2. Goal of the talk
Identification of potential security flaws in a marine context using the most recent asset-oriented hacking techniques.
Potential scenarios pirates could pursue targeting a vessel:
1- Compromised communications.
2- Malfunctioning/Sabotage of PLC systems
3- GPS precise fleet position discovering
3. Key concept
A.P.T. (Advanced Persistent Threat): Refers to a group with both the capability and the intent to persistently and effectively target a specific entity.
Advanced: Intelligence-gathering techniques
Persistent: Not opportunistic
Threat: Capability and Intent
4. Are sea pirates an A.P.T.?
Persistent: Hijacking from early 90s.
Threat: 53 ships in 2010
But...could they become
Advanced?
7. Cyberattacks make them Advanced
Intelligence-gathering: Information Systems Intrusion
Communications interception: Fake base station techniques
Satellite Imaging: Google Maps, Bing...
8. Classic Cyberattacks: IP oriented
Every device connected to the Internet has an IP address
Basic steps of a "classical" Hacker (Not Persistent)
IP ranges scan for listening services
Target Characterization
Investigate vulnerabilities and exploits
9. New Cyberattacks: Asset oriented
Asset oriented search engine.
Basic steps of a "Persistent" Hacker (Addressed to a certain target)
Search for a concrete target in Shodan: e.g. Router Model
Find exploit in Shodan
A much faster and more straightforward technique!
10. DEMO: Quick hacking session
Search for USAL assets: hostname:usal.es
Find vulnerable ones. (But be nice to them :)
http://www.shodanhq.com
19. Communications interception
By Tsaitgaist [see http://commons.wikimedia.org/wiki/File%3AGsm_structures.svg for license], via Wikimedia Commons
22. Communications interception
A5/x Cryptanalysis | No real time. Needs saved transmission. | Look up tables, CUDA/GPUs | Very costly
Fake base station | Close to the target | Micro BTS, Freq. inhibitor for 3G, openBSC, openBTS | Less than 10k€
Cellphone baseband modification | Close to the target. No GPRS by now. Experimental | Motorola C123,155, OsMoComBB | Less than 13$!!!
30. Sabotage
Stuxnet (Infects PLCs from FieldPGs) | Very sophisticated. Deeply targeted at PLCs. Espionage | 4 Zero-days vulnerabilities. 2 stolen digital certificates. | Extremely expensive
ScadaTrojans (Infects PLCs from SCADAs) | Inspired by Stuxnet but "Low cost" | Needs an infection pathway to install a client side modified file. 3 Zero-days. | Cheaper
40. Intelligence gathering
Asset oriented hacking | Depends on manufacturer's security | Internet connection. Computer. Classic hacking tools. | Extremely cheap
41. DEMO: Quick asset-oriented search session
Membrane Biological Reactor, Merchant Vessels, Worldwide
Control system solution comprises: Siemens S7-300 PLC with MP
HMI and S7-200 PLC based control systems and networking for the
water treatment systems.
Search for Maritime related assets:
Zynetix MaritimeGSM, S7-300, advantech
http://www.shodanhq.com
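Added example (not part of the original slides): a defender-side view of the asset-oriented search from slides 9 and 41, checking which hosts in a fleet's own address space would be found by product keyword in a banner index. The banner records, network ranges and function names are constructed assumptions; the keywords are the ones listed on slide 41.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample records (not real scan data); IPs are RFC 5737 documentation ranges.
SAMPLE_BANNERS = [
    {"ip": "192.0.2.10", "port": 102, "banner": "Siemens SIMATIC S7-300"},
    {"ip": "192.0.2.44", "port": 80, "banner": "HTTP/1.1 200 OK Server: Advantech HMI"},
    {"ip": "192.0.2.77", "port": 443, "banner": "HTTP/1.1 200 OK Server: nginx"},
    {"ip": "198.51.100.5", "port": 80, "banner": "Zynetix MaritimeGSM admin"},
    {"ip": "203.0.113.9", "port": 102, "banner": "Siemens SIMATIC S7-300"},  # not ours
]
OWN_NETWORKS = ["192.0.2.0/24", "198.51.100.0/24"]  # assumed fleet/shore ranges
ASSET_KEYWORDS = ["S7-300", "advantech", "MaritimeGSM"]  # terms from slide 41


def build_index(records):
    """Inverted index: banner token -> set of (ip, port). Built once, queried by asset."""
    index = defaultdict(set)
    for rec in records:
        for token in re.findall(r"[a-z0-9][a-z0-9-]*", rec["banner"].lower()):
            index[token].add((rec["ip"], rec["port"]))
    return index


def exposed_own_assets(index, keywords, own_networks):
    """Return {keyword: [(ip, port), ...]} for indexed hosts inside our own networks."""
    nets = [ipaddress.ip_network(n) for n in own_networks]
    findings = {}
    for kw in keywords:
        hits = sorted(
            (ip, port)
            for ip, port in index.get(kw.lower(), ())
            if any(ipaddress.ip_address(ip) in net for net in nets)
        )
        if hits:
            findings[kw] = hits
    return findings


if __name__ == "__main__":
    idx = build_index(SAMPLE_BANNERS)
    for kw, hosts in exposed_own_assets(idx, ASSET_KEYWORDS, OWN_NETWORKS).items():
        for ip, port in hosts:
            print(f"{kw}: {ip}:{port} is findable by product name; restrict or remove exposure")
```

The lookup is a dictionary hit per keyword rather than a sweep over address ranges, which is the speed difference slide 9 points at.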
42. Conclusions
Pirates should be considered an APT.
They could virtually use Cyberattacks to hijack vessels
more easily.
Complex Cyberattacks are more and more affordable.
A ship may become, practically speaking, an Internet node with all its risks (which should be managed).
Let's be on the lookout!