Star Wars: The Last Jedi – the security review

Last week I went to “go see a Star War,” and the Naked Security team asked me to write about it…

Trekkie though I am, I’ll try to put my franchise allegiance to one side for this piece and take an objective look at the security angles in Star Wars: The Last Jedi. And yes, there actually is something to discuss here. It’s all at a very generalized level of course – I don’t think we’ll ever see the day when we’ll watch Kylo Ren loading up Kali Linux – so take this with many grains of salt.

Akin to my Mr. Robot reviews, I’m not going to review the whole movie, just the security bits (you’re on NakedSecurity, after all) – and yes, there will be spoilers!




Opening scene red teaming (just never mind how it ends)

When I sat down to watch this movie, I wasn’t sure if there’d be anything for me to write about. Security? In Star Wars? Finding an apparently-put-there-on-purpose vulnerability in the giant Death Star and exploiting it with lasers, okay sure. But that’s been done… a long time ago in a galaxy far far away. (Sorry.) Thankfully the very first scene of The Last Jedi is, in a weird way, such a great advertisement for red teaming that I fully expect to see it included in future job descriptions. Never mind that it has sad, catastrophic consequences! That’s a big thing to disregard, I know, but bear with me.

We have Poe, being a hotshot, distracting the First Order by being as conspicuous as possible while trying to do something much more underhanded. Reminiscent of every VoiP conference call ever, the communication line cuts out and nobody knows what anyone’s actually saying. What’s the harm, right? He’s just one guy after all. Of course, the bad guys eventually realize they’ve been had and that they should have shot Poe down five minutes ago. Hijinks and plot developments ensue.

This whole scene reminded me so much of the war stories I’ve heard exchanged by pen testers over the years. These are red team professionals that are hired by companies to expose their weaknesses, and we’re not just talking software. They use a vast arsenal of social engineering methods to gain entry into offices or get employees to compromise their company’s security, sometimes by pretending to be someone they’re not, sometimes by creating confusion and taking advantage of the chaos. Usually by the time a pen tester is discovered, they’ve already got the information or hit the target they needed to complete their engagement.

Of course, the massive difference between what we see in the movie’s opening scene and what pen testers do professionally is that pen testers are hired by the organization they’re infiltrating so the company can find out where their weaknesses are and work to address them. The First Order did not hire Poe… as far as we know anyway – now that would be a massive plot twist. But from the outside looking in, when a pen tester is trying to infiltrate their target and not trying to be particularly subtle about it, the interaction might look just a little bit like this scene.

Infosec didn’t invent this kind of thing of course; subterfuge has been going on as long as there have been spies and soldiers, which is to say, since forever. Never mind that the end result of this particular “engagement” is disastrous for the Resistance, and not so great for Poe either really – but you can’t win them all. Still, taken out of context, if I was looking for a quick and easy allegory to show what it looks like when a pen tester is at work, this wouldn’t be a terrible clip to call on.

DJ, the Greyhat

At one point in the film, there’s a whole side plot introduced about the need to crack the encryption of something-or-other, requiring the services of one master codebreaker named DJ. The encryption of the something-or-other doesn’t really matter here (arguably it’s a completely unnecessary plotline anyway), but DJ is worth a mention.

Firstly, let’s take a look at how codebreaker DJ is introduced. We find out he likes to gamble at casinos, and can be frequently found in, and I quote here: “A terrible place filled with the worst people in the galaxy.” Basically, it’s space-Vegas. If they had shown DJ at a hacker conference and not merely in a casino, I’d be writing about Defcon Star Wars. (Rose nailed it when she said “I wish I could put my fist through this whole lousy beautiful town,” I think she speaks for many of us who make the trek to Vegas every year for “hacker summer camp.”)

As we get to know DJ through his actions, we see that he’s amazingly resourceful – of course he knows how to lockpick! – and he knows how to use seemingly innocent things for unusual purposes, like using Rose’s pendant as a conductor.

Like any good hacker, he has a considerable skillset that can be used for good or evil, and DJ has no qualms about working for either “side” depending on who’s paying. In modern parlance, you could call DJ a greyhat: He’s up for working with “good guys,” but in the end his motivation is cash and not some moral high ground. (This does become a bit of a semantic argument about how you define blackhat hacking: You could certainly argue that if you’re not explicitly working for “good,” there’s no grey there and you’re a blackhat. But only siths deal in absolutes, right?)

When DJ, Rose and Finn get caught by the First Order, DJ doesn’t hesitate to cut a deal in return for clemency – not unlike criminal hackers who get caught by law enforcement and then make a career out of educating the feds. This phenomenon happens enough in the computer security world that there are even memes about it:

I’m just glad we didn’t see DJ in a black hoodie, otherwise I’d be getting Mr. Robot flashbacks mixed up in my Star Wars and I’m a confused enough Trekkie as it is.

One of the best lines in the movie, predictably, came from Yoda: “The greatest teacher, failure is.” I’ll be damned if I don’t see that on a slide deck at a conference within the next year.

What did you think? Did The Last Jedi live up to the hype for you? And are there any other security angles I may have missed? Let me know in the comments below.