Cyber Threats to the Shipping Industry

Introduction

Several cyber threats pertaining to the shipping industry have been reported of late, illustrating the vulnerability of this industry – a fact that cyber criminals, terrorists and even hacktivists are already exploiting.

(Please note –  this blog post is an excerpt from our report: “Cyber Threats to the Shipping Industry”. If you are interested in receiving the full report please write to: info@sensecy.com).

Vulnerabilities of Automatic Identification System Exposed

Researchers at the Trend Micro security firm reported they had identified major security breaches in the Automatic Identification System (AIS). The AIS is a global system that identifies and tracks vessels in real time. The system periodically transmits the position, speed and heading of a vessel, among other information. It was mandated by the International Maritime Organization (IMO) in all passenger and commercial vessels over 300 metric tons. During an experiment, the researchers managed to break into the system and alter data in real time.

The researchers were able to spoof the route of a vessel to spell "PWNED", meaning "hacked"
The researchers were able to spoof the route of a vessel to spell “PWNED”, meaning “hacked”

The breach was carried out in two phases:  first they identified the main AIS Internet providers that collect and distribute AIS information, and exploited their vulnerability to manipulated data:

  • Modification of all ship details such as position, course, cargo, flag, speed, name, MMSI (Mobile Maritime Service Identity) status, etc.
  • Creation of fake vessels with the same details, e.g. having an Iranian vessel with nuclear cargo show up off the coast of the U.S.

In the second phase, they exploited flaws in the AIS communication protocol mandatory in hardware transceivers in all vessels. Using a US$200 transceiver (using Marine VHF channels 161.975 MHz and 162.025 MHz) they were able to:

  • Permanently disable the AIS system on a vessel, forcing the ship to stop communicating its position, and also stop receiving AIS notifications from all vessels in the vicinity.
  • Issue a fake CPA alert (Closest Point of Approach) and trigger a collision warning alert.
  • Fake a “man-in-the-water” distress beacon at any location that would also trigger alarms on all nearby vessels.
  • Send false weather information to a vessel, e.g. storm approaching, to route around.
  • Cause all ships to transmit AIS traffic much more frequently than normal, flooding the channel and blocking communications from marine authorities and other vessels in range.

This security breach allows hostile entities to alter the real-time data of vessels sailing the seas, with the potential to cause economic damage, in addition to the serious safety risks to vessels or sabotaging the activities of marine enforcement agencies (police, coastguard etc.). The security gap is particularly worrisome because it does not require expensive equipment or impressive hacking capabilities to utilize it. The threat is that terrorist organizations could exploit this vulnerability, which could lead to serious physical consequences and even the paralysis of maritime traffic in a particular area.

Cyber Attack Breaches Port Security; Container Hijacked

On October 16, 2013, Europol announced it had exposed a network of drug traffickers who recruited hackers to breach IT systems in the port of Antwerp, Belgium. The purpose of the breach was to allow hackers to access secure data giving them the location and security details of containers (that contained smuggled drugs worth billions of dollars), allowing the traffickers to send in truck drivers to steal the cargo before the legitimate owner arrived.

The operation (which took place over a two-year period) went undetected by the port authorities and shipping companies involved. It was apparently uncovered with the recent arrests of members of the “Silk Road” website who sold drugs on the DarkNet in the U.S. The investigation was carried out by a team from Europol that in a related series of raids managed to confiscate containers holding cocaine and heroin worth hundreds of millions of dollars.

KVM devices used in the Antwerp attack
KVM devices used in the Antwerp attack

The breach of the port and shipping companies’ computer systems began with a spear-phishing attack, i.e. sending innocent-looking emails with malicious contents to employees of transportation companies working in the port of Antwerp. When the ring members saw that this channel had become blocked by enhanced IT security, they physically broke into the companies’ offices and installed KVM (keyboard, video and mouse) switches to enable remote access to the computer systems. The KVM switches were assembled and prepared in a professional manner and included miniature PCs concealed inside electrical power strips, external hard drives, as well as keyloggers disguised as USB keyboard port converters. Although some of this equipment was designed simply to steal login credentials, the hackers appear to have used wireless cards to study and possibly control the logistics systems in real time. The group then sent its drivers to the port and provided them with all the necessary certificates and release codes to retrieve the containers.


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s