Dated ship security open to attack

Ken Munro: “TLS needs to be in place on satcom boxes”

Dated security used by maritime satcoms companies is leaving vessels open to attack.

Security researcher Ken Munro is issuing the warning after demonstrating it is possible to precisely pinpoint a named vessel, identify a staff member and potentially attack a ship.

A partner at Pen Test Partners, Mr Munro said combining OSINT (open source intelligence, meaning openly available data) with satcoms is compromising shipping.

TLS needed

He stressed that, to prevent an attacker from taking control of onboard systems, “TLS needs to be in place on satcom boxes” and “password complexity is a must, particularly for high privilege accounts.”

Boxes must be “updated as a matter of urgency” and companies should “start with securing satcom boxes”, as this is the one route that is nearly always on the internet. They should then move on to securing other ship systems, he advises.

The research exposed a massive risk when Mr Munro searched for ‘html:commbox’ to find a collection of KVH CommBox terminals.

Crew details available

TLS was missing on the login, while the vessel name was also displayed. Below the login box, the person logging in had the option to view ‘active crew internet users’ which showed all the crew online in real time.

From AIS, the ship was located and Mr Munro used Google to identify the Facebook profile of the deck cadet who was listed as using the CommBox.

He said from this point, an attacker could simply phish, take control of the cadet’s laptop, “look for a lack of segregation on the ship network and migrate on to other more interesting devices.”

Or, he suggested, they could “scrape his creds to the commbox” and take control that way.

He added some of the network configuration was available by just hovering over the GUI.

By Rebecca Jeffrey
