Shipping Industry Cybersecurity: A Shipwreck Waiting to Happen

Pen Test Partners demonstrates how to send vessels off-course or even onto a path to collision — fairly easily.

The global shipping industry is vulnerable to a range of hacks, including one that can send multi-million dollar vessels on a collision course for disaster, according researchers. Worse, the flaws are trivial to execute and easy to mitigate against, according to a report by Pen Test Partners.

“Ship security is in its infancy – most of these types of issues were fixed years ago in mainstream IT systems,” said Pen Test Partners researcher Ken Munro, in a report on the findings released this week. “The advent of always-on satellite connections has exposed shipping to hacking attacks. Vessel owners and operators need to address these issues quickly, or more shipping security incidents will occur. What we’ve only seen in the movies will quickly become reality.”

As part of its report, Pen Test Partners also released a number of proof-of-concept (PoC) attacks where it demonstrated multiple techniques for disrupting the shipboard navigation systems. “We’ve broken new ground by linking satcom terminal version details to live GPS position data,” according to the report.

Munro said that the PoC flaws are the tip of the iceberg. Many more worse issues were uncovered. He said other bugs would be shared privately with vendors.

Forcing Ships Off-Course

In one of the PoCs shared in the report, researchers noted that the electronic charts that are used to navigate, called Electronic Chart Display and Information System (ECDIS), are a ripe target for hackers. They said the ECDIS is not difficult to hack and manipulate once an attacker breaches the vessel’s network. And that’s fairly simple to achieve because of an abundance of outdated OS and poorly protected configuration interfaces, researchers said.

“We tested over 20 different ECDIS units and found all sorts of crazy security flaws,” Munro said. “Most ran old operating systems, including one popular in the military that still runs Windows NT.”

As hackable as it is, all too often, the ECDIS is left in charge of steering the ship, researchers said.

“[ECDIS] can slave directly to the autopilot – most modern vessels are in ‘track control’ mode most of the time, where they follow the ECDIS course,” Munro explained. “Hack the ECDIS and you may be able to crash the ship, particularly in fog. Younger crews get ‘screen-fixated’ all too often, believing the electronic screens instead of looking out of the window.”

In one PoC example, once an adversary gained access to the shipboard IT infrastructure, a hacker could fool the ECDIS into thinking that the GPS receiver was in a different location on board. That would effectively spoof the ship’s navigational systems to believe the ship was in a different place on the water. The system could then automatically “correct” the course, thus sending the ship off into the wrong direction.

The team was also able to expand the perceived GPS footprint to make the ECDIS think the ship was a kilometer wide, wreaking havoc with anti-collision systems. The AIS transceiver, responsible for collision alerts, uses ECDIS data to not only send out the ship’s location to other vessels if there’s a perceived danger, but also for receiving the same data back. By tricking the system into thinking a collision is imminent, other ships could alter their own courses, jamming up shipping lanes.

“Other ships’ AIS will alert the ship’s captain to a collision scenario,” Hunt said. “It would be a brave captain indeed to continue down a busy, narrow shipping lane whilst the collision alarms are sounding.”

The implications here are profound: “Block the English Channel and you may start to affect our supply chain,” Hunt added.

The researchers also found that it’s possible to hack the systems used to control the steering gear, engines, ballast pumps and more. These communicate using NMEA 0183 messages, which are sent in plaintext, with no message authentication, encryption or validation.

“All we need to do is man-in-the-middle and modify the data,” Hunt said. “This isn’t GPS-spoofing, which is well known and easy to detect, this is injecting small errors to slowly and insidiously force a ship off course.”

Real-World Implications

Barry Greene, principal architect at Akamai, said that a range of actors could make very good use of these kinds of attacks.

“It can be used (and most likely is being used) to track state intelligence interest,” he told Threatpost. “Criminal threat actors would look for ways to ‘monetize.’ If there is money, they will find a way to exploit. Corporate intelligence threat actors would (and most likely are) using these exploits to track competition. Activist threat actors would use it to track illegal shipping: banned animal products, weapons and human trafficking.”

He added that there are other, less obvious consequences.

“The ugly part is logical consequences that are not being considered,” he told us. “Think about the current pirate situation in several parts of the world. These pirates can use this information for their intelligence. What would be the response when someone gets killed in the Straits of Malacca by pirates who are using these exploits to target their hits?”

Further illustrating the real-world implications, Pen Test Partners has managed to link version details for ships’ satcom terminals to live GPS position data, to establish a clickable map where vulnerable ships can be highlighted with their real-time position (it’s not updated however, thus ensuring it remains out of date and useless to hackers).

All Back to Password Hygiene

In order to carry any of the above attack scenarios out, threat actors would need to gain access to the vessel networks in the first place. Unfortunately, that proves to be fair simple as well, given that satcom terminals on ships are available on the public internet. Many have default credentials, Hunt explained, admin/1234 being the most common. And failing to set a strong administrative password opens the door to a raft of security issues.

“It’s an easy way to hijack the satellite communications and take admin rights on the terminal on board,” explained Munro.

Looking into a Cobham (Thrane & Thrane) Fleet One satellite terminal, Munro found a number of exploitable flaws. For starters, the admin interfaces communicate via insecure telnet and HTTP. They also lack firmware signing, making it possible to edit the entire web application running on the terminal. There is also no rollback protection for the firmware, so a hacker could elevate privilege by installing an older, more vulnerable firmware version. Lastly, the administrator interface passwords are embedded in the configurations, hashed with unsalted MD5.

All of these flaws (again, easily fixed with a strong password) offer routes into the vessel’s network; and, thanks to a general lack of network segregation on board most ships, attackers can likely easily pivot to the navigation system, Munro pointed out.

Mitigation

Like all sectors, getting serious about the risk to their industry should be on the to-do list of vendors and shipping companies alike. However, that’s easier said than done.

“Hopefully, these findings will encourage action, but the reality is that most people who need to know about this risk within the shipping/container/port industry may not hear about this report,” said Greene. “They live in their own specialized community…There is a whole industry built around the shipping industry who never thinks about security. They are thinking, ‘how do I build this function to manage the container lift during the time it is pulling the container off the ship.'”

A good place to start, he added, is for shipping companies to pull in vendors for meaningful security conversations. “Their security interest would wake up the vendor to put security on the top of their list,” Greene explained, adding that shipping companies should make use of their existing resources.

“Their number one security talent is the specialist within their organizations,” he said. “They know their industry. They know their business. CxOs should take those teams, pull them off to the side for a couple of days and have them ‘think like hackers.’ They will come back with a list of security priorities that would be better tuned to the shipping/container/port industry.”

Suggested articles