Insecure configurations and vulnerabilities in communications and navigation systems can allow hackers to remotely track, hijack and sink ships, according to researchers at penetration testing and cybersecurity firm Pen Test Partners.
In October 2017, Pen Test Partners presented its research into vulnerabilities affecting the satellite communications (satcom) systems used by vessels. The company has continued to analyze software and hardware used in the maritime industry and found that they are affected by serious flaws.
It has also created an interactive map that can be used to track vulnerable ships. The tracker combines data from Shodan with GPS coordinates and it can show vulnerable ships in real time. However, the company will only periodically refresh the data shown on the map in an effort to prevent abuse.
Satellite communications is the component that exposes ships to remote hacker attacks, as shown by Pen Test Partners last year and, at around the same time, by researchers at IOActive.
While there are some vulnerabilities in these systems themselves, the main issue is that many satcom terminals continue to use default credentials, allowing unauthorized users to gain admin-level access.
Many of the security holes disclosed this week by Pen Test Partners can be mitigated by setting a strong administrator password on the satcom terminal. Other serious issues discovered by researchers have been reported to Cobham, whose Fleet One terminal was used in experiments, and have not been disclosed.
According to researchers, once an attacker gains access to the terminal, they can replace the firmware, due to the lack of proper validation checks, or downgrade it to an older and more vulnerable version. They can also edit the web application running on the terminal. Experts also discovered poorly protected admin passwords in configuration files.
An even bigger problem, researchers warn, is that once an attacker gains access to the satcom terminal, they can move laterally to other systems. One of them is the Electronic Chart Display and Information System (ECDIS), which is used by vessels for navigation.
Since the ECDIS can be connected directly to the autopilot feature, hacking this system can allow an attacker to take control of a ship.
“We tested over 20 different ECDIS units and found all sorts of crazy security flaws. Most ran old operating systems, including one popular in the military that still runs Windows NT,” explained Pen Test Partners researcher Ken Munro.
In one case, the ECDIS had a poorly protected configuration interface that allowed an attacker to spoof the position of the GPS receiver on the ship and make the vessel “jump” to a slightly different location.
Reconfiguring the ECDIS can also allow an attacker to change the size of the targeted ship as seen by other nearby vessels via the automatic identification system (AIS) tracker.
“So, simply spoof the ECDIS using the vulnerable config interface, ‘grow’ the ship and ‘jump’ it into the shipping lanes,” Munro explained. “Other ships’ AIS will alert the ship’s captain to a collision scenario. It would be a brave captain indeed to continue down a busy, narrow shipping lane whilst the collision alarms are sounding. Block the English Channel and you may start to affect our supply chain.”
Another attack scenario described by Pen Test Partners targets the operational technology (OT) systems on board a ship. These systems are used to control steering, engines, ballast pumps and other components, and they communicate via the NMEA 0183 protocol.
Since messages sent over NMEA 0183 don’t use any authentication, encryption or validation, a man-in-the-middle (MitM) attacker can modify the data and, for example, inject small errors that would cause the ship to alter its course when autopilot is engaged, researchers warn.
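The only integrity field in an NMEA 0183 sentence is an XOR checksum, which catches line noise but not tampering, so a receiver has to judge the data by plausibility. The following is an added example, not code from Pen Test Partners or the original article: a monitor that flags RMC position fixes whose implied speed is physically impossible. The 30-knot ceiling, the helper names and the sample feed are assumptions constructed for illustration.

```python
import math
from functools import reduce

MAX_SPEED_KN = 30.0  # assumed plausibility ceiling for the monitored vessel

def nmea_checksum(body):
    """XOR of every character between '$' and '*', as two hex digits."""
    return f"{reduce(lambda acc, ch: acc ^ ord(ch), body, 0):02X}"

def checksum_ok(sentence):
    body, _, given = sentence.strip().lstrip("$").partition("*")
    return given.upper() == nmea_checksum(body)

def to_degrees(value, hemi):
    """ddmm.mmm or dddmm.mmm plus hemisphere letter -> signed degrees."""
    raw = float(value)
    deg = int(raw // 100)
    dec = deg + (raw - deg * 100) / 60
    return -dec if hemi in ("S", "W") else dec

def parse_rmc(sentence):
    """(seconds since midnight, lat, lon) for an RMC sentence with a valid fix, else None."""
    f = sentence.split("*")[0].split(",")
    if f[0][3:] != "RMC" or len(f) < 7 or f[2] != "A":
        return None
    secs = int(f[1][0:2]) * 3600 + int(f[1][2:4]) * 60 + float(f[1][4:])
    return secs, to_degrees(f[3], f[4]), to_degrees(f[5], f[6])

def distance_nm(a, b):
    """Great-circle (haversine) distance in nautical miles."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 3440.065 * math.asin(math.sqrt(h))

def audit(sentences, max_kn=MAX_SPEED_KN):
    """Return (index, reason) for corrupt sentences and implausible position jumps."""
    alerts, last = [], None
    for n, s in enumerate(sentences):
        if not checksum_ok(s):
            alerts.append((n, "bad checksum"))
            continue
        fix = parse_rmc(s)
        if fix is None:
            continue
        if last and fix[0] > last[0]:
            knots = distance_nm(last[1:], fix[1:]) / ((fix[0] - last[0]) / 3600)
            if knots > max_kn:
                alerts.append((n, f"implied speed {knots:.0f} kn"))
        last = fix
    return alerts

# Constructed sample feed (not captured traffic): two normal fixes, a jump, a corrupted line.
def frame(body):
    return f"${body}*{nmea_checksum(body)}"

SAMPLE = [frame(f"GPRMC,{t},A,{lat},N,{lon},E,12.0,045.0,010618,,") for t, lat, lon in (
    ("120000", "5057.000", "00122.000"), ("120010", "5057.030", "00122.040"),
    ("120020", "5058.500", "00122.080"), ("120030", "5058.530", "00122.120"))]
SAMPLE[3] = SAMPLE[3].replace("120030", "120031")  # body altered, checksum left stale
```

The third sentence carries a correct checksum and is still flagged, because only the plausibility check notices that the reported position moved about 1.5 nautical miles in ten seconds.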
“The advent of always-on satellite connections has exposed shipping to hacking attacks. Vessel owners and operators need to address these issues quickly, or more shipping security incidents will occur. What we’ve only seen in the movies will quickly become reality,” Munro concluded.