I’m a cybersecurity consultant, tech writer, and a regular columnist for InfoSec Insights.
Better late than never seems to be the motto being followed by the International Maritime Organization (IMO), which issued a deadline of January 2021 to shipowners and operators to address cyber risks in existing safety management systems (SMS). In 2013, Trend Micro, a cybersecurity firm in Japan, demonstrated how the automatic identification system (AIS), used by ships to broadcast their identity and position, could be manipulated and compromised. Besides AIS, which continues to be unencrypted and loaded with security flaws, the rest of the OT infrastructure used in the maritime industry hasn’t kept up with evolving cyber risks either. Let’s take a closer look at some of the systems that can potentially come under attack.
Cyber Risks in the Maritime Industry
When we’re talking about cyber risks in the maritime industry, we need to consider not only information security risks that compromise the confidentiality, integrity, and availability of data but also risks to operational technology (ICS/SCADA) systems. Some of the systems that might get impacted are as follows:
- Navigation systems (ECDIS, Radar, GPS, etc.) can be manipulated using jamming and spoofing techniques.
- Communication systems (sat link, AIS, GSM, etc.) can be targeted by attacking the wireless link.
- Loading and stability of the ship can be modified by manipulating EDIFACT messages, which can destabilize ships, cause delays at ports, change price details, etc.
- Global Maritime Distress and Safety System (GMDSS) sends or receives distress alerts from ship-to-shore, shore-to-ship, and ship-to-ship. According to IOActive, terminals running on the insecure ThraneLink protocol are prone to attacks.
- Ship and crew networks are often not properly segregated and can be compromised via email, social engineering attacks, malware downloads, etc.
- Sensors (temperature, pressure, level, current, anemometer, etc.) connected to the shipboard LAN, if compromised, can lead to misrepresented data on the ship’s Electronic Chart Display and Information Systems (ECDIS).
- Third-party updates and remote access for shoreside service providers can also serve as attack vectors.
Figure 1: Working principle of AIS; Image Source: https://aulanautica.org/wp-content/uploads/2015/03/TEMARIO-PY-140.jpg
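A defender-side plausibility check for the AIS and GPS spoofing risk listed above, added here as an example (it is not code from the original article or from the research it cites): it flags position reports that imply a speed no vessel could reach. The `Report` fields, the 50-knot ceiling, and the sample track are assumptions made for the illustration.

```python
import math
from collections import namedtuple

# Decoded AIS position report. Field names are assumptions for this example.
Report = namedtuple("Report", "mmsi ts lat lon")  # ts = Unix seconds

EARTH_RADIUS_NM = 3440.065  # mean Earth radius in nautical miles
MAX_SPEED_KN = 50.0         # assumed plausibility ceiling; tune per vessel class

def distance_nm(lat1, lon1, lat2, lon2):
    """Great-circle (haversine) distance in nautical miles."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dlon = math.radians(lon2 - lon1)
    a = math.sin((p2 - p1) / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_NM * math.asin(math.sqrt(a))

def find_implausible_jumps(reports, max_speed_kn=MAX_SPEED_KN):
    """Return (mmsi, ts, implied_knots) for each report that the vessel could
    not have reached from its last accepted position."""
    last_good, alerts = {}, []
    for r in sorted(reports, key=lambda rep: rep.ts):
        if not (-90 <= r.lat <= 90 and -180 <= r.lon <= 180):
            continue  # no usable position in this report
        prev = last_good.get(r.mmsi)
        if prev is not None:
            dist = distance_nm(prev.lat, prev.lon, r.lat, r.lon)
            hours = (r.ts - prev.ts) / 3600.0
            if hours > 0:
                speed = dist / hours
            else:  # same timestamp: any displacement is impossible
                speed = math.inf if dist > 0 else 0.0
            if speed > max_speed_kn:
                alerts.append((r.mmsi, r.ts, speed))
                continue  # keep comparing against the last accepted fix
        last_good[r.mmsi] = r
    return alerts

# Constructed sample track (MMSIs and coordinates are made up).
SAMPLE = [
    Report(123456789, 0,    35.00, 139.00),
    Report(123456789, 600,  35.03, 139.00),  # about 10.8 kn, plausible
    Report(123456789, 1200, 36.50, 139.00),  # about 88 nm in 10 minutes
    Report(123456789, 1800, 35.06, 139.00),  # back on the real track
    Report(987654321, 0,    51.90, 4.10),
    Report(987654321, 600,  51.92, 4.10),
]

if __name__ == "__main__":
    for mmsi, ts, knots in find_implausible_jumps(SAMPLE):
        print(f"MMSI {mmsi} at t={ts}s: implied speed {knots:.0f} kn")
```

The check trusts the first report it sees for each MMSI, so it should be seeded from a position confirmed by another source such as radar.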
Even without manipulating signals, sending phishing emails, or hacking into these systems using various channels, an attacker can collect a lot of information about their target merely by searching the internet. This information can be put to good use in the later stages of an attack.
Leveraging OSINT to Gather Ship Data
Shodan is a powerful search engine for IoT devices. It can not only find VSATs, comm boxes, etc. but also list open ports on these devices and vulnerabilities based on their technology stack. The screenshots below are from a Very Small Aperture Terminal (VSAT) device that discloses information such as the exact location of the ship, the vessel’s name, etc. Entering the latitude and longitude information on Google Maps pulls up the image of the ship at sea, nearby ports, etc.
Figure 2: VSAT Dashboard of a Ship
The user login and administration screens can also be accessed. A simple Google search can be used to find the default credentials (admin/1234, in this case). Considering that most of these devices do not use SSL certificates, do not update their software versions, or run on outdated hardware components, there is a fair chance that many of them still use the default login credentials.
Figure 3: Login Screen
Figure 4: A CommBox with network config information revealed by hovering over the VSAT tab.
Figure 5: Vulnerability list and open ports from a VSAT on Shodan
Figure 6: Ship Details
Figure 8: MyShip Portal
Figure 7: Crew member listing