The cybersecurity of Star Wars: The Rise of Skywalker

A report on attitudes to information security a long time ago in a galaxy far, far away, as exemplified in Star Wars: Episode IX.

The long-awaited Star Wars: The Rise of Skywalker has finally hit the big screen. Not everyone has seen it yet, so we will not give away any spoilers or discuss the Death Star–size holes in the plot, or even the film’s artistic merits and demerits. We are interested in Episode IX solely from the standpoint of information security. So this post will cover cybersecurity-related moments in the movie, and see how well (or otherwise) the characters acted.

Data transfer from ship to ship

In the Star Wars universe, data transfer is a bit of a muddle. Some information can be transmitted quickly across vast distances, other types only on physical media. Regrettably, we do not have a clear understanding of how communication works in the galaxy, or how reliable the data transfer protocols are. But the Resistance infosec team probably does. And it is clearly not keen on wireless methods.

When at one point Resistance pilots have to transmit secret data from one ship to another, they act as follows:

  • The ships hover one above the other;
  • The hatches open;
  • A cable is passed through the hatches;
  • R2D2 downloads information through the cable.

In essence, it’s a null modem connection from the 1980s. Convenient? Nope. Safe? Definitely. The chances of the transferred data being intercepted are minimal.

10 points to the Resistance for cyberawareness!

Droid memory

Star Wars: The Rise of Skywalker goes into a bit more detail than the other episodes when it comes to showing how droids access information (at least for C3PO). It goes like this: C3PO sees a blade with inscriptions in the ancient language of the Sith. Being a professional translator, the droid decrypts the inscriptions — but cannot share the results. The operating system hinders that action — specifically, a pre-Imperial directive in the OS prohibits the Sith language.

To gain access to the information, the operating system must be disabled. The problem is that disabling the OS returns the system to its default settings — that is, the droid loses all the information accumulated over its long existence. Basically, its “personality” is wiped. The hacker connects a third-party system with no restrictions on the Sith language and easily translates the prohibited data records. C3PO then reboots, but with no knowledge of the uprising or the Empire. The droid does not even recognize its comrades.

I must say, the data protection method chosen by the OS creators is far from ideal (yes, I know that Anakin Skywalker assembled the droid, but the OS was clearly off-the-shelf). In modern systems, the strong encryption used in such cases prevents access to data when booting from an external OS (for example, from a USB flash drive). In other words, the creators of this system used too weak an encryption algorithm, or none at all.

That would seem to be an obvious problem in terms of cybersecurity. Not this time. The system was written by no one knows who, and in the days of the Republic at that. But before the flight, R2D2 had the gumption to make a backup copy of all of C3PO’s memory — identity included — and without the latter’s knowledge. The way we see it, you can never have too many backups. So, 10 more points to the Resistance.

First Order universal pass

So as not to spoil The Rise of Skywalker, let’s just say that at some point, the protagonists are presented with a device that basically turns out to be a universal authenticator for First Order ship captains. Armed with such a device, your ship will automatically be identified by First Order forces as one of their own.

The heroes use it to land some kind of rust bucket aboard Kylo Ren’s flagship. But why was such a security-lax device made in the first place? Why did its creators not foresee the possibility of it being lost or stolen? Why didn’t they implement two-factor authentication?

That’s 10 points deducted from the Imperial Remnant.

The Rise of Skywalker also contends with the murky business of Sith artifacts and charades that enable the location of an uncharted planet. But we shall not consider this; it’s way beyond the realm of modern information security.

So, to sum up, it seems that the good guys scored 20 points, while the bad guys are left trailing with minus 10. It’s no wonder evil never triumphs in Hollywood.
