00:00:00
> So without further ado, I'll hand it over to Cybergibbons to talk about hacking cruise ships! If you would! Great, thank you very much for the intro. Hello people, wonderful people! Today I'm going to be talking about hacking ships. I'm going to talk about how ships work, how they're put together. Now this is the first time I've done this slide deck - it's a bit of a mishmash of two different slide decks so it might get a bit crazy at a few points. So, who am I? Well my name's Andrew Tierney, my handle's Cybergibbons.
00:00:33
I'm a professional penetration tester, which is a ridiculous name for someone who tests the security of various devices. This is me a few weeks ago on a 747 looking at some of the systems on board. I lead the hardware team at a company called Pen Test Partners - we look at planes, ships, cars, IoT hardware, industrial control systems. We call ourselves the "weird stuff team." We just do all of that kind of non-general purpose computer things.
00:01:00
So why can I talk about ships? Well this is me 16 years ago, I think, give or take - 2006? On a container ship in the Suez Canal. I used to work on container ships as an engineer - so down in the engine room. I did that for a few years. So I've got good knowledge of how ships work, bringing together the IT side of things and the ship side of things allows me to really drill into how they work and find
00:01:25
really interesting vulnerabilities. At the end of this, I'm going to show you how I was sat in my pants - I'm not actually going to show you that - I was sat at home on the sofa with remote control of a cruise ship. I could steer a cruise ship remotely, so that's where this is going. Now all of the work that I mentioned here is carried out with permission. We were on the cruise ship with permission to attack those systems,
00:01:51
so don't go and do this when you're on a cruise. You will get in trouble. So what is it like working on a ship? Well, this is the view out of my cabin when I was a cadet on container ships. I worked on kind of 300 meter, 350 meter long container ships. Back in those days they were the biggest container ships - they typically held between 6 and 7 thousand TEUs - twenty-foot equivalent units - so that's half of a normal container that we're used to. So
00:02:19
it's a lot of containers. You can see there we're looking forward from the accommodation - you can see all of those containers on the deck. Now most people think about container ships, when they go past they look at all those containers stacked up on the deck and that's all they think of, but actually the bulk of containers are below the decks in the hold. So you take off a hatch lid - there's three hatch lids across the width of the ship - and down there you can fill it up with containers.
00:02:44
So those are 40 foot equivalent units - they fill that whole 40 foot gap - a 20 footer is smaller. On the right hand side there what you can see is something called a "bunker barge". You obviously have to get your fuel from somewhere - now a container ship like this holds about 10,000 tonnes of what's called heavy fuel oil - HFO. Now that - it's expensive - it's $500 per tonne. So the first time I remember I was helping take bunkers - take that fuel on board,
00:03:15
I did the maths. 10,000 tonnes at $500 a tonne is the best part of $5m worth of fuel. One little mistake and you could cause a real problem. This is a picture of a container ship that I worked on, whilst it was under construction. So you can see that cross-section of the ship - how deep it goes down in the holds. Down the sides, those hollow gaps at the sides - they're tanks - they hold ballast water or fuel. And you've
00:03:43
got a thing called the side passageway that goes all the way down at the top, all the way from the back to the front and it's quite crazy - you can stand in there in heavy weather look down that side passageway and, even on a container ship this size, you can physically see it twisting from side to side and moving up and down. Unfortunately, 2006, we didn't have camera phones really - we didn't carry cameras about with us, so I don't have any videos of crazy stuff like this.
00:04:11
So what is it that powers one of these? Well it's a really, really, really big engine. So it's a two-stroke diesel engine. They're huge - they're three, four stories high. That red box there is covering one of the exhaust valves on one of what we call the "units" - one of the cylinders. Now this is a 10RTA96C - 10 means 10 cylinders. So it's already got 10
00:04:36
cylinders - it's bigger than most car engines. 96 means that the bore of the cylinder is 96 cm across. You can fit in the cylinders, they're that big. So these things are absolutely massive. That huge pipe you see going along the top there - the big silver one - that's the exhaust manifold. The stroke of one of these as well: 2.4 meters. The piston goes up and down 2.4 meters.
00:05:03
When you look up at it from what we call the "bottom plate" right down at the bottom of the engine room you can see the scale - we've got three ladders going up towards the top of that engine. Now that big round thing there, you might think that's a flywheel underneath there, but it's not. It's actually what we call the "turning gear" - a massive cog. You use a tiny little electric motor to spin the engine round before you start it, to make sure it's all lubricated.
00:05:28
Now just to give you an idea of scale - this isn't my picture - that's what a banana is in relation to one of these. You can see the little guy stood on the top there by the exhaust valves. Now these engines are really different to normal car engines - first off, the crank case is so big that it's got ladders inside it. You have to climb inside the engine to do some maintenance work - it's
00:05:52
really slippery and grim. But they're two-stroke - what you have to do is you have to pressurise the space underneath the piston so you can force air in at the bottom and then the exhaust goes out of the valve at the top. It's like a two-stroke motorbike engine where the crank case is pressurised. It's not technically the crank case in this situation, but it is quite different. So what does a piston and a cylinder liner look like in one of these? So on the left hand side
00:06:21
there, you've got a piston. You carry a spare piston so you can swap it out. It's absolutely massive. On the right hand side you've got a cylinder liner. It weighs about nine tonnes so these are heavy, heavy things. Again, you carry a spare cylinder liner. Those holes you see around the bottom - that's where the air gets forced into the cylinder to push the exhaust gas out. Now of course, you have to measure to see if the engine gets worn
00:06:49
so you take the exhaust valve off, which - I made it sound like it's simple, it's not that simple - and you climb inside the cylinder. You use a very long micrometer - it's a stick - and you measure the wear on the cylinder. This is when one of the ships I was on was being built. Another crazy thing: those pistons need to be kept cool. You need to keep that piston actually physically cool. It's not like a car where you can just rely on the oil in the crank case
00:07:19
and the rest of the liner keeping it cool, so what actually happens is oil gets sent up the middle of the piston rod, sprayed through - I think about 56 - nozzles onto the underside of the piston and then it drains back down into the crank case. Really really cool little system that. So how do you get the power from the engine through to the propeller? It's just one big propeller, that's it. Well, you've got a gigantic prop shaft, and that is the prop shaft on this
00:07:45
ship. It's quite long, it's quite thick - I think it's about 90 cm across again - a massive, solid chunk of metal to carry the power from the main engine back to the propeller. And how big is one of the propellers? Well, it's about that big. This is when one of the ships I was on was in dry dock, so you can see the sheer size of this thing - it's absolutely massive. The edge of that
00:08:10
propeller actually moves so quickly that you get cavitation - little bubbles of steam forming. One of the ships I served on, the Southampton, actually had a tiny little window in one of the ballast tanks when they did a study to monitor how that cavitation happened so they put a camera in there to watch the propeller go round underwater. Now a weird thing about these ships is the engines don't really go that fast. If you're moving a chunk of six tonnes worth of piston up and down, moving it two and a
00:08:41
half metres, you can't move it that quickly. So at most they do about 105 revs per minute, so very very slow compared to a car engine. When you're stood on the top plates and the engine's running it will shake you. It pulses through your body - it's that kind of frequency. Now the other thing is that, if you want to go in reverse, you don't have a gearbox. There's no gearbox to change your direction. You stop the engine, and you turn it round and make it
00:09:09
go the other way. You literally reverse the engine to change direction. So if you need to come to an abrupt halt - you're motoring along, 100 rpm, 25 knots, and you need to stop quickly, you need to stop the engine, bring it back in the other direction, and try and slow down. Now how much power do these make? Well, it's kind of variable but it's between 80 megawatts and 120 megawatts, so we're talking really, really huge amounts of power.
00:09:38
This is the power meter on the ship. Now the cool thing is, the way it actually measures how much power is developed on the engine is, it's got two sensors on the prop shaft - a couple of meters apart from each other - and it measures how much that 90 centimetre chunk of metal twists. It's actually measuring the twist in that to work out how much power. At this moment in time we're doing 65 revs - quite low revs - we're only developing 15 megawatts.
00:10:04
Not that much power - I say, like that's a token amount of power. How do you start one of these things? Well, there's a thousand tons of rotating metal there. You can't just turn an electric motor on, like in a car. So you start it with compressed air. So this is called the start air system. It's 30 bar, so that's just over 400 psi, give or take.
00:10:32
This is scary pressures - most air compressors kind of top out at about 150 psi. If you make a mistake at these pressures, bad things are going to happen. Each one of those tanks - the walls are huge, huge thickness. But you store that air up, and then something like a distributor, a pneumatic distributor, admits air into each cylinder one by one and starts the engine. You also need to open and close the exhaust valve, and you need to inject fuel.
00:11:01
So this is on what we call the "middle plates" - the kind of middle section of the engine. On the outside there - the two big silver pipes leading up - they're hydraulic lines, leading to the exhaust valves. So they're hydraulically actuated - a massive camshaft is rotating around underneath pushing hydraulic fluid up there. The bit in the middle is the fuel pump: it pushes fuel - heated up to about 140 degrees Celsius - up through a pipe, through to the cylinder head,
00:11:29
where it gets split into three and it goes in through three injectors. So this fuel pump covers two units, so you've got multiple fuel pumps across the length of the engine. Now, normally all of this is done automatically - all of it's happening in the background by pressing buttons on the bridge - but you've got to practice for when systems fail. So, right in the middle of all of these main engines you have some sticks. You literally have sticks that control how the fuel is admitted to the engine. At the moment you
00:12:02
can see there we're in "remote control" position, but what you can do is you can take it out into "run" and "start." So you put it into "run", you pull it through to "start" - it will put that start air through into the system - you can choose "forward" or "astern" - and then, on the right hand side, you've got something that controls how much fuel is being admitted to the engine. So we'd practice this - you call it "riding the sticks" - it's really, really challenging.
00:12:27
Normally, that control system is metering how much fuel there is - 10 times per revolution - and you don't have that ability, so you're sat there trying to maintain revolutions. Really, really challenging. You've got to wear a headset as well - the noise in the engine room is deafening, so you've got to wear a headset to get instructions from the bridge if they need to change speed. You remember I said that you need to have that pressure in the crankcase to force the fresh
00:12:54
air into the piston when it's down at the bottom? And the way we do that is with turbochargers. So these are the turbochargers - that's the exhaust side of one of three turbochargers. They're about the size of me - so not actually that tall. The thing is, though, those turbochargers kind of stop working at low speeds - anything below about 25-30 rpm, they just don't have the exhaust gas
00:13:20
to generate airflow, so on the left hand side we have what's called a "scavenge blower" - it's an electric fan that forces air into the scavenge space to take up for the turbocharger. The noise at this part of the engine room is deafening - these are like jet engines, essentially - they're massive turbines. You wear ear defenders, obviously, but I'd often put ear plugs inside the ear defenders working in these areas just because of the noise.
00:13:49
Now the interesting thing is, your turbocharger's got exhaust gas going over it, and it will get dirty. I mean, it will get filthy - really, really, dank. And you need to get that filth off it, so what you do is you get crushed walnut shells. Literally tiny little bits of crushed walnut and you put it in that little green tank, you pressurise the little green tank with air, and you inject it into the engine - into the
00:14:12
exhaust - and it will hit the turbine and all of the crap will come off. It will fall off, and just go through into the exhaust. It's a really, really clever idea. Now, the intake for these - it takes the air from the engine room. It just sucks the air in through a big filter on the other side, so it's coming through the engine room. You get a really weird effect called "turbocharger surge" sometimes - it's kind of when the amount of air that the engine's bringing in doesn't really match up with how much the turbocharger's generating,
00:14:40
and the turbocharger "burps" or "coughs", people say. Now having stood next to one of them this big when it coughs...yeah, it's a bit more than a cough, to be fair. It's a bit scary. Now the next slide, there's a mild picture of a mild injury on it - it's just a red arm really, but I thought, just in case. Seafaring's dangerous - there's all of this machinery, all of this stuff
00:15:04
going on round you and accidents happen. And you might recognise that picture on the right hand side there - it's exactly the same colour - it is, well, it's the forward turbocharger off that very same ship. I was on board when this happened. This is an accident report - essentially the pipe came off the front of that tank. 7 bar air hit him with the, um, the walnuts. That sounds a bit strange!
00:15:30
It didn't actually look that bad to start with - it just looked like his skin was wet - you know, like an abrasion, but then over the course of the next hour or so he was in real severe pain and we actually had to divert to another port to take him to hospital. It's a pretty serious accident, that. Another thing that ships this size - engines this size - have got that's unique is the crank case. It's huge - it's this massive space, and it's full of a mixture of oil and air. Now the
00:15:59
problem is, if you get a hot spot - friction on a bearing or something like that - it will produce an oily mist, and you have something called an "oil mist detector", and it sucks in air from each one of the units to detect whether it's got to explosive quantities in there, or an explosive proportion. Because sometimes it does blow up - it's sunk ships before. These big round doors on the side - they're explosion relief valves. If there is an explosion,
00:16:26
it lets the explosion out but doesn't let air back in, so there can't be a secondary explosion. Now this main engine, it needs power. It needs all those pumps, it needs cooling, all of these things going on. So you need to generate electricity to make the main engine work, and you do that with generators. So on this particular ship - the green one that we see here - we had four 3.6
00:16:52
megawatt generators, so just over 14 megawatts of power. Quite a lot. They power all of the pumps, they power all of the systems on board - it's quite a lot of power. But you do have all of those ancillary systems: you've got all the pumps, so you've got high temperature cooling water which transfers heat to low temperature cooling water, which transfers it into sea water. You've got lube
00:17:17
oil systems for the main engine, you've got fuel systems. Hundreds of pumps. Fire fighting water. Just so much stuff going on. You've also got these big heat exchangers which are titanium plates stacked together with rubber gaskets between them. Sometimes you have to open them up and clean them - it's a really, really unpleasant job with a pressure washer. We've also got to purify the fuel so those bulbous things are called fuel
00:17:44
oil purifiers. They're centrifugal purifiers - they spin round at some god-awful rpm and they take water and dirt out of the fuel so it can be used in the main engine. And on the right-hand side my favourite piece of engine room equipment: the shit tank. When you're the junior one on a ship, you look after the sewage plant. You're the one who deals with everybody else's poo. It's not just a tank though - it's actually a digesting plant.
00:18:10
It takes the sewage in, it digests it, bubbles air through it, chlorinates it on the outside, and then puts it into the sea. I did actually quite like looking after it, to be fair. The electrical systems on these ships are hugely complex. So those generators you saw, they run at 6.6 kilovolts. That's a really scary voltage. Now the only thing on the ship that actually uses voltage at that level is the bow thruster - a massive propeller that sits underwater in the
00:18:41
bow at the front of the ship, that helps you dock. Everything else gets dropped down to 440 volts like you'd have in most industrial situations. Now, the thing is, to get those big generators starting - those four 3.6 megawatt generators - well they need loads of pumps running as well, so you have what's called an emergency generator. Now this is a genuinely baby generator - 300 kilowatts
00:19:04
or so - normally in the accommodation, sometimes up forwards, and that will generate enough power to compress air, to get pumps starting, to get one diesel generator running, which can then bring up the other diesel generators, that will then start the main engine. If you lose all of those systems you have what's called a blackout. You lose all electricity. The ship will stop working for a few seconds. There's a few battery-backed things but nearly everything will stop at that point,
00:19:31
and if that happens at an inopportune moment - the Malacca Straits, the English Channel - you lose power, if the main engine stops working, if you lose electricity, you don't have a rudder, if you're not moving forward, the rudder doesn't work. So it's something you really want to avoid. This is the switchboard room. At the left-hand side you've got what's called a "mimic panel" - it's all the buttons to control that 6.6 kilovolt system. On the right-hand side you've got what's called a "motor control centre" - it's all contactors
00:20:00
and the control systems that control all the pumps and machines in the engine room. The 6.6 kilovolt stuff is just scary territory. I remember the first voyage I went on we used to rack these breakers out, after making sure they were dead, just wearing a boiler suit. That was it. Well, shoes and stuff as well, but there was no specific protection gear. But then there was a really serious accident where someone I think lost the front part of their arm because they
00:20:25
racked a breaker out without making sure it was isolated, and from that point onwards we had to get these crazy suits on - face masks, use loads of equipment to make sure we were doing it right. That's the bow thruster - it's a 6.6 kilovolt motor normally about two, two and a half megawatts, and all it does is move water from one side of the ship to the other, so you can move the front of the ship in and out. But the reason for having 14 megawatts of power on those generators is actually these things - what
00:20:54
we call "reefers". Refrigerated cargo. So, when you take one of these on board you've got to power it - you've got to plug it into the ship. You've got to get three-phase power to it. Now for, say, the Southampton - a ship I was on - it took 6,000 TEUs - so 3,000 40-footers - but only 700 of those spaces were allowed to be occupied by reefers. So they were the ones you could plug the power into.
00:21:19
It was a hugely time consuming job monitoring and keeping them all going. Now, I don't know if you saw this a while back on Twitter - there was this beer mat: "the largest cargo ships can store 745 million bananas in nearly 15,000 containers". No, no, this just doesn't make sense. What they've done is they've worked out how many bananas, if you filled every single container on the ship with bananas, but there are no ships that can take a full 100% banana load.
00:21:51
There's new sequences of words happening here. But yeah, ridiculous. Now, container ships like this operate what's called unmanned machinery space or UMS. That means, as an engineer, I can go to work between eight and five and then at five o'clock we put it into UMS, and then I can go and have my dinner, chill out in the evening - unlike the deckies who have to look out the
00:22:18
window all of the time. So there's loads of alarms and things going on in the background. This is the alarm signal light that you get - I'm sure it's got a better name than that - we just call them lights. The top one there - the green one - you never want to see that lit. That's a lifeboat - that means abandon ship. If you see that lit, it's a bit of a game over situation. The one below it - the cog and the fire - means a fire in the machinery space. Again, not great
00:22:45
to be honest. You don't really want to see that, but every now and then it will go off - a bit of oily mist, someone will be welding, something like that. The one below, it's actually - unfortunately I never got any pictures of this - the whole engine room can be flooded with CO2 if there's a fire. You seal all the doors, you seal all the vents, and you dump CO2 into it. On this particular ship it had about 120 of those massive CO2 bottles, wired up to a huge manifold,
00:23:12
and it would trigger and fill the space. If you're in that space and you see that light come on, you've got 15 seconds to get out before it gets triggered. You'd obviously try not to trigger it with someone in there, but, you know. The other one's the cog - a machinery alarm, something's not working quite right. The telegraph one - that's if you're having to ride the sticks on the side of the engine. The next one unsurprisingly means the phone's ringing.
00:23:38
Now, when you're in your cabin, when you're having dinner, when you're in the bar, what you have is panels - alarm panels on the walls of those rooms. And you'll go in as that duty engineer on watch, who has to monitor those alarms that night and they will come through to this panel. So if you're having lunch and an alarm goes off, you go and have a look and it will say something like "header tank low level", something like that, and then you'll
00:24:02
go and investigate it - you'll go back down to the engine room and see what the problem is. Now sometimes, you'd go down to the engine room and things would have not gone too well. Something bad would be happening. Something to make your day unhappy. And there's this big button - well, lots of buttons like this you'd press - and what that would do, is it would alert every single engineer on board and alert the bridge that there was a problem. Now, one of these problems that we saw: I got an alarm at lunchtime
00:24:30
and I go down to the engine room, and inside that red square there, water was spraying out. That's the high temperature cooling system, so we're talking water at over 100 degrees Celsius - because it's slightly pressurised - spraying out of here. Yeah, not a good situation. So what had happened was that header tank at the top there should normally be full - it's like a header tank in any system - we sprung a leak on the main engine and that header tank was dropping
00:24:58
down really, really, rapidly. Now the thing is, that high temperature cooling system is shared between the diesel generators and the main engine. If we lose that high temperature cooling system, we lose the main generators, which in turn means that we can't get the main engine started. What we actually did was we got the engine stopped very quickly, and we lifted the fuel pump. So what
00:25:23
you do is you can literally - that big fuel pump on the middle plates - you can turn a handle on the side of it so that cylinder no longer does anything. There was no longer an immediate requirement for cooling on that cylinder, so we could get underway and then fix the problem. The other one - and this was the worst few weeks of my life, maybe that's a bit of an exaggeration - I was asleep in bed at about ten past seven in the morning and the general
00:25:49
alarm sounds, which is, you know - that's when someone hits that "assistance required" button. Boiler suit on, straight down to the engine room, and we've got a real situation. About two tonnes of fuel oil had sprayed out the top of the main engine all over the engine room. There was a fine mist of oil everywhere, and what had happened is this little tiny pipe that circulates fuel around the main engine, all of the time just to keep it warm - the fuel's got to be
00:26:18
kept heated up to 140 degrees - it just gets circulated around an 8 mm line - had come off in the middle of the night and dumped two tonnes of fuel across the engine. So it's sprayed out, it got everywhere. It was all the way down at the bottom, all over the top plates, all over the bottom plates, in the bilges. It took us weeks and a crew of about 15 Taiwanese women on board - probably not
00:26:47
great that we're employing cheap labour like that to be honest - to clean the ship, it was crazy. Right, we're actually on track for time, so these are just some of the things that people see about ships and think "well that's cool". But that was 16 years ago - I don't do that any more, I hack stuff for a living. So, why hack a ship? Well, I'll be honest with you. I saw Speed 2. That's quite a good film.
00:27:13
You know, essentially someone on board the ship hacks the ship. And I think a few of you probably last night might have watched Hackers, which also involves the plotline of hacking ships remotely. And I don't know if anybody recognises that - yes Bugs! - this is so formative in my career, it was just such a major influence to me when I was a kid. They just got involved with all these crazy plots. I don't know if they ever did actually get a ship that they could hack.
00:27:41
Now the thing is, when you look at a cruise ship, they're really, really complex. They're a hotel, they're shops, they're a ship. All these different systems, all coming together in one place and keeping them secure is really, really difficult. Just when you look at the different networks on board, you've got TV - everybody wants entertainment so you've got a TV network - you've got your VoIP phones, the ventilation system, the passenger Wi-Fi, the entertainment so that
00:28:08
you can watch what's going on in the theatre in your cabin. You've got CCTV - hundreds, possibly even thousands of cameras on board these days. You've got your business networks, your normal corporate stuff, third parties like the shops on board. You've got your control networks, the things that make things move, make things do things. And you've got safety networks as well. The thing was, when there was a limited number of networks on ships, you had discrete networks: you
00:28:37
had an individual cable going between the bridge and the engine room to do the control systems. You'd have a TV cable. You'd have a VoIP cable. But the thing is, that takes up lots and lots of cabling and space. So ships have done what's called "converged networks". So they're using VLAN trunks, so they're sending lots and lots of different networks down one physical cable. Now, from an attacker's perspective - from a hacker's perspective - that means quite a lot.
00:29:05
If I just attack that single network - if I plug into the TV socket in my room - my cabin - I don't get much. I just get access to the TV network. However, if I compromise the switch that turns those networks into the VLAN trunk - or literally just unplug the VLAN trunk cable and stick my own machine in it - I've got access to all of those networks. Cruise ships are divided up into what's called "fire zones" - they're also watertight as well.
00:29:31
So they're vertical divisions and this has an impact on how you design the networks on them. You have what are called "RDPs" - remote distribution points - massive network switches in each one of those fire zones. And to get all of these different signals into the cabins you have what are called "cabin switches" - so every pair of cabins will have a cabin switch that does the TV, the VoIP, the water, the lighting - all of those different things.
00:29:56
So they go vertically down the ship, so you don't have to make holes going across to carry those cables. Split into port and starboard for redundancy, but you've also got other things connected to it - it's a properly converged network. You've got your satellite connection, you've got bridge systems, engine room systems, all going down those cables. That's just a patch panel for one of those RDPs on a ship. You can see the number of cables - it's huge. So we've got a cabin switch, and our cabin switch is just outside our cabin,
00:30:28
so we can physically inspect it. I can open up the panel and I can look at that switch. We can see it's got a TV connected to it, it's got our VoIP phone, it's got what we call the "cabin control system" that does lighting, HVAC, door, and water. We've got our other cabin that's also on that switch as well. Now, in the passageways you've got Wi-Fi access points and CCTV as well, so people want to also dangle those off these cabin switches
00:30:53
as well. Now those black lines on the left hand side - they're a trunk - they carry all of these different networks which means to me, as an attacker, I really want to look at that network. So what did we do? Well, we unplugged our TV and our VoIP phone, so now we've got a cable going into our cabin. We then took the cables that the TV and the VoIP were on, and we patched them into the trunk. We then put our own switch in the cabin so we've looped that VLAN trunk
00:31:22
through the TV and VoIP connections - physical connections into our cabin, on our own switch and now we can attack those networks at will. We can do what we want to them. That's the kind of situation we've got there - we've opened up that panel and that's that switch. What can we do with that? Well, it turns out quite a lot. A lot of the time, the TV systems, no one set a password on them. Now imagine if you could change the image on every single TV on board - you could probably cause widespread panic.
00:31:49
The VoIP phones: no password. The Wi-Fi and the CCTV: quite often insecure. So in one instance we had control over all 800 CCTV cameras on board. The other thing is the cabin control system: now this is really there to save energy. When you're not in your cabin, you take your card out, the air conditioning and the lights turn off. But you can also turn that and flip it on its head and attack that system.
00:32:17
Now a weird thing is the way that this system works: rather than the cabins connect through to a server like we're kind of used to with a lot of IoT and things like that, the cabin control server connected out to the cabins. But that meant, as that attacker who's got network connectivity through to those, we could compromise the cabin control system. Now unfortunately the client didn't give us permission to do this, but what we wanted to do was write something on the side of the ship.
00:32:42
[laughter] One of the ships we've been on actually has this as functionality: on the bridge there's a web interface that you can draw on the side of the ship. I was really, really saddened to find out that on a lot of ships when they do this, it's literally: they get a chart and they write down which cabin, and then they go and turn the lights on in each cabin. [laughter] You don't want to see behind the curtain. Another one that we find really useful on ships is the fact that we have physical access to
00:33:12
this equipment. Now most Cisco switches, most Juniper switches, lots of equipment's got a console port - a serial console, and when you connect to that, you can do a lot of things. One of those things is called password recovery mode. You can dump the configuration of that switch. The thing with a lot of these is they'll quite often contain passwords or information that can attack other systems. So it's one kind of core principle of security: the compromise of
00:33:37
one device should not lead to the compromise of many. But the thing was, in this instance we took the config of our switch and we recovered a password - it was encrypted rather than hashed, so we could get that password quite easily. It was a really good password - good quality - and then we thought, well, let's see where it works. Is it just this switch or is it lots of them? And it turns out actually, that in this case it was only one of those RDPs that
00:34:03
it worked on - someone had forgotten to change that password on the RDP. But we're now getting to this dangerous position where we're starting to get closer and closer to these engine room and bridge systems - the things that let you control the ship. Now you remember I said we've got all these motors, and we've got the motor control centre. They're literally contactors: big relays that turn motors on and off. Now if I'm physically stood
00:34:29
next to them, it doesn't really matter. I can just start and stop - I can press those buttons. So as a hacker what I want to do is I want to get further and further away from them. I want to do it from outside the engine room. I want to do it from my cabin. I want to do it from my sofa. Now most traditional control systems used to be what we call "air gapped". There was no connection from the control systems through to the business networks and the internet. And the thing is, you come along as an attacker - if I can access the contactor,
00:34:57
I can press a button on it. The motor starts, but I'm already there - what's the impact? I could go to the PLC - the controller - and do it, or I could go to the HMI - the display - and trigger something from that perspective, but it's not a great attack. The thing is that people add these jump boxes - pivots between different networks - they want to get data out from the control system to the business network. They want to be able to monitor things. So we're always looking for them
00:35:24
because that means that we can start attacking them from the business network and the internet. I'm not sure if Ryan's here - he might be. Yes Ryan's there, hi Ryan! Ryan said this a few years ago: much of hacking is about understanding systems better than those who built them and using that knowledge to do what is supposed to be "impossible". And I often find this on ships. This was completely unrelated to ships, it was to do with a crypto wallet, but we get on those ships and what we want to do
00:35:51
is we want to understand those systems better than the people who built them. So I'm going to give you a few examples of how we've done that. Now, typically we've got this air gap - the bridge and engine room systems on one side, and then we've got the satellite connecting through to the corporate network, you've got a crew welfare network so you can browse the internet in the evenings, you might have third parties on board, but there's a gap between them. Now one of the major costs in shipping is fuel: you want to make sure your ships are working
00:36:18
efficiently, so people put remote monitoring systems in. They gather things like your speed, how much fuel you're consuming, what speed the propeller's spinning at. All these bits of data. And we could see that there was one of these on a ship - we could see it on the network - but we didn't know where it physically was or what it did, and it took me a long time. Now, at the top there you've got the voyage data recorder - the black box
00:36:44
of a ship - that's recording all of those bits of data, but underneath it you've got a panel screwed onto the wall - no label or anything like that. Eventually I unscrewed that and we found this remote monitoring system, literally screwed in a panel behind the wall. No one on the ship knew where it was or what it did. So it's got ethernet coming in one side, it's got a connection to the network, which means we can access it from afar. On the other side it's got serial connections coming into it,
00:37:10
carrying data from various systems, but you might notice something about those connections - there's only two wires on each one of them. It's got eight different connections but there's only two wires. Now this is a crucial thing: at that point in time we didn't understand how that data was getting between the bridge systems and the monitoring system, but it turns out it was using conventional serial: you've got a receive and a transmit pair. The thing is with a lot of serial systems like this, what you can do, is you can
00:37:37
just cut one of the lines, so the data's being transmitted from the bridge systems through to the monitoring system. There is literally no way for me to get data back in the other direction. So in this case the system was secure. It was just confidentiality that would be the worry. Another one: this was on a container ship. We found this little, kind of, rugged industrial PC in one of the racks and no one knew what it did.
00:38:03
We plugged a monitor into it - it's often the easiest way to find out what's something doing - and we noticed it was running some software. Again, remote monitoring software, but it was using these little things that convert between IP and serial. So it's converting between that ethernet world - that TCP/IP world - and that serial line world. After a lot of digging - and I'm talking a lot of digging - we found out where it was physically connected. We had one
00:38:27
of them going through to the bridge systems and we had one of them going down to the engine room. We looked at the bridge systems and it turned out again that they'd cut one of those two lines - it was just transmitting position and speed data down to the monitoring system - no security impact. So we moved on to the one that went down to the engine room. I mean, this really was - it was a cable going all the way from the server room just underneath the bridge 11 decks down
00:38:54
into the engine room and we had to physically trace that cable. It was time consuming. But this was using something called Modbus. Now, Modbus is a different protocol - you'll notice that it says request, reply, request, reply. You have to ask for data from the other end before it will be sent back. What this means is you can't cut one of those wires. You've got to have the ability to transmit data from one end to the other. Now the thing here was, you weren't just able to request the engine
00:39:25
speed, you're also able to change settings on the engine by making requests through to that PLC. Now, unfortunately we weren't allowed to demonstrate exactly what we could do. We think we could have stopped the engine and made it operate strangely, but again, to do this you'd have to be on the ship. But then comes in TeamViewer. TeamViewer is everywhere. Now the thing was,
00:39:49
the shipping company wasn't paying for this tracking system anymore, so we had a company with TeamViewer access to a box that had access to main engine systems who there was no commercial relationship with. And it was TeamViewer, so we had that remote access vector, so we could really, really cause something serious to happen. Another one: a generator on an offshore support vessel. In there, it had these little yellow routers. Now, we could see they only had one network port on the bottom of them.
00:40:20
So it was labeled LAN/WAN. Now this is really weird - the idea of one network port going into the bottom of a router that's supposed to secure something. You can't really properly secure something if the network traffic's going in and out of the same port. So again we tore that ship down, we looked at how it worked, and we realised that this router was actually completely pointless. If you wanted to try and secure the traffic by going through the router, fair enough,
00:40:46
but we could just set our IP addresses to be the same as the controllers on the generators and that was it. We could pop those generators. How did we do that? Well we could do it from the cabin. There was little TV boxes in each one of the cabins. We unplugged the network connection on that, we had direct network access, went down into the control room and we could see the brand and make of the controllers there. A little bit of software downloaded for free from the internet and we could now open and close the contactors that controlled the power coming from those diesel generators.
00:41:18
So on to the cruise ship. Cruise ships' bridges are really, really complex now. They have something called an ICMS - Integrated Control and Monitoring System. It's all the screens. It brings together all of the systems so you can operate them from one central place. You also have something called a Safety Management System - the SMS - now what this does is, if there's an event on the ship that needs evacuation, if there's a fire, flooding, you control it from here. It has access to the watertight doors, the CCTV,
00:41:47
aspects of the ICMS system, it glues all of those things together. But this was my goal: these are called azipods. They're massive electric motors on the bottom of the ship that both steer and control the speed of the ship. I wanted to get access to one of those. Now we've already secured network access from the cabin so I can access some systems that I shouldn't be able to. So from my passenger cabin I've got access to that core network.
00:42:16
Now the thing is, I now want to get to the safety management system, or the ICMS, but how am I going to do that? Well, it turns out that when you're evacuating a massive cruise ship, you want that information not only to be in the safety management centre, but to be available to people at muster points. People who are involved with the evacuation. So they had a series of rugged tablets that connected via Wi-Fi through to the safety management system to allow it to be viewed from wherever on the ship.
00:42:45
So we had these SMS tablets that access the core network and then through to the SMS network. So how did we get the password for this system? Yeah. It's pretty common to find stickers on stuff on ships. This wasn't off that particular situation, but you can see that. The amusing thing was, we told them to make the passwords longer on that and, yeah, that's the fix they did. [laughter] So we've now got access to the safety management system. Floor plans of the ship,
00:43:15
CCTV, lots of things. We had control over the watertight doors, so we could move these massive doors that are below the waterline that are designed to prevent flooding. Quite serious already. So the safety management system has been compromised now. An interesting thing on cruise ships is they've got three fire alarms that run redundantly, because fire on big ships like that is a major threat. If one of them breaks,
00:43:41
nothing bad is going to happen. If two of them break, you've got to go on to fire watch - you've got to have people walking around the ship making sure nothing's on fire. If all of them break, everybody's got to get off - all the passengers get off. That's going to be a big problem if you're away on a cruise. So we thought, let's have a crack at the fire alarm. Turns out the SMS logged into the fire alarm to pull data back from it. That password was stored in a plaintext file on the SMS system.
00:44:08
We could log into it and we could actually get a VNC remote session onto the fire alarms. We then looked at the voyage data recorder - again, if that breaks, the ship cannot sail. So we thought we'd have a look at that. Of course the default login from the manual worked at the lowest level. We could download a configuration file for the voyage data recorder. We got a load of password hashes - I'll skip over those - those password hashes
00:44:34
quickly gave us a kind of hidden account password. That hidden account through the web interface let us edit any file on the voyage data recorder - including the shadow password file. We edited the shadow password file to add our own account, and then we were root on the voyage data recorder. We could have bricked it, again. Things aren't looking great are they? We've caused a lot of problems for them so far, but let's make it worse. The officers wanted to be able to monitor what was going on, on the ICMS system, from their cabins.
00:45:06
So they built a read-only system so the officers could connect from their cabins, filtered to that network, to connect through to the ICMS to view it. But it was a read-only view - there was no way, it didn't matter what login I gave to the ICMS system, I could not take control of anything from that perspective. But the problem was, we could do what's called a breakout from that ICMS interface - we could break out of it using the print dialog - it's a really common
00:45:32
way of doing things - and we're now admin on that remote box. So I'm no longer using it as it was intended. I'm not using it as a monitoring system, I'm using it as a normal computer. This is really useful to me: I can pivot to other networks from it. So now we've got control over one of these machines within the ICMS security domain. Pretty serious at this point. The thing was, I wanted to take control of the
00:45:59
azipods. That was another system and that was labelled and marked in diagrams as connected by serial. Now the thing with serial is when you've got serial connections going between two devices like this, if I compromise one endpoint, I can't remote desktop into the other end. I can't SSH into the other end. I can only send serial signals down it. But the thing is, lots of ships - again to save wiring - do something called serial over IP. They bundle
00:46:26
lots of serial connections down one physical cable. Now the thing is, again, if I just want to cause something to happen on a motor, that's fair enough. But I want to use it slightly differently. So I come along, I compromise that endpoint - the machine that I'm on - and now I don't just have to send serial down that TCP/IP connection. I can do remote desktop. I can do SSH. And I can compromise
00:46:50
the host at the other side. So we're abusing that connection that people thought was serial-only. The interesting thing was, the diagrams really did make out that it was serial. It literally - even physically on the box - said serial, and then had ethernet coming out of it going to ethernet switches. So people thought you couldn't really impact those other systems. So we're now...several remote desktop connections deep into this system, but we're on the azipod
00:47:17
control system now. Again, there was some vulnerabilities we had to work at there, but we've now got control of that system. It's looking quite serious to be honest. So yeah, that's me sat there, on the ship, from my cabin, able to control the azipods. Not brilliant. But I'm still on the ship. Let's make this really bad. I was down in the engine control room - we've got open access to the ship,
00:47:46
we can walk about, do what we want - and I noticed that the cabin control system, which is in a separate control room - the hotel control room - had TeamViewer installed. And let's just say the password was...not great on that session. I did have to be on board to get the ID and the password, but that meant that the people who administer - who performed remote access to the cabin control system - also had access to it.
00:48:16
So we demoed that and you could connect remotely. So now we've made things really, really quite bad. The cabin control system is connected to the internet. So we've compromised that. But how are we going to get from the cabin control system through to the ICMS? Well it turns out the cabin control system has to adjust how it operates based on things like seawater temperature and air temperature. Where does it get that from? It gets it from the ICMS.
00:48:42
So now we've got another connection. But what is that connection? Well lo and behold it's Modbus again, but it's Modbus TCP - it's over an ethernet connection. So although normally what's meant to happen is you'd say "what temperature is the sea water?" you get the temperature of the sea water back. In this case we RDP'ed from the cabin control system through to the ICMS and we've now got remote compromise. So yeah, completely remotely we were able to get onto this cruise ship and take control of
00:49:16
the azipods. So from the internet, compromise the cabin control system using TeamViewer, compromise that ICMS remote platform - because we know how that works, we can break out of it - compromise what's called a PAC - a programmable automation controller - in the engine room - another story for another day - and then compromise the azipod system. So yeah that's the actual screenshot of me,
00:49:43
on TeamViewer, at home connected to the azipod system on a gigantic cruise ship. [applause] I did ask if I could actually steer it, and they were like "I don't think so, that's a little bit dangerous." Oh well. Is this kind of stuff going to happen? We had onboard access for days. In fact,
00:50:17
we were on board for 22 man-days to work out all of this stuff. We found lots of other problems but we had inside access, we had diagrams, we could unplug stuff, we could trace stuff - people weren't asking us what we were doing. I think the chance of that long chain of exploits ever actually occurring by someone who wasn't on board - who didn't know the systems - is very low. But now our client knows about all of those issues and has applied controls to stop them being problems.
00:50:45
Should you go on a cruise? Not if I'm on it. Interestingly we've also managed to pay for food as the captain in restaurants. There's lots of other things we've been able to get - free Wi-Fi as well - on certain cruise lines they charge a fortune. But no, they're safe. I wouldn't go on a cruise personally, but I don't think they're going to be hacked. So yeah, I was going to talk briefly about how to
00:51:11
get into information security, but if anybody is interested come and grab me afterwards to have a chat. I love talking about ships, I love talking about hacking, though my voice is going a bit. So I do hope you enjoyed that, I hope you learned something, and enjoy the rest of your EMF Camp. [applause]