Hacking into things is a strong addiction; you can’t just refuse to stop doing it if you are a true researcher and passionate cyber geek. So, me too.
You remember that recent story with “Ever Given” container cargo ship stuck somewhere in the middle of Suez Canal and caused over 1,3 billion US dollars loss for companies relied on sea/ocean transport.
For this research, I decided to prove the concept:
If you find only one Internet-connected system on a ship, you can take over a whole control system of it.
What about figure out open-source intelligence (OSINT) capabilities and find something interesting? It is possible without installing anything and without prior knowledge of complex pentesting techniques.
I will use only 3 free online services here, which can give many answers about the security level of specific cargo. This is already enough to identify weakly protected ships and dig deeper into the control system direction. Should I say that the last-mentioned usually has no protection at all?
? Table of contents:
During this research, I didn’t explicitly penetrate any system. I didn’t cause any harm to any system, rather than performing standard scanning and OSINT activities with available online tools.
This research serves not as guidance for any unauthorized activities on the Internet or any private networks but raising awareness about current issues for cybersecurity in the domain.
The final outcome is theoretical cyber-physical consequences based on my own research and recent research of other security experts.
The first time I stumbled upon Maritime security was not something obvious or innocent. It was a NATO conference with emerging topics about the security of military vessels. I hope I don’t need to explain the criticality of such an issue.
But we will omit all those military problems and look closer to our civilian cruise ship fleet. Just imagine a beautiful cruise vessel with about 2000+ passengers, 1200+ crew members, 500+ wireless access points, and potentially few vulnerable satellite global communication facilities. It is yet to mention access control systems, CCTV systems, billing terminals, and other ICT (information and telecommunication technology) all good interconnected onboard…
What are scenarios of potential consequences from the misuse of onboard systems?
- danger to human health – e.g., non-safe maneuvers like acceleration, braking, or sharp turns
- massive people deaths – e.g., collision with other transport means in the sea or off-shore facilities like an oil rig
- harm to nature or ecological catastrophe – e.g., a spill of oil or other chemicals from tankers
- delay of scheduled onshore operations – e.g., DoS on control systems during a planned departure
A good example of potential dramatic consequences could be a relatively recent incident with the collision of two cruise ships near Mexico in 2019. Hopefully, there are no such cases in 2021. I would expect this is impossible in the GPS era at all, but … unfortunately, it is not.
Image source – youtube.com
The statistic in this domain is not really impressive in comparison with the banking sector. But still, the number of targeted attacks has increased from 120 in 2018 up to over 310 in 2020, and we are expecting even more in 2021. And this is only with reported and publicly known cases. I assume this is less than half of the real numbers.
To be honest, this list could be very long and quite bothering for non-focused readers, so I would omit to post it here.
Instead of that, I would like to make the emphasis on those which are responsible for critical functions of the ship – ship’s main organs, if you want:
- radar charts
- ballast systems
- hull stress control
- engine controls
Image source – pentestpartners.com
This is a perfect time to talk about other fascinating cases that happened at different times from 2013 to 2021. It is essential that these cases are not including any Ransomware cases, which are obviously disrupting but can’t take over on control systems per se.
- The brand new dry bulk ship with fully digital Electronic Chart Display and Information System (ECDIS) onboard was infected with malware causing disfunction of ECDIS and commissioning of the vessel. The problem was real because at this time it was paper-charts free ship, meaning no chances of changing to manual navigation.
- Maliciously spoofed GPS signals were able to alter the vessel’s course without any alarm to the crew in 2013.
- In 2016 GPS jamming around South Korea’s Incheon affected navigation of many planes and ships, creating dangerous situations about the affected area.
- UK-flagged tanker vessel entered into Iranian waters in 2019 after Iranian forces manipulating critical satellite-based positioning equipment.
Yes, this is the most exciting part.
To avoid any accidental accusation on my side, I was using precautions ensuring to hide IP address.
- It is relatively easy to find a potential target if you know what you are looking for. In my case, the first assumption was, “How does ship connect to Internet?”. So, after spending some time on Google search, I found that almost any forum topics mention satellite communication systems Cobham VSAT Sailor 800 and 900 series. By the way, the price for one piece is about 50.000 USD. Perhaps, you will identify your own targets.
Image source – cobhamsatcom.com
- Now, I will use my best choice for quick checks – shodan.io to find any Internet-connected device. I will tell you about other options occasionally with new articles.
You can see the part of my search entry (1) and the results found. The first option in output is not clear to define, so I moved myself to the next one IP(2).
- Both IP banners have HTTP code, so we can hope for a web-based interface exposed to anybody. Click on the button to open the web page of the IP address.
- What we see. The web page is indeed available. But we need administrator rights to get more control. A brief look at the official website and documentation provided us magic pair “admin:1234”. Oh, yes, it works!
- Look closer to the upper part of this picture. You will find Port forwarding (1) options, allowing us to ping internal IPs and do further reconnaissance. The second part shows the call’s history (2) with date, time, number, and additional info.
- As a hacker, the logical next step would be to check any publicly known vulnerabilities and available exploits. We will do this using exploit-db.com. I could not find anything for “sailor 800”, but “sailor 900” gave us a really brilliant result. It is a remote vulnerability (1), meaning we can exploit it through the Internet. Remote Overflow (2) gives us an idea about the potential impact. I assume it is remote code execution (RCE), which is a highly critical type of vulnerability.
- I don’t want to perform anything unlawful at this point, so we will turn in the other direction. Let’s try to find out to which vessel this satellite system belongs. For this purpose, VSAT 800 provides us valuable data about its geo position.
- It is a turn of real-time data… I like these online services a lot. I am using, in this case, MarineTraffic to find the known position and check information about any vessels with the exact coordinates. And, Bingo! We found the ship.
- But I still walk around it without getting any kind of attack opportunity on internal systems. We are going to fix this using an online analog of NMAP scanner. It is a little bit limited in functionality but still free, and we don’t need to reveal our IP for this scanning. Open a new Tab and look for suIP.biz.
Our quick scan gives us the following data.
- After few rounds of scanning with different parameters, I was able to find out three critical things:
- This is SMB v.1, which is deprecated and disabled by default for any new Windows version.
- This Windows 7, because other banner shows me Windows 6.1, translated as consumer version 7.
- This share has Authorization disabled, meaning anybody can look through the shared content.
- If I were a real hacker, I would probably try something like a CVE-2017-0143 “Eternal Blue” exploit to run arbitrary code on the victim’s system. Under known circumstances, it should work with a 99% success rate. I would be able to make a reverse shell connection and continue my attack towards the control system.
- This usually takes time to find your target around different systems. Anyway, at the point when we can execute our commands on a remote client, we have an excellent foothold to dig deeper. It is only a matter of time when I find a Jack Pot. Most likely, it will look like this.
Image source – vtscada.com
For a cargo ship, it is game over.
Once found a control system of any critical function, a hacker can cause physical damage to equipment. Or perform an act of sabotage, and put a ship into trouble, creating troubles for other boats on their way as well.
There are usually a prevalent set of actions required to mitigate the low-level and opportunistic attacks.
- Identify informational assets on board. It is very easy to remember the rule – you can’t protect something you don’t know you have to protect.
- Apply top 10 hardening best practices to all identified IT systems. I have explicitly mentioned IT because it is relatively easy to achieve. The problems come later with OT (operational technology) systems, but this is the topic for the following article.
- Raise awareness of your team. Any member of the crew, how has access to any ICT should be aware of risks coming from its use. In this case, specific training and demonstrations of ongoing attacks could be handy for the crew.
- Segregate networks, break trustful network areas into smaller pieces, protect OT. This is obviously not an easy task. But we can’t guarantee the integrity of systems if they have different levels of criticality, different levels of controls applied, but, despite these, communicating as it was a flat network.
- Be ready for an incident. Prepare procedures and business continuity plans for all predictable scenarios… and buy paper maps for your crew too.
This is only one quick example. During the research, I found at least another two ways how to identify vessels and get valuable information about their onboard systems.
The international community and, especially, operators and regulators of maritime operations recognized existing issues connected with non-readiness to combat cyber-piracy and the rise of targeted cyber attacks on ships and onshore facilities.
Regarding this, the regulations “IMO 2021 Cyber Security Compliance for Maritime” were presented at the beginning of the year 2021. They introduce crucial improvement and integration of cybersecurity best practices from other domains. This should serve as a platform for many secure and reliable maritime transport operations for the near future.
But the question here, is it enough? What do you think? Let me know in the comments below.
Stay tuned and watch around!