Blog: Maritime Cyber Security

Hacking floating hotels. Cruise ship compromise on the high seas

Tony Gee 30 Jan 2019

Modern cruise ships have all the amenities of a large resort hotel. Prior to entering the infosec space, I spent 5 years working in hotels. My experience of the security of both hotels and shipping indicates that the mix is not a good one for security.

What’s the difference between a hotel and a cruise ship? Well, firstly it moves, which affects the physical security model significantly. Cruise ships use industrial control systems for propulsion, navigation, generation etc. This provides a different dimension to a hack: turn the power off on a hotel and you have an irritation. Turn the power off on a cruise ship and it will float uncontrolled until it hits something or a tug arrives. Or it runs out of fresh water, or sewage treatment, or air cooling.

Cruise ships, unlike most hotels, have very complicated networks: passenger Wi-Fi, crew, bridge ICS, bridge IT, corporate IT, PMS, entertainment, satcom etc. Network ports are often found in exposed areas, giving potential for accidental or rogue compromise of sensitive networks.

But how does all that affect the ability to hack it?

Having worked in hotels for many years I know that hotel staff typically don’t have a strong technical understanding and are naturally focused on guest relations. This can lead to staff bending rules to either help the customer or even in some isolated cases benefit themselves. We see crew selling or giving away their own wireless internet access to guests.

I was recently staying at a hotel and the guest wireless wouldn’t work and the phone signal was poor, so I spoke to reception and they simply gave me the password for the staff wireless, with all the billing systems attached to it. On ships it is common for staff to run out of data allowance and so share credentials or (worse still) try to access unmetered internet connections such as the bridge networks!

Tracking and hacking ships

We know we can use Automatic Identification System (AIS) to provide realtime location information. If it is travelling between ports we can even see destination details and ETA.

We can find the location of the ship, but what we want is GPS and Satcom; we have talked about that extensively in the container ship world. The important point to stress here is that just because the ship carries people rather than cargo does not mean the pressures on the captain to keep services running, rather than wasting time performing an upgrade that could break navigation systems, are any less. It is perhaps more likely that there is even less time at port to perform upgrades to security!

We know we can use Shodan to find vulnerable ships, but what is interesting about cruise ships as opposed to container ships is the need for customer-based communications. The clients demand access to the internet and they demand wireless on board, and this is combined with so many more potential attackers on board. Most cruise ships have thousands of customers onboard, then hundreds of staff. Compare this to a container ship where there are fewer than 40 staff onboard and you can start to see the likelihood of compromise increase.

This means internal networks need to be even more secure than your average ship. Customers have time and opportunity to try to compromise your wireless. How secure is your network separation? Is there much to stop your customers or staff from accessing the networks running the telemetry and navigation then performing serial to IP attacks to crash the ship? Who is responsible when the cruise ship crashes if the captain is using the tools provided by you in the correct way, but they are wrong?

Mixing the security of complicated and sensitive networks with a floating hotel full of guests with time on their hands is a challenge.

Access security

Hotel rooms are protected by door access cards, whether mag stripe or RFID. My colleague Ken Munro investigated mag stripe keycard security back in 2006, presenting his work at GCHQ where he showed how easy it was to bypass some keycard systems to access rooms and clone PMS billing cards. More recently, F-Secure showed different techniques by which RFID key cards can be compromised using easily obtained cloners: either a mag stripe reader/writer or a Proxmark RFID cloning device.

However, it gets much worse when considering cruise ships. Cruise ships are usually cashless environments; you top up your account at reception and the very same card you use to open the door also charges to your room account. Free beers all round! And customers’ rooms broken into and valuables stolen?

To combat the risk of customers losing valuables, cruise operators provide in-room safes, the very same types that hotels install. With the same vulnerabilities: default PINs, commonly 999999 or 000000 among others, accessible reset buttons to unlock, etc. 10 seconds of YouTube searches and you will find thousands of videos on how to defeat the safe locks. I remember having to override smart safe PINs in my days working front-of-house in hotels. I also remember having to have older key-operated safe locks drilled!

Cruise ships dock at ports for day tours and virtually all the guests leave, leaving their rooms empty and vulnerable. One simply needs to clone a master key (or use an attack like Ken or F-Secure demonstrated), gain access to all the rooms, open the safes and steal all the valuables then make off when the customers are boarding. Just how confident are you in your gangplank security measures? Are you certain that everyone boarding is a legitimate guest? How about you actually try to board one of your vessels unauthorised? Put on a hi vis jacket and hardhat and a forged ID badge – you might be surprised how easy it is for you to bluff your way in.

The future – smart cabin lighting & kids trackers?

Finally, have you considered what smart technology you are deploying to the suites: smart TVs, smart cabin room control, voice recognition assistants etc.? Have you considered the impacts to your wider network from this?

Even room lighting can be an attack vector – modern LED light fittings can be powered over shared ethernet network cabling. That usually routes back to centralised control systems, to the light switches, to smart room controls. Did anyone ever check if a rogue passenger could connect to a cabin light & cabin control network, to be certain it didn’t link into more critical vessel control systems?

Newer ships also have the ability to track your children with Bluetooth trackers embedded into the access token (in this case an RFID band), such as the MSC for Me, which allows you to track your children with the Bluetooth sensors around the ship, but also open the rooms, make payments and navigate your way around the ship. It’s worth reading our work on compromising smart GPS trackers for kids – who exactly are you allowing to view the location of passengers’ children?

All of these systems use sensors around the ship to identify users. These sensors are connected to corporate networks, but they are also converging end user mobile devices on to these networks, potentially creating vulnerable points of access. Smart TVs in suites allow customers to play their own content and yet the TV is usually connected to a wider entertainment network. As you move to providing more and more end user controllable features, are you actually increasing the risk that passengers may compromise your critical networks?

Advice

Unlike hotels, cruise ships have two distinct risks that need to be understood and mitigated: compromise of the ship’s navigation systems and services, and compromise of the clients’ information and valuables. Neither is particularly palatable but both can be mitigated fairly easily.

Cruise operators should look to segregate their networks and verify this segregation. Keep systems and services up to date, and use strong passwords that aren’t reused or easily recovered. This will need to extend to the hotel elements: door card and bracelet systems should be updated to run the latest software, risks should be identified and verified, charges should be validated with customers, and safes should have all default PINs changed. Keep it simple!
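
One way to start verifying segregation on paper is to check whether any chain of permitted flows links a guest-facing network to a bridge network. The sketch below is an added example, not code from the original post: the zone names follow the networks listed in the article, while the flow rules, the `find_violations` helper and the choice of untrusted and critical zones are all constructed assumptions.

```python
from collections import deque

# Constructed sample: permitted flows (source zone -> destination zone), as
# they might be summarised from firewall and VLAN configuration. Zone names
# follow the networks named in the article; the rules themselves are invented.
ALLOWED_FLOWS = [
    ("passenger_wifi", "entertainment"),
    ("cabin_control", "entertainment"),  # smart TV / lighting controllers
    ("entertainment", "corporate_it"),   # content updates
    ("corporate_it", "pms"),
    ("crew", "corporate_it"),
    ("corporate_it", "bridge_it"),       # the rule that breaks segregation
    ("bridge_it", "bridge_ics"),
    ("bridge_it", "satcom"),
]
UNTRUSTED = {"passenger_wifi", "cabin_control"}   # assumption: guest-facing
CRITICAL = {"bridge_it", "bridge_ics", "satcom"}  # assumption: vessel control


def find_violations(flows, untrusted, critical):
    """Return {(src, dst): path} for every critical zone reachable, directly
    or through intermediate zones, from an untrusted zone."""
    graph = {}
    for src, dst in flows:
        graph.setdefault(src, []).append(dst)
    violations = {}
    for start in sorted(untrusted):
        parent = {start: None}
        queue = deque([start])
        while queue:  # breadth-first search, so each path found is shortest
            zone = queue.popleft()
            for nxt in graph.get(zone, []):
                if nxt not in parent:
                    parent[nxt] = zone
                    queue.append(nxt)
        for target in sorted(critical & set(parent)):
            path, node = [], target
            while node is not None:  # walk back to the starting zone
                path.append(node)
                node = parent[node]
            violations[(start, target)] = path[::-1]
    return violations


if __name__ == "__main__":
    found = find_violations(ALLOWED_FLOWS, UNTRUSTED, CRITICAL)
    for (src, dst), path in found.items():
        print(f"VIOLATION {src} -> {dst}: " + " -> ".join(path))
```

This only audits the rules as documented; the result still needs confirming by testing from the passenger and cabin networks themselves, since ports in exposed areas and undocumented links will not appear in any rule list.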