Security of “Internet of Ships” fails at basic level, analyst claims

Ships are a kind of industrial control system (ICS) according to Ken Munro , a security researcher with UK-based Pen Test Partners. In a blog post summarizing a talk he gave at a conference in Athens, Greece, Munro detailed how easy it was to hack into ships’ communication systems. Ships used to run on “dedicated, isolated networks,” which was an excellent defence against online attacks. But today ships were increasingly connected to the global Internet of things, and therefore were at serious risk from online attacks, Munro said.

He claimed that a combination of VSAT, GSM/LTE, ordinary Wi-Fi, crew’s internet access, combined with electronic navigation systems, ECDIS, propulsion, load management and numerous other complex, custom systems, constituted “a recipe for disaster”.

Using Shodan, a search engine that indexes internet connected devices, Munro found marine equipment all over the world. For one major company he said that he found, “plenty of logins for the Globe Wireless over plaintext HTTP,” along with evidence that the firmware of many of their older comm boxes was “dated”. He claimed that the Cobham Sailor 900 satellite antenna was protected from a malicious attacker by nothing more than the username and password combination “admin” and “1234” respectively.

Munro said that some KVH terminals not only lacked TLS encryption on the login, but also included the name of the vessel plus an option to “show users”, which provided a list of the members of the crew online. He added that it was no more than a moment on Google to find the Facebook profile of a deck cadet he saw was using the commbox. It would be a “simple phish” to take control of his laptop, look for a lack of segregation on the ship network and migrate from there to other “more interesting” devices.

Munro said that ships should start with the basics. There were many electronic routes into a ship’s systems, but the satcom box was the one route that was nearly always online. Start with securing these devices, and then move on to securing other ship systems, Munro concluded.

https://www.pentestpartners.com/security-blog/osint-from-ship-satcoms/