Crappy IoT on the High Seas: Holes Punched in Hull of Maritime Security

1773

A demo at the Infosecurity Europe conference in London by Ken Munro and Iian Lewis of Pen Test Partners (PTP) demonstrated multiple methods to interrupt and disrupt the shipping industry.

Poor system credentials

Weak default passwords, failure to apply software updates, and a lack of encryption – all reminding us of crappy IoT kit – enable a variety of attacks against shipping vessels and related operations, the conference’s audience was told.

Staff at the UK-based security consultancy include former ship crew so their observations were particularly astute.

PTP ship hack demo

Shodan, the Internet of Things search engine, publishes a ship tracker. PTP used this to put together a system linking satcom terminal version details to live GPS position data – a vulnerable ship tracker.

Outdated firmware

Knowing the version of software on terminals could tell miscreants what security weaknesses it has and how it might be hacked.

PTP created a clickable map where exposed ships are highlighted with their real-time position. The tracker omits any data refresh and shows only the historic data, making sure it isn’t of any utility to hackers.

Hijack take advantage of weak and default passwords, if admin rights on a ship’s satellite communications terminal is considered too much effort by attackers.

Ship’s bridge password fail

The team found that the admin interfaces were over telnet and HTTP, under which was a lack of firmware signing – validation was simply by a cyclic redundancy check (CRC). The researchers were also able to edit the entire web application running on the terminal. Even worse, there was no rollback protection for the firmware.

All of which can simply be fixed by a strong admin password.

Vulnerable Open ship network

Network segregation on ships is rare. This means anyone able to hack the satcom terminal gains access to the vessel network.

Electronic Chart Display and Information Systems (ECDIS) are used for navigation and can be linked directly to the autopilot. Most modern vessels simply follow the ECDIS course.

The researchers tested more than 20 different ECDIS units and found multiple security flaws. “Most ran old operating systems, including one popular in the military that still runs Windows NT.”

One ECDIS unit had a poorly protected configuration interface. “Using this, we could ‘jump’ the boat by spoofing the position of the GPS receiver on the ship,” PTP said. “This is not GPS spoofing, this is telling the ECDIS that the GPS receiver is in a different position on the ship. It’s similar to introducing a GPS offset.”

PTP also found it could reconfigure the ECDIS to make the ship appear to be a square kilometre in size

Other exploits

A different technique can also exploit Operation Technology (OT) systems on merchant ships using the NMEA 0183 specification, which control the steering gear, engines, ballast pumps and more.

These messages are in plain text – no authentication, encryption or validation. “All we need to do is man in the middle and modify the data,” PTP warned.

Ship’s rudder hack

“This isn’t GPS spoofing, which is well known and easy to detect, this is injecting small errors to slowly and insidiously force a ship off course.”

PTP’s demo showed that an attacker could change the rudder command by modifying a GPS autopilot command .

“The advent of always-on satellite connections has exposed shipping to hacking attacks. Vessel owners and operators need to address these issues quickly, or more shipping security incidents will occur,” the researchers concluded.

Did you subscribe for our daily newsletter?

It’s Free! Click here to Subscribe!

Source: The Register