Updated If there's anything worse than container security, it would appear to be container ship security.
Ken Munro, a researcher for UK-based Pen Test Partners, has been exploring maritime satellite communication systems used to keep ships connected while at sea. His findings don't inspire much confidence. Munro, in a blog post today recounting his research, describes ships as floating industrial control systems that were traditionally isolated but are now always connected to the internet.
Industrial control systems (ICS), which evolved without much thought for network-based attacks, have struggled for decades to adapt to the constant state of siege on the internet.
Munro believes the security of ship IT systems is worse still. "Personally, I think ship security is behind broader ICS security," he said. "The change is as a result of these satcom terminals being online all the time. In the past, just like ICS, ship systems were isolated from the internet."
Munro said there have been plenty of ship security incidents reported. "One that springs to mind is a mobile drilling platform off the coast of Africa that developed a tilt and had to be evacuated," he said. "On investigation, the control system had been ‘hacked’. I use the quotes as I suspect it was simply missing or default creds and an exposed control system GUI."
Using Shodan.io, a search engine for finding devices on the internet, Munro looked for several popular brands of maritime satcom systems, including Cobham, Inmarsat, and Telenor kit, along with older brands that had been acquired, on the assumption they'd be running outdated firmware.
He opted not to test the default user and password configuration for some systems (usually admin/1234), noting that most of the recent maritime hacking reports have involved missing authentication or default creds in comms terminals that allowed someone in. He doesn't really consider such failures hacking, even if the resulting disruption may be the same.
By searching for ‘html:commbox,’ he found various terminal commands for KVH's ship-to-shore network manager CommBox. Pulling up an actual CommBox login page, Munro found the connection was poorly secured with no HTTPS protection. The system presented a link to a queryable user database and it revealed network configuration data merely by mousing over the UI.
With the crew data, Munro was able to quickly find a crew member's social network profile, giving him all the data he'd need to conduct a targeted phishing attack. If he had ties to a ship-hijacking pirates, he could provide the vessel's location, alongside crew data, via the automatic identification system (AIS) used to track ships.
In short, if these security holes were in the ship's hull, the vessel would be resting at the bottom of the sea.
Munro says satcom boxes need to implement TLS, password complexity must be enforced for user accounts, and comms hardware needs secure firmware.
"There are many routes onto a ship, but the satcom box is the one route that is nearly always on the internet," he said. "Start with securing these devices, then move on to securing other ship systems. That’s a whole different story." ®
Updated to add
A spokesperson for KVH has pinged The Register to stress the ship identified by Munro is not a KVH satcom customer, and is not on its network: "The vessel satcom box mentioned was evidently assigned an unrestricted static public IP address associated with another satellite service provider network, not with KVH.
"KVH’s practices for its own airtime services, had it been on our network, are designed to guard against such circumstances by blocking all inbound access from the Internet by default when customers request static public IP addresses."