Hackers Can Hijack, Sink Ships: Researchers

Insecure configurations and vulnerabilities in communications and navigation systems can allow hackers to remotely track, hijack and sink ships, according to researchers at penetration testing and cybersecurity firm Pen Test Partners. In October 2017, Pen Test Partners presented its research into vulnerabilities affecting the satellite communications (satcom) systems used by vessels.

The company has continued to analyze software and hardware used in the maritime industry and has found serious flaws in both. It has also created an interactive map that can be used to track vulnerable ships. The tracker combines Shodan data with GPS coordinates and can show vulnerable ships in real time; however, the company will only periodically refresh the data shown on the map, in an effort to prevent abuse.

The satellite communications system is the component that exposes ships to remote attacks, as shown by Pen Test Partners last year and, at around the same time, by researchers at IOActive. While there are some vulnerabilities in these systems themselves, the main issue is that many satcom terminals are still running with default credentials, allowing unauthorized users to gain admin-level access.

Many of the security holes disclosed this week by Pen Test Partners can be mitigated by setting a strong administrator password on the satcom terminal. Other serious issues discovered by the researchers have been reported to Cobham, whose Fleet One terminal was used in the experiments, and have not been disclosed. According to the researchers, once an attacker gains access to the terminal, they can replace the firmware, since the terminal does not properly validate firmware images, or downgrade it to an older and more vulnerable version, and they can edit the web application running on the terminal.

Experts also discovered poorly protected admin passwords in configuration files. An even bigger problem, researchers warn, is that once an attacker has access to the satcom terminal, they can move laterally to other systems on board.

One of them is the Electronic Chart Display and Information System (ECDIS), which vessels use for navigation. Since the ECDIS can be connected directly to the autopilot, hacking it can allow an attacker to take control of a ship.

"We tested over 20 different ECDIS units and found all sorts of crazy security flaws. Most ran old operating systems, including one popular in the military that still runs Windows NT," explained Pen Test Partners researcher Ken Munro.

In one case, the ECDIS had a poorly protected configuration interface that allowed an attacker to spoof the position of the GPS receiver on the ship and make the vessel "jump" to a slightly different location. Reconfiguring the ECDIS can also allow an attacker to change the size of the targeted ship as reported to nearby vessels via the automatic identification system (AIS).

"So, simply spoof the ECDIS using the vulnerable config interface, 'grow' the ship and 'jump' it into the shipping lanes," Munro explained. "Other ships' AIS will alert the ship's captain to a collision scenario. It would be a brave captain indeed to continue down a busy, narrow shipping lane whilst the collision alarms are sounding. Block the English Channel and you may start to affect our supply chain."

Another attack scenario described by Pen Test Partners targets the operational technology (OT) systems on board a ship. These systems control steering, engines, ballast pumps and other components, and they communicate via the NMEA 0183 protocol. Since NMEA 0183 messages carry no authentication or encryption (their only integrity check is an XOR checksum that anyone on the wire can recompute), a man-in-the-middle (MitM) attacker can modify the data and, for example, inject small errors that would cause the ship to alter its course when the autopilot is engaged, researchers warn.
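A concrete illustration of the NMEA 0183 point, added here as an example and not code from Pen Test Partners' research: the sentence format's only integrity mechanism is an XOR checksum that any on-path device can recompute, so an attacker sitting between the GPS receiver and the autopilot can nudge the course field, re-stamp the checksum, and the receiving system has no way to tell. The RMC sample sentence, the attacker helper `mitm_alter_course` and the field index constant are constructed for this example.

```python
"""Added example: why an NMEA 0183 checksum does not stop a man-in-the-middle.

NMEA 0183 frames look like  $<talker><type>,<field>,...*<hh>\r\n  where <hh> is
the XOR of every byte between '$' and '*'.  There is no key, so the checksum
only detects line noise; anyone on the wire can rewrite a field and re-stamp it.
"""
from typing import List, Tuple


def nmea_checksum(body: str) -> str:
    """XOR every byte of the text between '$' and '*', as two upper-case hex digits."""
    cs = 0
    for byte in body.encode("ascii"):
        cs ^= byte
    return f"{cs:02X}"


def build_sentence(fields: List[str]) -> str:
    """Assemble a sentence from its comma-separated fields and append a valid checksum."""
    body = ",".join(fields)
    return f"${body}*{nmea_checksum(body)}\r\n"


def parse_sentence(line: str) -> Tuple[List[str], bool]:
    """Split a sentence into fields and report whether its checksum matches.

    Raises ValueError if the line is not framed as an NMEA 0183 sentence.
    """
    line = line.strip()
    if not line.startswith("$") or "*" not in line:
        raise ValueError("not an NMEA 0183 sentence")
    body, _, claimed = line[1:].partition("*")
    return body.split(","), claimed.upper() == nmea_checksum(body)


# Constructed sample: an RMC (recommended minimum) fix with course over ground 084.4 deg true.
# Field layout: GPRMC,time,status,lat,N/S,lon,E/W,speed_kn,course_deg,date,magvar,E/W
ORIGINAL_RMC = build_sentence(
    ["GPRMC", "123519", "A", "4807.038", "N", "01131.000", "E",
     "022.4", "084.4", "230394", "003.1", "W"]
)

RMC_COURSE_INDEX = 8  # course over ground, degrees true (constructed constant for this example)


def mitm_alter_course(line: str, delta_deg: float) -> str:
    """Hypothetical on-path attacker: shift the RMC course field and re-stamp the checksum.

    A small, plausible delta is enough; an autopilot that trusts the sentence
    will steer to the altered course.
    """
    fields, _ = parse_sentence(line)
    if not fields[0].endswith("RMC"):
        raise ValueError("expected an RMC sentence")
    course = float(fields[RMC_COURSE_INDEX])
    fields[RMC_COURSE_INDEX] = f"{(course + delta_deg) % 360:05.1f}"
    return build_sentence(fields)  # fresh checksum: the receiver cannot tell


if __name__ == "__main__":
    tampered = mitm_alter_course(ORIGINAL_RMC, 0.5)
    for label, sentence in (("original", ORIGINAL_RMC), ("tampered", tampered)):
        fields, ok = parse_sentence(sentence)
        print(f"{label}: course={fields[RMC_COURSE_INDEX]} checksum_ok={ok}")
    # A field edit WITHOUT re-stamping the checksum is the only thing the checksum catches.
    print("naive edit checksum_ok =", parse_sentence(ORIGINAL_RMC.replace("084.4", "084.9"))[1])
```

The takeaway for anyone segmenting a bridge network: the checksum is a line-noise detector, not a message authentication code, so a serial-to-IP gateway or any host on the OT segment that can see the NMEA stream can forge it. Protection has to come from keeping that segment unreachable from the satcom terminal and the business LAN, not from the protocol itself.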

"The advent of always-on satellite connections has exposed shipping to hacking attacks. Vessel owners and operators need to address these issues quickly, or more shipping security incidents will occur. What we've only seen in the movies will quickly become reality," Munro concluded.

Related: Maritime Cybersecurity - Securing Assets at Sea

Related: China-linked Hackers Target Engineering and Maritime Industries

Facebook Admits Privacy Settings 'Bug' Affecting 14 Million Users

Facebook acknowledged Thursday a software glitch that changed the settings of some 14 million users, potentially making some posts public even if they were intended to be private. The news marked the latest in a series of privacy embarrassments for the world’s biggest social network, which has faced a firestorm over the hijacking of personal data on tens of millions of users and more recently for disclosures on data-sharing deals with smartphone makers. Erin Egan, Facebook’s chief privacy officer, said in a statement that the company recently “found a bug that automatically suggested posting publicly when some people were creating their Facebook posts.”

Facebook said this affected users posting between May 18 and May 27 as it was implementing a new way to share some items such as photos. That left the default or suggested method of sharing as public instead of only for specific users or friends. Facebook said it corrected the problem on May 22 but was unable to change all the posts, so is now notifying affected users.

“Starting today we are letting everyone affected know and asking them to review any posts they made during that time,” Egan said. “To be clear, this bug did not impact anything people had posted before — and they could still choose their audience just as they always have. We’d like to apologize for this mistake.”

Facebook confirmed earlier this week that China-based Huawei — which has been banned by the US military and is a lightning rod for cyberespionage concerns — was among device makers authorized to see user data in agreements that had been in place for years. Facebook has claimed the agreements with some 60 device makers dating from a decade ago were designed to help the social media giant get more services into the mobile ecosystem. Nonetheless, lawmakers expressed outrage that Chinese firms were given access to user data at a time when officials were trying to block their access to the US market over national security concerns.

The revelations come weeks after chief executive Mark Zuckerberg was grilled in Congress about the hijacking of personal data on some 87 million Facebook users by Cambridge Analytica, a consultancy working on Donald Trump’s 2016 presidential campaign.