Pen Test Partners (PTP), a penetration testing and security services business, wrote a security blog post detailing their findings after penetration testing several different shipping vessels, including a Moss Maritime CS55 deep-water exploration drilling rig, a seabed survey vessel, and a new cruise ship. This research stuck out to me and got me thinking: what are the chances of a successful cyber attack against these networks, which may sit in remote locations scattered around the globe, and what would such attacks entail? It is worth keeping in mind the obvious point that Internet-facing systems are reachable from anywhere there is an Internet connection. So part of the answer is obvious: if an attacker has an IP address, it can be scanned and profiled, and it doesn’t matter where the network is physically located. The second part really depends on what the vessel is used for in the first place.
Considering that each vessel’s purpose can vary, it’s tough to say which target may be more appealing to an attacker. Since money is usually the main driver, I’d assume the main target of interest is whichever vessel can be exploited for a higher return: think ransomware on an oil drilling rig or even a cruise liner. For example, if an oil rig was infected with ransomware and effectively put on pause, stalling oil extraction and inhibiting the workflow, leading to oil rationing and shortages, how large a ransom could attackers demand that the company pay to restore the rig to a functioning state? Compare this with a cruise liner or a container ship. When making money is halted, especially on a large scale, exploiting this just seems ripe for the picking (no, I am not insinuating attacks on oil rigs or cruise liners).
What’s not surprising about this report is that the same silly security failings turn up anywhere IT infrastructure is deployed: passwords posted on a computer terminal, or bridged access points extending the Wi-Fi reach while connected to the main network. Better yet, default credentials on Internet-facing systems.
High-Level Security Flaws
To expand on the previous paragraph, IT security flaws exist wherever IT systems are implemented. Poor password practices and a lack of patching are the two main points here. Poor passwords include using default credentials or, worse yet, not using any credentials at all. The post noted that some passwords were simply the vessel’s name, so guessing the password for another vessel was as simple as trying that vessel’s name.
As for the patches, or lack thereof, the assessment revealed several code injection vulnerabilities. The post states: “We found (more than once) un-patched code injection vulnerabilities in a booking/inventory software suite used in the cruise industry… think FREE food and drinks. Couple this with default login credentials and you could add FREE Wi-Fi and unlimited FREE phone calls. Then add access to any cabin door lock anytime you want.”
One of the most interesting points from the research was that, out of the 15 vessels assessed, only a single ship had a genuine air-gapped network, even though all of the ship operators were under the impression that they had one. Some vessels had PCs connected to more than one of the supposedly separate networks at the same time.
Another interesting find was that TeamViewer (TV) installations were found running without the knowledge of the ship operators or owners! The TV versions were “vulnerable versions with really ridiculous credential choices.”
Of course, there were also plain text files lying around with IP addresses and usernames and passwords – yikes!
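The findings above (vessel-name and default passwords, an unpatched booking suite, remote-access software nobody approved, PCs bridging a supposedly air-gapped network, and credential files lying around) are all things an operator can check for in their own inventory before an assessor does. The script below is an added example, not PTP's tooling or the post's own code; the vessel names, hostnames, passwords, product name "booking-suite", its "first fixed" version, the approved remote-access list and the file paths are all constructed for the example.

```python
"""Added example, not PTP's tooling or the post's own code: audit a
constructed ship-network inventory for the weakness classes described
above (vessel-name and default passwords, unpatched software, unapproved
remote-access tools, hosts that bridge 'air-gapped' networks, and
plaintext credential files)."""
from dataclasses import dataclass, field

# Assumed policy inputs; every product name and version here is made up.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "password"), ("root", "root"), ("admin", "")}
APPROVED_REMOTE_ACCESS = {"vendor-vpn-client"}       # assumption: operator-approved tools only
MIN_PATCHED_VERSION = {"booking-suite": (4, 2, 0)}  # assumption: first fixed version of a hypothetical product
CREDENTIAL_FILE_HINTS = ("password", "creds", "login")


@dataclass
class Host:
    vessel: str
    name: str
    networks: list               # networks this host has an interface on
    internet_facing: bool
    username: str
    password: str
    software: dict = field(default_factory=dict)   # product -> version string
    remote_access: list = field(default_factory=list)
    files: list = field(default_factory=list)      # notable file paths found on the host


def parse_version(text):
    return tuple(int(part) for part in text.split("."))


def audit_host(host):
    findings = []
    pw = host.password.lower()
    weak_credentials = False

    # Passwords built from the vessel's name are guessable fleet-wide.
    vessel_words = [w for w in host.vessel.lower().split() if len(w) >= 4]
    if pw and any(word in pw for word in vessel_words):
        findings.append("password derived from vessel name")
        weak_credentials = True
    if (host.username, host.password) in DEFAULT_CREDENTIALS:
        findings.append("default or empty credentials")
        weak_credentials = True
    if host.internet_facing and weak_credentials:
        findings.append("weak credentials on an Internet-facing host")

    for product, version in host.software.items():
        minimum = MIN_PATCHED_VERSION.get(product)
        if minimum and parse_version(version) < minimum:
            findings.append(f"unpatched {product} {version}")

    for tool in host.remote_access:
        if tool not in APPROVED_REMOTE_ACCESS:
            findings.append(f"unapproved remote-access software: {tool}")

    # A host with interfaces on two networks is a bridge, whatever the diagram says.
    if len(host.networks) > 1:
        findings.append("host bridges networks: " + " <-> ".join(host.networks))

    for path in host.files:
        if any(hint in path.lower() for hint in CREDENTIAL_FILE_HINTS):
            findings.append(f"possible plaintext credential file: {path}")
    return findings


def audit_fleet(hosts):
    """Map 'vessel/host' to its findings, omitting clean hosts."""
    report = {}
    for host in hosts:
        findings = audit_host(host)
        if findings:
            report[f"{host.vessel}/{host.name}"] = findings
    return report


def air_gap_violations(hosts):
    """Vessels whose claimed air gap is broken by a multi-homed host."""
    return sorted({h.vessel for h in hosts if len(h.networks) > 1})


# Constructed inventory: names, passwords and paths are invented for the example.
SAMPLE_HOSTS = [
    Host("MV Northwind", "booking-srv", ["guest"], True, "admin", "Northwind1",
         {"booking-suite": "3.9.1"}, [], ["C:/ops/passwords.txt"]),
    Host("MV Northwind", "bridge-pc", ["bridge", "crew-wifi"], False, "nav", "S3cure!Nav-2019",
         {}, ["TeamViewer"]),
    Host("Rig Alpha", "gateway", ["ot"], True, "admin", "admin"),
    Host("Rig Alpha", "hist-srv", ["ot"], False, "operator", "Tr0ub4dor&3",
         {"booking-suite": "4.2.0"}, ["vendor-vpn-client"], ["runbook.pdf"]),
]

if __name__ == "__main__":
    for key, findings in audit_fleet(SAMPLE_HOSTS).items():
        print(key)
        for finding in findings:
            print("  -", finding)
    print("claimed air gap broken on:", air_gap_violations(SAMPLE_HOSTS))
```

The vessel-name check is deliberately loose (any word of four or more characters from the vessel's name appearing in the password), because the point from the post is that a password built from the ship's name can be guessed fleet-wide, not that it matches exactly. In practice the inventory would come from an asset database or a scan export rather than a hand-written list.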
Summary and Takeaways
At this point, it should be obvious that any industry using IT systems will have poor security measures in place. It was surprising to read just how lax the set-ups were, but I can’t help but wonder if this is due to the staff not thinking there’s any real threat of unauthorized individuals getting onto the ships. Don’t get me wrong, I completely disagree with public-facing systems running outdated and vulnerable software versions with bad password practices. Further, extending Wi-Fi signals to certain parts of the ships wasn’t the best idea, but I get the streaming factor as well. Being in an isolated location (e.g., out at sea with no one around) may be the reason for these implementations, but I still believe core systems need to be segmented for obvious reasons. It’s better to be prepared and take preventative measures just in case. For example, use VLANs to separate networks and make sure appropriate access rules are in place.
The takeaways here are the same as for any other network: don’t publicly expose vulnerable systems, patch those systems, use strong passwords, and make sure there are no misconfigurations. Beyond that, security assessments like the one PTP performed are a great way to reveal these vulnerabilities. With the rise of cyber attacks against governments and cities, along with MSPs, I believe semi-regular security assessments should be an integral part of the IT deployment process: get the IT infrastructure set up, then run a security assessment to confirm the configuration is correct. After some time and usage, run the assessment again and compare notes and changes.
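"Use VLANs to separate networks and make sure appropriate access rules are in place" is easy to say and easy to get subtly wrong, because a rule that looks harmless on its own can chain with another into a path from crew Wi-Fi to the bridge. The script below is an added example, not from the post or from PTP, that checks a constructed VLAN plan and rule set against a simple trust-tier policy; the VLAN names, tiers, ports and justifications are all invented for the example, and the reachability check deliberately takes a worst-case view in which a compromised host in any intermediate VLAN can pivot onward.

```python
"""Added example (not from the post or PTP): check a constructed VLAN
segmentation plan and its access rules against a simple trust policy, and
show how an allow rule into a middle tier can expose core systems transitively."""
from collections import deque

# Constructed VLAN plan: name -> trust tier (higher means more critical).
VLANS = {"guest-wifi": 0, "crew-wifi": 1, "business": 2, "bridge-nav": 3, "ot-drilling": 3}
CORE_TIER = 3          # assumption: tier-3 VLANs hold navigation / drilling systems
LOW_TRUST_TIER = 1     # assumption: tiers 0-1 are passenger and crew Wi-Fi

# Constructed allow rules: (source VLAN, destination VLAN, TCP port, justification).
RULES = [
    ("guest-wifi", "business", 443, "captive portal"),
    ("crew-wifi", "business", 443, "crew intranet"),
    ("business", "bridge-nav", 22, "admin jump host"),
    ("crew-wifi", "bridge-nav", 3389, ""),   # leftover convenience rule, no justification
    ("business", "ot-drilling", 502, "historian poll"),
]


def risky_rules(rules=RULES, vlans=VLANS):
    """Allow rules into a core VLAN that come from low-trust Wi-Fi tiers or carry no justification."""
    flagged = []
    for src, dst, port, why in rules:
        upward = vlans[dst] >= CORE_TIER and vlans[src] < vlans[dst]
        if upward and (vlans[src] <= LOW_TRUST_TIER or not why):
            flagged.append((src, dst, port))
    return flagged


def reachable(src, rules=RULES):
    """VLANs reachable from src by chaining allow rules. Worst-case view: a compromised
    host in any intermediate VLAN is assumed able to pivot onward, so ports are ignored."""
    seen, queue = {src}, deque([src])
    while queue:
        current = queue.popleft()
        for s, d, _port, _why in rules:
            if s == current and d not in seen:
                seen.add(d)
                queue.append(d)
    seen.discard(src)
    return sorted(seen)


def core_exposure(rules=RULES, vlans=VLANS):
    """For each low-trust VLAN, the core VLANs it can reach directly or via pivots."""
    return {
        vlan: [dst for dst in reachable(vlan, rules) if vlans[dst] >= CORE_TIER]
        for vlan, tier in vlans.items() if tier <= LOW_TRUST_TIER
    }


if __name__ == "__main__":
    print("rules to remove or justify:", risky_rules())
    for vlan, cores in core_exposure().items():
        print(f"{vlan} can reach core VLANs: {cores or 'none'}")
```

Two things fall out of running this on the sample rule set. The unjustified crew-Wi-Fi-to-bridge rule is flagged directly, which is the obvious fix. Less obviously, even after removing it, both Wi-Fi VLANs still reach the core VLANs by way of the business VLAN, because that VLAN is allowed to initiate connections into the bridge and drilling networks. That is the case for putting administrative access behind a jump host in its own tightly scoped VLAN rather than letting a general-purpose network talk to core systems, and it is exactly the kind of change a repeat assessment should confirm has been made.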