»how to hack a Yacht - swimming IoT«
2018-10-17, 17:00–17:45, Europe

Modern vessels and yachts are equipped with a lot of specialized equipment that communicates over internal control and IT networks and is connected to the Internet. Due to my background, I was curious to know how modern vessels navigate and how the ship's electronics work. This is why I asked for access to a big, expensive yacht to assess its security.

The backbone network of vessels is nowadays based on NMEA 0183 or the newer NMEA 2000, which is electrically similar to CAN bus. The main IT network is connected to the ship's backbone control network via Ethernet-to-NMEA gateways. Cloud-based apps give you access directly to the engine of the yacht. Voila!
We have a swimming IoT device with many attack vectors. In my talk I will show how to use vulnerabilities in Internet routers for maritime environments, look at SatCom boxes and their (in)security, and show how remote control, cloud services, etc. are connected to the yacht's IT equipment.

Modern vessels and yachts are equipped with a lot of specialized equipment that communicates over internal control and IT networks and is connected to the Internet. Due to my background, I was curious to know how modern vessels navigate and how the ship's electronics work. This is why I asked for access to a big, expensive yacht to assess its security. Some attack vectors have already made it into the news. The backbone network of vessels is nowadays based on NMEA 0183 or the newer NMEA 2000, which is electrically similar to CAN bus. The main IT network is connected to the ship's backbone control network via Ethernet-to-NMEA gateways. Voila!
We have a swimming IoT device with many attack vectors. In my talk I will show how to use vulnerabilities in Internet routers for maritime environments, look at SatCom boxes and their (in)security, and show how remote control, cloud services, etc. are connected to the yacht's IT equipment. While I was working with one of the maritime Internet router models, I found several critical security issues. The vendor was informed, a patch has been released, and I am now allowed to present the findings. Another topic I will address is a SatCom device where I found similar vulnerabilities. One is already public under CVE-2018-5267. I found 3 newer versions and builds vulnerable to the same and to different other vulnerabilities that I have currently reported to the vendor. One of them is a web-based CLI interface that allows sending commands to the router. I will show a few exploitation scripts and a Metasploit integration. A couple of software projects are available to read NMEA datagrams on a PC with a USB-to-NMEA gateway. But this device can also be used to send NMEA datagrams back onto the bus. This is the point where we can gamble with the ship network.
Targeting yachts or large vessels will become a new threat, and we will hear more about it in the coming years.

• Outline

Basics about NMEA and networks on ships
  • different NMEA standards
  • how navigation interacts with the NMEA bus
  • Internet on board
  • remote monitoring and control

Attack surface
  • GPS
  • AIS
  • SatCom
  • Internet in harbor
  • remote control devices
  • Raymarine Autopilot
  • cloud-based services

Impact of attack
  • DoS
  • loss of ship / leakage
  • collision

Vulnerabilities in devices
  • Cobham Seatel
  • default credentials
  • auth bypass
  • Locomarine
    • default credentials
    • hardcoded credentials in software
    • obfuscated in WIN, but forgotten in iOS and Android
    • remote services
    • Winbox Management

Countermeasures
  • GPS spoofing detection
  • etc.

Q&A

• Scheduling Information - available all days