andor, a Rebel intelligence officer, reprogrammed (hacked) an Imperial droid named K-2SO to become his personal assistant and confidant. This Eeyore-like droid is one of my favorite rebel characters, despite the fact that he’s essentially a hijacked Imperial goon. Like any robot with a network connection, K-2SO is the Star Wars universe’s version of an “Internet of Things” (IoT) device. By reprogramming K-2SO, Cassian turned the Empire’s own tool against it, using K-2SO to help infiltrate Imperial strongholds.

Unfortunately, hackers can do the same thing to our IoT devices. Many of the devices we buy today have wired and wireless Internet connections. Your IoT devices may not look like traditional computers, but they suffer from all the same flaws, plus a few extra ones, like factory-default passwords that nobody ever changes. Hackers find vulnerabilities (or simply those default logins) that allow them to “root” a device and take control of it. Once they load their own malicious code onto it, your digital property becomes a newly reprogrammed droid, ready to do a hacker’s bidding.

A good real-world example of IoT reprogramming was the Mirai botnet. Its operators scanned the Internet for exposed IoT devices (mostly IP cameras, DVRs and home routers), logged in over telnet with a short list of factory-default usernames and passwords, and essentially reprogrammed those devices into nodes of an evil botnet, much like how Cassian reprogrammed his Imperial droid to become a rebel.

To avoid rebel IoT hackers, you need to protect your IoT devices. IoT defense is a multi-faceted subject, but three high-level tips include changing every default credential, keeping your firmware up-to-date, and firewalling your IoT devices. If the Empire made sure their droids didn’t suffer from software flaws or ship with a well-known master password, rebel supporters would have trouble finding holes that might allow reprogramming. If they kept their droids behind gates, under lock and key, Cassian may never have gotten his hands on K-2SO to reprogram him in the first place. If you want to keep your business empire or home kingdom intact, change the default passwords, patch your IoT firmware, and put your devices behind a firewall that lets them talk out only to what they need (an update server, say) and never lets the Internet talk in to them.

Every business planet needs a global ‘shield gate’

Late in the movie, the rebel hackers embark on a mission to steal the Death Star plans from a digital archive located on an Empire controlled planet called Scarif. Unfortunately for them, Scarif is protected by a global “shield gate” that generates a force field around the entire planet.

This shield gate presents a major obstacle for anyone trying to get on or off the planet. By offering only one entry point, and scanning anything that goes through, the Empire has full control of who and what they allow onto their planet. This protection isn’t just one-way either. The gate also restricts communications leaving the planet, which makes it much harder for data thieves to steal the Empire’s intellectual property (IP).

Does this shield gate concept sound familiar? It’s very much like a firewall, one of the most basic network defenses.

A firewall can filter both the incoming (ingress) and outgoing (egress) traffic at your organization’s perimeter. Keep in mind that it’s just as important to limit your users’ outgoing traffic as it is to block the wrong incoming connections: malware calling home to its command-and-control server and thieves exfiltrating your data both depend on outbound connections, so allow only the outbound services you actually need and deny the rest by default. Furthermore, if you own a more modern firewall, like a unified threat management (UTM) appliance or next-generation firewall (NGFW), you can deeply inspect the traffic passing through your “shield gate” to make sure it doesn’t contain anything malicious (with the caveat that encrypted traffic can only be inspected if the firewall is set up to decrypt it).

Though no shield gate or firewall is impenetrable, you can’t deny that they impose a very effective defense against most invaders.

Keep internal blast doors for when your shield gates go down

Even though shield gates pose a daunting defense, the rebel hackers sneak past the gate in the movie using simple identity tricks. Later, the Rebel fleet even takes down the shield gate with a brute force attack (two Star Destroyers, one rammed into the other, should do the trick).

In the same way the Rebels took out Scarif’s defenses, sophisticated hackers might find ways through your network firewall too. That’s why smart infosec professionals have local defenses as well. One of the simplest things you can do to protect your internal network is “segmentation.” Why only place that shield gate or firewall at your perimeter? Why not separate the different internal parts of your network with firewalls as well?

In the movie, once Jyn and Cassian snuck past the shield gate, they could easily access the rest of the Empire’s facility. If Scarif had set up a few other internal perimeters, it would have been much harder for the Rebel duo to reach the data center. Segment your internal network (user workstations, servers and IoT devices each in their own zone, with only the specific connections each zone needs allowed between them), and use authentication to harden your interior as much as your exterior. As Star Wars infosec professionals say, “You don’t want a Tauntaun network, with a tough and protective skin, but a soft and gooey center.”
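To make the last three tips concrete (firewalling IoT devices, filtering both ingress and egress at the perimeter, and adding internal blast doors between zones), here is an added example in Go, written for this article and not code from any firewall product or from the original post. It models a zone-based, default-deny policy as a simple first-match allow list; the zone names, address ranges and port numbers are constructed for the example. The same ideas translate directly into real firewall rules; the point is to see how a reverse shell, a telnet scan against an IoT camera and a compromised droid probing the data center all fall through to the default deny while legitimate flows still match.

```go
package main

import (
	"fmt"
	"net"
)

// A Rule allows new connections from one zone to another.
// Proto is "tcp", "udp" or "any"; DstPort 0 matches any port.
type Rule struct {
	Name     string
	FromZone string
	ToZone   string
	Proto    string
	DstPort  int
}

// Zones are the "planets" behind each shield gate. The address ranges are
// constructed RFC 1918 blocks for the example; anything outside them is "internet".
var zones = map[string]*net.IPNet{
	"users":      mustCIDR("10.10.0.0/16"),
	"iot":        mustCIDR("10.20.0.0/16"),
	"datacenter": mustCIDR("10.30.0.0/16"),
}

func mustCIDR(s string) *net.IPNet {
	_, n, err := net.ParseCIDR(s)
	if err != nil {
		panic(err)
	}
	return n
}

// policy is consulted top to bottom, first match wins, and a flow that matches
// nothing is dropped: default deny in every direction, including egress.
var policy = []Rule{
	// Perimeter, ingress: the Internet may reach only the public web tier.
	{"public-web", "internet", "datacenter", "tcp", 443},
	// Perimeter, egress: workstations get web and nothing else outbound, so a
	// reverse shell on 4444 or SMB to the Internet never leaves the gate.
	{"users-https", "users", "internet", "tcp", 443},
	{"users-http", "users", "internet", "tcp", 80},
	// Internal blast doors: users reach the archive only on its service ports.
	{"users-dns", "users", "datacenter", "udp", 53},
	{"users-archive", "users", "datacenter", "tcp", 8443},
	// IoT droids may fetch firmware updates but never start a connection to
	// users or the datacenter, and nothing from the Internet reaches them.
	{"iot-updates", "iot", "internet", "tcp", 443},
}

func zoneOf(ip net.IP) string {
	for name, n := range zones {
		if n.Contains(ip) {
			return name
		}
	}
	return "internet"
}

// Evaluate reports whether a new connection is permitted and which rule decided it.
func Evaluate(srcIP, dstIP net.IP, proto string, dstPort int) (bool, string) {
	src, dst := zoneOf(srcIP), zoneOf(dstIP)
	for _, r := range policy {
		if r.FromZone != src || r.ToZone != dst {
			continue
		}
		if r.Proto != "any" && r.Proto != proto {
			continue
		}
		if r.DstPort != 0 && r.DstPort != dstPort {
			continue
		}
		return true, r.Name
	}
	return false, "default-deny"
}

// Check is Evaluate for textual addresses.
func Check(src, dst, proto string, dstPort int) (bool, string) {
	s, d := net.ParseIP(src), net.ParseIP(dst)
	if s == nil || d == nil {
		return false, "bad-address"
	}
	return Evaluate(s, d, proto, dstPort)
}

func main() {
	flows := []struct {
		desc, src, dst, proto string
		port                  int
	}{
		{"Mirai-style telnet scan hitting an IoT camera", "203.0.113.7", "10.20.0.5", "tcp", 23},
		{"infected workstation calling home on 4444", "10.10.4.2", "203.0.113.9", "tcp", 4444},
		{"workstation reaching the archive application", "10.10.4.2", "10.30.1.10", "tcp", 8443},
		{"compromised droid probing the datacenter", "10.20.0.5", "10.30.1.10", "tcp", 8443},
		{"customer browsing the public site", "203.0.113.7", "10.30.1.10", "tcp", 443},
	}
	for _, f := range flows {
		ok, rule := Check(f.src, f.dst, f.proto, f.port)
		fmt.Printf("%-48s allowed=%-5v (%s)\n", f.desc, ok, rule)
	}
}
```

Ordering matters: the list is consulted top to bottom and the first match wins, so a broad rule placed early would quietly shadow a narrower one below it. Audit your real rule base the same way, and make sure the last rule is still “deny everything”.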

Leverage multifactor authentication to keep Rebels out

Many times during the movie, the Rebel hackers were able to slip by Empire defenses simply by spoofing or masquerading as Imperials. Cassian blended in with Imperial soldiers by traveling with an Imperial droid; Rogue One slipped by the Scarif shield gate in a stolen Imperial ship, using its clearance codes; Jyn and Cassian moved around the Scarif base wearing Imperial uniforms. Without these disguises, the Imperial troops would have caught them much more quickly.

Today’s hackers use this sort of masquerading and spoofing to sneak past our defenses too. They can steal our users’ credentials, they can fake communications that seem to come from our friends, and they can even spoof connections so they appear to come from places we trust.

The best defense against these sorts of tricks is strong, multifactor authentication. Don’t let a uniform alone convince you that a Rebel is your friend. A uniform (or a password) is a single factor, something the bearer has or knows, and a single factor can be stolen. If the Empire had also implemented two-factor authentication, requiring uniformed officers to pass a checkpoint where they had to supply an additional one-time code or a biometric, Krennic may have caught the Rogue One Rebels before they even got close to his data.

Use two-factor authentication on your network to help catch even the trickiest, credential-stealing hackers. A stolen password is worthless to an attacker who doesn’t also hold the second factor.

Archiving all communications on Scarif is evil

Ok, this next one isn’t a tip, but more my own personal infosec commentary.

When arriving at Scarif, Director Krennic asks for “every dispatch, every transmission” from Galen Erso, which leads us to believe that the Empire monitors and stores all communications from its officers and citizens. This type of thing is bad news for democracy, privacy, and freedom, and you can see how corrupt, dictator-like figures such as Krennic, Vader, and the Emperor might abuse it.

Unfortunately, real-world governments also want to do this, or at least store all the metadata related to our communications. In fact, the NSA famously built its Utah Data Center to store enormous volumes of this sort of data. While our governments and intelligence agencies claim they can use all this information for good, the problem is that it puts too much power in the hands of a small group. Were an Empire-level dictator to take over, who knows how they might abuse that data. If you care about freedom and privacy, you should fight against any government monitoring and storing all its citizens’ communications.

Force-choke anyone who doesn’t encrypt your Death Star plans

In the end, the Rebel hackers evade all the Empire’s defenses, find and access the “Stardust” drive, and exfiltrate its sensitive contents to unauthorized users. Yet there was one thing that could still have saved Darth Vader and the Empire… encryption!

If you store sensitive data, for Jedi’s sake, encrypt it! If the Death Star plans had at least been encrypted, the Rebels wouldn’t have learned anything from them, even after physically pulling them out of the archive. One caveat: encryption only helps if the key isn’t sitting next to the data. The Rebels stole a drive, not a logged-in session, so encrypting the archive at rest with keys held elsewhere would have left them holding unreadable ciphertext. If I were Vader, I’d force choke the idiot who stored those plans, and all the other data on Scarif, in clear text.

Simple tip: encrypt any data you care about keeping confidential, and store the keys separately from the data.
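To show what “encrypt it” buys you when the drive itself walks out the door, here is an added Go example, written for this article and not code from the original post or from any archive product. It seals a record with AES-256-GCM under a key that is meant to live somewhere other than the drive, then shows that a thief with the ciphertext but the wrong key gets an error rather than the plans, and that any tampering is detected. The record contents and the “stardust” label are constructed for the example; Seal and Open are hypothetical helper names.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
)

// NewKey returns a fresh 256-bit AES key. In a real archive this lives in a
// key management service or HSM, never on the same drive as the data.
func NewKey() []byte {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	return key
}

// Seal encrypts plaintext with AES-256-GCM and returns nonce || ciphertext || tag.
// label is bound as associated data, so a record sealed as "stardust" can't be
// silently relabelled or swapped into another slot in the archive. The nonce is
// random, which is fine for up to roughly 2^32 records per key; rotate beyond that.
func Seal(key, plaintext, label []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, label), nil
}

// Open reverses Seal. Any change to the nonce, ciphertext, tag or label makes
// GCM's authentication check fail, so a thief can't even tamper undetected.
func Open(key, blob, label []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ciphertext := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ciphertext, label)
}

func main() {
	// Constructed sample record standing in for the Death Star plans.
	plans := []byte("Death Star: reactor reachable via the thermal exhaust port")
	archiveKey := NewKey() // held by the Empire's key service, not in the tower

	blob, err := Seal(archiveKey, plans, []byte("stardust"))
	if err != nil {
		panic(err)
	}
	fmt.Println("what the Rebels walk out with:", hex.EncodeToString(blob))

	// The thief has the drive but not the key: decryption fails cleanly.
	if _, err := Open(NewKey(), blob, []byte("stardust")); err != nil {
		fmt.Println("rebel decrypt attempt:", err)
	}
	// The legitimate archive, holding the key, still reads it fine.
	got, _ := Open(archiveKey, blob, []byte("stardust"))
	fmt.Println("Imperial archive reads:", string(got))
}
```

The design choice that matters here is the separation: the data sits on the drive, the key sits with the key service, and only an authorized, authenticated reader ever brings the two together. Full-disk encryption with the key stored on the same device protects you against a lost laptop, not against an attacker who can boot it.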

May the Infosec force be with you

Rogue One was a fantastic and unexpected addition to the Star Wars franchise that really ties the old and new installments together. But to me, it’s more. If you look at it with the right lens, it’s a fun and informative way to think about information security. Hopefully, this approach made you think about your own network and computer defenses differently. As Rebel supporters, we should all learn from the Empire’s mistakes, so they can’t use our own tricks against us.