The BBC reported yesterday that a computer virus has been found on a laptop in the International Space Station. Normally I wouldn’t think twice about such a headline; computer viruses are found everywhere, so it was only a matter of time before one would show up in space. No vital systems were infected, so it’s business as usual for the astronauts. 

What caught my eye in the article was not the fact that a laptop was infected, but that:

  1. The laptops on the ISS are apparently not running anti-virus software
  2. More importantly, the NASA has no idea how the virus got on board the ISS. That might be because:
  3. It seems that astronauts are allowed to bring USB sticks that are, apparently, not scanned for viruses.

For an organization that takes security so seriously, this is a remarkable oversight. You’d think they should have learnt some valuable lessons from the “NASA Hacker” episode, where the alleged hacker didn’t actually hack anything:

In an interview televised on the BBC’s Click programme, he claimed that he was able to get into the military’s networks simply by using a Perl script that searched for blank passwords; in other words his report suggests that there were computers on these networks with the default passwords active.

I wonder how well all that newly networked computer equipment on the ISS is protected, and how long it will take for a virus to get into a more important system.