Ships are Basically Big Floating Security Nightmares

2180

Ken Munro, a researcher for UK-based Pen Test Partners, has been exploring maritime satellite communication systems used to keep ships connected while at sea. His findings don’t inspire much confidence. Munro, in a blog post recounting his research, describes ships as floating industrial control systems that were traditionally isolated but are now always connected to the internet.

ICS affected by Internet:

Industrial control systems (ICS), which evolved without much thought for network-based attacks, have struggled for decades to adapt to the constant state of siege on the internet.

Munro believes the security of ship IT systems is worse still. “Personally, I think ship security is behind broader ICS security,” he said. “The change is as a result of these satcom terminals being online all the time. In the past, just like ICS, ship systems were isolated from the internet.”

Number of incidents on the rise:

Munro said there have been plenty of ship security incidents reported. “One that springs to mind is a mobile drilling platform off the coast of Africa that developed a tilt and had to be evacuated,” he said. “On investigation, the control system had been ‘hacked’. I use the quotes as I suspect it was simply missing or default creds and an exposed control system GUI.”

Ships using outdated firmware:

Using Shodan.io, a search engine for finding devices on the internet, Munro looked for several popular brands of maritime satcom systems, including Cobham, Inmarsat, and Telenor kit, along with older brands that had been acquired, on the assumption they’d be running outdated firmware.

He opted not to test the default user and password configuration for some systems (usually admin/1234), noting that most of the recent maritime hacking reports have involved missing authentication or default creds in comms terminals that allowed someone in. He doesn’t really consider such failures hacking, even if the resulting disruption may be the same.

Lack of HTTPS protection:

By searching for ‘html:commbox,’ he found various terminal commands for KVH’s ship-to-shore network manager CommBox. Pulling up an actual CommBox login page, Munro found the connection was poorly secured with no HTTPS protection. The system presented a link to a queryable user database and it revealed network configuration data merely by mousing over the UI.

With the crew data, Munro was able to quickly find a crew member’s social network profile, giving him all the data he’d need to conduct a targeted phishing attack. If he had ties to a ship-hijacking pirates, he could provide the vessel’s location, alongside crew data, via the automatic identification system (AIS) used to track ships.

Security threats can comprise ship data:

In short, if these security holes were in the ship’s hull, the vessel would be resting at the bottom of the sea.

Munro says satcom boxes need to implement TLS, password complexity must be enforced for user accounts, and comms hardware needs secure firmware.

“There are many routes onto a ship, but the satcom box is the one route that is nearly always on the internet,” he said. “Start with securing these devices, then move on to securing other ship systems. That’s a whole different story”.

Did you subscribe for our daily newsletter?

It’s Free! Click here to Subscribe!

Source: The Register