![](\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/31\/2018\/06\/07123832\/container-ship.jpg\" "\\"Shipping")
<\/p>\nThe global shipping industry is vulnerable to a range of hacks, including one that\u00a0can send multi-million dollar vessels on a collision course for disaster, according researchers. Worse, the flaws are trivial to execute and easy to mitigate against, according to a report by Pen Test Partners.<\/p>\n
\u201cShip security is in its infancy \u2013 most of these types of issues were fixed years ago in mainstream IT systems,\u201d said Pen Test Partners researcher Ken Munro, in a report on the findings<\/a> released\u00a0this week. \u201cThe advent of always-on satellite connections has exposed shipping to hacking attacks. Vessel owners and operators need to address these issues quickly, or more shipping security incidents will occur. What we\u2019ve only seen in the movies will quickly become reality.\u201d<\/p>\n \n\t\t\t\t\t\t\tMay 25, 2018 , 3:25 pm<\/span>\n\t\t\t\t\t\t<\/p>\n<\/article>\n \n\t\t\t\t\t\t\tOctober 12, 2017 , 12:32 pm<\/span>\n\t\t\t\t\t\t<\/p>\n<\/article>\n \n\t\t\t\t\t\t\tJuly 25, 2017 , 9:00 am<\/span>\n\t\t\t\t\t\t<\/p>\n<\/article><\/div>\n As part of its report,\u00a0Pen Test Partners also released a number of proof-of-concept (PoC) attacks where it demonstrated multiple techniques for disrupting the shipboard navigation systems. \u201cWe\u2019ve broken new ground by linking satcom terminal version details to live GPS position data,\u201d according to the report.<\/p>\n Munro said that the PoC flaws are the tip of the iceberg. Many more worse issues were uncovered. He said other bugs would be shared privately with vendors.<\/p>\n Forcing Ships Off-Course<\/strong><\/p>\n In one of the PoCs shared in the report, researchers noted that the electronic charts that are used to navigate, called\u00a0Electronic Chart Display and Information System (ECDIS), are a ripe target for hackers. They said the ECDIS is not difficult to hack and manipulate once an attacker breaches the vessel\u2019s network. And that\u2019s fairly simple to achieve because of an abundance of outdated OS and poorly protected configuration interfaces, researchers said.<\/p>\n \u201cWe tested over 20 different ECDIS units and found all sorts of crazy security flaws,\u201d Munro said. \u201cMost ran old operating systems, including one popular in the military that still runs Windows NT.\u201d<\/p>\n As hackable as it is, all too often, the ECDIS is left in charge of steering the ship, researchers said.<\/p>\n \u201c[ECDIS] can slave directly to the autopilot \u2013 most modern vessels are in \u2018track control\u2019 mode most of the time, where they follow the ECDIS course,\u201d Munro explained. \u201cHack the ECDIS and you may be able to crash the ship, particularly in fog. Younger crews get \u2018screen-fixated\u2019 all too often, believing the electronic screens instead of looking out of the window.\u201d<\/p>\n In one PoC example, once an adversary gained access to the shipboard IT infrastructure, a hacker could fool the ECDIS into thinking that the GPS receiver was in a different location on board. That would effectively spoof the ship\u2019s navigational systems\u00a0to believe the ship was in a different place on the water. The system could then automatically \u201ccorrect\u201d the course, thus sending the ship off into the wrong direction.<\/p>\n The team was also able to expand the perceived GPS footprint to make the ECDIS think the ship was a kilometer wide, wreaking havoc with anti-collision systems. The AIS transceiver, responsible for collision alerts, uses ECDIS data to not only send out the ship\u2019s location to other vessels if there\u2019s a perceived danger, but also for receiving the same data back. By tricking the system into thinking a collision is imminent, other ships could alter their own courses, jamming up shipping lanes.<\/p>\n \u201cOther ships\u2019 AIS will alert the ship\u2019s captain to a collision scenario,\u201d Hunt said. \u201cIt would be a brave captain indeed to continue down a busy, narrow shipping lane whilst the collision alarms are sounding.\u201d<\/p>\n The implications here are profound: \u201cBlock the English Channel and you may start to affect our supply chain,\u201d Hunt added.<\/p>\n The researchers also found that it\u2019s possible to hack the systems used to control the steering gear, engines, ballast pumps and more. These communicate using NMEA 0183 messages, which are sent in plaintext, with no message authentication, encryption or validation.<\/p>\n \u201cAll we need to do is man-in-the-middle and modify the data,\u201d Hunt said. \u201cThis isn\u2019t GPS-spoofing, which is well known and easy to detect, this is injecting small errors to slowly and insidiously force a ship off course.\u201d<\/p>\n Real-World Implications<\/strong><\/p>\n Barry Greene, principal architect at Akamai, said that a range of actors could make very good use of these kinds of attacks.<\/p>\n \u201cIt can be used (and most likely is being used) to track state intelligence interest,\u201d he told Threatpost. \u201cCriminal threat actors would look for ways to \u2018monetize.\u2019 If there is money, they will find a way to exploit. Corporate intelligence threat actors would (and most likely are) using these exploits to track competition. Activist threat actors would use it to track illegal shipping: banned animal products, weapons and human trafficking.\u201d<\/p>\n He added that there are other, less obvious consequences.<\/p>\n \u201cThe ugly part is logical consequences that are not being considered,\u201d he told us. \u201cThink about the current pirate situation in several parts of the world. These pirates can use this information for their intelligence. What would be the response when someone gets killed in the Straits of Malacca by pirates who are using these exploits to target their hits?\u201d<\/p>\n Further illustrating the real-world implications, Pen Test Partners has managed to link version details for ships\u2019 satcom terminals to live GPS position data, to establish a clickable map<\/a> where vulnerable ships can be highlighted with their real-time position (it\u2019s not updated however, thus ensuring it remains out of date and useless to hackers).<\/p>\n All Back to Password Hygiene<\/strong><\/p>\n In order to carry any of the above attack scenarios out, threat actors would need to gain access to the vessel networks in the first place. Unfortunately, that proves to be fair simple as well, given that satcom terminals on ships are available on the public internet. Many have default credentials, Hunt explained, admin\/1234 being the most common. And failing to set a strong administrative password opens the door to a raft of security issues.<\/p>\n \u201cIt\u2019s an easy way to hijack the satellite communications and take admin rights on the terminal on board,\u201d explained Munro.<\/p>\n Looking into a Cobham (Thrane & Thrane) Fleet One satellite terminal, Munro found a number of exploitable flaws. For starters,\u00a0the admin interfaces communicate via insecure telnet and HTTP. They also lack firmware signing, making it possible to edit the entire web application running on the terminal.\u00a0There is also no rollback protection for the firmware, so a hacker could elevate privilege by installing an older, more vulnerable firmware version. Lastly, the administrator interface passwords are embedded in the configurations, hashed with unsalted MD5.<\/p>\n All of these flaws (again, easily fixed with a strong password) offer routes into the vessel\u2019s network; and, thanks to a general lack of network segregation on board most ships, attackers can likely easily pivot to the navigation system, Munro pointed out.<\/p>\n Mitigation<\/strong><\/p>\n Like all sectors, getting serious about the risk to their industry should be on the to-do list of vendors and shipping companies alike. However, that\u2019s easier said than done.<\/p>\n \u201cHopefully, these findings will encourage action, but the reality is that most people who need to know about this risk within the shipping\/container\/port industry may not hear about this report,\u201d said Greene. \u201cThey live in their own specialized community\u2026There is a whole industry built around the shipping industry who never thinks about security<\/a>. They are thinking, \u2018how do I build this function to manage the container lift during the time it is pulling the container off the\u00a0ship.’\u201d<\/p>\n A good place to start, he added, is for shipping companies to pull in vendors for meaningful security conversations. \u201cTheir security interest would wake up the vendor to put security on the top of their list,\u201d Greene explained, adding that shipping companies should make use of their existing resources.<\/p>\n \u201cTheir number one security talent is the specialist within their organizations,\u201d he said. \u201cThey know their industry. They know their business. CxOs should take those teams, pull them off to the side for a couple of days and have them \u2018think like hackers.\u2019 They will come back with a list of security priorities that would be better tuned to the shipping\/container\/port industry.\u201d<\/p>\n<\/div><\/div>\nRelated Posts<\/h3>\n