So without further ado, I'll hand it over to Cybergibbons to talk about hacking cruise ships, if you would. Great.

Thank you very much for the intro. Hello people, wonderful people. Today I'm gonna be talking about hacking ships. I'm gonna talk about how ships work, how they're put together. Now, this is the first time I've done this slide deck. It's a bit of a mishmash of two different slide decks, so it might get a bit crazy at pace at a few points.

So who am I? Well, my name is Andrew Tierney, my handle cybergibbons. I'm a professional penetration tester, which is a ridiculous name for someone who tests the security of various devices. This is me a few weeks ago on a 747 looking at some of the systems on board. I lead the hardware team at a company called Pen Test Partners. So we look at planes, ships, cars, IoT hardware, industrial control systems. We call ourselves the weird stuff team. We just do all of that kind of non-general-purpose computer things.

So what can I talk about ships? Well, this is me 16 years ago, I think, give or take, 2006, on a container ship in the Suez Canal. I used to work on container ships as an engineer, so down in the engine room. I did that for a few years, so I've got good knowledge of how ships work. Bringing together the IT side of things and the ship side of things allows me to really drill into how they work and find really interesting vulnerabilities.

At the end of this I'm going to show you how I was sat in my pants. I'm not actually going to show you that. Actually, I was sat at home on the sofa with remote control of a cruise ship. I could steer a cruise ship remotely. So that's where this is going.

Now, all of the work that I mention here is carried out with permission. We were on the cruise ship with permission to attack those systems. So don't go and do this when you're on a cruise. You will get in trouble.

So what is it like working on a ship?
Well, this is the view out of my cabin when I was a cadet on container ships. So I worked on kind of 300 meter, 350 meter long container ships. Back in those days they were the biggest container ships. They typically held between six and seven thousand TEUs, 20-foot equivalent units. So that's half of a normal container that we're used to, so it's a lot of containers. You can see there, we're looking forward from the accommodation. You can see all of those containers on the deck.

Now, most people think about container ships when they go past: they look at all those containers stacked up on the deck and that's all they think of. But actually the bulk of containers are below the decks in the hold. So you take off a hatch lid, there's three hatch lids across the width of the ship, and down there you can fill it up with containers. So those are 40-foot equivalent units. They fill that whole 40-foot gap; a 20-footer is smaller.

On the right-hand side there, what you can see is something called a bunker barge. You obviously have to get your fuel from somewhere. Now, a container ship like this holds about 10,000 tons of what's called heavy fuel oil, HFO. Now that, it's expensive. It's $500 per ton. So the first time, I remember, I was helping take bunkers, take that fuel on board, I did the maths: 10,000 tons at $500 a ton is the best part of five million dollars' worth of fuel. One little mistake and you could cause a real problem.

This is a picture of a container ship that I worked on whilst it was under construction. So you can see that cross section of the ship, how deep it goes down in the hold. Down the sides, those hollow gaps at the sides, they're tanks. They hold ballast water or fuel. You've got a thing called the side passageway that goes all the way down at the top, all the way from the back to the front. And it's quite crazy.
You can stand in there in heavy weather, look down that side passageway, and even on a container ship this size you can physically see it twisting from side to side and moving up and down. Unfortunately, 2006, we didn't have camera phones really, we didn't carry for, you know, cameras about this. So I don't need videos of crazy stuff like this.

So what is it that powers one of these? Well, it's a really, really, really big engine. So it's a two-stroke diesel engine. They're huge, they're three, four stories high. That red box there is covering one of the exhaust valves on one of what we call the units, one of the cylinders. Now, this is a 10RTA96C. 10 means 10 cylinders, so it's already got 10 cylinders, it's bigger than most car engines. 96 means that the bore of the cylinder is 96 centimetres across. You can fit in the cylinders, they're that big. So these things are absolutely massive. That huge pipe you see going along the top there, the big silver one, that's the exhaust manifold. The stroke of one of these as well: 2.4 meters. The piston goes up and down 2.4 meters.

When you look up at it from what we call the bottom plates, right down at the bottom of the engine room, you can see the scale. We've got three ladders going up towards the top of that engine. Now, that big round thing there, you might think that's a flywheel underneath there, but it's not. It's actually what we call the turning gear, a massive cog. Use a tiny little electric motor to spin the engine round before you start it to make sure it's all lubricated.

Now, just to give you an idea of scale. This isn't my picture. That's what a banana is in relation to one of these. You can see the little guy stood on the top there by the exhaust valves.

Now, these engines are really different to normal car engines. First off, the crankcase is so big that it's got ladders inside it. You have to climb inside the engine to do some maintenance work.
It's really slippery and grim. But they're two-stroke. What you have to do is you have to pressurize the space underneath the piston, so you can force air in at the bottom and then the exhaust goes out of the valve at the top. It's like a two-stroke motorbike engine where the crankcase is pressurized. It's not technically the crankcase in this situation, but it is quite different.

So what does a piston and a cylinder liner look like in one of these? So on the left-hand side there you've got a piston. You carry a spare piston so you can swap it out. It's absolutely massive. On the right-hand side, you've got a cylinder liner. It weighs about nine tons. So these are heavy, heavy things. Again, you carry a spare cylinder liner. Those holes you see around the bottom, that's where the air gets forced into the cylinder to push the exhaust gas out.

Now, of course, you have to measure to see if the engine gets worn. So you take the exhaust valve off, which, I made it sound like it's simple, it's not that simple, and you climb inside the cylinder, use a very long micrometer as a stick, and you measure the wear on the cylinder. This is when one of the ships I was on was being built.

Another crazy thing: those pistons need to be kept cool. You need to keep that piston actually physically cool. It's not like a car where you can just rely on the oil in the crankcase and the rest of the liner keeping it cool. So what actually happens is oil gets sent up the middle of the piston rod, sprayed through, I think, about 56 nozzles onto the underside of the piston, and then it drains back down into the crankcase. Really, really cool little system, that.

So how do you get the power from the engine through to the propeller? It's just one big propeller. That's it. Well, you've got a gigantic prop shaft, and that is the prop shaft on this ship. It's quite long. It's quite thick.
I think it's about 90 centimeters across. Again, a massive solid chunk of metal to carry the power from the main engine back to the propeller.

And how big is one of the propellers? Well, it's about that big. This is when one of the ships I was on was in dry dock, so you can see the sheer size of this thing. It's absolutely massive. The edge of that propeller actually moves so quickly that you get cavitation, little bubbles of steam forming. And one of the ships I served on, the Southampton, actually had a tiny little window in one of the ballast tanks. When they did a study to monitor how that cavitation happens, they put a camera in there to watch the propeller go around underwater.

Now, a weird thing about these ships is the engines don't really go that fast. If you're moving a chunk of, you know, six tons' worth of piston up and down, moving at two and a half meters, you can't move it that quickly. So at most they do sort of about 105 revs per minute. So very, very slow compared to a car engine. When you're stood on the top plates and the engine's running, it will shake you. It pulses through your body. It's that kind of frequency.

Now, the other thing is that if you want to go in reverse, you don't have a gearbox. There's no gearbox to change your direction. You stop the engine and you turn it round and make it go the other way. You literally reverse the engine to change direction. So if you need to come to an abrupt halt, you're motoring along, 100 rpm, 25 knots, and you need to stop quickly, you need to stop the engine, bring it back in the other direction and try and slow down.

Now, how much power do these make? Well, it's kind of variable, but it's between 80 megawatts and 120 megawatts.
So we're talking really, really huge amounts of power. This is the power meter on the ship. Now, the cool thing is the way it actually measures how much power is developed on the engine: it's got two sensors on the prop shaft, a couple of meters apart from each other, and it measures how much that 90 centimeter chunk of metal twists. It's actually measuring the twist in that to work out how much power. At this moment in time, we're doing 65 revs, quite, quite low revs. We're only developing 15 megawatts, not that much power. I say, like that's a token amount of power.

How do you start one of these things? Well, there's a thousand tons of rotating metal there. You can't just turn an electric motor on like in a car. So you start it with compressed air. So this is called the start air system. It's 30 bar, so that's just over 400 psi, give or take. This is scary pressures. Most air compressors kind of top out at about 150 psi. If you make a mistake at these pressures, bad things are going to happen. Each one of those tanks, the walls are, you know, huge, huge thickness. But you store that air up, and then something like a distributor, a pneumatic distributor, admits air into each cylinder one by one and starts the engine.

You also need to open and close the exhaust valve and you need to inject fuel. So this is on what we call the middle plates, the kind of middle section of the engine. On the outside there, the two big silver pipes leading up, they're hydraulic lines leading to the exhaust valves. So they're hydraulically actuated. A massive camshaft is rotating around underneath, pushing hydraulic fluid up there. The bit in the middle is the fuel pump.
It pushes fuel, heated up to about a hundred and forty degrees Celsius, up through a pipe through to the cylinder head, where it gets split into three and it goes in through three injectors. So this fuel pump covers two units, so you've got multiple fuel pumps across the length of the engine.

Now, normally all of this is done automatically. All of it's happening in the background by pressing buttons on the bridge. But you've got to practice for when systems fail. So right in the middle of all of these main engines you have some sticks. You literally have sticks that control how the fuel is admitted to the engine. So at the moment you can see there, we're in remote control position. But what you can do is you can take it out into run and start. So you put it into run, you pull it through to start, it will put that start air through into the system. You can choose forward or astern, and then on the right-hand side you've got something that controls how much fuel is being admitted to the engine.

So we'd practice this. You call it riding the sticks. It's really, really challenging. Normally that control system is metering how much fuel there is 10 times per revolution, and you don't have that ability. So you're sat there trying to maintain revolutions. Really, really challenging. You've got to wear a headset as well. The noise in the engine room, it's deafening. So you've got to wear a headset to get instructions from the bridge if they need to change speed.

You remember I said that you need to have that pressure in the crankcase to force the fresh air into the piston when it's down at the bottom, and the way we do that is with turbochargers. So these are the turbochargers. That's the exhaust side of one of three turbochargers.
They're about the size of me, so not actually that tall. The thing is, though, those turbochargers kind of stop working at low speeds. Anything below about 25, 30 rpm, they just don't have the exhaust gas to generate air flow. So on the left-hand side we have what's called a scavenge blower. It's an electric fan that forces air into the scavenge space to take up for the turbocharger.

The noise at this part of the engine room is deafening. These are like jet engines, essentially. They're massive turbines. You wear ear defenders, obviously, but I'd often put earplugs inside the ear defenders working in these areas, just because of the noise.

Now, the interesting thing is your turbocharger's got exhaust gas going over it and it will get dirty. I mean, it will get filthy, really, really dank, and you need to get that filth off it. So what you do is you get crushed walnut shells, literally tiny little bits of crushed walnut, and you put it in that little green tank. You pressurize a little green tank with air and you inject it into the engine, into the exhaust, and it will hit the turbine and all of the crap will come off. It will fall off and just go through into the exhaust. It's a really, really clever idea.

Now, the intake for these, it takes the air from the engine room. It just sucks the air in through a big filter on the other side. So it's coming through the engine room. You get a really weird effect called turbocharger surge sometimes. It's kind of when the amount of air that the engine's bringing in doesn't really match up with how much the turbocharger's generating, and the turbocharger burps, or coughs, people say. Now, having stood next to one of them this big when it coughs, yeah, it's a bit more than a cough, to be fair.
It's a bit scary.

Now, the next slide, and there's a mild picture of a mild injury on it. It's just a red arm really, okay, but I thought, just in case. Seafaring's dangerous. There's all of this machinery, all of this stuff going on around you, and accidents happen. And you might recognize that picture on the right-hand side there. It's exactly the same color. It is, well, it's the forward turbocharger off that very same ship. I was on board when this happened. This is an accident report. Essentially the pipe came off the front of that tank, seven bar air, hit him with the walnuts. Sounds a bit strange. It didn't actually look that bad to start with. It just looked like his skin was wet, you know, like an abrasion. But then over the course of the next hour or so he was in real severe pain, and we actually had to divert to another port to take him to hospital. So pretty serious accident, that.

Another thing that ships this size, engines this size, have got that's unique is the crankcase. It's huge. It's this massive space and it's full of a mixture of oil and air. Now, the problem is if you get a hotspot, friction on a bearing or something like that, it will produce an oily mist. And you have something called an oil mist detector, and it sucks in air from each one of the units to detect whether it's got to explosive quantities in there, or an explosive proportion, because sometimes it does blow up. It's sunk ships before. These big round doors on the side, they're explosion relief valves. If there is an explosion, it lets the explosion out but doesn't let air back in, so there can't be a secondary explosion.

Now, this main engine, it needs power. It needs all those pumps, it needs cooling, all of these things going on. So you need to generate electricity to make the main engine work, and you do that with generators. So on this particular ship, the green one that we see here:
We had four 3.6 megawatt generators, so just over 14 megawatts of power, quite a lot, and they power all of the pumps, they power all of the systems on board. It's quite a lot of power.

But you do have all of those ancillary systems. You've got all the pumps. So you've got high-temperature cooling water, which transfers heat to low-temperature cooling water, which transfers it into seawater. You've got lube oil systems for the main engine. You've got fuel systems, hundreds of pumps, firefighting water. Just so much stuff going on. You've also got these big heat exchangers, which are titanium plates stacked together with rubber gaskets between them. Sometimes you have to open them up and clean them. It's a really, really unpleasant job with a pressure washer.

We've also got to purify the fuel. So those bulbous things are called fuel oil purifiers. They're centrifugal purifiers. They spin round at some god-awful RPM and they take water and dirt out of the fuel so it can be used in the main engine.

And on the right-hand side, my favorite piece of engine room equipment, the ship tank. And when you're the junior one on a ship, you look after the sewage plant. You're the one who deals with everybody else's poo. It's not just a tank, though. It's actually a digesting plant. It takes the sewage in, it digests it, bubbles air through it, chlorinates it on the outside and then puts it into the sea. I did actually quite like looking after it, to be fair.

The electrical systems on these ships are hugely complex. So those generators you saw, they run at 6.6 kilovolts.
That's a really scary voltage. Now, the only thing on the ship that actually uses voltage at that level is the bow thruster, a massive propeller that sits underwater in the bow, the front of the ship, that helps you dock. Everything else gets dropped down to 440 volts, like you'd have in most industrial situations.

Now, the thing is, to get those big generators starting, those four 3.6 megawatt generators, well, they need loads of pumps running as well. So you have what's called an emergency generator. Now, this is a genuinely baby generator, 300 kilowatts or so, normally in the accommodation, sometimes up forwards, and that will generate enough power to compress air, to get pumps starting, to get one diesel generator running, which can then bring up the other diesel generators, that will then start the main engine.

If you lose all of those systems, you have what's called a blackout. You lose all electricity. The ship will stop working for a few seconds. There's a few battery-backed things, but nearly everything will stop at that point. And if that happens at an inopportune moment, the Malacca Straits, the English Channel, you lose power. If the main engine stops working, if you lose electricity, you don't have a rudder. If you're not moving forward, the rudder doesn't work. So it's something you really want to avoid.

This is the switchboard room. The left-hand side, you've got what's called a mimic panel. It's all the buttons to control that 6.6 kilovolt system. On the right-hand side, you've got what's called a motor control center. It's all contactors and the control systems that control over the pumps and machines in the engine room.

The 6.6 kilovolt stuff is just scary territory. I remember the first voyage I went on, we used to rack these breakers out after making sure they were dead, just wearing a boiler suit. That's it.
Well, shoes and stuff as well. But there was no specific protection gear. But then there was a really serious accident where someone, I think, lost the front part of their arm because they racked a breaker out without making sure it was isolated, and from that point onwards we had to get these crazy suits on, face masks, use loads of equipment to make sure we're doing it right.

That's the bow thruster. It's a 6.6 kilovolt motor, normally about two, two and a half megawatts, and all it does is move water from one side of the ship to the other, so you can move the front of the ship in and out.

But the reason for having 14 megawatts of power on those generators is actually these things, what we call reefers, refrigerated cargo. So when you take one of these on board, you've got to power it. You've got to plug it into the ship. You've got to get three-phase power to it. Now, for, say, the Southampton, a ship I was on, it took 6,000 TEUs, so 3,000 40-footers. But only 700 of those spaces were allowed to be occupied by reefers, so they were the ones you could plug the power into. It was a hugely time-consuming job, monitoring and keeping them all going.

Now, I don't know if you saw this a while back on Twitter. There was this, this beer map: the largest cargo ships can store 745 million bananas in nearly 15,000 containers. No, no, this just doesn't make sense. What they've done is they've worked out how many bananas if you filled every single container on the ship with bananas.
But there are no ships that can take a full 100% banana load. There's this news, there's new sequences of words happening here. But yeah, ridiculous.

Now, container ships like this operate what's called unmanned machinery space, or UMS. Now, that means as an engineer I can go to work between 8 and 5, and then at 5 o'clock we put it into UMS, and then I can go and have my dinner, chill out in the evening, unlike the deckies, who have to look out the window all of the time. So there's loads of alarms and things going on in the background.

This is the alarm signal light that you get. I'm sure it's got a better name than that. We just call them lights. The top one there, the green one, you never want to see that lit. That's a lifeboat. That means abandon ship. If you see that lit, it's a bit of a game over situation. The one below it, the cog and the fire, means a fire in the machinery space. Again, not great, to be honest. You don't really want to see that, but every now and then it will go off: a bit of oily mist, someone will be welding, something like that.

The one below, it's actually, unfortunately I never got any pictures of this, the whole engine room can be flooded with CO2 if there's a fire. You seal all the doors, you seal all the vents and you dump CO2 into it. On this particular ship it had about 120 of those massive CO2 bottles wired up to a huge manifold, and it would trigger and fill the space. If you're in that space and you see that light come on, you've got 15 seconds to get out before it gets triggered. You'd obviously try not to trigger it with someone in there, but, you know.

The other ones: the cog and machinery line, something's not working quite right. The telegraph one, that's if you happen to ride the sticks on the side of the engine. The next one, unsurprisingly, means the phone's ringing.

Now, when you're in your cabin, when you're having dinner, when you're in the bar, what you have is panels, alarm panels, on the walls of those rooms. And you'll go in as that duty engineer on watch. You're asked to
monitor those alarms that night, and they will come through to this panel. So if you're having lunch and an alarm goes off, you go and have a look, and it will say something like "header tank low level", something like that, and then you're going to investigate it. You'll go back down to the engine room and see what the problem is.

Now, sometimes you'd go down to the engine room and things would have not gone too well. Something bad would be happening, something to make your day unhappy. And there's this big button, well, there's lots of buttons like this, you press, and what that would do is it would alert every single engineer on board and alert the bridge that there was a problem.

Now, one of these problems that we saw: I've got an alarm at lunchtime and I go down to the engine room, and inside that red square there, water was spraying out. That's the high-temperature cooling system, so we're talking water at over a hundred degrees Celsius, because it's slightly pressurized, spraying out of here. Yeah, not a good situation. So what happened was, that header tank at the top there should normally be full. It's like a header tank in any system. We sprung a leak on the main engine and that header tank was dropping down really, really rapidly.

Now, the thing is, that high-temperature cooling system is shared between the diesel generators and the main engine. If we lose that high-temperature cooling system, we lose the main generators, which in turn means that we can't get the main engine started. What we actually did was we got the engine stopped very quickly and we lifted the fuel pump. So what you do is you can literally, that big fuel pump on the middle plates, you can turn a handle on the side of it so that cylinder no longer does anything. There was no longer an immediate requirement for cooling on that cylinder, so we could get underway and then fix the problem.

The other one, and this was, like, this was the worst, worst few weeks of my life.
Maybe that's a bit of an exaggeration. I was asleep in bed, about 10 past seven in the morning, and the general alarm sounds, which is, you know, that's when someone hits that assistance required button. Boiler suit on, straight down to the engine room, and we've got a real situation. About two tons of fuel oil had sprayed out the top of the main engine, all over the engine room. There was a fine mist of oil everywhere.

And what happened is this little tiny pipe that circulates fuel around the main engine all of the time, just to keep it warm, the fuel's got to be kept heated up to 140 degrees, it just gets circulated around, an 8 mil line had come off in the middle of the night and dumped two tons of fuel across the engine. So it's sprayed out. It got everywhere. It was all the way down at the bottom, all over the top plate, all over the bottom plates, in the bilges. It took us weeks, and a crew of about 15 Taiwanese women on board, probably not great that we're employing cheap labor like that, to be honest, but to clean the ship. It was crazy.

Right, we're actually on track for time. So these are just some of the things that, like, people see about ships and think, well, that's cool. But that was 16 years ago. I don't do that anymore; hack stuff for a living.

So why hack a ship? Well, I'll be honest with you, and I still, Speed 2, that's quite a good film. You know, essentially someone on board the ship hacks the ship. And I think a few of you probably last night might have watched Hackers, which also involves the plot line of hacking ships remotely. And I don't know if anybody recognizes that. Yes, Bugs. This is so formative in my career. It was just such a major influence to me when I was a kid. They just got involved with all these crazy plots. I don't know if they ever did actually get a ship that they could hack.

Now, the thing is, when you look at a cruise ship, they're really, really complex.
They're a hotel, they're shops, they're a ship, all these different systems all coming together in one place, and keeping them secure is really, really difficult. Just when you look at the different networks on board: you've got TV. Everybody wants entertainment, so you've got a TV network. You've got your VoIP phones, the ventilation system, the passenger Wi-Fi, the entertainment so that you can watch what's going on in the theater in your cabin. You've got CCTV, hundreds, possibly even thousands of cameras on board these days. You've got your business networks, your normal corporate stuff, third parties like the shops on board. You've got your control networks, the things that, you know, make things move, make things do things, and you've got safety networks as well.

Now, the thing was, when there was a limited number of networks on ships, you had discrete networks. You had an individual cable going between the bridge and the engine room to do the control systems. You'd have a TV cable. You'd have a VoIP cable. But the thing is, that takes up lots and lots of cabling and space. So ships have done what's called converged networks. So they're using VLAN trunks. So they're sending lots and lots of different networks down one physical cable.

Now, from an attacker's perspective, from a hacker's perspective, that means quite a lot. If I just attack that single network, if I plug into the TV socket in my room, my cabin, I don't get much. I just get access to the TV network. However, if I compromise the switch that turns those networks into the VLAN trunk, or literally just unplug the VLAN trunk cable and stick my own machine in it, I've got access to all of those networks.

Cruise ships are divided up into what's called fire zones.
They're also watertight as well. So they're vertical divisions, and this has an impact on how you design the networks on them. You have what are called RDPs, remote distribution points, massive network switches in each one of those fire zones. And to get all of these different signals into the cabins, you have what are called cabin switches. So every pair of cabins will have a cabin switch that does the TV, the VoIP, the water, the lighting, all of those different things. So they go vertically down the ship, so you don't have to make holes going across to carry those cables, splitting to port and starboard for redundancy.

But you've also got other things connected to it. It's a properly converged network. You've got your satellite connection, you've got bridge systems, engine room systems, all going down those cables. That's just a patch panel for one of those RDPs on a ship. You can see the number of cables. It's huge.

So we've got a cabin switch, and our cabin switch is just outside our cabin, so we can physically inspect it. I can open up the panel and I can look at that switch. We can see it's got a TV connected to it. It's got our VoIP phone. It's got what we call the cabin control system, that does lighting, HVAC, door and water. We've got the other cabin, that's also on that switch as well. Now, in the passageways, you've got Wi-Fi access points and CCTV as well, so people want to also dangle those off these cabin switches as well.

Now, those black lines on the left-hand side, they're a trunk. They carry all of these different networks, which means to me as an attacker, I really want to look at that network. So what did we do? Well, we unplugged our TV and our VoIP phone. So now we've got a cable going into our cabin. We then took the cables that the TV and the VoIP are on and we patched them into the trunk. We then put our own switch in the cabin.
So we've looped that VLAN trunk through the TV and VoIP connections, physical connections, into our cabin, on our own switch. And now we can attack those networks at will. We can do what we want to them. That's the kind of situation we've got there. We've opened up that panel and that's that switch.

What can we do with that? Well, it turns out quite a lot. A lot of the time, the TV systems, no one set a password on them. Now imagine if you could change the image on every single TV on board. You could probably cause widespread panic. The VoIP phones, no password. The Wi-Fi and the CCTV, quite often insecure. So in one instance we had control over all 800 CCTV cameras on board.

The other thing's the cabin control system. Now, this is really there to save energy. When you're not in your cabin, you take your card out, the air conditioning and the lights turn off. But you can also turn that and flip it on its head and attack that system. Now, a weird thing is the way that this system works. Rather than the cabins connect through to a server, like we're kind of used to with a lot of IoT and things like that, the cabin control server connected out to the cabins. But that meant, as that attacker who's got network connectivity through to those, we could compromise the cabin control system.

Now, unfortunately, the client, they didn't give us permission to do this, but what we wanted to do was write something on the side of the ship. One of the ships we've been on actually has this as functionality on the bridge. There's a web interface that you can draw on the side of a ship.
I was really, really saddened to find out that on a lot of ships, when they do this, it's literally they get a chart and they write down which cabin, and then they go and turn the lights on in each cabin. Yeah, you don't see behind the curtain.

Another one that we find really useful on ships is the fact that we have physical access to this equipment. Now, most Cisco switches, most Juniper switches, lots of equipment's got a console port, a serial console. And when you connect to that you can do a lot of things. One of those things is called password recovery mode. You can dump the configuration of that switch. The thing with a lot of these is they'll quite often contain passwords or information that can attack other systems. So it's one kind of core principle of security: the compromise of one device should not lead to the compromise of many.

But the thing was, in this instance, we took the config of our switch and we recovered a password. It was encrypted rather than hashed, so we could get that password quite easily. It was a really good password, good quality. And then we thought, well, let's see where it works. Is it just this switch or is it lots of them? And it turns out, actually, that in this case it was only one of those RDPs that it worked on. Someone had forgotten to change that password on the RDP. But we're now getting to this dangerous position where we're starting to get closer and closer to these engine room and bridge systems, the things that let you control the ship.

Don't you remember I said we've got all these motors and we've got the motor control center? They're literally contactors, big relays that turn motors on and off. Now, if I'm physically stood next to them, it doesn't really matter. I can just start and stop. I can press those buttons. So as a hacker, what I want to do is I want to get further and further away from them. I want to do it from outside the engine room. I want to do it from my cabin.
I want to do it from my sofa.

Now, most traditional control systems used to be what we call air-gapped. There was no connection from the control systems through to the business networks and the internet. And the thing is, you come along as an attacker: if I can access the contactor, I can press a button on it. The motor starts, but I'm already there. What's the impact? I could go to the PLC, the controller under, or I could go to the HMI, the display, and trigger something from that perspective, but it's not a great attack. The thing is that people add these jump boxes, pivots between different networks. They want to get data out from the control system to the business network. They want to be able to monitor things. So we're always looking for them, because that means that we can start attacking them from the business network and the internet.

I'm not sure if Ryan's here. He might be. Yes, Ryan's there. Hi Ryan. Ryan said this a few years ago: "Much of hacking is about understanding systems better than those who built them and using that knowledge to do what is supposed to be impossible." And I often find this on ships. This was completely unrelated to ships; it was to do with the crypto wallet. But we get on those ships and what we want to do is we want to understand those systems better than the people who built them. So I'm gonna give you a few examples of how we've done that.

Now, typically we've got this air gap: the bridge and engine room systems on one side, and then we've got the satellite connecting through to the corporate network. You've got the crew welfare network, so you can browse the internet in the evenings.
You might have third parties on board, but there's a gap between them.

Now, one of the major costs in shipping is fuel. You want to make sure your ships are working efficiently, so people put remote monitoring systems in. They gather things like your speed, how much fuel you're consuming, what speed the propellers spin at, all these bits of data. And we could see that there was one of these on a ship. We could see it on the network, but we didn't know where it physically was or what it did, and it took me a long time. Now, at the top there you've got the voyage data recorder, the black box of a ship. That's recording all of those bits of data. But underneath it you've got a panel screwed onto the wall, no label or anything like that. Eventually I unscrewed that and we found this remote monitoring system, literally screwed in a panel behind the wall. No one on the ship knew where it was or what it did.

So it's got Ethernet coming in one side. It's got a connection to the network, which means we can access it from afar. On the other side, it's got serial connections coming into it, carrying data from various systems. But you might notice something about those connections: there's only two wires on each one of them. It's got eight different connections, but there's only two wires. Now, this is a crucial thing. At that point in time you didn't understand how that data was getting between the bridge systems and the monitoring system, but it turns out it was using conventional serial. You've got a receive and a transmit pair. The thing is, with a lot of serial systems like this, what you can do is you can just cut one of the lines. So the data is being transmitted from the bridge systems through to the monitoring system. There is literally no way for me to get data back in the other direction. So in this case the system was secure. It was just confidentiality that'd be the worry.

Another one: this was on a container ship.
We found this little kind of rugged industrial PC in one of the racks, and no one knew what it did. We plugged a monitor into it; it's often the easiest way to find out what something's doing. And we noticed it was running some software, again remote monitoring software, but it was using these little things that convert between IP and serial. So it's converting between that Ethernet world, that TCP/IP world, and that serial line world. After a lot of digging, and I'm talking a lot of digging, we found out where it was physically connected. We had one of them going through to the bridge systems and we had one of them going down to the engine room. We looked at the bridge systems and it turned out, again, that they'd cut one of those two lines. It was just transmitting position and speed data down to the monitoring system. No security impact.

So we moved on to the one that went down to the engine room. I mean, this really was a cable going all the way from the server room just underneath the bridge, 11 decks down into the engine room, and we had to physically trace that cable. It was time-consuming. But this was using something called Modbus. Now, Modbus is a different protocol.
You'll notice that it says request, reply, request, reply. You have to ask for data from the other end before it'll be sent back. What this means is you can't cut one of those wires. You've got to have the ability to transmit data from one end to the other. Now, the thing here was, you weren't just able to request the engine speed. We were also able to change settings on the engine by making requests through to that PLC. Now, unfortunately, we weren't allowed to demonstrate exactly what we could do. We think we could have stopped the engine and made it operate strangely. But again, to do this you'd have to be on the ship.

But then comes in TeamViewer. TeamViewer is everywhere. Now, the thing was, the shipping company wasn't paying for this tracking system anymore. So we had a company with TeamViewer access to a box that had access to main engine systems, who there was no commercial relationship with, and it was TeamViewer. So we had that remote access vector, so we could really, really cause something serious to happen.

Another one: a generator on an offshore support vessel. In there it had these little yellow routers. Now, we could see they only had one network port on the bottom of them, so it was labeled LAN slash one. Now, this is really weird, the idea of one network port going into the bottom of a router that's supposed to secure something. You can't really properly secure something if the network traffic is going in and out of the same port. So again, we tore that ship down. We looked at how it worked and we realized that this router was actually completely pointless. If you wanted to try and secure the traffic by going through the router, fair enough, but we could just set our IP addresses to be the same as the controllers on the generators and that was it. We can pop those generators.

How did we do that? Well, we could do it from the cabin. There were little TV boxes in each one of the cabins. We unplugged the network connection on that.
We had direct network access. Went down into the control room and we could see the brand and make of the controllers there. A little bit of software downloaded for free from the internet, and we could now open and close the contactors that controlled the power coming from those diesel generators.

So, onto the cruise ship. Cruise ship bridges are really, really complex now. They have something called an ICMS, integrated controller monitoring system. It's all the screens. It brings together all of the systems so you can operate them from one central place. You also have something called a safety management system, the SMS. Now, what this does is, if there's an event on the ship that needs evacuation, if there's a fire, flooding, you control it from here. It has access to the watertight doors, the CCTV, aspects of the ICMS system. It glues all of those things together.

But this was my goal. These are called Azipods. They're massive electric motors on the bottom of the ship that both steer and control the speed of the ship. I wanted to get access to one of those. Now, we've already secured network access from the cabin, so I can access some systems that I shouldn't be able to. So from my passenger cabin I've got access to that core network. Now, the thing is, I now want to get to the safety management system or the ICMS, but how am I going to do that? Well, it turns out that when you're evacuating a massive cruise ship, you want that information not only to be in the safety management center but to be available to people at muster points, people involved with the evacuation. So there's a series of rugged tablets that connected via Wi-Fi through to the safety management system, to allow it to be viewed from wherever on the ship. So we had these SMS tablets that access the core network and then through to the SMS network.

So how did we get the password for this system? Yeah. And it's pretty common to find stickers on stuff on ships.
This wasn't off that particular situation, but you can see that the amazing thing was we told them to make the passwords longer on that and, yeah, that's the fix.

So we've now got access to the safety management system: floor plans of the ship, CCTV, lots of things. We had control over the watertight doors, so we could move these massive doors that are below the waterline, that are designed to prevent flooding. Quite serious already. So the safety management system has been compromised.

Now, an interesting thing on cruise ships is they've got three fire alarms that run redundantly, because fire on big ships like that is a major threat. If one of them breaks, nothing bad's gonna happen. If two of them break, you've got to go on to fire watch. You've got to have people walking around the ship making sure nothing's on fire. If all of them break, everybody's gonna get off, or the passengers get off. That's gonna be a big problem if you're away on a cruise. So we thought, let's have a crack at the fire alarm. Turns out the SMS logged into the fire alarm to pull data back from it. That password was stored in a plain text file on the SMS system. We could log into it and we could actually get a VNC remote session onto the fire alarms.

We then looked to the voyage data recorder. Again, if that breaks, the ship cannot sail. So we thought we'd have a look at that. Of course, the default login from the manual worked at the lowest level. We could download a configuration file for the voyage data recorder. We got a load of password hashes. I'll skip over those. Those password hashes quickly gave us a kind of hidden account password. That hidden account, through the web interface, let us edit any file on the voyage data recorder, including the shadow password file. We edited the shadow password file to add our own account, and then we were root on the voyage data recorder.
We could have bricked it. Again, things aren't looking great, are they? We've caused a lot of problems so far, but let's make it worse.

The officers wanted to be able to monitor what was going on on the ICMS system from their cabins, so they built a read-only system. So the officers could connect from their cabins, filtered to that network, to connect through to the ICMS to view. But it was a read-only view. There was no way. It didn't matter what login I gave to the ICMS system, I could not take control of anything from that perspective. But the problem was, we could do what's called a breakout from that ICMS interface. We could break out of it using the print dialogue. It's a really common way of doing things, and we're now admin on that remote box. So I'm no longer using it as it was intended. I'm not using it as a monitoring system, I'm using it as a normal computer. This is really useful to me. I can pivot to other networks from it. So now we've got control over one of these machines within the ICMS security domain. Pretty serious at this point.

The thing was, I wanted to take control of the Azipods. That was another system, and that was labeled and marked in diagrams as connected by serial. Now, the thing with serial is, when you've got serial connections going between two devices like this, if I compromise one endpoint, I can't remote desktop into the other end. I can't SSH into the other end.
I can only kind of send serial signals down. But the thing is, lots of ships, again to save wiring, do something called serial over IP. They bundle lots of serial connections down one physical cable. Now, the thing is, again, if I just want to cause something to happen on a motor, that's fair enough. But I want to use it slightly differently. So I come along, I compromise that endpoint, the machine that I'm on, and now I don't just have to send serial down that TCP/IP connection. I can do remote desktop, I can do SSH, and I can compromise the host at the other side. So we're abusing that connection that people thought was serial only. The interesting thing was the diagrams really did make out that it was serial. It literally, even physically on the box, said serial, and then had Ethernet coming out of it going to Ethernet switches. So people thought you couldn't really impact those other systems.

So we're now several remote desktop connections deep into this system, but we're on the Azipod control system now. Again, there were some vulnerabilities we had to work out there, but we've now got control of that system. It's looking quite serious, to be honest. So yeah, that's me sat there on the ship, from my cabin, able to control the Azipods. Not brilliant. But I'm still on the ship.

Let's make this really bad. I was down in the engine control room. We've got open access to the ship, we can walk about, do what we want, and I noticed that the cabin control system, which is in a separate control room, the hotel control room, had TeamViewer installed, and let's just say the password was not great on that session. And I did have to be on board to get the ID and the password, but that meant that the people who administer, who perform remote access to the cabin control system, also had access to it. So we demoed that and you could connect remotely. So now we've made things really, really quite bad.
The cabin control system is connected to the internet, so we've compromised that. But how are we going to get from the cabin control system through to the ICMS? Well, it turns out the cabin control system has to adjust how it operates based on things like sea water temperature and air. Where'd it get that from? It gets it from the ICMS. So now we've got another connection, but what is that connection? Well, lo and behold, it's Modbus again, but it's Modbus TCP. It's over an Ethernet connection. So although normally what's meant to happen is you'd say, "What temperature's the sea water?" and you get the temperature of the sea water back, in this case we RDP'd from the cabin control system through to the ICMS, and we've now got remote compromise.

So, yeah, completely remotely we were able to get onto this cruise ship and take control of the Azipods. So from the internet: compromise the cabin control system using TeamViewer; compromise that ICMS remote platform, because we know how that works, we can break out of it; compromise what's called a PAC, a programmable automation controller, in the engine room, another story for another day; and then compromise the Azipod system. So, yeah, that's the actual screenshot of me on TeamViewer at home, connected to the Azipod system on a gigantic cruise ship. I did ask if I could actually steer it and they were like, "I don't think so. That's a little bit dangerous." Oh well.

So is this kind of stuff gonna happen? We had on-board access for days. In fact, we were on board for 22 man days to work out all of this stuff. We found lots of other problems, but we had inside access. We had diagrams. We could unplug stuff. We could trace stuff. People weren't asking us what we were doing. I think the chance of that long chain of exploits ever actually occurring, by someone who wasn't on board, who didn't know the systems, is very low. But now our client knows about all of those issues and has applied controls to stop them being problems.

Should you go on a cruise?
Not if I'm on it. Interestingly, we've also managed to pay for food as the captain in restaurants. There's lots of other things. We've been able to get free Wi-Fi as well on certain cruise lines. They charge a fortune. But no, they're safe. I wouldn't go on a cruise personally, but I don't think they're gonna be hacked.

So, yeah, I was gonna talk briefly about how to get into information security, but if anybody is interested, come and grab me afterwards to have a chat. I love talking about ships. I love talking about hacking. My voice is going a bit. So I do hope you enjoyed that, I hope you learned something, and enjoy the rest of your EMF Camp.
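
The talk describes Modbus links that were installed only to read values (engine data, sea water temperature) but, being request/reply, could also carry writes to the controller. The following is an added example, not part of the talk and not any vendor's code: a Python check, suitable for a gateway or for reviewing a capture, that allows only read function codes inside the register range a monitoring system needs. The register range and the sample frames are constructed assumptions.

```python
import struct

# Function codes that only read from the device.
READS = {1: "Read Coils", 2: "Read Discrete Inputs",
         3: "Read Holding Registers", 4: "Read Input Registers"}
# Function codes that change state on the device.
WRITES = {5: "Write Single Coil", 6: "Write Single Register",
          15: "Write Multiple Coils", 16: "Write Multiple Registers",
          22: "Mask Write Register", 23: "Read/Write Multiple Registers"}


def build_request(tid, unit, func, payload):
    """Build a Modbus TCP request: 7-byte MBAP header, function code, payload."""
    return struct.pack(">HHHB", tid, 0, len(payload) + 2, unit) + bytes([func]) + payload


def check_request(frame, allowed):
    """Verdict for one request on a link that should be monitoring only.

    `allowed` is the range of register addresses the monitoring system needs.
    """
    if len(frame) < 8:
        return "block: truncated frame"
    _tid, proto, length, _unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0 or length != len(frame) - 6:
        return "block: malformed MBAP header"
    func, pdu = frame[7], frame[8:]
    if func in WRITES:
        return f"block: write function {func} ({WRITES[func]})"
    if func not in READS:
        return f"block: function {func} not on the read allowlist"
    if len(pdu) != 4:
        return "block: bad read request length"
    start, qty = struct.unpack(">HH", pdu)
    end = start + qty - 1
    if qty == 0 or start not in allowed or end not in allowed:
        return f"block: registers {start}..{end} outside monitored range"
    return f"allow: {READS[func]} {start}..{end}"


# Constructed sample traffic (not captured from any real vessel).
MONITORED = range(100, 110)  # assumed register range for the monitored values
SAMPLES = [
    build_request(1, 1, 3, struct.pack(">HH", 100, 2)),  # read two registers
    build_request(2, 1, 6, struct.pack(">HH", 100, 0)),  # write one register
    build_request(3, 1, 3, struct.pack(">HH", 108, 4)),  # read runs past the range
    build_request(4, 1, 8, struct.pack(">HH", 0, 0)),    # diagnostics function
]


def audit(frames, allowed=MONITORED):
    """Return one verdict string per request frame."""
    return [check_request(f, allowed) for f in frames]


if __name__ == "__main__":
    for verdict in audit(SAMPLES):
        print(verdict)
```

Unlike the cut transmit wire on a one-way serial feed, this is a software control, so it only helps if it runs on a device the monitoring host cannot reconfigure.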