Hacking Floaty Things
In July 2019 the U.S. Coast Guard issued a safety alert
urging civilian mariners to get their cyber-poop in a group, encouraging the most basic of cyber-opsec on ships and supporting computer systems. Apparently a large international freighter ship heading for New York and New Jersey experienced “degraded” computer systems due to “significant malware attack.” The alert indicated that only standard IT systems were affected, and no control systems had been compromised. More on that in a minute.
The recommendations are positive and should be followed by all. They even point out that “most crewmembers didn’t use onboard computers to check personal email, make online purchases or check their bank accounts…” Well I guess it’s good that most crewmembers didn’t. I would expect otherwise, so let’s celebrate the small stuff.
(Image borrowed from TSA.gov)
Attacking with a Purpose
When taking control of computer systems, we talk a lot about end-goals, attack vectors, gained access, and impacts. End-goals are the things we are trying to achieve, such as vehicular control, UI compromise (for hacking the human), or perhaps sensitive data access. Attack vectors are the ways we (as attackers) are able to influence and/or interact with the target systems, such as Wireless attacks, Physical attacks, or Internet-based attacks. Gained access is any additional value we have obtained from a successful attack; some examples include code-executing on a computer system we did not previously control, and credentials/ssh private keys, and source code to a target application. These can be considered “small victories” or intermediate steps in the larger attack plan. Impacts are the weighted meaning of the access gained from an attack, in the context of the system and our end-goals.
When attacking vehicular control systems, we at GRIMM evaluate many combinations of attacks which could result in our end-goals (eg. control-system compromise). For instance, we ask ourselves, “how do we gain control of the rudder, ballasts, engines, clutch/gearbox?” For engagements where vehicular control is not in scope, we look at other systems with value; sometimes the HVAC or other connected control systems prove worthy target, because they influence mission objectives. We call those end-goals “impacts.”
(on-ship upgrades. Thanks to ship-technology.com)
The methods of attack which get us to those end goals vary greatly, based on what makes sense for a given engagement. The safety alert from the Coast Guard calls out that USB drives are routinely used to share cargo data, picked up at the pier and plugged directly into the ship’s computers. Targeting a freighter like the one which was hampered in February 2019, we may choose a malicious USB drive as our initial attack vector. Exploiting this flawed practice could be as simple as using a specially crafted USB Rubber Ducky ( https://shop.hak5.org/collections/usb-rubber-ducky ), or a custom-made USB device with “special features” to exploit the computer in unexpected ways. In other cases, we may provide an innocuous-looking “attack” USB cable with ( http://mg.lol/blog/omg-cable/ , https://www.crowdsupply.com/rfid-research-group/usbninja ) through supply-chain flaws. Getting our malicious USB drive worked into the rotation for cargo data transmission, our tool will eventually be plugged directly into the primary ship’s computers, gaining us some form of access to them.
That’s only one attack vector, where the gained access is whatever computer the ship uses to track the cargo data. From there, we pivot, and discover what new access/information that computer provides us… often a direct hop to our primary end-goal: vehicular control systems which live on the same flat network with no security in between. The computer may also have a shared trust relationship (or passwords, or unpatched computer) with the computer that actually controls the propulsion and direction-control (and other things), allowing us to simply take over the ship without control-system hacking. However, control systems of almost all types have a bad history of poor-security, worse deployment (security-wise), and exploitable flaws. Moving from that first compromised computer system to full control of the boat is not typically difficult, whether by compromising further traditional computer systems or directly interfacing to the control systems. Some pundits will argue that as soon as the ship changes course or otherwise behaves abnormally the crew will immediately take over manual control, but that is an optimistic viewpoint. Unfortunately, subtle changes (the kind skilled attackers are likely to make) are difficult to determine and respond to in a timely fashion. Conversely, some control system attacks can make regaining manual control in time to avoid catastrophic damage difficult to impossible.
ICS Forensics and the Importance of Being Right
So that brings me back to the Coast Guard’s comment “The team concluded … essential vessel control systems had not been impacted.” How certain are they and why? How much time and skills and resources did they invest in the investigation? I realize these details aren’t something you publish in a “safety alert” from the Coast Guard to this audience. However, I know the level to which I would go to attack these systems, and what’s possible. I also know the level of support most control systems offer for forensics discovery (whether it’s PCS, ICS, ECUs, Avionics or otherwise)… and it’s not a lot. Most of these systems are purpose-built computers that don’t let DFIR folks get a good look under the covers… you basically need to hack them to perform real forensics. In order to be certain no control systems were compromised, the analysis team would have to expend significant forensic effort, potentially including low-level hardware- and/or firmware-hacking. Without further details, I’m inclined to believe that they simply ran into a point where forensic efforts were too difficult and they called it good and went for a beer. Validating the efficacy and integrity of ship-board control systems is vital to continued trust in the compromised ship.
Many Attack Vectors
So far we’ve only been discussing one attack scenario. Attack Vectors include any number of ways to influence or compromise that first level of computers, and then the next level, etc… until the end-goal is reached. Having a direct Internet connection comes with a great number of attack vectors, including sailors surfing porn (did you know that porn sites have been found to have an incredible amount of malware embedded, and browser-exploitation to take over a computer system is a primary way of getting onto an otherwise secure network?
Any other digital RF signals the ship participates in (peer-to-peer RF “mesh” network, ship-to-shore digital, short-range RF, etc…) can be an attack vector. Any data cables or other physical connections/transmissions which can transfer malicious code from the outside world to the ship’s network can be a way for an attacker to gain initial access from which to pivot, to gain control of other connected systems….
And People. Manipulating people is one of the easiest ways to compromise a computer system. We humans are the roaming vulnerabilities who sometimes seem too numerous to patch. In addition to sharing potentially sensitive information over social media, we typically click untrusted web-links, allowing vulnerabilities in our system software to be exploited. This software can include web browsers like Internet Explorer, Chrome, and FireFox, VLC video software, Adobe Acrobat, and any number of other software packages which are used to process content from the Internet. Often times we install software without thinking about where it came from and how much we can trust the source. And that’s all assuming we haven’t installed remote control software on our computers using a very poor passphrase (because accessing my boat from my home computer seemed important at the time).
The Bigger Picture
But let’s imagine for just a moment that I’m not a hacker overlord who runs an elite team of embedded exploitation experts….
Most computer users (in this case, mariners) simply don’t contemplate the complex system they and their computers are a part of. Take, for instance, Tweeting your status updates… with GPS enabled… on a ship…. This lack of operations security (OPSEC) makes it fairly easy for attackers to track the movements of ships with potentially highly valuable merchandise. In some cases, tweets provide specific information not easily available elsewhere, such as personnel, mood, etc… Piracy on the high seas is not lore from of old, but a current, real, threat to freighters and tankers alike.
Sadly, there are many ways to track ships. That’s not the point. Best practices for OPSEC is to affect the things we can, and be aware of (and plan accordingly for) the ones we cannot.
The key point is to be aware of the nontraditional way the information and access you give away can be used against you or others.
When GRIMM undertakes an assessment, whether it is to find weaknesses in a company’s deployed computer and control systems, or performing deep vulnerability research on a particular system/device(s), we strive to partner with our customers, to help convey more than just the findings of our work. We deliver consistently world-class reverse-engineering and security assessments, sure. But we strive for more for our customers… Ensuring they’re practicing good OPSEC, patching, and other customer-specific considerations we know will provide value to our customers (ie. the soft-side of cybersecurity) often play into our discussions. Asset-owners (fleet managers, captains, etc…) need to understand how to think about the potential problems if they are to manage and mitigate the risks.
The SCYTHE platform is exceptional for showing how easy pivoting can be and the impacts an attacker can have once they’ve gained initial access. Full Disclosure: SCYTHE is GRIMM’s product-focused sister company.
(from the U.S. Coast Guard’s alert)
Conclusion: Understanding Our Connected World
Which leads us full circle to the point: Mariners, know your vessels. While that has never been a question, mariners have long been the masters of understanding how their ship will behave, the introduction of computer systems and digital computer communication both within the ship and with the outside world have introduced a great deal of unknowns. This post can’t teach all of the necessary details required to bring good understanding, so I’ll summarize with these points:
- Any programmable computer system can be hacked
- Attack vectors can primarily be reduced to:
- Physical Attacks (touching a given computer device)
- Wired Attacks (over a local network)
- Proximity Attacks (over a local wireless protocol, like WiFi, Bluetooth, or Zigbee)
- Remote Attacks (over the Internet)
- Segmentation can provide delays of compromise reaching critical impact (ie. firewalling)
- Eg. Keep the email computers from accessing anything that connects to control systems
- Monitoring (intrusion/anomaly detection) can provide insight to what’s going on with computer networks
- Knowing Normal helps identify anomalies and potential attacks faster
- Understanding how systems connect can help you “know your vessel” from a cybersecurity standpoint.
- Red-Teaming and Penetration Testing can help identify weaknesses you’ve missed (or other people have introduced, inadvertently or intentionally)
The article indicates several good best-practices, and calls upon mariners (vessel owners/operators and facility owners) to work with trusted entities to conduct cybersecurity assessments to determine the extent of their vulnerabilities. It calls out freely available resources which can help, provided by the Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA), and points to other cybersecurity guidance provided by the Coast Guard.
If you would like additional assistance determining your vulnerability, the GRIMM team is highly skilled in assessing vulnerability in complex and varied systems used in shipping (and other transportation) systems. Let us know if we can help.