Manufacturers of modern vessels didn’t escape the common trend of connecting various parts of their ships to the Internet.
As a result, any modern yacht now contains not only navigation systems, but also a pack of IoT devices with routers and switches — regardless of whether they’re really necessary.
As a result, yachts have the same security problems as other devices that suddenly became Internet-friendly: Technologies developed before modern security standards, navigation and infotainment systems connected to the same network, unprotected Internet connections on board, and more. Stephan Gerling of the ROSEN Group reported some of these problems during the Security Analyst Summit 2018 conference.
A yacht’s onboard network may include a lot of things — a vessel traffic service (VTS) device, automatic identification system (AIS), autopilot, GPS receivers, radar, cameras (including thermal), depth sounders, engine control and monitoring (some are cloud based now), and more. All of these electronics are connected to a network through a bus based on National Marine Electronics Association (NMEA) plug-and-play standards. The newest of these standards is NMEA 2000 (or N2K). Curiously, it’s related to the CAN bus used in road vehicles.
Even when electronic marine tools are not connected to the Internet, they can fall prey to some known vectors of attack: GPS jamming, GPS spoofing, AIS spoofing, and so on. Such attacks are not just theoretical; some have already happened. In attacks of this kind, malefactors alter information about a ship’s position and speed — data collected by AIS and transmitted, for example, to a harbor master to avoid collisions. Attacks on a GPS signal or AIS connection can cause navigation problems and even lead to collisions with other vessels, with serious damage and even human casualties.
In addition to NMEA, modern yachts have other networks on board. Infotainment networks are based on the TCP/IP protocol, which we use every day and includes the connected devices we know well: routers and switches, Wi-Fi access points, VoIP phones, smart TVs, and so on.
The issue here is that NMEA and TCP/IP networks are connected through a gateway. On the one hand, that means a yacht’s owner can remotely control and monitor the vessel’s systems, from lights or curtains to an engine, from his/her smartphone or tablet. Even the autopilot can be controlled by special wireless device. On the other hand, that means that these two networks are not isolated, and if an infotainment network is hacked, it is possible to hack deeper — into the NMEA network.
Of course, infotainment networks get Internet access through satellite, high power 4G/3G/2G, and Wi-Fi modules. To demonstrate how insecure a boat’s network can be, Gerling brought aboard one available solution to set up and control the Internet connection and local networks. For the user’s convenience, the solution can be remotely controlled (by software for Windows, iOS, or Android), and that is where problems start.
For example, every time the control app is opened on a tablet, mobile phone, or computer, it makes an FTP connection to the router and downloads an XML file. This file contains the complete router configuration, including hardcoded router credentials and Wi-Fi SSID and password in clear text. Thanks to the insecure FTP protocol, this data is easy to intercept, meaning that criminals can take full control over a yacht’s router and infotainment network. In addition, Gerling found a user account with root rights in the router OS that was left by developers, probably for a remote technical support.
What can a cybercriminal do after taking control of an infotainment system? Well, for example, intercept traffic including HTTP requests, audio (VoIP) and video (surveillance) streaming, and more. It’s a good start not only for espionage, but also for attacking every device on board that has a Wi-Fi connection.
After Gerling reported all discovered issues to the vendor, the network protocol was changed from FTP to SSH, and new app and router firmware versions were developed. The patched software does still contain hardcoded credentials — developers just changed the password from “12345678” to a more complicated one. And the developer’s root account still remains in the router’s operating system, even after the patch.
Looking at the situation as a whole, we do not have many tips for yacht owners. Onboard infotainment systems are not usually a DIY setup of routers and cables but instead are delivered as a complete solution with limited options. And it’s unlikely many yacht owners will install and adjust their own systems. In a nutshell, all we can recommend is to choose your infotainment solution’s manufacturer wisely.
That said, the research shows even complicated and expensive solutions may contain primitive, easily exploitable flaws that can be used for espionage on a yacht’s owner and guests. What happens on board won’t stay on board, in other words. Taking into consideration how many high-profile victims own or rent a vessel, manufacturers should pay much more attention to security — and proactively involve experts and pentesters — not simply wait for serious leaks, for which they will be rightly blamed.
From an IT-security perspective, a connected yacht is very similar to a connected car, so similar methods can be used for protection: for example, implementing a gateway that secures the data exchange between the components of an onboard computer system.
