Blog: Maritime Cyber Security

Hacking 20 different ECDIS units and crashing ships

Ken Munro 19 Jul 2016

ECDIS: Electronic Chart and Display Information Systems.

For those not familiar with the maritime sector, ECDIS are the shipping equivalent of your car’s sat-nav: a highly accurate charting system on the ship’s bridge that helps direct the autopilot, among many other features.

These systems save hours of manual navigation work, and updates to charts are electronic rather than literally sticking paper updates on to old paper charts.

In low visibility conditions, the ECDIS and radar are essential for navigation. Experienced seafarers will use the ECDIS as an aid to navigation, cross checking by looking out of the bridge windows and perhaps even using a sextant. However, newer generations of ships’ officers are often ‘screen-fixated’ and trust the technology implicitly. This trust can easily be subverted, as devices can be hacked, leading to navigational disasters.

Ships cannot legally sail without up-to-date charts. Increasingly, paper charts are no longer carried aboard, with ships perhaps relying on dated ‘get you home’ charts for emergencies. If the ECDIS is hacked and unusable, the ship may not be able to sail. Instant, significant financial loss.

However, more insidious would be the introduction of fake changes, such as moving the chart datum or misplacing the ship on the chart. Reef? What reef?

So, with all that in mind, we set out to look at the security of nearly every ECDIS on the market. How good or bad was their security?

Short Answer: off the scale bad

That’s not us being alarmist. ATMs are known for running out-of-date software. By comparison, the ECDIS we tested were >5 years MORE out of date than the average ATM!

Longer answer: nearly every ECDIS we tested ran an out-of-date, unsupported operating system. That means security flaws found will NEVER be fixed by the operating system manufacturer. That led to trivial security exploits that any low-skill hacker could easily exploit. These aren’t high skill vulnerabilities; it would take a few minutes with free tools to hack the ECDIS.

Most of the ECDIS we tested had open, unsecured USB ports. Crew often charge their smartphones from these USB ports. That’s a sure-fire way to introduce malware.

The USB ports often had network interfaces available, making compromise easy.

Numerous unnecessary ports and services were available. Many of these were easy to exploit.

Issues we found

Aside from the out of date operating systems and USB issues, we also found some security issues specific to individual ECDIS.

OT and serial networks

Whenever an ECDIS control unit runs serial to IP convertors, there are opportunities to exploit it. Also, as serial cabling isn’t as efficient as an IP network for sending OT data round a vessel, there will be other places where serial to IP convertors are used.

The convertor takes in serial data and sends it out over an IP network; a second convertor at the outstation (e.g. the engine control room) then converts it back to serial data. Convertors need to be securely hardened against attacks by changing the default passwords. However, we’ve found many, many default passwords still in place.

Unprotected network interfaces

Several of the ECDIS we tested presented interfaces to the ship’s network that were easy to compromise. These included undocumented web servers, database services and file transfer mechanisms.

Using a web server interface on one ECDIS, we discovered a configuration interface with an undocumented default password. Reading the vendor’s manuals, we could find no mention of this password nor any advice to change it.

From this, we could reconfigure the vessel and make it appear to be at a different location:

Another ECDIS presented a database connector service from which one could edit the contents of the digital charts. Fancy removing a reef from a chart?

A different ECDIS had a significant security flaw in the ECDIS application itself. It was trivial to edit or reconfigure any aspect of the ECDIS software and digital charts it displayed.

ECDIS security

An ECDIS is usually just a desktop computer. It may have a rugged case, screen and keyboard, but it is fundamentally just a PC.

Just like any computer, it requires updates to be applied to the underlying operating system, to its ECDIS software and to the digital charts. If any of those are omitted for any period of time, cyber security vulnerabilities creep in.

ECDIS are increasingly being connected to vessel networks to facilitate online chart updates, integration with other bridge systems and remote maintenance. Security flaws that did not matter so much in the past through a lack of connectivity are now becoming very important.

Even having dual redundant ECDIS on the bridge is no guarantee of availability: during research we discovered similar security flaws on multiple ECDIS brands. A hacker would have little difficulty in compromising both.

ECDIS USB security

The ECDIS system case must be kept in a robust locked cabinet to which only senior personnel have access. It should not be possible for other personnel to access the system case or any of the USB and network ports on it.

A source of several ECDIS security incidents has been from crew charging smartphones from the USB ports. Phones that have not been kept up to date may already be infected with malware.

Many ECDIS have USB ports present on their keyboards, as shown in the example below. Operators frequently report that, despite multiple ‘safe’ USB charging points being made available on the bridge, crew still charge phones from the ECDIS.

With this in mind, seriously consider installing USB port blockers such as the below. Whilst they are not difficult to remove, they do provide a visual deterrent to casual charging.

If the crew persist in charging from ECDIS USB, you may consider gluing the blocker into the USB port. Bear in mind that chart updates can still be applied by opening the ECDIS cabinet and inserting clean USB keys directly into the system case USB ports.

System updates and hardening

It is imperative that the ECDIS computer is subject to regular updates to its operating system. During vessel security audits, we have discovered ECDIS still running Windows NT, an operating system so old that Microsoft stopped supporting it in 2004! That means that any new security flaws in the software will NEVER be fixed.

Windows XP and Windows 7 are also commonly found on bridge systems. Even as recently as April 2018, Microsoft released updates for 22 vulnerabilities rated ‘critical’. These updates must be applied, as hackers will quickly ‘reverse engineer’ the updates and work out how to exploit the security flaw.

Not all ECDIS are based on Microsoft operating systems. A smaller subset of vendors use Linux based operating systems, which require updating in just the same way.

Whilst downloading updates at sea over satellite can be expensive, the operator should determine how critical a new patch is to their systems. Truly urgent patches, such as the ‘Heartbleed’ flaw from 2014, would merit the expense of patching whilst at sea, though most could likely wait until the next port of call and updating over shore Wi-Fi.

All computers should be subject to ‘hardening’ during installation. This describes the process whereby a computer is configured to be as secure as possible; it should deliver the minimum functionality needed to fulfil its role as an ECDIS. For example, one would not expect Microsoft games to be present on an ECDIS, nor would one expect administrator passwords to be blank or simple.

The Center for Internet Security publishes free CIS Benchmarks which offer good practice guides and checklists for hardening systems. Their web site is at www.cisecurity.org
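The ‘minimum functionality’ check described above, applied to the unnecessary web, database and file transfer services noted earlier, can be automated during an audit. The following is an added example and not code from the original article: it parses Windows `netstat -ano` output and reports every listening service that is not in an approved baseline. The sample output, the port numbers and the baseline are constructed for illustration and describe no real ECDIS product.

```python
# Added example: audit listening sockets on a bridge PC against a baseline.
# SAMPLE_NETSTAT and BASELINE are constructed values, not real ECDIS data.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       1234
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       888
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:5432         0.0.0.0:0              LISTENING       2100
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING       1500
  TCP    192.168.10.5:49712     192.168.10.9:10110     ESTABLISHED     3000
  TCP    [::]:3306              [::]:0                 LISTENING       2200
  UDP    0.0.0.0:10110          *:*                                    3000
"""

# Hypothetical approved baseline for this unit: (protocol, port) pairs.
BASELINE = {("UDP", 10110)}
LOOPBACK = {"127.0.0.1", "::1"}

def parse_listeners(netstat_text):
    """Yield (proto, address, port, pid) for each listening or bound socket."""
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] not in ("TCP", "UDP"):
            continue  # header or blank line
        proto, local, pid = fields[0], fields[1], fields[-1]
        if proto == "TCP" and fields[3] != "LISTENING":
            continue  # established connections are not exposed services
        address, _, port = local.rpartition(":")  # also handles [::]:3306
        yield proto, address.strip("[]"), int(port), int(pid)

def audit(netstat_text, baseline=BASELINE):
    """Return services outside the baseline, network-reachable ones first."""
    findings = []
    for proto, address, port, pid in parse_listeners(netstat_text):
        if (proto, port) in baseline:
            continue
        exposure = "local-only" if address in LOOPBACK else "network"
        findings.append({"proto": proto, "port": port,
                         "pid": pid, "exposure": exposure})
    return sorted(findings,
                  key=lambda f: (f["exposure"] != "network", f["port"]))

if __name__ == "__main__":
    for f in audit(SAMPLE_NETSTAT):
        print(f"{f['proto']}/{f['port']} pid={f['pid']} {f['exposure']}")
```

Each finding carries the owning PID so the service can be traced to a process and either removed, disabled or added to the documented baseline.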