A proof-of-concept attack could cause ships to dangerously veer off course, and it all stems from simple security issues, including the failure to change default passwords or segment networks.
Researcher Ken Munro, with Pen Test Partners, on Monday showed how the attack could work and how it’s possible to manipulate a ship’s steering, propulsion, ballast and navigation data. The attack focused on targeting the devices that serve as a “bridging point” between the operational technology (OT) and IP networks.
“We’ve shown before how it’s relatively straightforward to compromise the business network through the satcom terminal if basic security controls aren’t in place. However, affecting the OT systems requires additional work,” he said in a post.
The weaknesses Munro found stem from several vulnerable IP network devices on ships – which are used in business systems, crew mail and web browsing. Researchers point out they all exist on the same network behind operational devices.
There are several of these “bridging points” on ships, said Munro – including the Electronic Chart Display and Information System (ECDIS), Voyage Data Recorder, synthetic radar, and sometimes the Automatic Tracking System (AIS) transponder.
For the proof of concept, researchers focused on serial-IP converters, including those made by Moxa and Perle Systems, which are used to send serial data over IP/Ethernet networks’ cabling. Researchers were able to use a ThinkPad running Kali Linux (Debian-derived Linux distribution designed for penetration testing and digital forensics) to look at the data running through the serial-to-IP converters.
These converters have an array of security issues if not updated, he said. The web interface for configuration generally have default credentials – which ironically are published by the manufacturers on their own websites, the researcher said.
“Once you’ve got the password, you can administrate the converter,” wrote Munro. “That means complete compromise and control of the serial data it is sending to the ships engine, steering gear, ballast pumps or whatever.”
Even if the passwords have been changed, the converter is still susceptible to attack. Alarmingly, the Moxa converter firmware also contains a known security flaw (CVE-2016-9361) that enables hackers to use Metasploit modules (a tool for developing and executing exploit code against a remote target machine) to recover the administrator password – even if it has already been changed.
The vulnerability has a CVSS score of 7.5 and impacts an array of Moxa versions, including several versions of the Nport 5100 firmware and the Nport 5200 series firmware.
Once a hacker gains the admin credentials, they are able to launch an insidious man-in-the-middle attack – essentially injecting false GPS data into the various systems on the bridge, said Munro.
Attackers may be able to route serial traffic through their attack laptop and inject a filter, modifying the GPS location data being fed to the ECDIS.
Ultimately, if the the Electronic Chart Display and Information System is in “Track Control’ mode (which is autopilot) then the hacker can fool it and cause the ship to change direction, said Munro.
Researchers have long warned about the vulnerabilities and security issues afflicting the shipping industry. Pen Test Partners earlier this month released a number of other PoC attacks demonstrating an array of methods for disrupting the shipboard navigation systems.
In a similar PoC example, Munro showed how an adversary could access the ship’s IT infrastructure and then fool the ECDIS into thinking that the GPS receiver was in a different location on board – and the system could then essentially “correct” the course, sending the ship in the wrong direction.
Beyond PoC, hackers seem to have set their eyes on the shipping industry – Dell SecureWorks Counter Threat Unit in April identified a hacking group behind several prolific business email compromise attacks gouging the maritime shipping industry millions of dollars since last year, dubbed Gold Galleon.
Attackers were taking advantage of the industry’s lax security and the use of outdated computers, SecureWorks said.
Mitigations for this type of attack include changing passwords from default, keeping serial device software up to date, and, enable and configure encrypted communications.
Many newer serial-to-IP converters support SSH or similar traffic encryption, making man-in-the-middle attacks more difficult, said Munro.
Most importantly, segregating vessel networks is key. “This applies to both the IP and serial networks. Serial networks are often overlooked as there are often different teams responsible for IT and OT networks,” said Munro. “My experience from utilities suggests that IT and OT network personnel often don’t work together closely, leading to misunderstandings and allowing security holes to creep in.”