NZISIG - Why Standards are like sausages

Tom Isaacson

June 27, 2017

Transcript

  1. Why Standards are like sausages
    “Laws, like sausages, cease to inspire respect in proportion as we know how they are made.” - Otto von Bismarck or John Godfrey Saxe.
    Tom Isaacson @parsley72
  2. Insecure Career
    • Degree in Software Engineering
    • 5 years making broadcast TV equipment
    • 3 years contracting in Germany doing dashboard software
    • 5 years at Navman writing GPS navigation
    • 3 years at NextWindow doing production SW for touchscreens
    • 5 years doing Marine electronics
  3. “Hacker Demonstrates Attack on Superyacht IT Systems” May 2017
    http://maritime-executive.com/article/hacker-demonstrates-attack-on-superyacht-it-systems
    The key vulnerability was the high-power WiFi router. "Owners like to have strong WiFi . . . But this means that the network extends quite far from the actual ship to other vessels and the shore".
    GPS spoofing presents another maritime cyber challenge – not just for yacht owners, but for merchant shipping as well. In 2013, college students and researchers from UT Austin managed to divert the yacht White Rose with a spoofing device, without setting off alarms or raising the suspicions of the bridge team. When they transmitted a fake signal to the yacht's GPS antenna, the chart plotter on the bridge showed that the vessel had drifted "off course." The crew altered the yacht's heading to compensate. In actuality, they were turning the vessel off its intended course because their GPS showed a false, offset position.
    https://youtu.be/ctw9ECgJ8L0
  4. Marine security is a bit shit
    • Standards in place today weren’t designed with security in mind.
  5. US6199204 Distribution of software updates via a computer network
    • http://share.analytics.patsnap.com/view/793C3109E6D2251047DD97E53A56B621CD2AA2399EA15744
    • Application Date: Sep 22, 1998 from IBM
    • “the information is a product identifier which is provided by the updater component to a search engine to initiate a search to identify the relevant network location at which are stored the software resources for implementing updates to that product. This search may be performed by a conventional Internet (or other network) search engine which is called by the updater component. When the search engine returns an identification of the network location, the updater component retrieves from this location a list of available relevant updates, checks the list against the locally held software product version and against predefined update criteria, and retrieves the update resources onto the local computer system if those criteria are satisfied.”
  6. GPS is insecure
    • Designed in 1972/3.
    • Medium earth orbit NOT geostationary
    • 20,200 km, 12 hour orbit
    • Kiwicon 8: Ammon Ra hacked an ankle bracelet
  7. GPS jamming by accident
    http://www.newscientist.com/article/dn20202-gps-chaos-how-a-30-box-can-jam-your-life.html
    • January 2007, San Diego:
      • Two navy ships in harbour were conducting a training exercise. To test procedures when communications were lost, technicians jammed radio signals which also blocked radio signals from GPS across the city.
      • Air traffic control, pagers, traffic management for boats, cellphones, ATMs failed.
  8. GPS jamming for fun
    • In 2010 an experiment was conducted in the North Sea aboard the THV Galatea, a 500-tonne ship. They used a simple jamming device that blocked GPS.
    • The ship went haywire. According to the electronic display on the ship's bridge, the Galatea was suddenly flying at Mach speeds over northern Europe and Ireland. Then alarms sounded. The ship's navigation backup – its gyrocompass – crashed, because it uses GPS to provide corrections. The radar did the same. Even the ship's satellite communications failed, because GPS points the antenna in the right direction.
  9. GPS jamming by friends of Trump
    • http://www.popularmechanics.com/military/weapons/a20289/north-korea-jamming-gps-signals/
    • Fourth round of GPS jamming by North Korea since 2010.
    • Previous attacks have affected approximately 1,000 civil aircraft and unmanned aerial vehicles of the South Korean military.
    • An attack in 2012 reportedly affected GPS-based car navigation systems in the capital city of Seoul.
  10. GPS improvements
    • Kiwicon X: gpsnitch by Karit (Dave)
    • https://github.com/zxsecurity/gpsnitch
  11. GPS serial protocol
    • National Marine Electronics Association - NMEA 0183
    • $GPGGA,092750.000,5321.6802,N,00630.3372,W,1,8,1.03,61.7,M,55.2,M,,*76
    • $GPGSA,A,3,10,07,05,02,29,04,08,13,,,,,1.72,1.03,1.38*0A
    • $GPGSV,3,1,11,10,63,137,17,07,61,098,15,05,59,290,20,08,54,157,30*70
    • $GPGSV,3,2,11,02,39,223,19,13,28,070,17,26,23,252,,04,14,186,14*79
    • $GPGSV,3,3,11,29,09,301,24,16,09,020,,36,,,*76
    • $GPRMC,092750.000,A,5321.6802,N,00630.3372,W,0.02,31.66,280511,,,A*43
    • $GPGGA,092751.000,5321.6802,N,00630.3371,W,1,8,1.03,61.7,M,55.3,M,,*75
    • $GPGSA,A,3,10,07,05,02,29,04,08,13,,,,,1.72,1.03,1.38*0A
    • $GPGSV,3,1,11,10,63,137,17,07,61,098,15,05,59,290,20,08,54,157,30*70
    • $GPGSV,3,2,11,02,39,223,16,13,28,070,17,26,23,252,,04,14,186,15*77
    • $GPGSV,3,3,11,29,09,301,24,16,09,020,,36,,,*76
    • $GPRMC,092751.000,A,5321.6802,N,00630.3371,W,0.06,31.66,280511,,,A*45
  12. Automatic Identification System (AIS)
    • Automatic tracking system used for collision avoidance on ships.
    • Designed in 1990s.
    • Broadcast information at regular intervals via VHF.
    • Maritime Mobile Service Identity (MMSI).
    • Position, speed, navigational status, vessel name, VHF call sign.
  13. Hacking AIS
    • Blackhat ASIA 2014: “AIS Exposed - Understanding Vulnerabilities & Attacks 2.0”, Dr. Marco Balduzzi – @embyte Senior Research Scientist, Trend Micro Research (Kyle Wilhoit and Alessandro Pasta).
    • https://www.blackhat.com/docs/asia-14/materials/Balduzzi/Asia-14-Balduzzi-AIS-Exposed-Understanding-Vulnerabilities-And-Attacks.pdf
    • Spoofing online providers
    • Hijacking gateway
    • RF spoofing, MOB spoofing
    • RF Denial of Service
    • Fake a Closest Point of Approach (CPA) alert
    • Malicious Weather Forecasting
  14. Radio Technical Commission for Maritime Services (RTCM)
    • Special Committee 133 on Data Exchange for Navigation-Related Internet Connected Applications http://rtcm.info/sc133/
    • “Internet-Based Automatic Identification System Services (AIS-i)”
    • 5 votes for, 1 against.
    • “Decisions are made by those who show up” - Harry Truman or Woody Allen or President Josiah Bartlet or his press secretary C.J. Cregg.
  15. Internet-Based Automatic Identification System Services (AIS-i)
    • Low-cost solution for smaller vessels.
    • Works alongside AIS but doesn’t feed into it.
    • App connected to internet (e.g. via 3G)
    • Mobile phone
    • Chartplotter
    • Doesn’t require MMSI.
    • Reports vessel location.
    • Queries for list of other vessels in location and shows on map.
  16. Login
    • This endpoint allows the client app to verify user’s credentials and retrieve available vessels for the user.
    • Method: POST
    • Headers:
      • Content-Type : application/json
      • Content-Length :
      • X-ApiKey : xxxxxxxxxx
    • URL: http://ais-i.com:11001/api/login
    • HTTP Content:
      • {"version":24, "userName": "test1" ,"password":"xxxxxx"}
  17. Login return
    Name (Type): Description
    • userID (Integer): User’s AIS-i ID number. Example Values: 12345
    • screenName (String): User’s AIS-i Password. Example Values: “password”
    • Vessels [ … ]: Array of Vessels Owned by User
      • VesselID (Integer): ID of a Vessel Registered by User. Example Values: 12345
      • VesselName (String): Name of Vessel Registered by User. Example Values: 12345
      • ParentID (Integer): UserID of vessel owner
      • MMSI_AB (Integer): MMSI Number
    • authorizedVessels [ … ]: Array of Other’s Vessels User is Authorized to Use
      • VesselID (Integer): ID of a Vessel Registered by User. Example Values: 12345
      • VesselName (String): Name of Vessel Registered by User. Example Values: 12345
      • ParentID (Integer): UserID of vessel owner
      • MMSI_AB (Integer): MMSI Number
  18. Send Vessel Telemetry
    • This endpoint allows the client app to report attitude on the current user’s vessel to the server.
    • Method: POST
    • Headers:
      • Content-Type : application/json
      • Content-Length : XXX
      • X-ApiKey : xxxxxxxxxx
    • URL: http://ais-i.com:11001/api/vesseltelemetry
    • Http Content: JSON Object with following Parameters
  19. Send Vessel Telemetry parameters
    Name (Type): Description
    • vesselId (Integer): ID of a Vessel to send telemetry for. Example Values: 12345
    • lat (Float): Latitude. Example Values: 123.456
    • lon (Float): Longitude. Example Values: 123.456
    • cog (Float): Course Over Ground. Example Values: 123.456
    • sog (Float): Speed Over Ground. Example Values: 123.456
    • heading (Float): True Heading. Example Values: 123.456
    • vertAcc (Float): Vertical Accuracy of Altitude. Example Values: 123.456
    • horizAcc (Float): Horizontal Accuracy of Latitude and Longitude. Example Values: 123.456
    • altitude (Float): Altitude. Example Values: 123.456
    • userId (Integer): User ID of User that’s reporting telemetry. Example Values: 12345
  20. Other issues
    • No API to register user.
    • No API to register vessel.
    • This specification is also supposed to cover the server, but doesn’t say anything about security, scalability or fault tolerance.
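
Added example (not from the deck and not gpsnitch's code): the NMEA 0183 checksum seen on slide 11 is an unkeyed XOR, so it catches line noise but says nothing about where a sentence came from. A receiver can still check that the speed implied by consecutive fixes is physically plausible, the kind of jump slide 8 describes. The 40-knot limit, the function names and the two constructed sentences are assumptions for illustration.

```python
import math
from functools import reduce

SLIDE_GGA = [  # the two GGA sentences shown on slide 11
    "$GPGGA,092750.000,5321.6802,N,00630.3372,W,1,8,1.03,61.7,M,55.2,M,,*76",
    "$GPGGA,092751.000,5321.6802,N,00630.3371,W,1,8,1.03,61.7,M,55.3,M,,*75",
]

def nmea_checksum(body):
    """XOR of every character between '$' and '*', as two hex digits."""
    return "%02X" % reduce(lambda acc, ch: acc ^ ord(ch), body, 0)

def checksum_ok(sentence):
    body, sep, given = sentence.strip().lstrip("$").partition("*")
    return sep == "*" and given.upper() == nmea_checksum(body)

def to_degrees(value, hemisphere):
    deg, minutes = divmod(float(value), 100)  # NMEA packs (d)ddmm.mmmm
    return (deg + minutes / 60) * (-1 if hemisphere in ("S", "W") else 1)

def parse_gga(sentence):
    """Return (seconds_of_day, lat, lon) from a GGA sentence."""
    f = sentence.strip().lstrip("$").partition("*")[0].split(",")
    secs = int(f[1][:2]) * 3600 + int(f[1][2:4]) * 60 + float(f[1][4:])
    return secs, to_degrees(f[2], f[3]), to_degrees(f[4], f[5])

def knots(a, b):
    """Implied speed between two fixes (1 minute of latitude = 1 nautical mile)."""
    dlat = (b[1] - a[1]) * 60
    dlon = (b[2] - a[2]) * 60 * math.cos(math.radians((a[1] + b[1]) / 2))
    return math.hypot(dlat, dlon) / ((b[0] - a[0]) / 3600)

def audit(sentences, max_knots=40.0):
    """Label each GGA sentence ok, bad-checksum or implausible-speed."""
    verdicts, last = [], None
    for s in sentences:
        fix = parse_gga(s) if checksum_ok(s) else None
        if fix is None:
            verdict = "bad-checksum"
        elif last and fix[0] > last[0] and knots(last, fix) > max_knots:
            verdict = "implausible-speed"
        else:
            verdict, last = "ok", fix  # only trusted fixes become the reference
        verdicts.append(verdict)
    return verdicts

# Constructed: 60 nm further north one second later, and a slide sentence with one digit altered.
JUMP = "GPGGA,092752.000,5421.6802,N,00630.3371,W,1,8,1.03,61.7,M,55.3,M,,"
CORRUPT = SLIDE_GGA[0].replace("5321", "5322")
SAMPLE = SLIDE_GGA + ["$%s*%s" % (JUMP, nmea_checksum(JUMP)), CORRUPT]
print(list(zip(audit(SAMPLE), SAMPLE)))
```

The constructed jump sentence carries a correct checksum and is still flagged, which is why the plausibility check has to sit alongside the checksum rather than replace it.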