Hacking Serial Networks on Ships

Three different ways to intercept and modify serial data on ship networks. The serial data that controls steering, engine control and so much more on board ship…

How-to

Vessels typically have two distinct networks on board; one IP/ethernet network for business systems, crew mail & web browsing and a serial network for the operational technology (OT) systems, including steering, propulsion, ballast and navigation data, among many.

We’ve shown before how it’s relatively straightforward to compromise the business network through the satcom terminal if basic security controls aren’t in place. However, affecting the OT systems requires additional work.

We know serial network security well from our years of experience in utilities; some of our team used to run ICS security at UK power and water companies.

Serial datacomms usually follow RS232, RS422 or RS485. So long as you’re at the right point on the network, it’s usually trivial to intercept and tamper with the data, almost invariably invisible to the crew.

Crossing the streams: bridging the networks

How do you get from the IP network to the serial network? You need to find bridging points where one network device deals with both IP and serial.

There are plenty on board: the ECDIS, Voyage Data Recorder, serial-IP convertors, synthetic radar, sometimes BNWAS, ocasionally the AIS transponder. There are often many more.

Here’s a serial interface inside an ECDIS case. It was simply a Windows PC. Windows XP, so trivial to exploit and take control of the serial COM ports after taking control from the IP network

In the video, we look at exploiting the serial to IP convertors.

Exploiting convertors

Moxa, Perle and other serial to IP convertors are used to send serial data over IP/ethernet networks cabling. This can reduce cabling cost and can also offer better signal strength compared to pure serial networks.

In the video we showed three issues:

Default convertor passwords

Serial to IP convertors usually have a web interface for configuration. The default credentials are usually admin/superuser, superusr/<blank> or admin/<blank> in the case of Perle and usually admin/moxa, admin/admin or admin/<blank> in the case of Moxa convertors. These are published by the manufacturers on their own web sites!

Once you’ve got the password, you can administrate the convertor. That means complete compromise and control of the serial data it is sending to the ships engine, steering gear, ballast pumps or whatever.

Exploitable convertors

There’s an interesting security flaw in some Moxa convertor firmware. An exploit is available in the Metasploit security exploit framework. The vulnerability is referenced as CVE-2016-9361 and allows the hacker to recover the admin password, EVEN IF IT HAS BEEN CHANGED!

Man in the Middle attacks, changing the ships direction

That’s what we show in the video demo. We take the GPS data stream and modify it once it’s on the serial network.

By ARP poisoning on the network, the serial traffic is routed through our attack laptop. We’re using ettercap for simplicity.

We simply inject a filter and modify the GPS location data being fed to the ECDIS.

This is an insidious hack as we aren’t injecting obvious gross errors.

If the ECDIS is in ‘track control’ mode whereby it directs the autopilot, then the hacker can fool it and cause the ship to change direction.

If the crew are alert, then they should pick it up and take control, but they are being presented with exactly the same tampered position data as the automated systems…

The data stream conforms to NMEA0183, which we’ve written about extensively.

Mitigating this attack

First, it’s critical that vessel networks are segregated. This applies to both the IP and serial networks. Serial networks are often overlooked as there are often different teams responsible for IT and OT networks.

My experience from utilities suggests that IT and OT network personnel often don’t work together closely, leading to misunderstandings and allowing security holes to creep in

Then, passwords for serial devices must be changed from default.

Many newer serial to IP convertors support SSH or similar traffic encryption, making MITM much more difficult. Enable and configure encrypted communications

Finally, serial device software must be kept up to date and patched against security flaws.