Hacking vessel satcoms
Poorly protected systems still causing concern.
Hack of shipping satcoms – Ken Munro
Shipping is now always-on, connected through VSAT, GSM/LTE and even Wi-Fi. There are numerous systems with crew internet access mashed up with electronic navigation systems, ECDIS, propulsion, load management, etc., providing multiple touchpoints.
We wanted to explore how susceptible commercial ships are to attack by exploiting information in real time and so began by looking at satcom terminals. If we could use OSINT (Open Source Intelligence) it should be possible to discover targets in real time (meaning real ships and real crew members).
Big brands in the maritime satcoms space, such as Inmarsat, Telenor and Cobham, can be located using a website database called www.shodan.io. Search for ‘org:"Inmarsat Solutions US"’ and you’ll see plenty of logins for Globe Wireless over plain text HTTP, also an earlier branding as ‘Rydex’. Globe were bought out and rebranded as Inmarsat in 2013, so you can date the comm box by the brand alone. Most of these are very old, undoubtedly running dated firmware.
The Cobham ‘Sailor 900’ system is a bit more interesting from an information disclosure perspective. Search ‘title:"sailor 900"’ and you’ll get the satellite antenna detail unauthenticated. To make changes or do malicious things, one needs to authenticate as an administrative user. The default login is predictably admin/1234. TLS on the login was missing, but it gets worse: we can now see the vessel name, and below the login is the following: ‘Show Users’. Clicking this allows us to pull up a list of all the crew onboard who are online in real time. We could also track the ship from AIS. At that point in time it was in the Malacca Strait, heading for Tubarao in Brazil.
Searching for ‘html:commbox’ allowed us to see a nice collection of KVH CommBox terminals. This is where things got a bit silly. Yes, missing TLS on the login, but it got worse. On the bottom right we could see the vessel name. A moment on Google and we had the Facebook profile of the deck cadet who we had spotted using the commbox. This poor chap is ripe for a phishing attack as we know pretty much everything about him. Simple phish, take control of his laptop, look for a lack of segregation on the ship network and migrate on to other more interesting devices. Or simply scrape his credentials to the commbox and take control that way.
This should be of real concern to the shipping industry as it could potentially see an attacker take control of onboard systems. So what needs to be done?
• TLS needs to be in place on satcom boxes. How can this be still missing on live devices today?
• Password complexity is a must, particularly for high privilege accounts.
• These boxes must be updated as a matter of urgency. It’s simply not acceptable to leave vanilla firmware in place.
• There are many routes on to a ship, but the satcom box is the one route that is nearly always on the internet. Start with securing these devices, then move on to securing other ship systems.
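As an added example (not part of the original article or any vendor's tooling), a fleet operator could run a check like the following over unauthenticated responses collected from terminals they own, covering the missing-TLS, pre-login disclosure and dated-branding points above. The function names, sample responses and 192.0.2.x addresses are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Branding the article ties to units that predate the 2013 rebrand.
LEGACY_BRANDS = ("globe wireless", "rydex")
PASSWORD_FIELD = re.compile(r"<input\b[^>]*type\s*=\s*[\"']?password", re.I)


def audit_response(url, status, headers, body):
    """Return findings for one unauthenticated response from a terminal you operate."""
    findings = []
    scheme = urlsplit(url).scheme.lower()
    headers = {k.lower(): v for k, v in headers.items()}
    location = headers.get("location", "").lower()
    # A plain-HTTP listener is acceptable only if it immediately redirects to HTTPS.
    upgrades = status in (301, 302, 307, 308) and location.startswith("https://")
    lowered = body.lower()

    if scheme == "http" and not upgrades:
        findings.append("management interface answers over plain HTTP")
        if PASSWORD_FIELD.search(body):
            findings.append("login form submits credentials without TLS")
    if status == 200 and "show users" in lowered:
        findings.append("user list link exposed before authentication")
    for brand in LEGACY_BRANDS:
        if brand in lowered:
            findings.append(f"legacy branding '{brand}' dates the unit to before 2013")
    return findings


# Constructed sample responses (not captured from any real device).
SAMPLES = [
    ("http://192.0.2.10/", 200, {"Server": "example"},
     "<title>Globe Wireless</title><form><input type='password' name='p'></form>"),
    ("http://192.0.2.11/", 200, {},
     "<h1>MV EXAMPLE</h1><form><input type=password></form><a href='/u'>Show Users</a>"),
    ("http://192.0.2.12/", 301, {"Location": "https://192.0.2.12/"}, ""),
    ("https://192.0.2.13/", 200, {}, "<form><input type=\"password\"></form>"),
]


def audit_fleet(samples=SAMPLES):
    """Map each URL to its findings; an empty list means nothing was flagged."""
    return {url: audit_response(url, st, hd, body) for url, st, hd, body in samples}


if __name__ == "__main__":
    for url, findings in audit_fleet().items():
        print(url, "->", findings or "ok")
```

Password strength and firmware version cannot be judged from a login page alone, so those two recommendations still need a check against each terminal's configuration and the vendor's current release.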
Ken Munro, partner in Pen Test Partners (www.pentestpartners.com), is a respected security researcher who regularly investigates and discloses issues in an attempt to improve security practice. You can follow him on Twitter via @thekenmunroshow.