Internet of Ships falling down on security basics

We may not think of ships as industrial control systems (ICS). But, according to Ken Munro, a security researcher with the UK-based Pen Test Partners, we should.

Those who operate them should as well, he said in a blog post summarizing a talk he gave at a conference in Athens, Greece on how easy it is to hack ships’ communication systems. While they may not have physical leaks, they are catastrophically porous when it comes to cybersecurity.

The same history that has led to poor security in land-based ICSs applies to ships, he wrote – they used to run on “dedicated, isolated networks,” and therefore were not at risk from online attacks. But no more:

Now ships: complex industrial controls, but floating. Traditionally isolated, now always-on, connected through VSAT, GSM/LTE and even Wi-Fi. Crew internet access, mashed up with electronic navigation systems, ECDIS, propulsion, load management and numerous other complex, custom systems. A recipe for disaster.

And there are multiple ways for disaster to happen – most of them due to a failure to practice what regular Naked Security readers will recognise as security basics.

Simply by using Shodan, the search engine that indexes internet connected devices, Munro found marine equipment all over the world. For one of the major maritime satcom (satellite communication) vendors, Inmarsat, he found, “plenty of logins for the Globe Wireless over plaintext HTTP,” along with evidence that the firmware of many of their older comm boxes was, as he put it, “dated.”

Another example, the Cobham Sailor 900 satellite antenna, was “protected” from a malicious attacker by the unique, complex username and password combo of: admin/1234.

As Catalin Cimpanu of Bleeping Computer noted, a public exploit already exists for that antenna, “that makes hacking it child’s play for any knowledgeable attacker.” He added that such antennas are not only found on container and passenger ships, “but also on navy and private security boats,” plus helicopters and airplanes.

But, where things “got a bit silly” for Munro was when he discovered a collection of KVH terminals that not only lacked TLS encryption on the login, but also included the name of the vessel plus an option to “show users.” Munro’s reaction: “WTF??”

That option gave up a list of the members of the crew online at that point. He added that spending a moment on Google yielded the Facebook profile of the deck cadet who he had spotted using the commbox.

Simple phish, take control of his laptop, look for a lack of segregation on the ship network and migrate on to other more interesting devices.

Or simply scrape his creds to the commbox and take control that way.

It shouldn’t be this easy!

These flaws are not just now being discovered. They have been noted for years. More than four years ago, in April 2013, security firm Rapid7 reported that in just 12 hours they were able to track more than 34,000 ships worldwide using the maritime protocol Automatic Identification System (AIS).

Using those AIS receivers, it reckoned:

…we would probably be able to isolate and continuously track any given vessel provided with an MSSI number. Considering that a lot of military, law enforcement, cargo and passenger ships do broadcast their positions, we feel that this is a security risk.

And Munro’s research found that things have only gone downhill since – in the past four and a half years, the number of exposed ships has increased.

But Munro has some (rather depressingly familiar) recommendations for both civilian and military mariners: Start practicing the basics.

  • Update satcom boxes immediately.
  • Implement TLS on all satcom boxes.
  • Increase password complexity, especially for high-privilege accounts.

He concluded:

There are many routes on to a ship, but the satcom box is the one route that is nearly always on the internet. Start with securing these devices, then move on to securing other ship systems.