Category: IT Security

The global shipping industry is vulnerable to a range of hacks, including one that can send multi-million dollar vessels on a collision course for disaster, according researchers. Worse, the flaws are trivial to execute and easy to mitigate against, according to a report by Pen Test Partners.

“Ship security is in its infancy – most of these types of issues were fixed years ago in mainstream IT systems,” said Pen Test Partners researcher Ken Munro, in a report on the findings released this week. “The advent of always-on satellite connections has exposed shipping to hacking attacks. Vessel owners and operators need to address these issues quickly, or more shipping security incidents will occur. What we’ve only seen in the movies will quickly become reality.”

As part of its report, Pen Test Partners also released a number of proof-of-concept (PoC) attacks where it demonstrated multiple techniques for disrupting the shipboard navigation systems. “We’ve broken new ground by linking satcom terminal version details to live GPS position data,” according to the report.

Munro said that the PoC flaws are the tip of the iceberg. Many more worse issues were uncovered. He said other bugs would be shared privately with vendors.

Forcing Ships Off-Course

In one of the PoCs shared in the report, researchers noted that the electronic charts that are used to navigate, called Electronic Chart Display and Information System (ECDIS), are a ripe target for hackers. They said the ECDIS is not difficult to hack and manipulate once an attacker breaches the vessel’s network. And that’s fairly simple to achieve because of an abundance of outdated OS and poorly protected configuration interfaces, researchers said.

“We tested over 20 different ECDIS units and found all sorts of crazy security flaws,” Munro said. “Most ran old operating systems, including one popular in the military that still runs Windows NT.”

As hackable as it is, all too often, the ECDIS is left in charge of steering the ship, researchers said.

“[ECDIS] can slave directly to the autopilot – most modern vessels are in ‘track control’ mode most of the time, where they follow the ECDIS course,” Munro explained. “Hack the ECDIS and you may be able to crash the ship, particularly in fog. Younger crews get ‘screen-fixated’ all too often, believing the electronic screens instead of looking out of the window.”

In one PoC example, once an adversary gained access to the shipboard IT infrastructure, a hacker could fool the ECDIS into thinking that the GPS receiver was in a different location on board. That would effectively spoof the ship’s navigational systems to believe the ship was in a different place on the water. The system could then automatically “correct” the course, thus sending the ship off into the wrong direction.

The team was also able to expand the perceived GPS footprint to make the ECDIS think the ship was a kilometer wide, wreaking havoc with anti-collision systems. The AIS transceiver, responsible for collision alerts, uses ECDIS data to not only send out the ship’s location to other vessels if there’s a perceived danger, but also for receiving the same data back. By tricking the system into thinking a collision is imminent, other ships could alter their own courses, jamming up shipping lanes.

“Other ships’ AIS will alert the ship’s captain to a collision scenario,” Hunt said. “It would be a brave captain indeed to continue down a busy, narrow shipping lane whilst the collision alarms are sounding.”

The implications here are profound: “Block the English Channel and you may start to affect our supply chain,” Hunt added.

The researchers also found that it’s possible to hack the systems used to control the steering gear, engines, ballast pumps and more. These communicate using NMEA 0183 messages, which are sent in plaintext, with no message authentication, encryption or validation.

“All we need to do is man-in-the-middle and modify the data,” Hunt said. “This isn’t GPS-spoofing, which is well known and easy to detect, this is injecting small errors to slowly and insidiously force a ship off course.”

Real-World Implications

Barry Greene, principal architect at Akamai, said that a range of actors could make very good use of these kinds of attacks.

“It can be used (and most likely is being used) to track state intelligence interest,” he told Threatpost. “Criminal threat actors would look for ways to ‘monetize.’ If there is money, they will find a way to exploit. Corporate intelligence threat actors would (and most likely are) using these exploits to track competition. Activist threat actors would use it to track illegal shipping: banned animal products, weapons and human trafficking.”

He added that there are other, less obvious consequences.

“The ugly part is logical consequences that are not being considered,” he told us. “Think about the current pirate situation in several parts of the world. These pirates can use this information for their intelligence. What would be the response when someone gets killed in the Straits of Malacca by pirates who are using these exploits to target their hits?”

Further illustrating the real-world implications, Pen Test Partners has managed to link version details for ships’ satcom terminals to live GPS position data, to establish a clickable map where vulnerable ships can be highlighted with their real-time position (it’s not updated however, thus ensuring it remains out of date and useless to hackers).

All Back to Password Hygiene

In order to carry any of the above attack scenarios out, threat actors would need to gain access to the vessel networks in the first place. Unfortunately, that proves to be fair simple as well, given that satcom terminals on ships are available on the public internet. Many have default credentials, Hunt explained, admin/1234 being the most common. And failing to set a strong administrative password opens the door to a raft of security issues.

“It’s an easy way to hijack the satellite communications and take admin rights on the terminal on board,” explained Munro.

Looking into a Cobham (Thrane & Thrane) Fleet One satellite terminal, Munro found a number of exploitable flaws. For starters, the admin interfaces communicate via insecure telnet and HTTP. They also lack firmware signing, making it possible to edit the entire web application running on the terminal. There is also no rollback protection for the firmware, so a hacker could elevate privilege by installing an older, more vulnerable firmware version. Lastly, the administrator interface passwords are embedded in the configurations, hashed with unsalted MD5.

All of these flaws (again, easily fixed with a strong password) offer routes into the vessel’s network; and, thanks to a general lack of network segregation on board most ships, attackers can likely easily pivot to the navigation system, Munro pointed out.

Mitigation

Like all sectors, getting serious about the risk to their industry should be on the to-do list of vendors and shipping companies alike. However, that’s easier said than done.

“Hopefully, these findings will encourage action, but the reality is that most people who need to know about this risk within the shipping/container/port industry may not hear about this report,” said Greene. “They live in their own specialized community…There is a whole industry built around the shipping industry who never thinks about security. They are thinking, ‘how do I build this function to manage the container lift during the time it is pulling the container off the ship.’”

A good place to start, he added, is for shipping companies to pull in vendors for meaningful security conversations. “Their security interest would wake up the vendor to put security on the top of their list,” Greene explained, adding that shipping companies should make use of their existing resources.

“Their number one security talent is the specialist within their organizations,” he said. “They know their industry. They know their business. CxOs should take those teams, pull them off to the side for a couple of days and have them ‘think like hackers.’ They will come back with a list of security priorities that would be better tuned to the shipping/container/port industry.”

About 301,580 consumers reported cyber-fraud and malware attacks to the FBI’s Internet Crime Complaint Center (IC3) last year – with reported losses exceeding a whopping $1.4 billion.

The year’s haul of reports brings the overall total of complaints since the IC3 began recording such things to 4 million.

Top threats for the year include well-worn trends like whaling, phishing and ransomware, but also tech support fraud, confidence games involving romance themes, non-payment scams and also straightforward extortion.

Notable Stats

Whaling, a.k.a. business email compromise, made up the bulk of the complaints for the department, with 15,690 individuals affected and accounting for adjusted losses of more than $675 million. In these cases, criminals masquerade as company executives to request a change in account information for wire transfers in order to siphon off money to their own accounts, or to request for personally identifiable information or W-2 form data for employees. In 2017, the real estate sector was in particular heavily targeted, IC3 said.

Tech-support fraud, where criminals pose as a variety of different security, customer or technical support reps offering to resolve any number of (non-existent) issues, took the crown for growth. Reported incidents spiked to 10,949 complaints and claimed losses reached nearly $15 million, which represents a staggering 90 percent increase from 2016. IC3 received complaints from victims in 85 different countries.

There are of course many variations of this scam, but IC3 said that the bad actors are now changing up their tactics to use phishing emails with malicious links or fraudulent account charges to lure their victims. They’re also offering new “services,” such as income tax assistance, GPS help, printer support, cable company updates or support for virtual currency exchanges. In some variations, criminals are posing as government agents, who (oh the irony!) offer to recover losses related to tech support fraud schemes; or, they may request financial assistance with “apprehending” criminals.

Other stats of note for 2017 include the fact that the IC3 received 1,783 complaints identified as ransomware last year, with adjusted losses of over $2.3 million. It also received 14,938 extortion-related complaints, with adjusted losses of over $15 million.

When it comes to demographics, older Americans seem to be more targeted: There were 49,523 complaints from victims over the age of 60 with adjusted losses in excess of $342 million.

Fraud Gets Elaborate

The IC3 also uncovered a few “long-cons” that indicate the lengths to which fraudsters will go to scam their marks. Consider the case of an international investment scheme involving the impersonation of Branch Banking & Trust (BB&T) and JPMorgan Chase executives, the fabrication of U.S. government documents, the creation of fraudulent investment agreements in the name of the banks, and the purchase of luxury vehicles to launder the proceeds of the scheme. It resulted in losses of more than $7 million from victims in more than 20 countries.

In this case, West African operators essentially duped unwitting victims into believing they would receive millions of dollars of investment funding as part of joint ventures with BB&T or Chase. They set about spoofing bank domains and recruiting U.S. citizens to pose as bank “representatives” at in-person meetings with the victims; and fake U.S. government documents were used to convince the victims that the government was sponsoring the investment agreements. The victims were then asked to pay tens of thousands of dollars (often hundreds of thousands of dollars) to U.S.-based bank accounts on the belief that such payments were necessary to effectuate their investment agreements.

The scam was partially broken up by FBI Houston as a result of the mounting number of complaints and forensic data. Only about $200,000 of the cash has been recouped.