Ethical hacking firm, Pen Test Partners, published a blog earlier this week detailing how simple it is to hack container ships to access the serial ports and networks. The blog discusses three different ways to intercept and modify serial data on ship networks – the serial data that controls steering, engine control and much more.
Adam Brown, Manager of Security Solutions at Synopsys:
“Ships, just like cars, medical devices and business systems, all run on software; and the software producers make common mistakes. Those mistakes can, and do lead to critical security and safety failings. Some industries are more aware of this than others, as we saw in our latest BSIMM report. However, it seems that the maritime industry may be behind.
Ken and his team are adept breakers, and show several ways to break into a navigation system on a ship. While not on an actual ship, he has to assume that two of these attacks are possible (and they likely are). Those attacks are: his man in the middle attack – this requires a physical device placed between the GPS antenna and the navigation system, and his network based breach relying on the navigation system using the normal IP network on the ship.
An adversary who wanted to cause a disaster could use this kind of attack to ground or wreck a ship. Anyone who has sailed in open seas knows that large ships have a very long reaction time – often miles and miles. They also know that autopilots steer the vessel most of the time, and that the officer on watch won’t necessarily ‘watch’ all the time. In fact, last year a Dutch ship ‘Ruyter’ was grounded due to a boozy watchman not paying attention! With the navigation system in complete control most of the time, and little attention paid, there is a great opportunity for an adversary to steer the ship into trouble – even remotely.
The attacks demonstrated are not new and would be prevented with proper security policies and processes aboard. Devices manufacturers and ship IT infrastructure architects can also be held to account to apply better security practices to prevent security bugs and flaws like those exploited by Ken. There is no one product or activity to prevent this, only a deliberate software security initiative would address all of these things properly.”