Security Frontier: Hacking into Ships

Monday, June 11, 2018 @ 05:06 PM gHale

Whether it is a control system at an industrial plant, a hospital or even a cruise ship, cybersecurity is such a vital aspect that if left unchecked, an attack could cause dire consequences.

Yes, even the shipping industry is facing cyber consequences. Just ask Ken Munro, who operates Pen Test Partners.

RELATED STORIES
Age of Misdirection: Stay Focused, Safe, Secure
Safety, Connectivity and IIoT
Siemens Security Chief: Charter ‘Overcomes Divide’
17 Zero Days Cleared in OPC UA

“At Infosecurity Europe this year, we demonstrated multiple methods to interrupt the shipping industry, several of which haven’t been demonstrated in public before, to our knowledge,” Munro said in a post. “Some of these issues were simply through poor security hygiene on board, but others were linked to the protocols used and systems provided by maritime product vendors.

He was able to use Shodan, which already publishes a ship tracker, and then link satcom terminal version details to live GPS position data.

Munro discovered what he thinks is the first ever vulnerable ship tracker.

“Two public data sets have been linked, so we now have a clickable map where vulnerable ships are highlighted with their real-time position,” he said in a post.

Quite a few satcom terminals on ships are available on the Internet. Many have default credentials, admin/1234 being very common. These passwords were found on a ship just a few weeks ago, he said.

So that’s an easy way to hijack the satellite communications and take admin rights on the terminal on board.

“We applied our expertise in IoT, automotive and SCADA hardware security to a Cobham (Thrane & Thrane) Fleet One satellite terminal, Munro said. “We haven’t seen much evidence in public of anyone looking hard at maritime satcom terminal hardware security before. They’re expensive, which may explain it.”

He then went on to say all of the vulnerabilities he discovered are resolved by setting a strong admin password, as per the manufacturers guidance.

“First, we found that the admin interfaces were over telnet and HTTP. Pulling the firmware, we found a lack of firmware signing – the validation check was simply a CRC.

“Then, we discovered that we could edit the entire web application running on the terminal. That lends itself to attacks.

“Further, there was no rollback protection for the firmware. This means that a hacker with some access could elevate privilege by installing an older more vulnerable firmware version.

“Finally, we found the admin interface passwords were embedded in the configs, hashed with unsalted MD5.

“Hardly ‘defense in depth’! Reminder: these are all fixed by setting a strong admin password. We found lots more, but can’t disclose these yet,” Munro said.

Munro added he often finds a lack of network segregation on a vessel. If you are able to hack into the satcom terminal, then you are on the vessel network.

ECDIS are the electronic chart systems needed to navigate. They can slave directly to the autopilot – most modern vessels are in “track control” mode most of the time, where they follow the ECDIS course.

“Hack the ECDIS and you may be able to crash the ship, particularly in fog,” Munro said. “Younger crews get ‘screen fixated’ all too often, believing the electronic screens instead of looking out of the window.”

The researchers tested over 20 different ECDIS units and found all sorts of security flaws. Most ran old operating systems, including one popular in the military that still runs Windows NT.

“Ship security is in its infancy – most of these types of issues were fixed years ago in mainstream IT systems,” Munro said. “The advent of always-on satellite connections has exposed shipping to hacking attacks. Vessel owners and operators need to address these issues quickly, or more shipping security incidents will occur.”



Leave a Reply

You must be logged in to post a comment.