 Okay Yeah, good morning everybody It's early in the morning. I know everyone has party lot last night. I think Yeah, today. I want to talk a little bit about remote yacht hacking so About some attacks and some issues that I found on maritime stuff and Yeah We will have some fun together. I think My clicker is not working Here we are We were short watching the movie I think Yeah, that was 1995 they give already suggestions about what could happen so they hacked the balance system of an big ship there and That was 1995 now we have 19 2019 and We will see actually such kind of attacks more and more happen, maybe Yeah What I talking today is a short overview about a maritime 101 Routa and sitcom vulnerabilities out of normal ships and some Q&A if we have time enough Why hacking yachts Maybe someone have an idea about that why not that's a good answer Yeah, why hacking yachts? They are mostly privacy owned privately owned and CEOs or people who have big money Doing their job on board and when you have access over the satellite Internet connections or the modem over Wi-Fi or whatever you maybe have the option to get some information That should not be outside there or Another one could be also celebrities on their ships when you have actor access to the Multimedia devices all those smart TVs on board you maybe get some pictures that Some others not have Yeah, that's the two things Why privately owned yachts mostly are attacked? Yeah, several celebrities are also said and Ever mentioned if we have access over the internet connection, we can do whatever we want My name is Stefan Gehrling. You can also find me on the OB 1 6 6 6 on Twitter I'm older than the internet Quite old now. No, not really a Couple of certifications. I have GCFA CISSP MCSE you name it. I'm an electronic specialist from the past Doing now IT security staffs. I joined the army a couple of years and doing their navigation systems maintenance for helicopters By the way, I'm also a firefighter volunteer and firefighters in 31 years now I'm working in the oil and gas industry for my employer Rosen, so we doing pipeline inspection That's our main business, but also focusing now more and more on yachts That's why the company so duration is here on my slides. So that's another branch of our company Yes, I void guarantees. I buy stuff Looking how it is working then I open it and to see what's in there And I'm volunteering Giraffel, I'm the cavalry and also DevCon As you seen, I'm just on duty. I've just come for my shift here and now there Yeah, how it is started There were a couple of news about hacking yachts in the in the past So the Marine had some accidents a couple of years ago the 2017 so they Had four accidents with their ships and also some other things that hackers owning an in yacht or Cybercrime on a high sea and so on. So That were some Information that you find there. So this is also then one of the news that was really interesting so when we looked at the schedule there the US Navy had 2017 four accidents with their warships and Then you try to figure out so why the fuck they have four accidents with their ships They should know about navigation very good, but It happens at that time. So the rumors come up that somehow their ships were maybe hacked but I've read two of those Reports after that It turns out that it was more or less in a human error navigation failure. So People at night. We are not really well trained doing their own they're doing the navigation at night alone So it was somehow a human error. So they did not follow the good guidelines for that and Last year also there was an Norwegian free gate So during during the military exercises in a NATO they had also an accident with that Yeah So this was a couple of pictures from the free gate. So it crashed into another vessel and You see it has now 45 degree on the light on the side When you maybe remember the pictures this was the The vessel that crashed in it or the free gate crashed in that and this picture was shown If you could see here, maybe Here are some scratches. So the first thing that you'd maybe think about this is the free gate crashed into the side here, but the fit not with the The things that you see here. So Also open source intelligence will help a little bit So I looked up on marineretraffic.com. There you find pictures with the same dense and cradsters and when you look at the Data of the date of the pictures It turns out that the picture was taken half a year before the crash happens. So those The marks are not fitting together. So just only a quick thing about Some pictures that shown in the news Yeah vessel yachts and ships a yacht is more or less a recreational ship and the term comes from the Dutch Marine so The Dutch had some very fast small vessels for hunting pirates in the shallow waters in the past so and Yacht Yacht yacht is a Dutch term. It means hunting and from that the term yacht Was introduced because of small and fast vessels and of course size matters Small boats are up to seven meters Yachts are already over 10 meters. If you have a super yacht, then you're bigger than 24 meters Or 79 feet it's already equipped with some kind of GSM Wi-Fi internet stuff and so on and Mega yachts you can say it's a swimming IoT device Because of you have already smart TVs a smart home equipment ICS stuff in the propulsion units and so on Just a small picture about one of the super yachts. So this is a picture of TV star from Germany and his yacht But we've seen information about it later So why swimming IoT Because we have so many different systems on board that yeah vessel traffic services We have automatic identification system. We have an autopilot somehow GPS radar system cameras a thermal imaging We have engine control units and monitoring devices. We have internet access and we have a couple of entertainment systems. I know for example from a 72 meter yacht they have 50 smart TVs on board 15 and more than 150 connected devices on the network Only for getting their stuff Like at home Yeah for the maritime stuff Most of the things are connected with an enemy a bus the enemy a bus it's somehow In the past it was in a serial bus and it's called enemy at zero one eight three so here we have one of those things and When in modern yachts now we have enemy as 2000 and enemy as 2000 is nothing less than Like a canvas in the car So we have some terminators here. This is the canvas and everything is connected to the bus system so When we have connection to the trend to the bus here like here we have a gateway from that turns the The signals from the can bus to your computer or it is directly connected into the network and some other computers So that's how everything is connected together So the cabling is a little bit easy I'm not sure if you have seen it in the exhibit on the on the CTF There are where are some pictures all you can see it also there, but it looks like these old 10 base T connectors from the past when where the people have Dealed with the cheaper net and B and C cabling so it looks like that, but it's a little bit different Yeah in the past the enemy a zero one eight three from the national marine electronic association It was in serial bus with four thousand eight hundred boat speed not that much, but it was much enough For echo sauna sonars animators gyro compass autopilot and GPS and some other stuffs Whatever you send us you have there So the speed was not enough so then they introduced the canvas part and called it enemy as two thousand Here we have now one megabit Network bandwidth what we can use Yeah, it's electrically the same as the canvas and automobile industry but You have different connectors for that And it's not electrically compatible with the old standard. So there you have some converters for that And because the speed was not enough Then they introduced Newest done that's Ray marine called it for example C talk next generation. That's why it and G and There's also this one has already 10 megabit And then there is an C talk high s high speed HS There you have already 100 megabit on speed on the bus system so When you look here at the pictures this are most of the stuff for the navigation part and some of the points that I trigger on this here is The receiver and the sender for the autopilot system here We have the GPS receiver and all those information going to the bus system and then spread it to all the devices Who interested in the information? So some of the systems are used as a trap method traffic service so It's some kind of an Yeah, you can say it's similar to the air aircraft aircraft control system where they Are traffic control you can say it's similar to that it's used mostly in harbors where they Get the information about the system or the ship and put it in the right place It using radar CCGD VHF radio communication and the AIS system The AIS system it's a pretty easy You have it on most ships from a specific size on Then it's a mandatory and The most of the system are working on VHF We see later or there's also a satellite version of that So the AIS supplements and the radar system and Get also the information from that. So it's some kind of collision avoidance that you can look up for that So the AIS using the GPS information from the canvas from the enemy and network to be correct And we have an actors The electronic chart display and information system. So this is some kind of an Electronic version about your C cards. So in the party you have a paper print out of the C cards where you travel on and You don't have to have it now At least you have two simple two different GPS devices and then you can completely rely on those actors on this electronic version. So the thing is then All the information that the actors get About the position. It's getting from the AIS and also from the GPS system on the enemy a bus system And then we have some kind of IT equipment on board Anyhow we have to have internet access. So it's done by GSM or Wi-Fi or satellite digits where you can access the internet on the IC And on board we have a couple of IT systems also entertainment system voice over IP I've seen a couple of things Wi-Fi for the guest for the crew for the for the owner of the ship and so on This for example is a picture of an 40 meter yacht with a 90 inch rack full of IT stuff To just show a little bit. It's an internet router where you have your access Here are three servers to get all the things controlled We have two voice over IP gateways there and and completely full stacked Networks which with 848 ports and some kind of uninterrupted power supply And the other things we have on board are 10 smart TVs one sharp PC and the actors 14 voice over IP telephones on the network The internet router and for access points for Wi-Fi As I mentioned in front of it the 72 meter yacht That I have seen has 24 access point on the ship to have a whole coverage over Wi-Fi So 24 already Who is patching that shit? We will see That's a big story And the ships are going more and more to be smart ships, so As you can see your only small a few picture about you control with your tablet You can control the light you can control the electric curtains of the ship you have monitoring access or also Other access to the rudder information the rpm of the engine The oil stand and so on So all the information you can access Via your smart tablet tip, so it was a smart TV the smart devices And you can also access those things remotely with your mobile phone So This is then how a network on the ship looks like so I've putting everything together and Yeah, it looks like a network at home and your business and your company however, so Starting at the top we have some internet routers That we maybe can access or attack The next attack situation situation we could have is the computers on board So they are connected to the network and through the internet Another attack vector could be the mobile devices of the crew of the Guests and so on that are connected over the Wi-Fi system to the network of the ship and Then when we have access maybe on the network of the ship We have to look for the gateways that's going to the canvas. So Here it is separated by these devices. It could be in a USB device that could also be in a standalone device and then We are now on the ship network On the canvas of the ship where we have access then to all other informations as you can see the GPS the engine AI as radar so now and so on and so on So this is then the bus where we can access it So the first thing we maybe can do is We can spoof or fake the GPS information to get the ship maybe on a different course By the way, there are a couple of GPS systems today online We have the US version and it was the first one that most of the people say GPS is GPS But GPS is the US version of the global navigation satellite system The Russians using their glonar system the Europeans the Galileo it's not fully operable now and Two weeks ago. They have a big issue with their system. So they fucked up the atomic clock synchronization so I Don't know it has someone heard about that that the Galileo system was more than one week not working What? No, no, no, it wasn't I Read a report about that So the problem was The satellites are have atomic clocks inside for correct timing So these atomic clocks are synchronized to the ground station And for the Galileo system, we have two ground stations. One is in Germany. One is in Switzerland So and they are maintained by two different companies So the German ones is a different company than the Switzerland ones. So the problem was then the German had normal maintenance phase where they switched off the atomic clock in Germany and at the same time in Switzerland somehow something happened with their system So they have to so the clock drifted a little bit away and they have to shut down their system too. So both atomic clocks Could not synchronize with a satellite in the air and the satellite then decided, okay I have no synchronized synchronized clock now We switched off our operation And then all the satellites all the 24 satellites for the Galileo were then switched off and get not Any more a correct position about that It took them more than one week to recover all the synchronization to the system and now it is working again Yeah, only a small story about that Yeah, when we look at the frequencies You can see we have three bands where all the systems are working on and All all privately used Devices for that are working on the L1 band and then you have only a couple of frequencies where all of the systems are working on It's not that much So the scenarios could be then we can spoof the signal or we can jam it Jamming is very easy You just have to have a software radio Software defined radio device that can transmit something and then you can jam the signal Or using some other stuff spoofing is a little bit difficult, but you can also do it with equipment Starting about 350 euro 400 bucks for example Yeah Jamming happens quite often Every time when the military is doing a military exercise you will see somehow GPS interferences Anomalies and so on Especially when the Russians doing their exercises they jam the GPS all the time There's also a link here to a report from from 2017. We're more than 20 20 ships and some aircrafts reported anomalies in their system Yeah, for jamming It's not really. Yeah, by the way the US Navy teaching again Navigation with a sixth and so they stopped somehow teaching that and after they figure out a couple of years ago That it is not maybe a good idea only to rely on GPS information. We should be able also to navigate in a traditional way and the first Navy officers trained again on that come to Germany and get trained on the system again how to navigate with the sixth and just to know about GPS jammers you can buy online for example at sell jammers.com It's starting from yeah, these are the little bit expensive one And you can also have small USB devices for 80 bucks and also for the cigarette lighter in your car so when you maybe are Thinking about someone has a GPS tracker on your car take these a cigarette lighter version and then Your GPS tracker and the car is not working anymore Yeah, for professional testing you can have also these DNS simulators. They're quite expensive This one is around 15,000 euro, but then you can simulate all the things that a real satellite navigation system is doing You can replay waypoints and so on We had used one for our devices that we using in our company So for for the pipeline tracking we have also some GPS trackers that we build our own and to test them We use in such kind of device But yeah, it's very expensive, but maybe it's a little bit easier to fake the GPS signals on the enemy of us So then we come to the spoofing so spoofing is a little bit It's not really difficult You need only the right tools for example by an hacker F have the right antenna in place and You need some strips for that and that's it Or you can also use an a blade RF. It's a little bit more powerful And then you can gamble with that Just a small advice Don't mess with the GPS signals. You may disturb some others use a forensic back or Faraday cage away can set up your lap for that Yeah for spoofing the signals You need to software defined radio and you need to write a software for that so the software you can download on github It's a GPS SDR simulator and with that you cannot already do all what you want One thing you need for that is Once you have all your equipment in place You need to have the daily download of the constellation of the satellites in the air So that you can download from the FTP side of the nasa And then you have to Calculate your daily Daily Daily fellow about that and then with the information that you want to spoof you put everything in place you compile a new Script for that and then you transmit it with the software defined radio devices. So This are the few commands that you don't need As you can see you set this frequency on the device that you need You need the right sample rate and bandwidth the gain for that and below you can see that there is This is then the wind file that we use what with the information of the GPS signals that we want to spoof and then You send the file over the device and you're done Some drawbacks are there. You have to have the right gain of the signal So if your signal is too strong, maybe the devices are not accepting yours because Some devices are detecting. Okay. There is now another signal with an with an higher gain We ignore that so But somehow it works another thing When we have access to the enemy a bus we can maybe use different things So this is an software from at the ATL soft. It's an GPS simulator You can see it's connected to the enemy a zero one a three bus it's with a comport connected and then you can set your information to what Long latitude and longitude you want and then press the start button and then it sends out the enemy Data on the bus with the fake GPS signals So if you have somehow access for example to the bus by renting in yacht You maybe have them when you have enough time and access the system you can put some Fishies poofy devices in the ship and then can do some stuff with it later Yeah So now how we can protect for that This is in research project in Germany They using in four by near two by two antenna device. So here is the antenna. It's an array about four antennas it's and then you see the radio signal about that and by The four antennas you can already calculate. Okay, the signal is maybe coming from the side or it's coming from the right position from the top With that you easily can see If it is a spoof signal coming from the side or is it an original one from the top and Another thing that is possible with this It can filter out the spoof signal and amplify the original one. So it's it's still in a test phase. It's It is working and I think we will see it in a couple of years as a normal device And I have also found you can buy no GPS firewall Sounds like a little bit little bit like snake oil. I don't know Yeah, it's a device that you can buy maybe it working like the same as Through the research for the Germans because it's connected between the GPS antenna the device and doing them some stuff Anyhow, if I have the chance to get one of those devices to test I will do it and Put it in later Have someone maybe one. I don't know if yes Contact me, please Okay Yeah, AIS system AIS using the GPS information that already mentioned and Sends then over its own device over their own system the information back to another thing Every ten to two to ten seconds they sending messages when the ship is on the way For example the status I'm on anchor or I'm I'm on the way on the motor my speed My heading my course of our ground and so on and The system is quite easy. It is working on VHF radio 161 megahertz and 162 megahertz or just two channels that you need The encoding is also very easy and with those informations and with your software defined radio You can receive your own AIS system Just use a software defined radio device like the hacker app download the scripts for a new AIS and You can receive your own's your own's and when you change some kind of Those new radio stuff, then you can also transmit different systems. So When you change it a little bit you are able to transmit fake AIS information and it shows Then on every other systems on the world to the AIS devices another one is the autopilot I have already mentioned about so I'm still on the research phase of that so in September I have access again to one of those systems and then I can record the radio signals and Get more in my research for that. So how it is working. It's an handheld Radio-controlled and then on the right you see the receiver for that In this case it was in the Raymarine S1-100 wireless device and you can put in some new heading and Speed information. So you put in those information Say okay. This is my new course on speed It sends them to the autopilot system and the ship is then following that Mostly you find it on sailing yachts, but this was also on a normal motor yacht Yeah, how you look at this stuff every device that is Sending transmitting radio signals must be registered at the FCC So and then you can also look up at the FCC ID There's search options where you can figure out what it is I've done it here in the picture. It's a The the granted code. It's called PG-5 and it's it's a smart device Miko Hoepen and said once when a smart device is smart you can hack it Just Okay When you read and the documentation there You figure out okay It's some kind of an autopilot system and it's working on 2.45 gigahertz and it's not Wi-Fi So it's somehow something else and there are other information about that you can find So this is then also the information that you can get on the FCC ID website How the system is working? So there is some kind of a processor and network processor and an RF transceiver It's an Omega microprocessor and they're running their own Mbastak wireless protocol on that So with that information you have already everything that you needed To figure out how maybe the RF signals are looking like so I Think I have an update on that in October this year Now we coming on how to hack the internet connections, so When I started with that I Had access to these yeah the local marines. You're brought up Sort of never very nice device is looking like this It has an Wi-Fi booster with 1.6 watt Electrical energy and with the right antenna I had on the Monkey Island around 20 25 watt ERP sending power it's very high and they claim to have Wi-Fi at least at 15 nautical miles and A mobile phone should be working up to 30 nautical miles. I Was not able to test it because I always only on the yacht when it is in the harbor Yeah, some drawbacks But yeah When I looked up then how the system is working they have a nice Software for that. You can install it on your computer. You can install it on your mobile phone on your tablet, whatever So this is then an overview about the complete things that you can do so navigation There this are the different Wi-Fi systems that they have Access to other systems surveillance and so on yeah, you can also access your multimedia devices and This is all done over these control panel. So then I Looked up how these software was working and it figured out The software connects Viya FTP to the router That's the first thing so FTP. Okay, FTP is clear text Then it downloads an XML file When you change something in the software you change it on your tablet, for example Then you modify it and later on when you say save it sends them back the XML file to the router And then restart it Yeah, yeah, as you know FTP is clear text First thing I thought okay, they're using anonymous authentication. So that means nothing or they're using hard-coded credential what could be Even worst step. So in this case it figured out They're using hard-coded credentials so the username was loco loco is a Spanish word for Matt and I love the password secure connecting user. Wow Yeah, some Some things of that so then I downloaded again the software and Looked up what it is. So it's an in this case. It's an net application Then I used a tool like I'll spy where you can reanalyze the source code about that and in Then you find a couple of juicy information Inside of the software for example one of those developers Somehow John, I don't know who is it Jara is one of the developers from the company some other information that and When you find the yotrouter engine there you find a complete configuration about Okay username password IP address of the internal server The name of the XML file some information about the Wi-Fi the Wi-Fi names the passwords for the Wi-Fi and so on So, okay First thought they're using it only internally let's look up how it looks like from the internet So I didn't end map scan on the eye on the public IP address after the device is online and This are done the open ports. So what? We have hard-coded credentials and the fdp port is open to the internet So you can access that device anyhow when it is online with those hard-coded credentials And some other information and some other ports also This one is very nice. We see it later Yeah Then another thing is in this software. They have some remote support. This is from the documentation So when you read it, you will find out you don't have to send them an IP address If you need remote support from them You have only to say okay. This is my serial number of my device and this is the time when you can access it That's it How they know that? They need an IP address for that. So It turns out that they Make a ping back to their systems. So this is the IP address of their devices and it's belonging to local marine So every time when the device is online, they knew your IP addresses when you are online. So on Privacy reason, it's also not so fine Okay, then how can they access then so yeah, okay, they know the the hard-coded credential of the fdp, but It turns out they're using then the micro take Windbox management software, so it's running on port 8291 TCP and it's a very nice software With these management software You can do much more than in the normal software of the device You can also change the Wi-Fi settings and there is also I Do not see it here now, but I have a picture here You have access to the user list These are the credentials that are then in turn so the user local we already know but there's another one Jerry So Jerry has always access to the device when it is online and he knows every time when it is online. So If this is a good idea, I don't know Yeah After I reported it they may changed it. I have to look up later so they promised they have a new device now online and And they promised to send me a new sample of that. I'm waiting for that if you're not familiar with Looking up the stuff with aisles by deco decompiling software. You can also use tools like mkbrutus Where you can attack micro take Router devices, so it does done everything for you. For example, there's a small Python script You only need the Python script and the IP addresses and it gives you an M bag the username and the password for that Very easy Yeah, I reported the things to the vendor Two bucks. They fixed the other one take a little bit longer They gave out a new software about that and then they patched it. I received my CVE for that Yeah, and then I looked up the patched software that I gave so they changed now FTP to SSH That's already a good version. And then I was thinking, okay Yeah, and they're still using Hard-coated credentials The other thing that I did Obfuscation they obfuscated their software so that you not easily can decode it, but with a little bit more Time investment. It's also not that bad. So maybe takes an hour more longer yet It's not that hard Yeah, this is then the normal crash of your decompiler. So it has some errors then In that case Okay, I struggled at that point. So I downloaded the Android version of the software It's also not that application and they forget about it. So they Obfuscated the windows version but forgot about the Android version and it's still in a normal version about that So it's not obfuscated. So when you then look at the same Classes for the software the yotara engine you find there is now in the same user with a new password It's a complex one. Yeah, but it's still hard-coded and it's still accessible over SSH now Yeah so that's the last point of those things and Yeah, I'm waiting for the new hardware of them Yeah, some other information you can find there patch backbone data leak It's a nice class. Yeah It's looking fancy and you are all the other information like IP addresses from the internal network and so on Yeah, that I said already SSH instead of FTP now They obfuscated the DLL in the windows version, but not in the Android the iPhone version. I don't know I had no way to test it Still using hard-coded credentials. That's not good and SSH and Windbox is still reachable over the internet when the device is online. So the firewall scripts are not set up that correctly So coming to the last point now You can have on the high-c also access over satellite So because Wi-Fi coverage is very bad when you thousand miles away on the high-c So you need how to communicate over internet to the internet over satellite systems. So while while I was looking up some of those local marine systems I Struggled yeah a little bit on showdown and find some other nice devices So, yeah that are already set You can look up in showdown for those devices These are some of the search string where you can look for These are all things that other people have already find out with vulnerabilities and therefore you use the search strings here and Yeah Showdown has also a chip tracker For the VZ setcom devices So ship tracker dot showdown dot IO and then you can look up all the devices that are online So yeah, they're using VZ and so on Yeah, in my point I Was looking for those local marine devices and I found some Names that called stabilized digital antenna systems. So wow that sounds good. I want to know more about that So I looked up in showdown a little bit more and then it Claimed and okay. There's a co-pam mxp web server With the easy search string micro digital web server it gives you a better result you find those devices Yeah, this is then how it looks like in showdown At that point where 21 devices online And this is the device that you find then Yeah Then I looked up Yeah, the first thing that I do I show it I show it later. It's it's more fun than in general This is how the device is working the ICU and antenna devices on top of your ship and Below then you have the computer and the mxp web server that's controlling those things That's the point where we switch to the demo and Internet is still running Okay, here we have showdown I have already put in here the third string micro digital web server. I'm looking for Today we have 16 devices online a couple of here in the US. I don't care where they are just Take the first one Need to lock on that's bad. Oh, no, here we go. Oh, that's a very old one. It doesn't matter Hopefully it is online. Yeah, here we go. It's a little bit slow because it's over satellite And now we have the web interface of a ship live in the internet Yeah, I cannot now use the username and password to lock in I don't have one So we have to find another way. So the first thing that I did was right click Source code that's it and Then the first thing that paid my intention was this part here Hopefully you can see it JavaScript user login.js. So let's click on it and this is then the login script for that If we scroll now a little bit down Here are the funny places If the login username is dealer then use the menu dealer gx dot html if the lock-in is user then use another one So, okay, what we do to hack the system. It's very easy We copy the URL and the funny thing is It's working It takes now a little bit time and now I have admin access to that device It's switching now back After a couple of seconds because I have to set also a referrer information that the thing is always there, but Here's some kind of a ship and we have here latitude longitude information and the name for that if we look now My real traffic dot-com we can easily we can yeah, we can try it Din din din 41 point two five and nine point four three Okay, let's look Marine Dot-com to see if it is the right ship Meridiana Okay, yes one it could be maybe this Din din din It looks good Let's look at the information. Okay here actual position of the ship is 41 point two five latitude and nine point four three longitude Come on And here in my system. It's the same information. It's that ship It's actual laying in Yeah, I don't know five minutes ago last position It is mort engine is stopped, but yeah, it's anyhow laying in a harbor, I think It's a nice yard. Okay So now we have access to that device. We can see also some other things here Command line interface. I can change the position of the antenna information So I can reconfigure the information about how the antenna is accessing the internet and so on Yeah That's that's from that part switching back to the Okay, so the demo I gave Yeah in short review If the username is dealer then you have admin access if the user is user then you have a little bit less information Here are some Pictures of the software. Yeah, as I already said a command line interface from that point You can then dig for other devices in your in the network of the ship looking for example for the TCP IP converter to NMEA signals and Spoof your informations on the ship from that From the internet to the NMEA system. It's not a big problem anymore Or you can also make some firmware upgrades and so on Or You also can try to use the default credentials from the documentation When you look the hand when you read the handbook The username is dealer and the password is CTL 3 and so on It's not a big deal Yeah, someone found it already before me When I looked it up But he only claimed the version of one to one is vulnerable So I tested all the versions listed here down and they are vulnerable to the same thing I Also contacted then The vendor because I found something different that I will explain now Yeah, some kind of the web pages that you can access without under the indication Where you have all the things? Yeah You can increase the cost by just Uploading downloading software or doing other stuff or you can switch off the internet connection on high-ceat That is maybe a bad idea, but it's also then bad for The crew on on board they have no internet access anymore and get no information anymore. So Yeah Another thing that I found then was There was an Other issue in this device so When you send two specific parameters to the web device It created then a complete backup of the configuration and put it in a temp folder of the web server As we know we don't need an authentication. We download the configuration file And we have then all the information about the system with a configuration the username password and so on so Here you see my test script that I've written for that and Then this is then a short overview about what your information you can download then later So it's an in a temp folder in a configuration file where you can find everything So, yeah coming to the last part now The engine control units are also connected to the network and then I think Brian Olsen has already covered it in his talk We figured out that some kind of the auto masking engine control units that are connected to the web to the network Have some drawbacks where you can bypass also the authentication and have control over the engines So yeah, then you can say okay engine left full full speed ahead and the other ones and the other way direction As you can see here also It's connected to the network and also using some industrial protocols like modboss or something else Yeah The future is maybe it coming more and more autonomous So autonomous ships need some kind of internet connection and using GPS information Yeah For that we have to be clear that then the system should be protected very good So This we can skip yeah autonomous ships There are already things going on so Rolls Royce test 2017 the first voyage of an autonomous ship So a captain was still on board just for backup But the main control of the ship was done in the harbor from a control room. It was not really autonomous, but Let's say more or less remote controlled If they remote can remote control it someone else maybe can also control it. So that's Because of maybe they're using the same weak internet devices So yeah, what's next? We need to test more and more on the enemy The enemy should be a protocol should we have more security security authenticating and so on in place so that Nobody can temper the signals that are put on the Yeah on the bus The wireless auto protocol autopilot I'm working on So all those other internet things has to be tested a Couple of others are working on it, but we need more time for that to figure out all those devices And it becomes more and more that all the devices are connected to the cloud and how so Here we see one of those things Where they are using now For example this for Marathon this part we had already in my network design and Here everything is connected also to the cloud where you can access then all the devices over your tablet smartphone or your laptop, so You have no full access from anyhow to your ship So I know sure if someone has already tested these cloud services, but yeah when I have time I will do it So this then again one of those things where you have remote control about that Yeah, rather information rpm oil temperature and whatever Yeah coming to the end and a mea gateway also needs more tested such come boxes mostly unpatched the problem is They have only a small window where they have time to patch those things so most more or less they are running all the time and Once a year or maybe once all two years they're coming in the harbor in the yard And then there is only time to patch the things so in between the ships are vulnerable if there's something is found So the vessel transport services needs all to be tested more and more Autopilot I'm working on it injecting enemy I'm messages Some other people's are also testing with that GPS boofing. Yeah It's some fun But yeah, I think the first devices we will see to protect that systems Coming to the last slide now May the force be with you My Twitter handle my email address if you want to contact me you can also speak up after me with me a little bit. I Cannot give out some business cards. I lost everyone I run out of business cards. So yeah, you have to take my email address and contact me for that Thank you for joining and have a fun. Have a nice rest Defcon