The Mandalorian in terms of information security

The Empire is defeated (not quite). Power lies in the hands of the New Republic (also not quite). As a result, the galaxy has finally come to resemble a cyberpunk, gun-slinging Western. Here’s how things stand with information security in these troubled times.

Privacy

First, a few words about privacy. Actually, just three: There ain’t any. Bounty hunters are now given a device known as a tracking fob to hunt down their quarries. Although it doesn’t seem to work in outer space, on a planet it clearly shows the direction to the target. The technology behind this device is unknown.

Is a beacon implanted in the target? That explanation seems reasonable when escaped criminals are being tracked. But the bounty hunters’ guild doesn’t limit itself to known criminals. Also, who could have implanted a beacon in a baby of Yoda’s race, and when? And why did no one come up with the idea to remove or at least jam the beacons? And if it’s not a beacon, how does the tracking device home in on the target? Using some kind of biological signature? Whatever the case, if someone can create a fob to track any living creature, there can be no talk of any privacy.

In case you still have any doubts that privacy is dead, consider the optical sight on the Mandalorian’s rifle, which enables him to see infrared radiation through walls and even eavesdrop on conversations occurring in people’s homes (albeit with interference).

Razor Crest

Din Djarin, simply referred to as the Mandalorian most of the time, travels on a fairly old Imperial patrol gunship called the Razor Crest. Some of the security problems aboard the ship are visible even to the naked eye.

First, the gun cabinet uses an electronic lock, but any passerby can open it. On at least two occasions, characters you wouldn’t associate with hotshot hacking or cracking skills opened it simply by poking a few buttons. It looks as though they used the “old intercom” method of identifying which buttons are visibly worn to help them brute force the password. That also means the password was weak and probably hadn’t been changed for years.
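To put a number on why visibly worn buttons make such a lock weak, here is an added example (not part of the original article) that counts how many codes remain once the worn buttons are known. The 10-button keypad and 4-press code are assumptions; the series shows neither.

```python
from math import comb


def full_keyspace(keypad_size: int, code_length: int) -> int:
    """Number of codes an attacker faces with no wear information."""
    return keypad_size ** code_length


def codes_using_exactly(worn: int, code_length: int) -> int:
    """Codes of the given length that press every worn button at least
    once and no other button (inclusion-exclusion over unused buttons)."""
    if worn < 1 or worn > code_length:
        return 0
    return sum(
        (-1) ** i * comb(worn, i) * (worn - i) ** code_length
        for i in range(worn + 1)
    )


def reduction_table(keypad_size: int, code_length: int):
    """Rows of (worn buttons, remaining candidates, shrink factor)."""
    total = full_keyspace(keypad_size, code_length)
    rows = []
    for worn in range(1, code_length + 1):
        remaining = codes_using_exactly(worn, code_length)
        rows.append((worn, remaining, total // remaining))
    return rows


if __name__ == "__main__":
    # Assumed lock: 10 buttons, 4-press code (hypothetical values).
    keypad, length = 10, 4
    print(f"no wear information: {full_keyspace(keypad, length)} codes")
    for worn, remaining, factor in reduction_table(keypad, length):
        print(f"{worn} worn button(s): {remaining} candidates "
              f"(about {factor}x smaller)")
```

Under these assumptions, a code that has never been changed leaves at most 36 candidates out of 10,000, which is why a lock like this needs both code rotation and a limit on failed attempts.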

Not only that, the on-board computer stores records of holographic messages, and without any special protection to speak of. The droid Zero stumbles upon one of them during a cursory analysis of the ship’s systems, and accesses it without any apparent hacking efforts.

Naturally, both the gun cabinet and the communications system are on board. Their low level of protection might have been offset by the super-security of the ship itself. But no, the Mandalorian is forever leaving the ship unlocked and returning to find an ambush inside. In other words, anyone in theory can access the weapons and data logs.

IG-11

The assassin droid IG-11, which also works as a bounty hunter, is equipped with an interesting protection technology: a self-destruct mechanism. When faced with danger, it declares: “Manufacturer’s protocol dictates I cannot be captured. I must self-destruct,” after which a countdown begins.

Seems like a great feature, but it doesn’t work. If the manufacturer considered it necessary, it would have been more logical to separate it from the operating system. After all, to capture the droid, all you have to do is damage its electronic brain (which is basically what happens: The Mandalorian shoots IG-11 in the head and it simply shuts down, after which Kuiil reprograms it). That is, the self-destruct mechanism was a good idea, but its implementation was downright poor.

A separate question is how just anyone can be allowed to reprogram the droid. But IG-11 is not unique in this regard. We already determined that Star Wars droids, like other IoT devices, should be fitted with a secure operating system that cannot be modified in any way except by those designated by the developers.

The New Republic’s prison ship

In one episode, Din Djarin signs up to rescue a prisoner who is being transported aboard a prison ship. The plan is this: The Razor Crest performs a series of maneuvers to approach the vessel, jams some kind of warning code, masks its signal, and then docks, whereupon the team disembarks, locates the control room, finds out the cell number, breaks in, and frees the target.

Let’s suppose that some unique design features enable the Mandalorian’s old ship to sneak up on the rebel ship undetected. Let’s suppose that Zero knows how to jam and mask the signal so that the prison ship’s systems do not detect the docking of a foreign object. Let’s suppose that he really is able to penetrate the security system (although the very idea of externally connecting to it seems insane). And let’s suppose that, as a result, the security system does not raise the alarm when the external hatch is breached, and that when the alarm is finally raised because of a skirmish with security droids, Zero can direct the reinforcements to another part of the ship.

Assuming all that, why on Earth (or whatever nearby planet) is there a lock in the prison cell that can be opened from the inside? And why is it possible to do that using a security droid’s arm, without any electronic systems at all? And, above all, why does Din Djarin describe this flying madhouse as “max security transport”?! Heaven only knows what a low-security transport would be like.

This episode also features a rather dubious security device in the form of a homing beacon, which summons a patrol unit of Republic starfighters. Okay, so that’ll get them there. Then what? The enemy is on board; are the Republic fighters going to blow up the ship along with all the prisoners? Or will three pilots dock and take the fight inside? At least the device seems to be working.

Other minor details in the series are also a disaster from an information security perspective. For example, in the final episode, the Mandalorian (supposedly an experienced warrior and bounty hunter) communicates with Kuiil over an open channel; the stormtroopers listen in on it and then seize Kuiil. And don’t forget that Star Wars classic: electronic locks that open when fired at.

In short, a long time ago in a galaxy far, far away, cybersecurity was very, very bad.