Crappy IoT on the high seas: Holes punched in hull of maritime security
Researchers: We can nudge ships off course
Infosec Europe Years-old security issues mostly stamped out in enterprise technology remain in maritime environments, leaving ships vulnerable to hacking, tracking, and worse.
A demo at the Infosecurity Europe conference in London by Ken Munro and Iian Lewis of Pen Test Partners (PTP) showed multiple ways to interrupt and disrupt the shipping industry.
Weak default passwords, failure to apply software updates, and a lack of encryption – all reminding us of crappy IoT kit – enable a variety of attacks against shipping vessels and related operations, the conference's audience was told.
Fresh from previous Infosec demos showing how to hack a Mitsubishi Outlander and an electric kettle, the team turned their attention towards satellite comms and other seagoing systems. Staff at the UK-based security consultancy include former ship crew, so their observations were particularly astute.
Shodan, the Internet of Things search engine, publishes a ship tracker. PTP used this to put together a system linking satcom terminal version details to live GPS position data – in effect, a vulnerable-ship tracker. Knowing the software version running on a terminal could tell miscreants what security weaknesses it has and how it might be hacked.
PTP created a clickable map where exposed ships are highlighted with their real-time position. Week-old data was demonstrated at Infosec. The tracker – available here – deliberately omits any data refresh and features only historic data, making sure it isn't of any utility to hackers.
If exploiting vulnerabilities to hijack admin rights on a ship's satellite communications terminal is considered too much effort, attackers can take advantage of weak and default passwords.
"Many satcom terminals on ships are available on the public internet. Many have default credentials, admin/1234 being very common," PTP reported.
PTP looked at a Cobham Fleet One satellite terminal, an expensive piece of kit, and discovered some vulnerabilities that can be resolved by setting a strong admin password, as per the manufacturer's guidance. PTP is holding back the details of other flaws pending fixes from Cobham.
The team found that the admin interfaces were exposed over telnet and HTTP, and that there was no firmware signing – validation was simply a cyclic redundancy check (CRC). The researchers were also able to edit the entire web application running on the terminal. Even worse, there was no rollback protection for the firmware.
"This means that a hacker with some access could elevate privilege by installing an older more vulnerable firmware version," PTP said. "Finally, we found the admin interface passwords were embedded in the configs, hashed with unsalted MD5."
All of which is fixed by a strong admin password.
Up sh*t creek
Network segregation on ships is rare. This means anyone able to hack the satcom terminal gains access to the vessel network.
Electronic Chart Display and Information Systems (ECDIS) are used for navigation and can be linked directly to the autopilot. Most modern vessels simply follow the ECDIS course.
"Hack the ECDIS and you may be able to crash the ship, particularly in fog," PTP warned. "Younger crews get 'screen fixated' all too often, believing the electronic screens instead of looking out of the window."
The researchers tested more than 20 different ECDIS units and found multiple security flaws. "Most ran old operating systems, including one popular in the military that still runs Windows NT."
One ECDIS unit had a poorly protected configuration interface. "Using this, we could 'jump' the boat by spoofing the position of the GPS receiver on the ship," PTP said. "This is not GPS spoofing, this is telling the ECDIS that the GPS receiver is in a different position on the ship. It's similar to introducing a GPS offset."
The team showed how this might be abused to jump a ship from one side of Dover Harbour to the other.
PTP also found it could reconfigure the ECDIS to make the ship appear to be a square kilometre in size. Since the ECDIS often feeds the automatic identification system transceiver, which ships use to avoid colliding with each other, it might be possible to block a shipping lane with the trick.
"It would be a brave captain indeed to continue down a busy, narrow shipping lane whilst the collision alarms are sounding," PTP noted. "Block the English Channel and you may start to affect our supply chain."
This isn't Felixstowe...
A different technique can exploit Operational Technology (OT) systems on merchant ships that control the steering gear, engines, ballast pumps and more. They communicate using the NMEA 0183 specification.
These messages are in plain text – no authentication, encryption or validation. "All we need to do is man in the middle and modify the data," PTP warned.
"This isn't GPS spoofing, which is well known and easy to detect, this is injecting small errors to slowly and insidiously force a ship off course."
PTP's demo showed that an attacker could change the rudder command by modifying a GPS autopilot command (above).
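The weakness described above is that NMEA 0183 carries only an XOR checksum and no key, so a box on the wire can alter a sentence and recompute the checksum. As an added example, not PTP's demo code, here is a receiver-side monitor that validates the checksum and then cross-checks each new fix against the reported speed, which is the kind of consistency check that catches both a sudden position jump and the slow drift PTP warned about; the Dover Harbour sentences, the 12-knot speed and the 1.5x/0.05 nm tolerances are constructed assumptions.

```python
"""Defensive checks for NMEA 0183 position sentences (added example; samples are constructed)."""
from math import asin, cos, radians, sin, sqrt

def nmea_checksum(body: str) -> str:
    """XOR of every character between '$' and '*', as two upper-case hex digits."""
    value = 0
    for ch in body:
        value ^= ord(ch)
    return f"{value:02X}"

def make_sentence(body: str) -> str:
    return f"${body}*{nmea_checksum(body)}"

def checksum_ok(sentence: str) -> bool:
    """Catches line noise and naive edits only: NMEA 0183 has no key, so anyone on the wire can recompute it."""
    if not sentence.startswith("$") or "*" not in sentence:
        return False
    body, _, given = sentence[1:].partition("*")
    return given.strip().upper() == nmea_checksum(body)

def _dm_to_deg(value: str, hemisphere: str) -> float:
    """Convert NMEA (d)ddmm.mmm plus hemisphere letter to signed decimal degrees."""
    dot = value.index(".")
    degrees = float(value[: dot - 2]) + float(value[dot - 2 :]) / 60.0
    return -degrees if hemisphere in ("S", "W") else degrees

def parse_rmc(sentence: str):
    """Parse a $..RMC sentence into (lat deg, lon deg, speed kn); None if the checksum fails or status is not 'A'."""
    if not checksum_ok(sentence):
        return None
    f = sentence[1:].partition("*")[0].split(",")
    if f[0][2:] != "RMC" or f[2] != "A":
        return None
    return (_dm_to_deg(f[3], f[4]), _dm_to_deg(f[5], f[6]), float(f[7]))

def distance_nm(a, b) -> float:
    """Great-circle distance in nautical miles (haversine, mean Earth radius 3440.1 nm)."""
    lat1, lon1, lat2, lon2 = map(radians, (a[0], a[1], b[0], b[1]))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 3440.1 * asin(sqrt(h))

def plausible(prev, cur, seconds: float, slack: float = 1.5, noise_nm: float = 0.05) -> bool:
    """Reject a fix that implies moving further than the reported speed (plus slack and GPS noise) allows."""
    return distance_nm(prev, cur) <= max(prev[2], cur[2]) * seconds / 3600.0 * slack + noise_nm

# Constructed samples: a ship in Dover Harbour at 12 knots, one second apart. JUMPED was edited in
# transit with the checksum recomputed (about half a mile east); TAMPERED was edited without recomputing it.
GENUINE = [make_sentence("GPRMC,120000.00,A,5107.674,N,00118.804,E,12.0,090.0,060618,,,A"),
           make_sentence("GPRMC,120001.00,A,5107.674,N,00118.810,E,12.0,090.0,060618,,,A")]
JUMPED = make_sentence("GPRMC,120001.00,A,5107.674,N,00119.600,E,12.0,090.0,060618,,,A")
TAMPERED = GENUINE[0].replace("5107.674", "5107.675")
```

The checksum alone rejects only the naive edit; the recomputed-checksum edit passes `checksum_ok` and is caught solely by the speed cross-check, which is the point of checking against a second source rather than trusting the sentence.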
It's still early days for ship security, PTP warned, since most issues of this sort were fixed years ago in mainstream IT systems.
"The advent of always-on satellite connections has exposed shipping to hacking attacks. Vessel owners and operators need to address these issues quickly, or more shipping security incidents will occur," the researchers concluded. ®