
Swimming IoT: Hacking Yachts and Maritime Systems

BSides TLV · 2018 · 47:18 · Published 2018-07

About this talk
Stephan Gerling explores attack vectors against maritime vessels, from GPS spoofing and jamming to compromised Wi-Fi routers and management software. Through a real-world case study of a vulnerable yacht router system, he demonstrates how poor security practices in marine IoT devices create exploitable pathways for attackers to compromise navigation systems, autopilots, and onboard networks.
Swimming IoT - Stephan Gerling BSidesTLV 2018 - Tel Aviv University - 19 June 2018
Transcript (en)

[Applause] This is not my car. The microphone is... yeah, it's on. Let me check the sound control; we need the computer sound. Thank you. It's the second slide and then it's okay. Okay, here we go. So it's now up to me to annoy you a little bit about hacking yachts and what can go wrong with that. I call it "Swimming IoT" because, well, it's just like an IoT device. To give a small overview about it... the clicker is not working; it's not switched on. I'll use it by hand, it's okay. This one is better, yes. Okay, thank you Karen, because I know Karen loves it.

Yeah, the sound is missing. Come on.

[Clip audio] "...replicates till it overloads a file, then it spreads like cancer." "Cancer?" "You have to get the parent..."

[Music] "It's the Gibson. It's finding us too fast." [Music]

[Music] "There's too many garbage files. I need more time."

Yeah, I think we should watch the complete movie, but we want to hear a little bit more about ships. So yeah: hack the planet. Who am I? Then we hear something about yachts and ships. We have to start with a marina, one by one, so that you get an idea about what kind of systems are on a ship or in a yacht and how they interact, and then you get an understanding about what attack vectors you have on the boat. We see already here the different attack vectors; then how you can look up your targets, which kind of security bugs you can find in some of those routers; and we make a sneak preview into SATCOM boxes, where I found also some nice stuff; and then at the end... yes, okay.

So, as you already know, my name is Stephan Gerling, also on Twitter as ObiWan666. Loud enough? I'm older than the Internet. Certified, yeah, I have many of those. I'm an electronics specialist; I worked several years for the German army as a navigation system specialist for helicopters. I'm now 31 years a firefighter in Germany, a volunteer firefighter; I do it in my spare time. I'm a security evangelist in our company, taking care of all those things, something about security also. We work in the oil and gas industry, normally doing pipeline services, so we inspect oil and gas pipelines, and in our newest branch, the cyber division, we do also some pen testing, security audits and so on, of course also for vessels. I'm a member of Void Warranties, of [inaudible] and of I Am The Cavalry.

Here we are: what happened last year? So many newspapers wrote about attacks against yachts and systems and GPS and so on; it made the news, and that was also some kind of the idea to look a little bit more at that stuff. The initial idea was: I was building an Internet router into a yacht, so it was three weeks working on it to build up some stuff there: built the internet router, the cabling, the antennas on the monkey island and so on. And after everything was finished I was introducing the captain to how the system was working, and at the same time we were drinking a bottle of wine. I started my Wireshark to look at what the applications are doing while I was teaching, and after we finished I had a facepalm, because I couldn't believe what the application was doing; we will see it later.

So these are only some newspapers; here is a short overview. In February last year we had a container vessel in some area, a pirate area; they had no access to their navigation system anymore for ten hours, so they had to shut down their systems and reboot so that the navigation system was working again. In September last year we had GPS jamming from the eastern direction: in Norway they reported some jamming of GPS by planes, and then they started with a helicopter with a beacon antenna and localized from which direction the jamming came. They figured out, okay, it comes from the eastern direction; could be Russia, could be Ukraine, somewhere in that area; so they only know it's the eastern direction. And the US Navy had last year four accidents with their warships, and when you think about it, hey, a warship should have the best people on board, the best navigator on board and so on, but they crashed with big container vessels and so on, and yeah, that happens. In some reports I've read they claimed that all the time it was a human error, because they did not follow the instructions about how to navigate also in night hours, so there were not enough people on the bridge and they were not following the rules about navigation. But after these crashes, after they had four of them, the rumour was coming up: could it be a cyber attack? If it was a cyber attack we don't know; the official statement was a human error.

Okay, now we go into the terms of vessels, yachts and ships. A yacht is a small boat or ship, and it comes from the Dutch word "jacht", and in Dutch it means something like hunting; so it was an antique boat for pirates in the shallow water of the Dutch countries in the past, and that created the term. Nowadays a yacht is a recreational boat or sporting boat or something like that. And of course size matters, as always: we're talking about a boat when it's smaller than seven meters; when we have already more than 10 meters we have a yacht; we have a super yacht when we go above 24 meters; and we're talking about a mega yacht when we have more than 50 meters.

So here is a sample of them. It's a picture from the German trash TV series "Die Geissens"; it's their "Indigo Star" boat. It's a 1996 model, 30 meters, about that; it's a super yacht. It looks nice, it works; I have not enough money for that. But it's that class now: when we're talking about yachts above 30 meters you have already very, very nice ones, even if they are old. What do I have on board? This is a complete list of the stuff that I have on board there. We have vessel traffic services; it's like air traffic services, where an air traffic controller is giving position to the aircraft and says okay, you have to fly level 300 in that direction. The same system you have for ships, mostly in harbors, so that the vessel traffic services provider then says okay, this is your course, this is your speed that you have to drive, and then everyone in the harbor is maneuvering in the right direction. They are provided by the automatic identification system. Also autopilots, GPS, radar, cameras including also thermal-imaging cameras; we have engine control and monitoring systems, nowadays some of them are also cloud-based, we hear it later; we have internet access on board in different ways; and we have some kind of entertainment systems with smart TVs and whatever.

All those devices that you need for the navigation or for controlling the boat are connected over an NMEA bus. It's a serial bus standardized under the National Marine Electronics Association; it's NMEA 0183, that's the term for that. This is a serial bus, so the speeds are about 4,800 baud, so you cannot transmit so much information over that. They are connecting mostly echo sounders, sonars, anemometers, gyrocompass, autopilot, GPS receivers and some other instruments like temperature or whatever. Then, because they needed something faster, they introduced NMEA 2000. Here we are already in the bandwidth of one megabit; it's not a serial protocol anymore. In this case we have now a technology like in the car industry: it's CAN bus, so they are using also the same cabling standards; we have CAN low, CAN high and the power over the bus, and that's it. It's everything standardized under NMEA 2000 and you can buy those standardization reports about how it works from the NMEA association.

So this is how it looks: it's a complete bus, I think here is [inaudible], a complete bus from the front to the end of the ship, and all the devices are connected here together. So here we have an NMEA 0183 device connected with a gateway that's converting the serial bus to the NMEA 2000 bus, and we have also here gateways that are connecting to other devices like displays or computers and so on. This is how it looks in real; it looks more like Cheapernet in the older days, where some of them, as here, already worked with it. Here we have another term for that: NMEA 2000 is also available as SeaTalk ng, and this is now a brand name of Raymarine; Raymarine is one vendor of this marine stuff. And as you can see, all those devices that you see on ships, on the bridge, anywhere there, and the network that I have: this is some kind of Ethernet network and they call it SeaTalk HS; it's high speed, so it's about 10 megabit that they have on traffic, and you can already see that multimedia display where you can also display videos and such stuff.

When we tear down now the network, how it looks: then we see all those things here, like we have here the internet router; this is how they are connected; here are some access points; we have some mobile devices; we have computers on the normal network; then we have some converters that are converting the NMEA network to the TCP/IP network. It could be a USB device with a laptop; it could also be a native device that's directly connected to the computer network; and here below we have all the systems connected over this CAN bus. So this we have to remember: all those devices are connected via this bus and they have connections over those gateways to the normal ones. We will see later why it is important.

So the marine electronics in overview: we had already these vessel traffic services, the AIS system, the ECDIS, the electronic chart display and information system, the autopilot and internet access. The vessel traffic services: it is like this air traffic controller system, by harbor and port authorities, using radar, CCTV, VHF radiotelephony and the AIS system. So this we have to remember: the VTS is using the AIS. The AIS is the automatic identification system and it's for tracking those devices; it's transmitting the ship name, the course, the speed, the heading and so on, and it's mostly over VHF radio; it could also be over satellite. So the VTS is using the AIS; the AIS information is using GPS for the positioning; and it's also supporting the [inaudible]; that's coming now in the next one. The electronic chart display and information system, the ECDIS: this one is displaying like the navigation system in the car; here you have the waterways and here you will then see all the ships whose AIS information is submitted. Remember that the AIS is getting the information from the GPS system and so on, so everything goes back to the GPS system, and all the devices are interconnected over those CAN buses. So just keep in mind: it integrates positioning information, the position, the heading and the speed, and it's submitting also the information to other devices.

And the last thing that we have on board is the IT equipment. IT equipment we have also at home; in this case we have internet access, anyhow: it could be over GSM, it could be over Wi-Fi, it could be over Inmarsat, VSAT, Iridium or whatever. And on board we have also entertainment systems, we have Wi-Fi, we have voice over IP and whatever else. So this is a picture of a 40 meter yacht where I was working on, and that is a complete 19-inch rack, full height, completely equipped with IT stuff. Here we have the internet router, a very small one; we have here three servers, three 19-inch rack servers mounted in the system; we have here two voice over IP gateways, we see later why; we have a fully equipped switch; and we have a UPS power supply. And when we then look at what else is on board, you see that there are 10 smart TVs and satellite receivers; we have one chart PC for the navigation system; we have 14 voice over IP telephones; we have an Internet router; we have a rack-mounted switch, UPS, Wi-Fi access points, etcetera etcetera. So much IT stuff, and all that stuff is used to connect those devices together, so you can stream audio and video from the multimedia entertainment system; you can use your iPod, iPhone or your computer to stream videos and sound; you can control the light scenes of the ship; you can close the electric curtains of the ship; and you can also control the engine motor or display the engine status here on this display. So these are all screenshots from an iPad where you can do all those things: this is the curtain control, this is the light scene, this is the engine control system and, yeah, multimedia.

So if we see now this stuff all together, we come into the different attack vectors. We can attack it over the internet: if it is connected to the Internet it could be attacked. We can also, when it is connected to the internet, try some social engineering attacks against the crew members, against the captain or against the owner himself if we know who the owner is. We can also try to weaponize the mobile devices that they are using, and we can also try, if we get access over one of those devices, to search for those gateways to have access to the underlying network; and of course when we have that achievement solved, then we have access to the complete network here below. So in overview: we have an attack vector for GPS; we have AIS that we can attack; we see attacks against autopilots; the IT equipment on board; and the internet connection and cloud-based services that are coming more and more. So let's take a deeper look at those attacks.

GNSS, the global navigation satellite services, or in a shorter way just called GPS. In GPS we can have spoofing attacks or we can have denial of service attacks, jamming. Therefore you have to know that there are four different systems; they are all called GPS systems, but we have the US version, it's NAVSTAR GPS, that most of the mobile phones use; we have the GLONASS version from the Russians; we have Galileo that the Europeans use; and we have the BeiDou version from the Chinese. All those work on different frequencies, and here is a frequency map about which frequencies they're using: mostly they're using the L1 band, but some of them also the L2 and L5 band. But all those systems are using only a few frequencies, so it's easy to jam those things. To make an analysis about the GPS you can easily look at Wikipedia so that you have the exact frequency, make a jammer for that, and they don't hear anything anymore, or they don't receive a correct positioning. By the way, the L1 band is around 1500 megahertz, 1542 up to 1544 megahertz, so it's only 2 megahertz between.

So the two scenarios that we have here: we can have jamming or we can have spoofing. Jamming is quite simple: you can use a HackRF with a big [inaudible], and then you have your goal achieved. For the spoofing attacks you need a little bit more. You can buy that stuff also on the internet as testing devices: when someone has to develop GPS applications, how do they test it? You can buy boxes for that where you can change or test GPS equipment, and it's available for 1,000 euros, something like that. But for really spoofing it's quite harder, because you have to manipulate the receiver with three different spoofed signals, because a valid GPS position is calculated from three different satellite signals, and from the difference in the signal timing the receiver is then calculating the position. So you have to spoof three signals and you have to know which three signals are inside of the receiver at that point, at that time. It's possible, but it's a little bit more work. So it could be maybe easier to fake the NMEA data of the GPS sensors. As we keep in mind, the GPS receiver is receiving a valid GPS signal and sending it over the NMEA network to all other devices; so when we have control over this gateway and fake NMEA data on the bus, then it doesn't matter what the GPS sensor is receiving; we can just inject our own GPS signals.

Okay, GPS jamming: it happens quite often; mostly in bigger maneuvers we can see that. In June last year we had more than 20 reports, and at that time some NATO troops were maneuvering in the northeast Black Sea, and as already said, in the Norway report also something like that. How can we protect from that? Currently there is a research project by the DLR, and they are trying to make some kind of detection system to only pass valid GPS signals and filter out all those fake signals. How are they doing it? They have a 2 by 2 antenna array; here is a signal about the receiving and here you see it: it's a flat panel and here you have 2 by 2 GPS antennas, and by calculating from which angle the signals are coming in they can filter out: okay, this must be a wrong one, and if it comes from the right angle it must be a right one. So they filter out the wrong ones and amplify the right ones. It is working, but it's still in the testing phase; I'm sure we will see it in the future.

Now we come a little bit more to the AIS system. The AIS system is exchanging so much information about the ships, and you also can look it up easily. Maybe some of you know the Flightradar24 tracker where you can look up aircraft; the same system is available for ships, it's called MarineTraffic, marinetraffic.com. You can look up all the ships; I can just show you... didn't I have it here? So this is the web... it's a website; I have to switch to it. Here we go.

This is here now Tel Aviv, the harbor, and here we see some ships that are here; so you can look up one of those ships and then see the details about that: okay, here it is a sailing boat, the name of the ship and so on. Let's go further with that; why is my presentation not coming back?

Here we are. Okay, you can look up all the information: you get information about the Maritime Mobile Service Identity, so it's like a unique number, like your mobile phone number; then you can have information about whether the ship is at anchor or underway or not under command or something like that; the rate of turn; the speed over ground; the position; the course over ground; the true heading; and some time information. These are the information that you can see then on the webpage: here you have the IMO, the MMSI, the callsign; the ship is under the flag of Malta; it's a pleasure craft; it has 310 gross tonnage; it's a 38 meter yacht from 1995; this is the Geissens' yacht; and this is the actual position, and it's under the status of moored and making no speed, so it's lying somewhere in the harbor. And that's it: all this information is sent every two to ten seconds, with all those things that we can see here, and up to every 6 minutes it's sending a couple of more information: the dimensions of the ship, the name, is it a cargo ship or whatever, and so on. So this AIS system is really quite often speaking and spreading the information through the world.

And how is it working? It's just only a VHF radio channel; two channels they're using, and you can listen to that when you have a receiver that's working on 161 and 162 megahertz. It's a little bit modulated: it's GMSK modulated and it's only 9,600 bits per second transmitting. And of course there is a HackRF project for that, a GNU Radio project; when you go to the webpage you can download the GNU Radio chart; this is how the chart looks like, just using some of your RTL-SDR devices, and then you can listen to the AIS information. If you want to spoof that information, just change some of the settings here, make a transmitter of it and send whatever you want; but remember, it's illegal, I think.

Okay, another one that I mentioned was autopilots. Some ships have autopilot systems on board. This was a picture that I made while building up some stuff, and a friend of mine directly recognized: they have an autopilot system on board. I said, what? Yeah, they have an autopilot. So what can you do with that? You have a remote control unit where you can put in the speed and the heading where you want to navigate to. So you're standing under deck and having, like, the clicker here, and you're saying okay, a course of three three two zero with a speed of 10 knots. Okay, this is how the receiver looks like; it's a small wireless device. Now I wanted to know how those wireless devices are working; I didn't know anything about that, so I looked something up for that. Where can I start? I go to the web page of Raymarine looking for the autopilot systems, and then I found one of those systems. Then I looked a little bit deeper: FCC ID, because everything that has wireless transmission and is allowed on the market of the US must be on the FCC website, where you can get information. So I looked up the information for that, and then you can see, okay, it's this system, it operates on 2.4 or 2.45 gigahertz; it's not a Wi-Fi device, it's something else. Luckily the schematics and detailed information about those systems are also on the webpage; this is also from the FCC ID website where you can easily see them. Okay, it's an Amber wireless device, the [model unclear], and it's an ATmega64 processor and it has its own network stack called Amber stack. At that point I could not go further because of the lack of having those devices in place, so I think in September I'm again on a yacht so that I can go further with those devices, to check again what is transmitted over that, how the frequency signals are looking, how the modulation schemes are, and so on. So I think towards the end of the year I will know more about the autopilot system, and I believe there is something possible, but I cannot confirm now.

Now coming back to the beginning of my story: I built up that system because the owner had bought it. It's a device from Locomarine; it's the left one, it looks like proprietary, and the right one looks like the MikroTik metal thing that you can buy on the webpage from MikroTik, a MikroTik router. And it is one of those models; they claim to have a booster module, and with the right antennas you can have up to 50 nautical miles Wi-Fi. I'm not sure; I've calculated: they have 1.6 watts electrical energy on Wi-Fi, and with the 12 dB antenna I had 25 watts ERP. Oh, I have to hurry up. [Music]

Okay, I looked up the software. The software, whether from the tablet or from the computer, looks the same. What I found out then: every time you use the software, it makes an FTP connection to the router; the software then downloads an XML file; when you change something in the application it writes it back into the XML file and uploads it again to the router. And as you know, FTP is clear text; they're using hard-coded credentials, and in the XML files you find all the other information, so the username you see, and I love the password, because [inaudible] is a really nice one. And by the way, "loco" is a Spanish word for crazy; I don't know if it has something to do with the software. Okay, then that got my attention. Then I looked at the software more and more; the Windows executables were developed in .NET, so when you then use a tool like ILSpy you see some juicy information, like usernames or developer names, and also the yacht router engine where the configuration, everything, is in. Okay, the next one: the system has no firewall configured. Yeah, it's a router, but on the internet side it should be protected too; anyhow, from the internet you see all those ports are open, also the FTP one; remember, there are hard-coded credentials. What could possibly go wrong? Then they have another function, it's called remote support. The remote support is: you give them a ring and say okay, you can support me at that time, and then they connect to your device. But they didn't ask for an IP address; how do they know? They only want to know the serial number of your device. Every time when you start this remote support thing it makes a ping to their service, and the service, the IP address, belongs to their systems, and then they know: okay, this is the IP address of that device with that serial number. And what they're using then is the Winbox management software; it's a management software that you can use for MikroTik routers to administer everything on them, and with this Winbox management software you can also look up other information, like the user "loco"; the password is not displayed here, but the developer has his own backdoor user, so the developer always has access with his password and username to the boxes when they are online. Why should they have that? And you cannot change it in the normal way if you don't know the password. You can also use a tool for MikroTik routers called MKBRUTUS, so you can try to brute force those things.

So now we have that done; so we have to find those yachts. I looked up on the webpage; they have also some information where they built up those systems; then go to marinetraffic.com, there you can look up those devices again and you can see where they are, and then you go to Shodan and just look for them. When you're done using Shodan, you can see, okay, here is the ship that I looked up; it's on the tender and so on. By the way, Shodan has now a ship tracker, its own ship tracker service: shiptracker.shodan.io. You can look up all the systems, like marinetraffic.com, not so good, but you can look up those things.

Okay, then I reported it back to the vendor. They fixed something directly; then in November they finally brought out a final release. I got permission to present that stuff; I have my CVE ID for that and so on. Then I looked at the software, what they have patched: okay, they're using now SSH instead of FTP, but obfuscated these things in the software, so ILSpy always jumped out with an error. Hmm, okay, what can I do? So I asked a friend who is better in reverse engineering; he was able to do something, but at the same time I was looking: okay, I had the Windows executable, but there is also an iOS version and there is an Android version. So what I've done then: I took the Android app and decompiled it, and here you can see the user "loco" as anywhere; they have a new password, it's no more secure now, and this is the old one that they are replacing, but they didn't really change something else. So here it is again, and what also was nice: there is another one, a data leakage prevention; they have a patch, backbone data leak, so I don't know what the class is good for. Maybe you can look it up, downloading the software yourself. Obfuscating is not really protecting; if you do obfuscating, don't forget the Android and iOS applications. Hard-coded credentials: there's no good solution for that. And SSH is already a good one, but don't forget the other ones.

And now I have to hurry up a little bit; I just want to show only the SATCOM things in a quick way. Internet access via SATCOM: it's also possible. These are already known Shodan search terms that you can use to look up already known vulnerable versions that are on the Internet. The ship tracker thing I also mentioned, and the ship tracker one is only using the [inaudible] data, so Inmarsat and so on are also there. I was searching at Shodan for some other stuff and then I stumbled over this "digital antenna systems", and I looked up what it is, and then it became clear that it was a Cobham MXP web server for internet access for those big satellite dishes. So this is an index on Shodan where you can see okay, this is one of those things, and when you use the search term "micro digital webserver" you find those boxes. Okay, the demo I skip, because I have it as a picture also. When you use the Shodan search for those terms you find those things; this is how the dishes are looking like. They have a web interface and so on. The interesting thing is, when you have the web page in front, there's a JavaScript loaded; in the JavaScript, in the user login script, there is some nice stuff: if logged on as dealer then use the dealer menu page, "dealer GX dot HTML"; if admin use this one; if this one use this one. Okay, when you know that, just putting the complete URL string in the URL, then you have access to the system without login; so then you are logged in as a dealer and have full access. Also the nice thing is you have then access to a command line interface; with this command line interface you can do some other nice things like reconfiguring those satellite boxes, and you can also do firmware upgrades, file uploads, downloads and so on. So when you want to play with that stuff, feel free, up to you; I don't know, I don't do it. By the way, if you don't have a password, just read the manual. Okay, then I looked up: is there already a CVE report for that? Yeah, someone was quicker than I, but he reported only one version, so I can apply for other versions that are also vulnerable. And by the way, these are all other URLs that you can use where you can access the system without authentication. The interesting thing is you can configure I/O ports for other devices, the command-line interface, change antenna configuration, download, upload, blah blah blah. So what is the risk now for that? More or less denial of service, that's a bad thing, or you can increase the cost for the system due to the highly expensive data plans that they have.

So now we are going to the finish of that, a quick future outlook. The future is now: connecting, this is only a sample, cloud services with cloud devices to all the systems, and then access to the complete backbone network. So we have to look at those devices in the future, the cloud services; with those things you have access to the complete engine control systems and so on. And finishing with that. [Music]

In the last minutes I had to speed up a little bit, so if there are any questions... Yes? [Inaudible question] Yeah, yeah. I expected nothing to see, and as I have seen it... So what I was expecting, it was by accident; the computer may be by accident, and then with that information I just have to dig deeper and append that. Okay, in that loss available... So, anything else? Or you can ask me later outside. Thank you. [Applause]
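The talk's point that a gateway with control of the NMEA bus can feed the whole bridge a fake position, regardless of what the GPS antenna hears, suggests a defender-side check. The following is an added example (not from the talk and not any vendor's code): a small Python auditor for an NMEA 0183 sentence feed that verifies sentence checksums and flags consecutive fixes whose implied speed no yacht could reach. The sample sentences, the Tel Aviv coordinates and the 60-knot threshold are constructed for illustration.

```python
"""Sanity checks for NMEA 0183 position sentences read off a ship's bus.
Added example, not from the talk or any vendor: sentences, coordinates and
the speed threshold are constructed for illustration."""
import math
from dataclasses import dataclass
from typing import List, Optional

# Assumption: no yacht legitimately exceeds this speed over ground.
MAX_PLAUSIBLE_KNOTS = 60.0

def nmea_checksum(body: str) -> str:
    """XOR of every byte between '$' and '*', as two upper-case hex digits."""
    acc = 0
    for ch in body:
        acc ^= ord(ch)
    return f"{acc:02X}"

def make_sentence(body: str) -> str:
    """Wrap a payload as '$<body>*<checksum>' (used to build the sample feed)."""
    return f"${body}*{nmea_checksum(body)}"

def checksum_ok(sentence: str) -> bool:
    """True if the trailing checksum matches the payload."""
    if not sentence.startswith("$") or "*" not in sentence:
        return False
    body, _, given = sentence[1:].partition("*")
    return given.strip().upper() == nmea_checksum(body)

@dataclass
class Fix:
    time_s: float  # seconds since midnight UTC
    lat: float     # decimal degrees, north positive
    lon: float     # decimal degrees, east positive

def _to_decimal(value: str, hemi: str, deg_digits: int) -> float:
    """Convert NMEA 'dddmm.mmmm' plus hemisphere letter to signed decimal degrees."""
    deg = int(value[:deg_digits])
    minutes = float(value[deg_digits:])
    dec = deg + minutes / 60.0
    return -dec if hemi in ("S", "W") else dec

def parse_rmc(sentence: str) -> Optional[Fix]:
    """Parse a $--RMC sentence; None if the checksum is bad or the fix is not valid."""
    if not checksum_ok(sentence):
        return None
    fields = sentence[1:].split("*")[0].split(",")
    if not fields[0].endswith("RMC") or fields[2] != "A":
        return None
    hhmmss = fields[1]
    t = int(hhmmss[0:2]) * 3600 + int(hhmmss[2:4]) * 60 + float(hhmmss[4:])
    return Fix(t, _to_decimal(fields[3], fields[4], 2),
               _to_decimal(fields[5], fields[6], 3))

def distance_nm(a: Fix, b: Fix) -> float:
    """Great-circle distance between two fixes in nautical miles (haversine)."""
    p1, p2 = math.radians(a.lat), math.radians(b.lat)
    dl = math.radians(b.lon - a.lon)
    h = math.sin((p2 - p1) / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * 3440.065 * math.asin(math.sqrt(h))

def audit_feed(lines: List[str]) -> List[str]:
    """One finding per suspicious sentence: bad checksum, or a position jump
    between consecutive valid fixes that implies an impossible speed."""
    findings: List[str] = []
    last: Optional[Fix] = None
    for n, line in enumerate(lines, 1):
        if not checksum_ok(line):
            findings.append(f"line {n}: bad checksum")
            continue
        fix = parse_rmc(line)
        if fix is None:
            continue  # other sentence type, or receiver reports no valid fix
        if last is not None:
            dt = fix.time_s - last.time_s
            if dt <= 0:
                findings.append(f"line {n}: time did not advance")
            elif (knots := distance_nm(last, fix) / (dt / 3600.0)) > MAX_PLAUSIBLE_KNOTS:
                findings.append(f"line {n}: implied speed {knots:.0f} kn")
        last = fix
    return findings

# Constructed feed: two fixes in Tel Aviv marina, then an injected fix one
# degree of longitude east ten seconds later, then a sentence whose payload
# was altered after its checksum was computed.
SAMPLE_FEED = [
    make_sentence("GPRMC,100000,A,3205.118,N,03446.908,E,0.2,090.0,190618,,,A"),
    make_sentence("GPRMC,100010,A,3205.120,N,03446.910,E,0.3,090.0,190618,,,A"),
    make_sentence("GPRMC,100020,A,3205.120,N,03546.910,E,0.3,090.0,190618,,,A"),
    make_sentence("GPRMC,100030,A,3205.121,N,03446.911,E,0.2,090.0,190618,,,A")
    .replace("3205.121", "3205.999"),
]
```

Running `audit_feed(SAMPLE_FEED)` reports the injected jump on line 3 and the corrupted checksum on line 4; a spoofed feed with consistent checksums and gradual drift would pass these two checks, so this is a first filter, not proof of authenticity.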