
all right good afternoon everyone welcome to Proving Grounds uh I'd like to start out by thanking our sponsors in the Stellar Stellar level fa Sprite privity Tenable Amazon and Source of Knowledge uh they're all out in the chill out area so please thank them so this track is being recorded and streamed so at the end when we do Q&A we're going to be running mics and there's also a mic up here in the front um so our next talk is on hacking the high seas cruise line security assessment by Chad Dewey let's please welcome
Chad good afternoon everybody uh thanks for coming I appreciate it thank you BSides for having me uh thank you Adam Brand for being my mentor and actually making this presentation what it is today um okay so uh we're going to be discussing hacking the high seas it originally started out with just Cruise Line uh but ended up going a little bit further as you'll see here in a minute all right so who am I my name is Chad Dewey I'm a computer science and information systems instructor at Saginaw Valley State University a small university in uh Michigan I have degrees in stuff uh I do pen testing from time to time and uh I'm curious about weird stuff like cruise
ships all right so this is not the intention of this talk I'm you know obviously I don't want this to happen uh cruising uh just just a little bit of background my my favorite way of uh vacationing is on cruise ships I've taken several cruises and we'll go over that here in a little bit uh but uh this was human error by the way all right so disclaimer this is the cover your ass part okay um no unauthorized access to cruise ships or cruise ship systems was obtained or even attempted okay all righty then uh uh most of these observations are in-person observations especially when I was on the cruise ship uh cruise ships uh and uh review of
publicly available resources they're out there any everything I've done here today any of you can do okay uh using Shodan uh Shodan Shodan potato potato ARIN whois uh and the manuals of some of these systems okay um I'm not releasing any of the names of the cruise ships uh or cruise lines at this time um I've done my due diligence to try and uh share this information with them and only a couple have responded so far right now some of them are pretty probably thinking oh [ __ ] or something anyway uh so uh I've obviously done a lot of cruising over the years uh starting in May 2005 and uh had a little
bit of a hiatus and then in 2011 I ramped it back up again so all right so overview of the presentation uh before the cruise hooking yourself up with goodies and uh little perks here and there uh during the cruise kind of taking a little look at their Wi-Fi and the physical security of the ship and then after the cruise where probably the more interesting stuff is internet connectivity system vulnerabilities forward-facing services that sort of thing okay all right so starting out hooking yourself up now before you start a cruise you usually have to sign up on a cruise uh for a cruise and this is usually done online you make reservations you give them your credit
card and a lot of money and everything's supposed to be good to go um some of these Cruise Lines do not have um good sanitization of the uh the information that's given to them for example this is my uh profile on one of the one of the cruise ships here um and uh this is the things you can do within your account okay for example update missing information such as ship or dates uh that you traveled in the past in case they might have missed something okay now uh again this is my real profile I blacked out some of the stuff and you know if you've cruised before then you know you might be able
to guess who this is but anyway um so this according to this it shows that I've cruised uh on seven different cruises each of them a 7-day cruise um it looks like I've done seven cruises not really um I've only actually cruised four times with this company uh this particular Cruise Line and those are the four real ones okay um I never cruised or I did cruise in 2011 okay um but only one time okay um now the the purpose of showing you this is uh um you get perks okay each Cruise Line has its own little tier system you start out with blue maybe go to Gold Platinum so on and so forth with these perks you
get uh I don't know free Wi-Fi you know so you get internet connection on the ship um sometimes they give you other perks like have a drink with a captain that sort of thing some of them even give you tours of the ship okay so um as far as uh starting up in uh uh signing up for your cruises here again uh there's a double there okay so I wanted to go a little bit further well let's see I never cruised in 2009 so I could see this okay maybe they they're doubling it up because I actually did Cruise then well they didn't check to see if I checked or uh if I cruised in 2009 I did not okay I
did cruise in 2005 on this particular ship the Caribbean ship but I did not cruise on the Crown ship why well because it was still being built okay it didn't have its maiden voyage until June of 2006 okay so again they didn't check anything um not a whole lot of harm is done here um you know I just get my cruise status elevated a little bit okay other uh perks on some of these cruise ships beforehand before the uh the cruise you can tell them uh you've had an anniversary a birthday you've graduated uh you got married what whatever the case may be and you give you're given certain perks uh for these things couple of these perks well I got
all three of these because it was my anniversary again um and uh I got a $25 gift card for wine very overpriced wine but hey it's a free bottle right and uh I got a photo and it was very nice of them and they do this sort of stuff um just as a perk for you know thanking you for cruising with us so on and so forth um I've had anniversaries in uh December February March and May all right there's my bottle of wine all right so now we're on the cruise so this is during the cruise so you definitely want to be careful all right wireless security okay um this is this is uh slowly gotten
better over time the first cruise I went on in 2005 uh was protected with WEP encryption okay it's 2005 things could have been better whatever anyway uh so internet access on these cruise ships can be very expensive okay $25 a day on the last cruise that I went on okay that that's that's ridiculous and the internet is not all that fast either it's satellite internet okay uh so anyway moving right along here so Wi-Fi is expensive if you start looking around and poking and prodding at the Wi-Fi you'll notice that uh if you're in the room there's not a whole lot of traffic down there you're in the belly of the beast so you you know if you're
going to start looking around you're going to want to look at a I don't know a more uh active place like by the pool okay and I really didn't have a whole lot of luck I I was on vacation okay I'm not really going to sit there and you know uh do all sorts of stuff just trying to get free Wi-Fi because there's other ways of doing that which I'll get to here in a second okay now remember that platinum status earned you some free Wi-Fi okay uh fortunately you don't necessarily have to be platinum in order to gain free Wi-Fi how well some of these cruise ships uh give away some personal information by posting your information outside of
your cabin so you have a cabin number first name last name and one and all the cruise ships are nice enough to say oh you're a gold member you're a platinum member all that's required and you get 150 free minutes on one particular Cruise Line in order to get those 150 free minutes what do you have to know first name last name cabin number and you have to know that they you know you're platinum of course so you could technically pilfer somebody else's free Wi-Fi minutes okay all right um and encryption has gotten better so on and so forth okay so other physical security issues safes they all of them have safes in the room
some are numerical some of them use a magnetic strip card uh the magnetic strip card was an odd one because they said you should either use a credit card or your driver's license no you don't need to do that I used I think I used a gift card to LongHorns or something like that but uh anyway so staff doors are almost never locked some had no locks uh and as you'll see in the next slide some even worse uh doors to ship internals were almost never locked uh many had again had no locks so you could technically walk right in there if you wanted to staff laundry so I've been told staff laundry uh could be found along
with forgotten name tags on them so you could technically act as if you were uh you know one of them okay there's uh you know anywhere from a thousand to 2,000 crew members so they don't know everybody so you could get away with something like that um I found a total of six passenger badges sitting by the pool with those they're associated with a credit card that's where it gets a little bit scary because you could take it charge up a bunch of drinks and put it right back and uh yeah they might not know until the very last day of the cruise when they get billed so there's you know that's not necessarily the cruise line's
fault by the way that's that's just people being people uh picture verification of passenger when a card is swiped the employees are supposed to take a look uh when they swipe their card for a drink it shows a picture of the person okay uh the problem is they they don't look at it you know they just they're just they're just busy churning out the drinks okay so there is a safeguard in place it's just not very well utilized by the employees okay all right so again uh a lot of crew areas are don't necessarily have locks and some are not very well guarded there's a little bit of a closer view on that kind of looks like freezer
curtains so you know that's going to keep a lot of people out all right so uh here we are engine control room okay I have never been in an engine control room I have never been in uh uh the bridge some cruise ships allow this depending on your member status uh on certain Cruise Lines not all of them okay so I found this on the internet okay so this is the engine control room obviously heavily computerized this is the bridge okay um again I just found this on the internet if you look a little closer you can see the uh well you can't really see it here but the navigation system is a Sperry Marine VisionMaster FT the issue with
this is it runs Windows XP they all do okay and they're still all utilized uh and the ships there's not really any upgrades going on there okay so you can see a problem there so after the cruise oops went too far sorry all right so the internet yeah internet of ships so public IP addresses each ship has an IP address range associated with it we'll get into that in a second they're all on something called the Maritime Telecommunications Network okay the MTN uh basically handles uh well I'll get to it here in a second I'll actually go into more detail uh and there's several internet facing vulnerabilities and we'll discuss those here in a second um again all I had to do is use an ARIN
whois and uh Shodan to do all this so like I say any of you could do it okay looking at things from the outside the Maritime Telecommunications Network uses this IP address range so all of the ships or I can't say all most of the ships whether it be Cruise Lines or military vessels so on and so forth uh are normally connected to the Maritime Telecommunications Network okay so the internet of ships okay this just explains what the MTN is and what it does um see if I forget anything luxury yachts oil rigs government military vessels and cruise lines use the MTN for internet service providers when out at sea okay so again all these ships have IP
address ranges that are actually specific to each of these ships Tahitian Princess Diamond Princess Island Princess Emerald Princess so on and so forth okay and there believe me there's many many more I just kind of let it slide I'm going to skip right past this here okay uh this one is my trust fund uh again luxury yachts those are the jokes people that's that's that's all I got this one you might want to be a little bit careful of you can probably guess what's in this range hopefully right there's also another one called like uh was it uh uh Carnival HQ wonder what that is okay that speaks for itself okay so anyway uh a few statistics here using
some uh old encryption methods here um obviously they have uh vulnerabilities associated with them some of the services running on these these are again these are forward-facing services issues there pcAnywhere uh Windows Windows Remote Management and the most clever thing I think I've seen telnet on port 2323 they they were the first to figure that one out all right so this is where it gets a little creepy that top one though okay Debian 4 uh lost support back in what 2010 I don't remember what month but obviously it's a little old um some like a you can read them uh voice over IP systems on a ship with remote access using the default username and
password um several ships containing old Linux kernels a Microsoft Exchange Server 2003 okay um this just goes into CVEs and stuff like that several ships running Dropbear so another again a lot of issues these aren't even all of them these are just some of the ones that kind of were the creepiest to me all right and much much more um enough vulnerability to
create all righty then all right so some Cruise Lines don't bother to fix some of these issues for example the free stuff right a bottle of wine a massage a you know whatever the case may be they'll give it away because you're spending you know anywhere from $500 on up per person to go on a cruise okay um so I actually contacted that particular Cruise Line and they're like we're okay with that I'm okay with that too but you know um okay yeah right so uh anyway uh some of the other issues I haven't heard replies on you know they maybe they're thinking oh [ __ ] and they're kind of doing what they got
to do now I understand that some of these things take time imagine these navigation systems trying to upgrade those Windows XP uh they're going to have to take the ship out of service for at least a little while uh so you just to try and upgrade that so on and so forth uh over the last 10 years though each Cruise Line has steadily increased their wireless security with better encryption we hope so uh their internet kiosks have gone from PCs with Windows XP now this is 2005 so you know uh but now they're using Windows Vista using Chrome and incognito mode with Deep Freeze so at least they're trying okay um anyway uh okay that's all I got I'd like to
thank Adam Brand again uh for being my BSides Las Vegas mentor he's been a huge help I still would have been working on this if it wasn't for him so he helped me find some efficiencies here uh Dr Lonnie Decker and Dr Scott James for uh guiding me through this whole process not necessarily with this presentation but I guess in life uh Chris Roberts obviously you know I kind of uh followed his lead on some of this stuff uh Christina Lay and my mother for their inspiration and support through this entire thing all right if you have questions uh I have an email address here for you feel free to contact did you cut
out yeah I was just gonna say feel free to contact me um I'll send you the slides uh but that's about it I'm not going to send you a bunch of stuff that I found so you can you guys can look that up for yourself any questions yes hi thank you for the talk um could you go into a little more detail about how you uh got the free you know the Privileges and the the anniversary celebrations like break down yeah bottles of wine oh yeah uh when you sign up for a for every cruise I've been on um as you're signing up for the cruise they ask you check the box have you are you expecting any anniversary is
there a special event no right just well you know one of them but if you do pick one pick anniversary that's usually the most lucrative I don't I don't suppose you've looked into the uh jurisdictional issues uh of hacking a cruise ship for instance like if you're in international waters uh on a Barbados-flagged ship who comes after you if you do something you shouldn't do well first off you shouldn't do anything badly no no no no obviously no never never hack anything ever but if you do hack something who arrests you you know that's a good question I think if you should accidentally okay all right theoretically okay um I would assume there's some sort of maritime law
regarding that as far as who comes and busts you I guess the next port of call or maybe at the very end if you left out of Miami or Fort Lauderdale somebody might be waiting for you uh or they know who you are where you live and they
oh yeah is there okay I'm not very familiar with maritime law so I'm actually gonna have to look some of this stuff up well I mean I guess I don't really have to have done nothing wrong but it's good to know knowledge and power and all that is La also running
yes question how's it going um I was just wondering if you when you were talking to these uh Cruise Line operators if you ever bring up the subject of like denial of service especially with their wireless links like what if somebody were to plant a box on a cruise ship or any ship that basically disrupts all GPS signals or VSAT what if somebody finds one open on Shodan and like turns it off I wonder what sort of you know that that's something I hope I never see especially when I'm on the ship yeah yeah so I just I don't know if that subject's ever come up when you like talk to them or well I would assume they
have uh several backup systems again they're on they it's part of a satellite Network so maybe there's other things they could do I mean I'm sure there's some kind of backups I would hope uh but do I know that for sure no uh the satellite navigation systems if you've ever been on a cruise ship they have these big globes outside okay well that's it and you can usually touch them over the rail so that's kind of creepy yes sir yeah um obviously container ships won't offer you the same perks if it's your anniversary and you're shipping cargo but how much of what was on the cruise ship such as navigation and insecurity of physical facilities how much that
would carry over into the containership fleet pretty much the same thing except for the free stuff um speaking of which um I actually submitted this presentation February 7th of 2016 I didn't find out until May um I was doing some Google searching and found that uh some Somali pirates actually compromised uh a containership Manifesto to make themselves more uh efficient at being Pirates so they knew where all the good stuff was because they got a a Manifesto of everything that was on the ship so so what about the navigational data coming back you know on the on the public side of the ship it'll tell you basically where it is MHM all time yeah there well there's actually Maps uh
online maps to show you where every ship is pretty much all over the world in in international waters is there anybody else any more questions all right thanks Chad all right thanks a lot everybody appreciate it