Welcome to DEF CON 28, the Safe Mode edition. You're watching a video of a talk from the Hack the Sea Village, and this is brought to you by Obi-Wan666. Yeah, let's talk about swimming IoT, an IT and OT overview. But, yeah, it's better without a mask. So, I don't expect anything here. So, let's go. Yeah, what will we listen to today? We have a short introduction about me. Then we get an overview of IT and OT systems on yachts. Then we look a little bit deeper into the bridge network, how the bridge network is working, and how some messages are transmitted. Then we go into more detail in the ECDIS Technical 101. So, how is an ECDIS network working, how are the messages transferred, how do they look, and what will be the outlook for, let's say, the next year until the next DEF CON. Hopefully back in Vegas then. Yeah, we're hacking yachts. Accidentally, I slipped into this topic. So, my boss owns one, and I was able to build some devices on the ship, and then I started to look at them, and, yeah. So, mostly they are privately owned and chartered by private people, and there are CEOs running their business from yachts while they are traveling. So, the best office that you can have is away from everyone else. So, it's not crowded anyhow. So, you have your safe place, and you can do your business from your office on the water. So, it's a nice place to work from. And all the celebrities, they are also using yachts and showing off in the famous places in the world and making their Insta stories and so on. So, if you maybe have access to a yacht where a celebrity is on, then you can maybe do some other things with that information. So, the thing is then, if we have control over the yacht, the Internet access for example, or all the smart devices, or the IT or the OT network that is on board. So, what we will have there, we will see in this presentation. So, my name is Stephan Gerling. I'm also named Obi-Wan666.
Older than the Internet, as always. I have a couple of certifications like GCFA, CISSP, Microsoft Certified Systems Engineer, CCNA, Pisysco and a couple of others. So, yeah, some of them are not maintained anymore. So, the one that I... Yeah, my favorite one is the CISSP. OSCP is the next one I maybe will start on, but yeah. So, my background is as an electronics specialist. I was working in the German Army Aviation on navigation systems for helicopters, and I have also been a volunteer firefighter for 32 years now in my city here, the beautiful Lingen. Yeah, I also volunteer in a couple of groups. So, Giraffel is one of them. It's a group of nerd hackers, yeah, from around Europe, you can say. I Am The Cavalry, the Cavalry project, I'm also working on. Then we have AG KRITIS. It's an NGO on critical infrastructure, and also the CCI. Yeah, what kind of networks do we have on board? Yeah, so I've counted a little bit. So, I found five different networks that we can have. On the IT side, we have the IT network and we have the wireless network as one. And then we have a couple more networks when we look at the OT side. So, you can say the bridge network is its own network. So, all the navigation systems and so on. Everything that's needed for the operation of the ship is connected together on the bridge. So, I call it the bridge network. Then we have an NMEA network or the NMEA bus. We will see a little bit what kind of system that is. Then we have an ICS network where all the PLCs and so on are connected to. And yeah, the KNX or Instabus. You can say it's also a network. Yeah, you can count it to the ICS network, but you can also count it to the IT network. So, I have put it here as an additional one. So, I've counted here six. But yeah, it's five networks. Maybe more. GSM is not explicitly in here, or the satellite network. Then we are already on seven. We'll count that also. Okay, what have we? IT and OT. Yeah, you think now, yachts.
What could be on there? I say it's a swimming IoT device because there are so many systems on board that are connected together, and most of them will also have an internet connection. And from that point of view, we have an ICS network and we have an IT network with maybe VPN connections to offices and so on. And everything is working from this small vessel. In detail, we have there, for example, the VTS, the vessel traffic service. We have the automatic identification system, the AIS. We have autopilot. We have GPS. We have radar. We have cameras, also thermal cameras. We have engine control and monitoring units; that's in the ICS network. Some of them are more and more cloud-based or cloud-connected now, so that you have access over your cloud-based devices to the engine control or the engine monitoring systems. The control, that's a bad idea. And we have internet access for the guests, for the crew and for the owner. And a couple of entertainment systems that are also connected together over various systems. So all of those things in the network view we will see a little bit later. A couple of things I have already given some talks on. Yeah, so I will sometimes use them as a reference. So for the basic overview, we have the NMEA network here. So it's a bus system. In the old days, it was a serial bus. It's going completely through the whole ship and it's connected with taps to the devices. So this is an old serial system. The connections look a little bit like the 10BASE2 connectors or the Cheapernet from the old days, and everything is connected to that. It's not that fast, it's only 4,800 baud, and it's, as I already said, a serial communication protocol, and it connects the echo sounders, sonars, anemometers, gyros, autopilots, GPS and so on. There are a couple more devices. Then we have NMEA 2000. This is already a CAN bus standard, CAN bus technique, and we can operate already with one megabit; fast, but not that fast.
For more and more applications, we now need faster networks. So the next generation is then, for example, Raymarine's so-called SeaTalkNG. This is also a CAN bus system, but Raymarine calls it SeaTalkNG, next generation, but it's the same as NMEA 2000. But the new version is SeaTalkHS, so HS for high speed. So this is a 10 megabit Ethernet network where, for example, you see in the pictures, some camera devices and navigation systems are connected together. This is, for example, part of the bridge network from the Glass Bridge series and so on, and all the devices are connected together. Then we have a couple of IT equipment on board. You would think now, yeah, what could be on there? Well, the bigger the ships are, the more equipment is on them. So the first listing that I have here is from a 30 meter yacht. 30 meter is not that much, but it's already a big one. So here we have a half-sized rack completely full with IT equipment. So we have a router. We have some servers, three in total. We have two voice-over-IP gateways. We have a fully equipped 80-port switch. And we have an uninterruptible power supply for that. In total on that ship, we had 10 smart TVs and sat receivers. We had a sharp PC, 14 voice-over-IP telephones, an internet router, UPS and four access points for the Wi-Fi. This is from a 48 meter yacht. So this is already a completely full rack and there is a second rack full of additional stuff. And in each cabin there is also a small rack with the entertainment systems, the AVR system, the amplifiers and that stuff. So that's in each cabin also in extra housings. And this one was from a 70 meter yacht class. Here you see already two completely equipped racks and there is a third one with a navigation system rack. So in total on that ship there are already three fully stacked 42U network racks, you can say. And we had for that ship already around 25 access points, for example, to have Wi-Fi coverage over the complete boat.
To get an idea about what the network of the AV equipment looks like, so an audio and video network. So here you see it's connected to the IP network. There is a Crestron device that's connecting to everything. So the smart TVs, they are not connected on the IP side. They are only connected on the video side to the Crestron. The Crestron is the multimedia device that is connected to the IP network. So it's a little bit different. But there's also an Apple TV and sat receivers that you will see there. So we have the Blu-rays, Apple TV and the Crestron system itself. And they also have different connection types. You will see it on the chart with different colors, and well documented in this one. We also have a different other thing. So most of the equipment you can access with a tablet. So we have a tablet on board where you can connect to the audio and video streaming. You can stream music on your tablet. You can use the tablet and say, in the cabin, okay, now I want to have the audio to the amplifier to listen to the audio system in the room where I'm currently in. Or you go into the gym where you have flat TV screens in the ceiling where you can watch the news or listen to music or whatever. Or have a multimedia training system on there. So you are cycling on your bicycle and you see a virtual reality video where you are cycling. You also have other things like light control where you can switch the lights on and off. The electric curtains, you can move them up and down. You have, for example, an engine monitor, a rudder monitor and so on. So everything is accessible, for example, over a tablet. On the OT side we have a couple of other things. So one of the monitoring systems is the engine monitoring and control system. Also the propulsion, bow thruster, the KNX system for the light control, the PLCs, the valve controls and so on. So it's a whole bunch of systems on the OT side that we have connected.
To get a bigger overview of the OT, I have a couple of pictures so that you get a feeling about what you will see. So you have all the engines that are connected, mostly two engines that you have on that. Then you have two or three power generators that are connected. You have a couple of heat sensors, water sensors, sensors for how much fuel is in there and so on. The HVAC control, water distribution, pumps and valves and so on. For example, this is only the diagram of an engine control unit. So you have the engines with all the sensors. In this case it's an Auto-Maskin 400. On the yacht I was on last year, there was also an Auto-Maskin control unit on it. The engine is connected to the engine control unit. There's a special safety unit, the SCU, and everything is connected together with different links. And at the end, everything is connected to the Ethernet network. So there's an Ethernet switch and also connections maybe to the Modbus or other bus systems that you will find there, that I have shown here. So this is then the picture of an engine control room where the ETO is sitting. The ETO is the electro-technical officer, and so mostly on yachts of 60, 70 meters or so you have an ETO. Below that, the technical officers are in charge of that. But on bigger ships you have a dedicated person for that. And then you have the different monitor systems where you can see all kinds of things. So here we have a monitor of the engines. So the port engine and the starboard engine. This is an overview of the ICS network itself. So how it is connected, how many PCs are in the network, how many PLC systems are there and so on. So this is in this case an overview of how many systems there are and where I will find them. You have here on the right side, for example, main cabinet, remote rack and so on. Also a PC client in the ECR. This is where the crew is sitting. There is an extra monitor.
You have clients on the bridge, on the starboard side and on the port side. For example, in the captain's cabin there is also a connection so that the captain, when he is at rest, also has access to all of those systems. And this is one of the computers that is connected to the monitors and that is getting all the information from the PLCs, for example. And here on the right you also see a big silver thing. I am not sure if my mouse is here. So this device is the network connection. So in this case the complete PLC network is separated. I have also seen some other ships where this connection is active. So this owner or this crew has decided: when we don't need it, we pull the plug to the normal network so nothing is connected on that side. Very good decision. And when they need remote assistance, then they put the network cable into the normal switch and then they can give remote access to the maintenance people so that they have remote visibility or maybe can do some remote tasks on that. This, for example, is one of the racks where the complete PLC system is. So this is a full rack of Siemens PLCs with all the subunits. And here you see some kind of fuel tanks and how much fuel is in which tank, and also you can access all the valves for the fuel tanks so that you can pump fuel from one tank to another one to balance the ship with that. So this is an HMI unit, for example. This is one area where you maybe have to open the door for the garage or for the bathing platform or whatever. So there are also some HMI units for that. And this is from another ship. Even here you see the main PLCs, the rudder, the ECR and so on, and also some other connections where they connect together. So here you see already also a serial connection where the sensors are connected, and also the network layout of that. So this is then a different system, a different ship with a different view on things, but in general they are doing more or less the same. Here we have other systems.
Here is more or less ABB stuff connected. Here we also have KNX for the light controls and so on. So this is one of the connection boards where everything is connected together. So this is, from the electrical point of view, one of the nice things. This is another bridge, under the bridge or behind the bridge, you can say. So the bridge panel is the right one, the brown thing, and the left one, the open thing that you see here with the wires, that is from the PLC network, and you see in the middle two network devices that belong to the bridge network. So we will have a closer look at it later. So this is then also the connections where another rack is with some PLC stuff, connecting the information from the systems. And here we have another connection system. So everything is connected together over Ethernet. What kind of attack vectors do we have there? So this is a network diagram that I have drawn or painted. And I think I have to adjust it a little bit because there are a few things that are missing, if I'm not mistaken. But in general we can say we can attack the systems over the internet, for example, and we have access to the internet router. In my talk last year I have shown how to bypass authentication, for example, on an internet router model with the vulnerabilities there, and also on the satellite systems where I also had access over the satellite modems to the network. Of course you can plant malware on the crew PCs or the captain's PC or the owner's PC or whatever, then you have access, for example, on that. The personal digital assistant devices of the crew or the owners are also another point where you can plant malware or where you can start with your attacks. And another interesting point is then, once you have access on the internet side, you have to dig for a gateway, for example the NMEA gateway. So the NMEA gateway is often a bidirectional gateway.
When you have access to that gateway and can plant NMEA messages on that device, you can also interact with NMEA messages on that. But yeah, these were points of my previous talk. And on the PC network itself you have a couple of other attack things that you can do. Okay, the bridge. We have already seen a couple of OT pictures. Now we look a little bit more at the bridge. So this is a bridge from a 70 meter class. You have seats for two captains but only one rudder in the middle of the ship. So two people can sit there and do their job. And they have access to a couple of systems and monitors that you can see here. I will not go into detail on the systems. You have the OT monitoring devices. You have all the normal things to operate the ship. And you have the navigation things that you need there. Another side view of that. So it looks very nice there. It's a good place to work. The view from the front at night. So it looks a little bit like a Star Wars ship. I love that view. This is from a 45 meter yacht from the inside. Here you have only one seat for the captain. But also a couple of monitors you will see here. And where you will find all the necessary information to operate the ship in a safe manner. Here on the left the monitor is already switched on. I switched on the ECDIS so that I can test some devices. Later I also had the S-band and X-band radar on. So I switched on only the system, but it was not transmitting a radar echo. So radar in a harbour is not a good idea. But you can switch on the system itself. It's then in standby, but you will then see the network messages. So that's my working place when I'm looking at the yachts. So it looks nice, but sometimes the AC is not on. So you have not that cool temperature there when you have above 30 degrees outside. Sometimes the climate control is not working. So it becomes hot on the bridge when they do their tests. But in general it's a nice place to work. I love that kind of audits.
So this is an overview that I found in the ECDIS installation guide. For example from the Transas Navi-Sailor 4000. They have a nice overview about that. You have here two screens on the left and the right side. And they are connected together so you can switch from one ECDIS to another. And all the information you can also switch. It's in the documentation. You can find the link I have put in my slides here, so that you can have a look at it. It's a presentation of more than 200 slides. But it's very nice to read because it is very detailed. There is also, you can say, how the datagrams are configured on the network, which we will need later for our Wireshark module. Here we have the network diagram in an overview. And here we go a little bit more into detail on the DCU, the battery pack, the UPS, the keyboard, the monitor and the computer system itself, and what kind of connections you have there, where this is going. For example, you see the S-band radar connector. There is a special board for that. There is another picture of that. Here we have the X-band and another one is the S-band radar, how it is connected. In reality it looks a little bit more crowded, like this. You open the cabinet and then it looks like, wow, sometimes a little bit like a mess. But yeah, it is working. So these are pictures from the... I must say it's the 30 meter yacht. Yeah, that's from the 30 meter yacht where I made my first audit and got the recordings from. This is then the PC that's for the navigation system. So you think you have a navigation system with the electronic chart system. So in general it is a Windows computer. A Windows computer with Windows software where you have your digital navigation charts on it, where the navigator is navigating through the sea. That's it. It's connected with an app and so on. But when you now think about, okay, let's do an nmap scan on the bridge network, I say, think twice about it.
It's very legacy old stuff that you sometimes have. On the 30 meter yacht where I was on, it was a Transas system. The ship was nine years old. And the Transas system at that time was a Windows XP Embedded system. And you can imagine, nine years not connected to the internet. No patches, no updates, nothing. And it's still running. So that was the point for me. Okay, I don't do an nmap scan on that network. I passively connect to that to see what's on the wire. So I take in this case my Linux PC. It's a Kali Linux in that case. And I configured my network interfaces to passively monitor the network. And later we will look a little bit deeper into how that looks. So on the left you see my laptop connected. And on the big screen is already one of the datagrams you see there. I will come to that later in the Wireshark demo where we can see a little bit more. Then we have the ECDIS system itself. So ECDIS is the short abbreviation of electronic chart display and information system. In the past we had paper charts for navigation. We also were using a sextant and a compass and whatever. The compass is still there. GPS is also there. But we also need electronic charts. So it's called ENC. So the thing is, under the IMO regulations it is now allowed that you don't need any paper charts anymore, as long as you have two ECDIS devices, independent ECDIS devices. So two ECDIS devices does not mean that you have two different ECDIS devices. So when you update one and it fails, and you update also the other one, the failure will be on both of the same systems. Also they are connected in the same network. When maybe an attacker is able to attack the devices in a network area, they will most likely be successful on both devices. But you need two devices and then you are fulfilling the requirement. So it's a graphical information system for the navigation of the ship. So you have the position, heading, speed.
You also have depth information about the waterways there and also the waterways themselves. And you can have overlays on the ECDIS system from the radar, from NAVTEX, from the AIS system and so on. So the ECDIS system is more or less the main navigation system. And you can have as an overlay, as an additional layer on top, all the other systems like the radar or whatever you need. This is then a picture of the ECDIS system and what it looks like. This is in the port of Barcelona, for example, where you see where the one ship is and all the other ships are also. These here are the small things. They are lying in the docks. Here is a big cruise ship and here is also another cruise ship. And you also have the waterways, how to travel into the different areas there. And here the Transas from the old system from 2011. You see here it's a Windows XP with default credentials because it's not connected to the Internet and they never changed it. So it's a Windows XP system and the login name is as in the documentation of the system. So people installed it and it's working like that. So nobody takes care of it. So it's more likely when you have access to the network of it, or accidentally someone connects the network to the other networks, then it would be not such a good idea. You can also have access on the ECDIS to all the NMEA messages. There are special modes where you can look at this information. But this information you will also see on the network. The NMEA data is like that. So two weeks ago I did the last audit on a 45m yacht. And I was then also connecting to the network and then I found nice information. One of the things that I mostly do is then sniff all the data and then use at first the statistical diagrams. So to get an overview of who is talking and how many packets are going to that. And then here in this picture you see there is only one public IP address. And it's only six packets in that time frame where I was sniffing.
So in this case it is a Furuno ECDIS system. It's not a Transas, it's a Furuno. So Transas is the major player. Furuno is the second biggest in that area. So it doesn't matter. So technically they're all doing the same. This internet connection caught my attention. And then I was looking, so wow, what is it? It's going to the address. So I used a filter to look it up and it is the NTP protocol. So the ECDIS system is connected to the normal network. And then it makes a network time protocol call to an NTP server on the internet. Why? So why is it? Why should the bridge network be connected to the internet? So normally it makes no sense. Especially not to get the network time from the internet. It could be accurate, but what is when the network is not available? And we have GPS systems on board. So why not take the GPS time as the time source? So I then suggested to the captain: hey, just take a network time protocol server. It's a small box. It gets the time information from the GPS system. And it's then acting as an NTP server. And then you can tell the ECDIS, okay, this is your NTP server. Take the time from that. And at this point you don't need an internet connection anymore. Yeah, SATCOM is another thing I had in my last talk, with a couple of vulnerabilities in it. So yesterday I looked up some systems there. And there are still a couple of them online. Why SATCOM? So you have offshore internet access via SATCOM. Patching, mostly not. And still many old versions are online and out there. So technically it's a satellite antenna dish on top of the ship, with an ACU unit for that. And then under deck you have a computer that's connected over that. And then a media exchange protocol system. Then to the ACU. That's simple. It's a little bit more complicated, but yeah, that's how it looks. You can look on Shodan for a couple of satellite dishes that I will not be able to show here. And yeah, the thing that I found was in co-op MCTEL systems in the MxP web server.
And yeah, this is the first one. So this was 2018. I had then 21 online. So at that time I was thinking, okay, there are a couple of them online, but not that many, but I found out the reason why. I will explain later. Yesterday I looked it up, there are still 19 online. Not really 19; you have here on port 80 15 devices that are still accessible. Why not more? Yeah, Shodan also had a live ship tracker. So all the systems that are connected over VSAT were available over shiptracker.shodan.io. But Shodan has decided, I don't know why, but yeah, it's okay, to switch off those systems, so the ship tracker is currently not there anymore. So then I was thinking, okay, why are not more SAT devices to find on the internet? And in my last audit I also found out that, depending on the VSAT provider that you get, they are using network address translation, IP masquerading. So you have a private IP address on your modem device that's connecting over the satellite. And the internet provider over the satellite is making the connection to the internet. So it's hiding all the ships that are using the VSAT from the internet. So it's a good decision, yes. But on the other hand it's shifting the attack level from the bad guys on the internet to maybe bad guys at the internet providers. So the internet provider still has the ability, if they want or if they have to by whatever kind of government, they maybe have then access to the ship network over the internet because of the vulnerabilities that are still there. So yeah, the device is not visible to the internet. And it gives the owner or the crew a deceptive security, because my device is not findable over the internet. But yeah, they are still there and the provider could exploit it now. Or someone else who is working at the provider level. And most of the devices that you find are also always using the same default credentials. So install it and change it. Yeah, coming more or less to the end of my talk.
Yeah, I show a little bit more in Wireshark demos now. But all of my tools I will also publish on GitHub, the decoders for Wireshark later on. So I'm working now to make some kind of ECDIS decoder for the datagrams that you have to see. Because in Wireshark it's very hard to find out how this looks. Let's have a look at that. So we have Wireshark here. So this is from one of my first network audits. We have here many UDP protocols. So what you see, I always use the statistics. Let's look for the endpoints, for example. And then you see, no magnifying here. You see then here the connections. But that's okay. So the thing that you see here is that we can make bigger. Most of the information is UDP. So the ECDIS is working with UDP broadcasts. They don't care about an acknowledge if the information is done. It's more or less a real-time traffic protocol, yeah, you can say. So each device is broadcasting its information as UDP broadcasts on the network. And the design of the protocol is then in that. So when we look here, for example, for the UDP stream, then you see here a couple of information. We have to wait. I picked one of the biggest. This is how it looks. But you then see here the NMEA satellite GPS information. So in this datagram it's 462 bytes. There is the GPS information that the GPS receiver, for example, gets. So the thing is now to write the code for that data here, that you can make as a Wireshark plug-in. Information is more visible like that. On the other hand I have here also another network, from the Furuno network. It's a little bit more readable. You see already something from the AIS system in that case. You look up and here you see a couple of error messages. There is even channel 2 malfunction, TX malfunction, external EPFS lost and so on. So at that time when I was sniffing on the network, there was an NMEA network gateway that was faulty and a couple of messages were missing.
So you can also find errors by analyzing those protocols. And the idea is to provide a filter for that. And also at the Furuno network everything is here in UDP broadcast. Do I find another nice one? This is for example an AIS message, a malfunction message. Another one. Here we have GPS information with the coordinates and so on. Okay, let's switch back to the presentation. Once I have it ready I put it on my GitHub in the Maritime section. I have a couple of other sections there. You find some X-ray pictures from devices, IoT devices that I analyzed and so on. Feel free to look at it and so on. Coming to the end. With my contact details, I have to say thank you for watching my talk. And have a nice DEF CON 28. Stay safe, and when you go out, always wear your mask. Goodbye and thank you.
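As an added example (not the speaker's tooling, which he says will appear on his GitHub later), here is a small passive decoder in Python for the NMEA 0183 sentences that ECDIS, GPS and AIS equipment broadcast as UDP datagrams on the bridge network: it verifies checksums, decodes GGA positions and pulls out ALR alarm sentences like the TX malfunction and external EPFS lost messages seen in the Wireshark capture. It assumes IEC 61162-450 framing (a UdPbC header and optional TAG block in front of each sentence); every payload in it is constructed, not captured traffic.

```python
"""Passive decoder for NMEA 0183 sentences in UDP broadcast datagrams on a bridge LAN (constructed samples only)."""
import re
from dataclasses import dataclass, field
from functools import reduce
from typing import Dict, List, Optional, Tuple

# Assumption: IEC 61162-450 Ethernet framing, i.e. a "UdPbC\0" header in front
# of an optional TAG block (\s:GP0001*hh\) followed by the NMEA sentence itself.
IEC_HEADER = b"UdPbC\x00"
TAG_BLOCK = re.compile(r"^\\(?P<body>[^*\\]*)\*[0-9A-Fa-f]{2}\\")

def nmea_checksum(body: str) -> int:
    """XOR of every character between the leading '$'/'!' and the '*'."""
    return reduce(lambda acc, ch: acc ^ ord(ch), body, 0)

def frame(body: str, lead: str = "$") -> str:
    """Complete a sentence with a valid checksum (used to build the samples)."""
    return f"{lead}{body}*{nmea_checksum(body):02X}"

@dataclass
class Sentence:
    talker: str        # GP = GNSS receiver, AI = AIS transponder, HE = gyro, ...
    formatter: str     # GGA, ALR, VDM, ...
    fields: List[str]  # everything after the address field
    checksum_ok: bool
    tag: Dict[str, str] = field(default_factory=dict)  # TAG block key:value pairs

def parse_sentence(line: str) -> Optional[Sentence]:
    """Parse one sentence; a bad checksum is reported, not silently dropped."""
    tag: Dict[str, str] = {}
    m = TAG_BLOCK.match(line)
    if m:  # TAG block carries e.g. the source id (s:) and a line count (n:)
        tag = dict(kv.split(":", 1) for kv in m.group("body").split(",") if ":" in kv)
        line = line[m.end():]
    if len(line) < 2 or line[0] not in "$!" or "*" not in line:
        return None
    body, _, cs = line[1:].rpartition("*")
    checksum_ok = re.fullmatch(r"[0-9A-Fa-f]{2}", cs[:2]) is not None and nmea_checksum(body) == int(cs[:2], 16)
    fields = body.split(",")
    # Proprietary $Pxxx sentences have no two-character talker id
    talker, formatter = ("P", fields[0][1:]) if fields[0].startswith("P") else (fields[0][:2], fields[0][2:])
    return Sentence(talker, formatter, fields[1:], checksum_ok, tag)

def decode_datagram(payload: bytes) -> List[Sentence]:
    """One UDP payload may carry several CR/LF separated sentences."""
    if payload.startswith(IEC_HEADER):
        payload = payload[len(IEC_HEADER):]
    text = payload.decode("ascii", errors="replace").replace("\r", "")
    return [s for s in (parse_sentence(ln.strip()) for ln in text.split("\n")) if s]

def dm_to_deg(dm: str, hemi: str) -> float:
    """NMEA ddmm.mmm / dddmm.mmm plus hemisphere letter -> signed decimal degrees."""
    deg, minutes = divmod(float(dm), 100)
    return -(deg + minutes / 60) if hemi in ("S", "W") else deg + minutes / 60

def gga_position(s: Sentence) -> Optional[Tuple[float, float]]:
    """GGA fields: time, lat, N/S, lon, E/W, fix quality (0 = no fix), ..."""
    if s.formatter != "GGA" or not s.checksum_ok or len(s.fields) < 6 or s.fields[5] == "0":
        return None
    return dm_to_deg(s.fields[1], s.fields[2]), dm_to_deg(s.fields[3], s.fields[4])

def active_alarms(sentences: List[Sentence]) -> List[Tuple[str, str, str]]:
    """ALR fields: time, alarm id, condition (A = active), ack state (A = acked), text."""
    return [(s.fields[1], "acked" if s.fields[3] == "A" else "unacked", s.fields[4])
            for s in sentences
            if s.formatter == "ALR" and s.checksum_ok and len(s.fields) >= 5 and s.fields[2] == "A"]

def summarize(datagrams: List[bytes]) -> Dict[str, object]:
    """Statistics-first view of a capture: who talks, what is broken, where the ship is."""
    sentences = [s for d in datagrams for s in decode_datagram(d)]
    return {"sentences": len(sentences), "bad_checksum": sum(not s.checksum_ok for s in sentences),
            "talkers": sorted({s.talker for s in sentences}),
            "positions": [p for p in map(gga_position, sentences) if p],
            "active_alarms": active_alarms(sentences)}

# Constructed samples: a tagged GNSS datagram (Barcelona harbour), an AIS alarm datagram,
# and the same GGA sentence corrupted in transit (checksum mismatch).
GGA_BODY = "GPGGA,101530,4122.000,N,00211.000,E,1,09,0.8,12.0,M,48.0,M,,"
TAG = "s:GP0001"
SAMPLE_DATAGRAMS = [
    IEC_HEADER + (f"\\{TAG}*{nmea_checksum(TAG):02X}\\" + frame(GGA_BODY) + "\r\n").encode(),
    IEC_HEADER + "\r\n".join(frame(b) for b in (
        "AIALR,101531,001,A,V,AIS: TX malfunction",
        "AIALR,101531,025,A,V,AIS: external EPFS lost",
        "AIALR,101531,004,V,V,AIS: Rx channel 2 malfunction")).encode(),
    frame(GGA_BODY).replace("4122.000", "4123.000", 1).encode(),
]

if __name__ == "__main__":
    print(summarize(SAMPLE_DATAGRAMS))
```

Feeding it the payloads of a real capture (e.g. exported from Wireshark) instead of SAMPLE_DATAGRAMS gives the same talker/alarm/checksum overview the talk builds by hand from the statistics view.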