Join the Navy – Is it really easy to hack a boat?

Introduction

After the publication of the Ship Tracker (data powered by Shodan), Lutech Cyber Threat Intelligence team, with the help of Lutech ThreatOculus™ (also known as Lutech TMS for Cyber Threat Intelligence) and Lutech EyeOnThreat™, performed a research and reported hereby some security analysis and considerations about future possible threats related to the exposure of navy systems directly to the internet.

 

Our Findings

Lutech Cyber Threat Intelligence team started his own research by using both actively and passively information gathered with proprietary Lutech ThreatOculus™ and Lutech EyeOnThreat™ infrastructure in order to define a real perimeter of analysis.

In particular, the perimeter definition have been based on the list of some specific vendors with the mission of distributing mobile connectivity solutions for aerospace, avionics and maritime environments.

This report is based on a total amount of 565 unique IP addresses, wich have been confirmed to be systems hosted on real vessel.

Considering this perimeter as starting point, Lutech Team performed a more in-depth analysis about ports, products and versioning of the exposed services. Moreover, each host found as “alive” has been automatically categorized and enriched with different kinds of information useful for further next analysis.

 

 

The unique geolocation of these ip addresses is shown in the world map below:

 

Exposed Services

Lutech team, with his own capabilities, has been able to proactively scan alive systems in scope, adding to the available dataset useful information about top open ports, products and versionings of the exposed services used by these systems and freely reachable by anyone from the Internet. As results, 1368 exposed services (ports) and products have been found.

Many of the 565 hosts in our perimeter expose different services, which probably, in most of the cases, are not strictly necessary for the scope of the system.

 

 

More in depth, we can see from the list of open ports that about 40% of the 1368 exposed services are webservers, active on different ports such as 80,443,8080,8081, etc. The average count of exposed services for each host is about 2,67.

Also, 26% of the exposed services are related to remote administration like Telnet, FTP and SSH.

 

During our investigation, we noticed that at least 30% of the hosts in our analysis perimeter expose an uncommon port (400X), which is probably used for remote administration of the on board modem.

In the picture below is shown an HTTP GET request to this service on port 4002:

 

EyeOnThreat™ Match

Lutech team checked the presence of the IP addresses in the defined perimeter using Lutech EyeOnThreat™ infrastructure and didn’t find any match. This means that none of the IP analysed are in blacklists and have been used for malicious purposes, or at least, not yet.

 

Service Analysis: Webservers

Considering the starting perimeter of the 565 hosts, Lutech team found that 419 hosts expose a webserver on different ports with a remote admin web panel.

In particular the results shown different product’s web servers directly exposed over the internet. Many of these web panel are exposed over HTTP protocol, which doesn’t offer any cryptographic protection against man in the middle attacks.

Lutech analysed the different product’s documentation and found that all these products are shipped with the same default credential to customers. This means that, if the administrator didn’t change the default configurations, a remote attacker could obtain full privileges on vessel connection systems with a really low effort.

Also, these web panels doesn’t offer any anti-bruteforce mechanism, so, even if the administrator has changed his password, it could be possible for an attacker to retrieve credential by bruteforcing them.

 

Below, are shown different examples of vsat’s administrative panel interface. Products shown were chosed within the perimeter of this analysis.

 

 

 

 

 

Remote Administration

Considering the starting perimeter of the 565 hosts, Lutech team found that 55 hosts also expose a Telnet / SSH server.

Banners of these services shown the same name of the navy (in the same format) as reported in the web server dashboard. This probably means that these exposed services are configured in the same manner, so if a default account is enabled on the web panel, then Telnet/SSH services are probably accessible in the same way.

Also, by referring to the official documentation of these products we know that a default Telnet/SSH service is enabled. As an example, it’s possible to know how and what kind of commands these services can accept:

 

Join The Navy

In order to demonstrate how critical the situation is, Lutech team made a research on a specific vessel that hosts on-board the “Sailor 900 VSAT Ku” product.

Just connecting to the web server of the host from internet, even without logging in with administrator credential, is it possible to retrieve some useful information about the vessel, as shown in the following screenshot.

 

 

From this screenshot it is possible to see the name of the vessel that is JMSutera1, which uses an iDirect Evolution satellite, other than the GPS position and all the radar and modem data sent and received through the network.

A quick research on MarineTraffic gave us evidences of the actual existence of the vessel, giving us important information such as: the typology and the actual photos of the ship, the route, the country membership and the real position (actual and historical Latitude/Longitude) as shown in the following screenshot:

 

 

As we can see from the following picture, we notice that the actual GPS coordinate found on the web panel are almost the same of the one tracked by MarineTraffic, which means that the vessel is moving away from the Brunei coastline.

 

But it’s not over here. The situation is even more dangerous, in fact, Lutech analysed the different product’s documentation and found that all these products are shipped with the same default credential to customers.

As an example, the Sailor 900 VSAT documentation, freely available here report that default credentials are:

  • Username : admin
  • Password : 1234

 

So, considering what we’ve seen in the landscape of IoT platforms in the last months, Lutech team cannot exclude that default administration credentials could work on these web panel, so a remote attacker could obtain full privileges on vessel’s connection systems with a really low effort.

Moreover, these systems often expose the Telnet service which could be accessed in the same way with default credential.

 

Conclusions

A malicious attacker could easily take the complete remote control of the vessel system with extremely dangerous consequences. He could modify the shown radar coordinates or the evidences of the on-board sensors. He could even breaking off the communication signal. It could be possible to disrupt the services or even uploading a new version of the firmware.

 

 

Public and private sector stakeholders, vendors and technical areas of marittime systems must adopt stronger security strategies, now.

 

Next Steps

As next step Lutech Cyber Threat Intelligence team, with the help of Lutech ThreatOculus™ (also known as Lutech TMS for Cyber Threat Intelligence) will further analyze the uncommon exposed services found on the hosts, in order to verify the presence of other possible threats, and extending the perimeter of the analysis with more VSAT vendors and products in the maritime, aerospace and avionics environments.

 

Authors

Luca Dinardo, Luca Sangalli

Leave a Comment

Your email address will not be published.