Okay. Our next speaker here today is Vincent Osamann. What? Osavada. Vincent's a long-time participant of these events, has been coming since, I think, the Galactic Hacker Party, and has a long career in information security and payment security. But today he's gonna be talking about a subject also very close to my heart: boats, and about some of the onboard protocols used and some of the possible vulnerabilities in those. So please, a warm welcome to Vincent Osavada.

Thank you so much, and welcome to my presentation. For something about me: as you already mentioned, I'm a long-time participant in these events. I have a whole bunch of t-shirts at home of all the events I have been in. In fact, the only one that I missed was the Intergalactic Hacker Party in Paradiso, because I was too young to travel on my own to Amsterdam by then. But since then I've been to almost every event that's been held in the Netherlands. I'm also an active sailor. Boat or anything that floats or is in the water, I'd like to be on it, and I'm enthusiastic about it, and I'm a crew member. I've been sailing a lot of miles across the sea, and I'm a real enthusiastic boater. In my daily life I am active in the payment security industries. I'm a QSA, so anyone that has anything to do with payments probably has hated me as your PCI auditor. But that's not what we're gonna talk about today. We're gonna talk today about boats and about security and safety onboard and with ships. And I'm talking about "we" because my colleague Rogier was here in the room. We did all the research and all the stuff together.
So we owe a big thanks to him as well. And we have been taking a look at how secure or insecure the design and the communications of vessels and interfacer communication is. Which one of you has any prior knowledge of boating? Any? So that's very good. We came to this talk after research of a lot of onboard electronics, and it has been a road that brought us into places. We've been to Barcelona, to go to one of the biggest harbors in Europe, in order to have a look at how big superyachts are actually protected for their onboard systems. Here you can see Rogier on the dock of the ship in Barcelona. Not showing on the picture is the security cam, which was right above him and filming everything for this Russian billionaire yacht where we are sitting at. But we've also done some research on our own vessels. So this is my sailing yacht, and you can see her on a sunny day, but it hasn't always been sunny. So then we moved downstairs and went into the boat itself.

As we take a look at boats, this is what people normally perceive of boat navigation. In ancient times boat navigation was just a steering wheel to get the ship from island to island, but now it looks more like a cockpit of an aircraft, or a lot of screens. So this is actually a picture of a large vessel, and this is a picture of the Marine Control Center in Den Helder, where they track all the ships. You can see a radar screen just on this screen, and you can see a map up there which displays every target that is in the sea currently. So this central command is able to safeguard all the ships into docks or into harbors across the Netherlands, which is quite important because the Netherlands harbors one of the largest harbors in Europe. It's the second largest harbour.
So it's always a very busy shipping lane up there. This is a glass bridge on a modern, normal yacht, and you can see here that modern navigation is more in screens. All these screens are just available on consumer electronics. This is just regular consumer electronics, which is fitted on a yacht which you can normally drive yourself. And of course, for all the sailors among us, this looks familiar. Here you can see how navigation takes place on a sailing vessel. In fact, you have the same data, which is important for your safe passage. And why is that important? Onboard systems and safe navigation has always been a very important part of marine traffic. You can see a paper map in here, which is not something from the Wayback Machine, but in fact it's still the predominant way of navigating right now if you're on a vessel. Every boater has his paper charts and still has to learn how to navigate with all these old-fashioned tools, like a ruler and a pencil.

Modern ships do have some advancements. Ships normally have sensors that sense every part of the ship in order to safeguard a safe and comfortable passage. And why is that important? As you know, ships cannot see the road. So you do not see how deep it is on the water, you cannot see how quickly you are moving, and by navigating on the water you also have to do with tides and with waves and with wind. So it's necessary to have the proper amount of sensory electronics in order to measure how your ship is moving towards a safe and navigational passage. And there's just one law of the sea that you immediately learn if you ever venture on any trip outside the inland waters: that the rule of the sea is, good seamanship is rule number one. So whatever your legacy there is telling you, whatever the local laws are, good seamanship and safe passage is rule number one.

So what are the typical sensors that we need? We have a sailing yacht here, but this is also true for any other yacht. Every boat
owner knows about these because they always break. You'll always have to refit them once in a while. So we have a depth sensor, we have our wind sensor, you have a temperature sensor, which measures the temperature of the sea, and you have a speed sensor. This is just the regular basics of any vessel, et cetera. It's normal what you need here. As you can see, by the way, sorry for the slides, all these sensors communicate with each other along a bus, the orange line, which ends up at the end of the ship, where the people that steer the ship receive these data on these screens. So you've got a temperature, you've got the depth, you get the wind meter up here and you got the sensors up there. This has all also done some sensors up there.

So if we take a close look at these systems, what are these actual systems? These systems are analog systems that produce analog data and send it over to screens, into measurement needles. So on the left part you have a measurement needle that is viewable by the captain or by the skipper, and then all these sensors produce data and they send it along to the bus. And this bus is speaking a protocol which is called NMEA 0183. This NMEA protocol is part of a standard. It's not a normal protocol. It's a protocol that's being used for a lot of stuff, and it's a standard published by the National Marine Electronics Association. And why is it published there, and why did they make it? They made it so you have interoperability between different vendors and different systems. And you probably know about it, because this is also the protocol that many GPS systems output. Also GPS systems that are just household GPS systems output NMEA 0183. And if you take a close look at it, you can see that it's a protocol based on serial links. Well, we know what serial links are, because we are in the IT stuff.
So we know what serial links are and what they do. One of the things important is that a device has a certain role: a device can either be a talker or it can be a listener. And you can only have one talker and multiple listeners, in theory, on a system. So that is the reason why you have, for example, one depth sensor and you can see that on multiple screens. These are examples of NMEA 0183 messages. You can see them just in clear text. You can see them just going around with a message and with a data block, just as we would normally perceive. This is if you take a close look at it, and you can see some AIS, some other traffic as well, because you can easily capture that if you have the right equipment.

NMEA 0183 was designed in 1983. 1983. This was 1983. Which of you has been born before 1983? And after? So these systems were being developed before you were born. This is what the current fashion industry was in 1983, and you also might have one of these cameras sitting at grandfather's or grandmother's home. The computer show was introduced by then, and of course everyone had access to your computer by a telephone. So this was the year, just to give you some examples. This was the year when one of the predominant protocols was being born and was being made that is still in use on all commercial vessels in the sea and on our waters. So in 1983 we didn't have encryption. We didn't have any authentication. We didn't have confidentiality. In fact, the old CIA triangle, which is a normal concept in information security, was not there then. Security was just not an issue in 1983.

Skip through to today: you can see that NMEA 0183 is still the predominant standard, but as time advances, some people have more requirements on their traffic.
So a new protocol was being built in 2000, and you can already guess what its name was: it was NMEA 2000. NMEA 2000 added some extra stuff to the protocol which can be used on a vessel. So it added the possibility to do high-speed communications over your bus. And it also changed the way how these systems work. In NMEA 0183 you had one talker, multiple listeners. You had a link between one device and another. But it changed in NMEA 2000: the concept of a bus was introduced, and also prioritization. So in order to make sure that all stuff was being able to work on your boat, no one thought of replacing this stuff. No, let's just build a converter. So today's systems still speak NMEA 0183, but in order to read them out on sophisticated equipment, we have a converter box which converts these standard messages into a bus. And as you all know, if you're talking about a bus, if you're talking about a converter, you can easily do a lot of stuff that you probably don't want.

That's not all. In recent times we've seen the development of wireless connections towards your ship. And of course any vessel is not a real vessel if you're not able to do it by the Wi-Fi's. So on the left part of the screen we have our multifunctional device that is capable of reading out all your systems in your ship, which is in this example communicating with a new kind of radar device over Wi-Fi. On the middle part you have this converter which transmits Wi-Fi towards your normal systems. And why did we do it? It was new. It was never seen before. It's state-of-the-art technology. You don't want a ship without Wi-Fi. You don't need any wires. It's perfect. But it does have some disadvantages, because if you're able to connect to a radar, wait a second, if you're able to connect on the Wi-Fi network on a radar, you cannot see which device is connecting towards it.
So let's have a look at it under the hood. This radar dome, which is one of the most popular radar domes right now, is a radar built by the radar production company called FLIR. Wi-Fi security was not implemented there. They actually didn't put any Wi-Fi in there. They built a chip, and this chip converts CAN bus traffic, which is the normal standard for industrial applications, towards Wi-Fi. And if you install it on a standard vessel, it doesn't come with any Wi-Fi security. Oh, wait a sec, doesn't that make it possible to log into your ship over Wi-Fi if you have such a radar dome? And it's also quite easy to walk on the docks and see if the radar dome is up there. You almost immediately know: ah, the ship does have Wi-Fi and I can connect to it.

But there's more. You can also connect your iPad or your laptop wirelessly to your ship. This is an example of a chart in here where we are connecting our iPad towards the ship. The iPad is just receiving its connection from the converter, and it's just receiving all the data from the bus. And let's make it very easy: we can also add an app which allows us to view all the data in the ship. And in order to make stuff more easy, we can even control the ship over Wi-Fi without any wireless security. This control is a little bit, you can just download it, but we took a look on it and have taken a look at what's behind this control sequence, and in fact it just turns out to be regular RTSP traffic. So let's just try to see if we can have this data from the ship over on my own laptop or on my own machines. That's kind of easy.
I just open my VLC, which is normally used for any other movies, and I can connect to my ship and I have all the stuff in your ship. This is just viewing stuff, so let's not make it worse. Except if you install one of these. So these are the autopilots. An autopilot is vital if you take a long passage, because you don't want to steer it by hand. So you have these autopilots that actually rely on all the sensory information that is coming towards these autopilots. This is an autopilot system where you can see the same device which is for monitoring, you can see in here. This is a steering machine which steers the stuff, and this is the radar dome and some other equipment, a gyroscope in order to balance out the ship. But if we are able to connect to the ship, we can also modify this autopilot and make sure that it, for example, steers around depth, or it can do other stuff. So you can easily control it, and it's even more essential if you have such a system which is connecting to the Wi-Fi's as well, and you can easily configure your ship.

So when you own the sensors, you can inject data that is used by onboard systems. If you saw in the previous slide, you can see it. For example, we can add depth detection, we can add stuff in it, and we can inject it over the Wi-Fi. We can even easily do man-overboard procedures. But communications get a lot worse if you look at AIS.
AIS is a specific protocol on systems to monitor all the shipping activity in your environment. So this is a chart of the Netherlands where you can see some AIS targets. These are the blue ones, and the blue ones are ships that actually are floating in the sea. It is a mesh-like system where all devices send out AIS messages, and it uses VHF as its main carrier, and it sends encoded data on there. You need an MMSI number, and you're either a transponder or a receiver. If you're a receiver, you only receive, and if you're a transponder, you can also transmit. This protocol is protected. So you need to have a maritime license and you need to have a radio license in order to operate equipment that is used for AIS, and all the equipment on board must be certified. That is the only safeguard that there is, so you can only buy certified equipment. The equipment should function completely standalone, including its internal GPS system, so you cannot send GPS data towards any AIS system. It has to have its internal GPS. Large and commercial vessels are required to have such a system on board. It's not optional. You are required to have it in order to identify yourself.

But if we want to have a look at that, we actually only need something that can send AIS. And as already explained, it's only protected by the fact that you only have to buy certified equipment. So AIS transponders are protected by law, but it's just VHF. So any device that can send out on the VHF frequency would be able to send out AIS messages. And let's have a look. This system is an SDR. It's a software-defined radio. So you can program anything in it and it can be anything you want. It can be an FM radio. It can be a walkie-talkie.
It can be a taxi sensor. But it can also be a VHF, and if it can be a VHF, we can use it to send data out of it. So that's what we did. AIS is an insecure protocol, because you can actually send it. But by researching in it and by testing it, you are crossing the boundary of illegal stuff, because you are transmitting on frequencies that you're not supposed to be on, and you're using equipment that you're not supposed to be using. So what you're going to see here on the slides is an SDR which is tuned to an output frequency. So we modified the number that you can see up there towards an open frequency that is in public use, and we threw down the power transmission in order to not disturb the other traffic. Doing this on the official AIS frequencies would be potentially harmful, and I wouldn't suggest that you do that for testing purposes.

So if we can send out AIS, let's see if we can easily do that. So we have this screen. So can we actually send out AIS? Yes. We have installed great tooling. We have patched some stuff in order to make it work, and in fact, if you're gonna look in here, you can see on the official map one vessel appearing up here. That's not how it's supposed to be, because this map on your right side is the official map where authorities monitor ship activity. So we just projected a ship which actually is not there.

So any presentation at SHA wouldn't be a presentation without Bob and Alice. So what happens if we can impersonate ourselves to be someone else? I just projected a ship up there, but can we project to be someone else? So this is my sailing vessel with my MMSI, which is on the top part. So would we be able to modify this MMSI in order to, for example, put a larger ship in here?
So any enthusiastic army lover would immediately recognize this as the USS Nimitz, one of the bigger flight ships in the US Navy. And of course it's a little bit hard to understand that the Nimitz is actually turning up just before fanhouser. You can see this is the Nimitz, and this is the screen, and this is the display that other people would see if they would monitor their AIS stuff right now. You can see here, this is the ship, and the length of the line indicates the current speed as it is received by the viewer right now. So this is the ID of the Nimitz, and you can see here the speed over ground. It's going up, right, a hundred knots, if you can actually see it. It's going really fast. So it's just pretty new what it's, something that you can easily figure out if you have a look at it and if you know how VHF works.

But there's a little problem in here, and the problem comes if we are going to take a look at why we are using AIS. So you'll of course know that you're on a ship and you can see the surroundings, so you can see that the USS Nimitz is not there. But there are some applications where you won't be able to see it, and this application is a very special application that is a very dangerous field. This application is what we call, and it's going to be a tongue-breaker for me, it's going to be a virtual buoy in English, or beauty buoy. So this is a virtual buoy that's laid out in the water, and this is actually what you're going to see if you're on deck of your ship. You're going to see absolutely nothing. You're going to see water. You're not going to see the red or the green buoy in the water. But you're going to see on your maps, you're going to see one of these sites, because some system is sending out these buoys towards your system and telling your onboard navigation system: well, you have to display a virtual buoy here, so you can safely guard your ship around it.
So these are some options of the buoys that you can see. And this is in fact a map of US territory, where you can see on the arrows how a buoy is represented on my chart. It's just a regular chart. You can just see the buoy popping up because someone is transmitting that. So let's dive a little bit deeper into that, because that might be interesting. Would we be able to have a look at these buoys that are virtual, that are being used in commercial traffic, that are being laid out, that someone is going to see, and we can just send them out? So this is what you, and maybe it's a little bit hard to see, but this is actually the message that you're going to send. So now you can also see why this is important stuff. You can send all kinds of commands to a ship, for example say: well, you have to avoid this area, you have to go to that area, this is an obligated area to go, take care because there's a row ship recommender there, or take care, there's no depth in there. In fact, it's currently in widespread use on wind farms in order to make sure that you're not entering an illegal area of a wind farm. A wind farm, you cannot just go through it. You cannot go towards a wind park. There's a perimeter which is secured. But there's no way to put a perimeter fence or anything on the water, so they're using virtual AtoNs up there.

But hey, wait a second. If we can impersonate the USS Nimitz to be in the IJsselmeer, can we also impersonate some buoys? Can we also think of a buoy and say, well, let's make a virtual buoy up there? Well, that's something that we tried, and yes, we can. Yes, we can do that. And in here you can see a map, and this is also a map of the Netherlands, but we could have done this anywhere at all. You can see the island of Marken in here, and you can see Volendam up there, and we decided, well, let's have a look: can we put a buoy on there? Well, this is a little bit of a, it's a movie.
That's being a little bit quicker than normal. But yes, we can. So yes, we can put in buoys here. So we tried to make a race track of buoys and see if any ships would be able to follow this. You can see this is a special kind of buoy. It's called a north cardinal mark, which protects something on the south of it. Well, this is what we actually did. Any traffic guidance or any control tower that was actually watching the screen at that time would see the displays of these virtual buoys. They are not there, of course, but would be able to see what's going on in here. Any ship which is there would have seen it as well. We've filtered out all the other ships up there.

So this is what we see as the problematic part of AIS traffic. But there's more. You have several attack vectors on any public channel. So you can do resource derivation, of course. It's easy to do a denial-of-service attack, because there's a little time frame where this VHF traffic is going through. But you can also easily do a poisoning attack or send false data. In fact, it goes wrong, because this ship had an accident a short while ago, where this big US-based ship didn't turn on its AIS and a Japanese ship ran into it. And the tragedy in here is it's completely AIS based. So we know that it doesn't meet the standard requirements of confidentiality and integrity and availability, the stuff that we think is important if you look at information security. And we are also aware of several attack vectors, what you are seeing in here. We've seen other stuff being presented at Hack in the Box and Black Hat that's targeted towards the same area.

So the most logical thing, of course, to do right now is implement this. So this is an official publication of the Dutch Coast Guard, which is sent out to all the people that are on the sea. It's an official statement that we're gonna replace all the real buoys by virtual buoys, and we don't think that's a very smart idea if you can easily falsify them and easily send them away. So
in fact, AIS virtual AtoNs are currently being deployed worldwide. They are currently being deployed worldwide and they're currently in use for wreckage of ships, of protection of wind farms, of fencing out no-go areas, of port authorities to safeguard and make sure that, for example, refugee boats do not enter a certain line before the coast. And it's implemented in several countries as real buoys. In fact, some of them, in America, they say: let's bring America's waterways into the 21st century by replacing all the current buoys with virtual buoys. So AIS is inherently insecure, and boating as well. There's no authentication or encryption and its channel is insecure, and we know that, and we have been here before. So let's hope that we can use the lessons learned from the IT stuff to make the water world a little bit safer and more secure. And of course, keep on boating anyway. Thank you.

So, any questions? If you have questions, could you please come up to the microphones, please? Yeah, this is a perfect way of doing the Q&A part. But any questions on this report?

So do we understand it correctly that the only limit to this kind of attack of fake buoys would be to figure out who is sending and to shut him down?

Could you repeat the question?

Yeah. Do I understand it correctly that the only defense against this attack is to find who is sending and to shut him down?

Yes. In fact, that's the only real solution: to add something like integrity or some kind of, like, a source stuff, because you cannot see who is transmitting it right now. That's the only way that you can actually resolve the issue. It doesn't mean that you don't have any other options. For example, we know some firms that have been active in building an IDS for, what we call an IDS for AIS systems. But they were asked to shut it down because of this insecurity stuff.
So there are some small fixes, but the only real fix would be to put in some authentication on the system or on the station that is sending out.

What is the typical sending power or the typical reach of this kind of system?

Well, the typical reach of AIS doesn't have any power limit, so you can send it out easily. But the main problem is that we currently have a few important systems, like MarineTraffic or VesselFinder, that have sensors all over the place to sense any data and replicate it and make sure that it's being sent towards the whole world. These systems are very important in order to have a view of your whole world. But the main problem is that these stations are public, so you can just drive up to them and do an injection on it, and it's being propagated all around the world.

Next question.

Buoys also monitor their own location? Do buoys also monitor their own location and transmit errors if the chain comes loose or something like that?

No. The question was if a buoy also sends its own location, so would you be able to have a look at the system that's sending it and have some kind of a source coordinate and check against it. But unfortunately it's not required. The protocol allows you to send it, but it's not required, and there are many instances where it's not being used, because some of the equipment can't handle all the data fields that are in the packets. So unfortunately, that's not a very good alternative.

I'm not so into boats, but I like planes, so I do plane, how do you call it, looking at the sky with also some kind of device and see what planes pass my house. I was thinking about, how is this, do you know anything about the aviation world? Could you impersonate a plane?

Yes, you could, because AIS is not only used in the marine world. It's also used in the flight world, but it does have some extra stuff.
It does have some extra features in there, but it's also used in that world. But there's some difference, because there you have just a sending station and one receiving station, and in the marine world you have multiple receiving stations and multiple sending stations. So one ship can send it out to anyone who is going to listen. But the AIS system in terms of this is the same.

Earlier in the talk you were talking about the GPS units that had basically no security on them. So would it basically be possible to tell the GPS unit to shut down, imitate the GPS unit, say that the boat is at a certain location, and have it steer wherever you want?

Yes, injecting location. Yes, that is a doable attack. You can do it. You can open up your box and just put in another GPS. By design, or by the certificate of these units, they do not allow you to have an external GPS. But any hardware hacker would immediately open up the thing and put in its own GPS, because it's just a different thing. It's just a different module on it. So any smart soldering our king would be able to modify this and send its own GPS. By default, an AIS system with its internal GPS can only send out its internal GPS coordinates. But if you can modify those, which is pretty easy, you have a very good attack vector in order to have the ship think, well, I'm somewhere else, or have, like, the autopilot or have the onboard systems steer you towards a goal that you probably do not want to go to.

Yeah, I was thinking not even with the AIS, just the GPS. You showed a picture of the thing, and I assume that goes to the pilot, to the autopilot itself, without going through AIS.

Yeah. So this is gonna be, this picture, you mean? Well, what we have is the GPS, of course, which is in this box. It's very easy to poison this and send out your own GPS data. In fact, what you need for that is not so much. It's, where did I have the strings, the NMEA strings?
Well, I just showed you the picture of the NMEA strings. They're just here. I'll show them again. So this is what's coming over your bus. So as soon as you have access to your bus by doing the Wi-Fi, you can send out any of these messages. So you can send out your time, position of your data. So all the G stuff is all the GPS stuff, GPS messages. And in fact, if you look at this, this is a live capture of what we saw. So this GPS traffic is coming by, and you can easily poison your ship and make sure that the NMEA bus contains an extra GPS signal, and your equipment does not know where it's coming from, because there's no way to see it, because it's being converted. The old protocol is being converted into another protocol, and all the source information is lost. It's acting like a NAT proxy, in IT terms. So any device that's behind that can send it, and there's no way that the onboard systems actually know which system is sending it.

Any other questions? Good. Thank you so much.