What You’ll Learn in This Episode:

• Intro to the Galaxy's Worst InfoSec Practices:Imagine being chased at hyperspeed because you stole planet-killing weapon blueprints. Oh, and you stored them on a droid with zero encryption.

• Cyber Flaw #1 – Poor Data Handling:The Empire literally stored Death Star blueprints on a physical disk. No encryption. No protection. No excuses.

• Cyber Flaw #2 – Insecure Endpoints (Hello, R2-D2):R2-D2 accepts unverified external data and walks around with it like a clueless USB stick. No MFA, no hardware encryption.

• Cyber Flaw #3 – Lack of Asset Tracking:Droids (aka walking computers) get picked up and resold by desert junk traders. There’s no inventory tracking. Asset management? What asset management?

• Cyber Flaw #4 – Zero Trust Doesn't Exist:Obi-Wan gives Luke full access to Jedi secrets based on one desert rescue. It’s like giving admin rights after one Zoom call.

• Cyber Flaw #5 – No Flight Plan Logging:The Millennium Falcon flies blind, and the galaxy has no idea Alderaan got vaporized until someone physically shows up.

• Cyber Flaw #6 – Lack of Infrastructure Monitoring:Entire planets disappear and nobody’s monitoring critical infrastructure. Think of it as your server room going up in smoke—without an alert.

• Cyber Flaw #7 – Social Engineering Bypass:Han and Luke fake Stormtrooper identities. Classic pretexting attack. No badge, no biometric, no problem.

• Cyber Flaw #8 – Unpatched Backdoors:R2-D2 hacks a trash compactor because, apparently, no one updates their systems or closes legacy access points.

• Cyber Flaw #9 – No Threat Detection:The Falcon gets beaconed by the Empire. No IDS, no malware detection. APTs love this kind of vulnerability.

• Cyber Flaw #10 – Reckless Network Access:R2-D2, fresh off the enemy’s system, gets plugged directly into the Rebel network. USB security training clearly skipped that droid.

• Cyber Flaw #11 – No Insider Threat Monitoring:Han Solo hears sensitive Rebel plans and just walks off. No background checks, no DLP, no exit interviews.

• Cyber Flaw #12 – Single Point of Failure:One unprotected thermal exhaust port takes down the Death Star. No redundancy. No mitigation. Just boom.

Why It Matters:This episode is a masterclass in applying cybersecurity principles to pop culture. Whether you're a Star Wars diehard or a cyber rookie, you'll come away understanding how easily fictional galactic empires—and real-world enterprises—can fall due to poor security posture.

Listener Call to Action:Like what you heard? Support CyberSpeak Labs by subscribing, rating, and leaving a comment. All show notes (with the full list of findings) are available for free on the CyberSpeak Labs website. Stay curious, stay secure.

Imagine, in your hands, you’re holding an artifact, in detail, can show you the design of a weapon that could literally destroy the planet you live on before you can even eat your lunch.  

What you have is important and you can’t let anyone you don’t trust have access to it.  

In fact, you’re being chased right now and you’re going through high-speed chases because you don’t know what is going to happen to you if you got caught. You just know you would rather risk the safety of your life than let anyone have these plans.  

But… you didn’t make these plans for this weapon… you stole them. Because you need them to protect your plant. The people that own this weapon, they are after you and they are hunting you down.  

Then your vehicle stops. The force throws you down. You’re stopped. You cannot go. You look out the window and realized you’re being pulled into the infamous Imperial Star Destroyer.  

A spaceship that is a mile long and holds over 37,000 crew members and passengers in addition to 60 turbolasers. Your high-speed chase isn’t on a highway but in a hyper-space lane, and you’re about to uncover the biggest vulnerability that saves planets and species.  

Hi and welcome cyber defenders. My name is Reanna Schultz and I’ll be your aid today as I guide you through different learning opportunities within CyberSpeak Labs. To help keep our lab growing and being able to provide educational content to you all, please make sure to like, subscribe, and comment on the podcast’s episodes. Your views and interactions with the show aids financial support towards providing education materials to you all.  

Nooooow without further adooo, you all voted on it, you asked for it, even one of my discord admins requested this… we are going to go over cybersecurity flaws in Star Wars. If celebrate May 4th… well enjoy the early celebration with this episode.  

I won’t keep you all waiting for this one… let’s enter the lab to collaborate and to learn! 

Okay, so Star Wars. Where to begin on this. If you’re a person who hasn’t watched Star Wars yet, no worries, I’m not judging. Some of the other viewers and listeners might, sooo I’m not responsible for the reactions and responses you get if you decide to disclose that in the comment section.  

Star Wars universe is huge. Even with Disney owning the rights to it… it’s huge. There are 11-live action movies, 1 animated movie, and 13 tv series which include both live-action and animated. In 2024, it was estimated that Star Wars has roughly made over $12 billion USD. This includes streaming, books, merchandise, and anything else I missed.  

In other words, Star Wars is a very successful franchise. I do apologize if anyone is a Star Trek fan… I’m not hating, but there is only so much time we have in the lab for one space themed episode this month. With that also being said, since there are SOOO many Star War episodes and movies to choose from, we will be sticking with the colt classic, Star Wars Episode 4 – A New Hope! Which.. fun fact if you aren’t an Edgelord with Star Wars, this movie was originally released in 1977 as Star Wars but was renamed in 1981 as Episode 4 – A New Hope when the next movie was released.  

As a quick disclaimer, if you have not watched Episode 4, there will be spoilers since… I’m talking about major scenes and plot points. Additionally, all show notes are available on the CyberSpeak Labs website. I do enjoy your feedback, so show notes will be free for all!  

Now… let’s begin. I will say, one of my favorites and is one of the iconic parts of Star Wars is the first 30 seconds to minute, the yellow text scrolling through the screen giving context or background to film you’re about to watch. Now, because I know there are some hardcore fans that are like, “well you should have technically started with Rogue 1 instead of Episode 4.” Calm down, we will have PLENTY of opportunities to do either filmography if you all wanted. I’m doing Episode 4, so deal with it.  

Now, PRINCESS LEIA is on a super tiny ship called Tantive 4. This isn’t a warship or designed to go into battle but is mostly used to travel for political events. Basically, this would be treated like a limo for a president or dictator… but basically more of space sedan.  

At this point and time, Princesses Leia and her crew have the empire’s plans for the well-crafted Death Star. A giant space weapon that can destroy planets in minutes. The empire at this point in the series has been getting the reputation for planetary takeover.  

So, in other words, the Empire had physical blueprints of one of the most chaotic weapons on a data disk. Where there is very much technology to .. Idk protect it somewhat better? Like there are literal lasers in this movie, but Princess Leia was like “bet” basically did a physical pentest to steal these plans then make a quick getaway. This is the equivalent if an entire company put all their employee’s information on a USB and didn’t lock it away. So, we will call this failure point number 1. If you’re curious, all the failure points are documented in the show notes on CyberSpeak Labs website. 

Now, Leia’s spaceship isn’t known to be … the fastest. It’s literally a diplomatic cruiser. Not going to lie, I would highly enjoy watching a bunch of limos race each other on a F1 or NASCAR track, but you get the gist her getaway wasn’t the speediest.  

Which means, eventually the empire did catch up to her and used their tractor beam to pull Rebel’s into the Star Destroyer. If you are like “what the heck is a tractor beam?” Think of it as a fishing rod for spaceships. If crossing paths into a tractor beam, spaceships will halt and can be pulled into the gravitation pull of the beam. Super helpful if your spaceship breaks down but extremely inconvenient for situations like the Rebel is in.   

Once the Rebel’s ship is in the Star Destroyer, there is a whole scene of explosions and lasers between the Empire’s Storm Troopers and the Rebels. Obviously, the Rebels are outnumbered and are dropping like flies. This is one of science fiction’s most iconic moment of Darth Vader emerging from smoke with his heavy breathing and cape flowing through... I guess space wind. However, this intense scene also paints a picture of the type of character Leia’s is. Leia is a forward thinker, meaning she is one to think ahead. Especially in high-stake scenarios like this. Leia goes to her droids, C3-PO; a humanoid robot, and R2-D2. A cute droid who has a small cylindrical body, stubby legs, and a domed head. When speaking, R2-D2 speaks in whistles and beeps. Which makes him a very comedic character throughout the Star Wars series.  

Leia inserts the Death Stars Data Disc into R2-D2, moments before being caught by the Empire. During the scenes of chaos, both R2-D2 and C3-PO leave the chaos by sneaking off into an escape pod, where they will be launched toward Tatooine. Which this scene leads us to cyber failure point number 2. R2-D2 is a literal walking computer that apparently will accept any time of external memory disk. Especially if R2-D2 is with the Rebel the entire time, the Empire could easily corrupt or steal the memory of R2-D2. There is no password verification or physical pin needed to retrieve or upload memory to the droid.  

Keep this in mind with what data is uploaded to R2-D2 because, once the two droids make it to Tatooine, they are walking through a giant desert. The two droids bicker like an old married couple, decide to split and take what they believe is their own path. Eventually the droids are picked up by Jawas and their Sandcrawlers. Jawas are basically scrap metal collectors that pick up wondering droids or other machines and put them in their Sandcrawlers where they are sold for what they consider a fair price. Imagine... R2-D2 is walking around with plans of mass destruction with no passkey, no pin, like literally no protection on his hardware, to be picked up by scrap collectors and is sold to a random entity on Tatooine. Since there is no protection on R2-D2's data, as stated in cyber flaw number 2, R2-D2 and C-3PO are sold to a person by the name of Uncle Owen, who lives with Aunt Beru and one of the main characters, Luke Skywalker.  

When bringing the Droids back to his homestead, Luke is cleaning the droids and accidentally plays a holographic recording that Leia left with R2-D2. The message is “help me Obi-wan Kenobi. You’re my only hope.” A pretty weird cryptic message for a person to find but again... are we surprised that Luke could access random messages left by renown political figure? No. We shouldn’t be because for some reason physical security does not exist in this universe. Then when Luke confronts R2-D2 about the message and asks who that was and R2-D2 is like... nope no idea what you are talking about and gaslights Luke.  

 Honestly, I love R2-D2 in this movie because I think he forgets he is not the main character, but he gives off Main character vibes. I say this because this is the THIRD TIME in this movie where R2-D2 goes off and tries to have his own side quest. First was to the escape pod, second is in the desert, and now a third time to go back into the desert to try to find obi-wan-Kenobi. Honestly, if there was a mobile device management policy in Star Wars, clearly R2-D2 doesn’t follow it because he has no concept of geo-fencing or notifying his owners as to where he is.  

Which honestly, for a droid with such ... I guess stubborn persistence... you would think there would be some form of tracking on an asset with such high visibility. Especially for a droid that worked closely with political officials such as Leia. Which leads us to the third finding in our space security audit. There is literally no asset inventory tracking. None, it’s basically the wild wild west except in space as to where all these walking memory sticks are and who owns them. In this universe it’s basically like, “oh there isn’t a creature with you so you are now my property.” it be no different than going to an Apple Store and just picking up phones and laptops and being like “yeah no this is mine now because nobody was walking with it.”   

Soooo anyways... we have Rogue2-D2 having their own main quest to find Obi-Wan-Kenobi. Luke and C3-PO notice the droid to be missing and go search for him in a Landspeeder. They eventually track Rogue2-D2 but get ambushed by Tusken Raiders. R2-D2 and C3-PO manage to escape but they knock Luke unconscious. With Luke not able to defend himself, the raiders ... well ... raid the landspeeder until a mysterious hooded figure appears and scars off the raiders.  

Luke gains consciousness and thanks the man who he calls Ben Kenobi. Luke then mentions to Ben about how R2-D2 is looking for his old owner named Obi-Wan-Kenobi, which Luke’s uncle had mention to no longer be alive. This is where Ben discloses to Luke that he is Obi-Wan-Kenobi. This eventually leads to everyone going to Obi-Wan-Kenobi's hut, where he gives Luke his father’s lightsaber. Then proceeds to disclose every confidential information about Jedi History, the order 66, and how to use the force. Annnnnnnnnnd this is where security flaw #4 comes in. Zero trust is not a thing in this universe. Imagine, you know this guy, who is basically a neighbor or a trust elderly in your community, he saves you from someone trying to bust into your car or house, then proceeds to give you this confession of how he is in a secret society, how he knows who your real parents are, then proceeds to tell you all the secrets of this society he is in which by telling you. So yeah, zero trust and in my opinion probably crosses the line of soooo many Jedi NDAs. Oh well Obi-Wan gives as many cares as Rogue2-D2 over there.  

Here, Obi-Wan invites Luke to be part of the mission to save Leia. Luke basically was like, “yeaaah appreciate the offer but I’m going to hit the dusty trail and go live my simple life back on the farm.” He leaves and does just that. However, instead of the simple life that Luke remembered and knew, he returned too... well... for content sensoring.. We will say he returned to a giant bbq and there was nothing left of so said bbq. This is because the Empire decided to pay a visit and have no boundaries with fire safety. This is an emotional trigger for Luke because his aunt and uncle were the only family he knew and trusted. Without much choice he decides to join Obi-Wan's mission.  

The next few scenes become some of the most iconic references in the Star Wars universe. There is Obi-Wan using Jedi mind tricks on Storm Troopers. Then there is the visit of the Cantina where Luke gets into a fight with an alien and Obi-wan just casually defuses the situation... by .. removing the dude’s arm with his lightsaber. Of course, there is also meeting Chewy and Hans Solo about passage to Alderaan. Then there is the whole scene of Hans with bounty hunters. The one takeaway from these scenes is that Disney softened Hans in all the newer movies and shows. Hans was one heck of a dude in the original movie series. After a few pew pews and cool action moments, the crew had rushed aboard the famous Millennium Falcon to head to Alderaan.... which they will soon realize and discover to have been destroyed by the Death Star.  

I have no aviation security background, but I recommend watching the episode of Defenders in Lab Coats with Lillian Baker if you do want to learn more of that ... yes I will put it in the description.. But I feel like there is a huge violation of no flight plans being tracked or recorded by the Millenium Falcon... and also the fact there is no real time update of .. idk.. An entire planet not existing? Again.. Could be me, but I feel as if that falls under the zero trust and lack of inventory findings. How can a spaceship plan an entire trip to a planet and then it just doesn’t exist. It is like if someone walked into a Data Center and just destroyed a server then nobody knowing it is offline until they physically went into the data center themselves to see the server gone.  We will call these findings #5 for lack of flight plans resulting to safety issues with space traffic control and #6 with no real-time infrastructure visibility and monitoring. 

Moving on with the review!  

Just like earlier in the movie, a tractor beam pulls the Millennium Falcon towards... dun dun duuuuuuun... the Death Star. Which at this point is no secret of the power it holds. The crew hide under the floorboards of the ship and wait until the Storm Troopers become neutralized with the ship and leave.  

To explore the Death Star and in hopes to find and rescue Princess Leia, Han and Luke Dressup as a stormtrooper and pretend to have Chewie as their prisoner. Honestly, this is one of the OLDEST tricks in a pentester’s playbook to get access to an organization. It’s like faking a company badge and pretending it doesn’t scan or to just show it and walk through the building to see how far they can get with their access. Soooo BOOM security finding number 7. Social Engineering and going undetected. Also, lucky for the crew. R2-D2 has the layout of the Death Star already uploaded into his system.. Because... again.. Nobody in this universe believes in encrypted drives.  

Hans and Obi-Wan split responsibilities to plan their escape. Hans bluffs his way into the detention area while Luke locates Leia’s cell to break her free. Obi-Wan leaves the group to find a way to disable the tractor beam. The group discovers Leia and their plan goes sideways as they accidentally fall into a trash compactor about to be squished.... just until at the last moment R2 and 3PO save them by hacking into the compactor... which let’s just go ahead and make that finding number 8. Unpatched open back door to a device. As the crew escape the trash compactor and are dealing with Storm Troopers, Obi-Wan reaches the tractor beam and disables it. Darth Vader crosses path with Obi-Wan.. Has an epic lightsaber duel.. But as the crew fights off the Stormtroopers and gets aboard the Millenium Falcon, Obi sacrifices himself by getting slashed by Darth Vader’s lightsaber. The Falcon escaped without Obi being aboard.  

As they fly into space, Leia mentions that the escape was too easy and fears they are being tracked. Which, she is not wrong because the empire slipped a beaconing device on the Falcon. Which brings us to finding number 9. The Falcon having no protection against an advance persistent threat, also known as an APT. There are no IDS in place to prevent intruders from breaking into the Falcon and setting up a beaconing back to a command-and-control center.  

Regardless, the Falcon flew the crew back to the not-so-hidden Rebel base now. Where they hooked R2-D2 onto the Rebel network to retrieve the Death Star plans. Which.. I am slapping finding number 10 here. I don’t know how many cyber awareness videos I watch where they tell you to not put a random USB into your corporate network. R2-D2 was LITERALLY in the Empire’s network to .. idk.. Hack a trash compactor? Probably not the cleanest network, let’s be real. Anyways, finding number 10. Bad security practices.  

Once the Rebels scanned the prints of the Death Star, they were able to find an entry point to destroy this weapon. Then right after they came up with a plan and how to execute it, Hans Solo basically said “cool story bro, I’m out of here.” Which honestly.. Nobody stopped him and nobody questioned him leaving. To me, red flags. So slapping finding number 11 of no insider threat program. Hans is a great guy (cough cough until Disney), but still.. We are talking about a secret operative plan and then someone goes “yeaaaahhhhh I have a conflict going on around that time but thanks for all the information. Oh by the way the Imperial ship is cool. Toodles.” So yeah, finding 11.  

Anyways, the Rebels go into battle to destroy the death star. The catch is, someone has to destroy the thermal exhaust port. Which FINE I know you all have been waiting for THIS ONE EXACT FINDING. Slap, there is finding number 12. A single-point-of-failure for an entire infrastructure that isn’t even protected in a different way compared to the rest of the Death Star. At this point, it is an epic space fighter scene and a lot of pew pews, where Luke’s wingman get hit and cannot protected him. Darth Vader is closing in on Luke and then BOOM Han Solo appears! He blasts all of Darth Vader’s escorts sending vader into space like a beyblade and says, “You’re all clear kid.”  

Using the force, luke exploited the weak part of the Darth Star and blows it up. 

At the end of the movie, Leia gives medals to Luke and Han. NOT CHEWIE which we all can be upset about. Now you might think “oh no more findings.” WRONG. Slap. Finding number 13. There was no hot wash or lessons learn. Literally people were like “yeah cool bad incident cool medals, let’s go to the cantina.” And not think about “well what if this happens again!?” yes that is foreshadowing.  

So Defenders in lab coats, we are closing in on this May the 4th special. I do apologize this once did take longer to drop, but hey hopefully it was worth the wait. I do want to hear what you all thought about this episode and if you can think of any other potential cyber findings. If you are curious, all my findings are put in the show notes located on cyberspeaklabs.com and in the description. Additionally, I had requested ChatGPT to create an entire pentest report for this movie with findings that IT thought it had. Soo good luck reading that if you want to read some good, the bad, and the terrible.  I look forward to seeing you all in the lab again soon... byyyyyyyyeeeeeeeeeeeeeeeeeeeeeee. 

Failure Points

1. The Empire had physical blueprints of one of the most chaotic weapons on a piece of paper that was easily accessible.

2. There is no password verification or physical pin needed to retrieve or upload memory to R2-D2.

3. No asset inventory tracking

4. Zero trust and violating NDAs with sensitive information disclosure.

5. Lack of flight plans resulting to safety issues with space traffic control

6. No real-time infrastructure visibility and monitoring

7. Social Engineering and going undetected.

8. Unpatched open back door to a device.

9. Lack of IDS protection on the Falcon.

10. Plugging in external media into a protected network

11. No insider threat program.

🛡️ Full Penetration Test Report – Star Wars Episode IV: A New Hope

Target: Death Star v1.0Conducted by: Rebel Security Audit Corps (RSAC)Total Vulnerabilities Identified: 40Overall Risk Score: 🤯

🔍 TOP CRITICAL VULNERABILITIES (CVSS 9.0–10.0)

🔥 HIGH SEVERITY VULNERABILITIES (CVSS 7.0–8.9)

⚠️ MEDIUM SEVERITY VULNERABILITIES (CVSS 4.0–6.9)

🧊 LOW SEVERITY VULNERABILITIES (CVSS ≤ 3.9)

🧠 Final Thoughts

This audit proves that the Death Star was less a technological marvel and more a cosmic example of what happens when cybersecurity is an afterthought. The Rebels didn’t just bring the Force — they brought a threat model and a really good red team.