Hackers could access a ship's navigation systems to change its direction and throw it off-course, according to security researchers.
In a blog post, Ken Munro of Pen Test Partners demonstrated a proof-of-concept attack that could manipulate a vessel's serial network. Munro said that ships have two distinct networks on board; one IP/ethernet network for business systems, crew mail and web browsing and a serial network for the operational technology (OT) systems, including steering, propulsion, ballast and navigation data, among many.
The attack targets devices that act as a bridge between these two separate networks. Munro said that while it is relatively easy to compromise the IP network, the OT network needs a bit more work.
The weaknesses are found in vulnerable devices acting as “bridging points” on ships, such as the Electronic Chart Display and Information System (ECDIS), Voyage Data Recorder, synthetic radar, and sometimes the Automatic Tracking System (AIS) transponder.
Munro's research looked at serial to IP convertors are used to send serial data over IP/ethernet networks cabling, such as ones manufactured by Moxa and Perle Systems. These devices have a web interface for configuration. These come with default credentials which as published on the manufacturer's websites.
“Once you've got the password, you can administrate the convertor. That means complete compromise and control of the serial data it is sending to the ships engine, steering gear, ballast pumps or whatever,” said Munro.
Sometimes changing the default password is not enough as Munro pointed out that there is a flaw (CVE-2016-9361) in Moxa convertor firmware that enables a hacker to recover the admin password, even if it has been changed.
When armed with admin credentials, a hacker can then mount a man-in-the-middle attack, modifying GPS data.
“By ARP poisoning on the network, the serial traffic is routed through our attack laptop. We're using ettercap for simplicity. We simply inject a filter and modify the GPS location data being fed to the ECDIS,” said Munro.
He added that if the ECDIS is in ‘track control' mode whereby it directs the autopilot, then the hacker can fool it and cause the ship to change direction.
“If the crew are alert, then they should pick it up and take control, but they are being presented with exactly the same tampered position data as the automated systems,” he said.
Jake Moore, security specialist at ESET, told SC Media UK that the issue with these highly technical ships is that they are always on and connected to multiple networks which increases the risk which in this case could be catastrophic.
“Such entry points such as a simple phishing email, unchanged admin passwords and not updating all machines could cause a disaster in this industry and to public confidence,” he said.
“Devices and operating systems must always be up to date and patched plus password complexity is extremely important, particularly with high privilege accounts. Training is also just as imperative to spot phishing attempts as these bad actors won't stop at anything to gain access. Remember to patch and protect or risking paying out.”
Adam Brown, manager of security solutions at Synopsys, told SC Media UK that an adversary who wanted to cause a disaster could use this kind of attack to ground or wreck a ship.
“Anyone who has sailed in open seas knows that large ships have a very long reaction time – often miles and miles. They also know that autopilots steer the vessel most of the time, and that the officer on watch won't necessarily ‘watch' all the time. In fact, last year a Dutch ship ‘Ruyter' was grounded due to a boozy watchman not paying attention! With the navigation system in complete control most of the time, and little attention paid, there is a great opportunity for an adversary to steer the ship into trouble - even remotely,” he said.
Is Zero Trust really achievable given the complexity in finance service organisations?
Brought to you in partnership with Forescout