HackDig : Dig high-quality web security articles for hackers

Maritime Security: Hacking into a Voyage Data Recorder (VDR)

2015-12-09 21:10

by Ruben Santamarta @reversemode

In 2014, IOActive disclosed a series of attacks that affect multiple SATCOMdevices, some of which are commonly deployed on vessels. Although there is nodoubt that maritime assets are valuable targets, we cannot limit the attacksurface to those communication devices that vessels, or even large cruise ships,are usually equipped with. In response to this situation, IOActive providesservices to evaluate the security posture of the systems and devices that makeup the modern integrated bridges and engine rooms found on cargo vessels andcruise ships. [1]

There are multiple facilities, devices, and systems located on ports andvessels and in the maritime domain in general, which are crucial to maintainingsafe and secure operations across multiple sectors and nations.

Port security refers to protecting all of these assets from acts of piracy,terrorism, and other unlawful activities, such as smuggling. Recent activity appearsto demonstrate that cyberattacks against this sector may have beenunderestimated. As threats evolve, procedures and policies must improve to takethese new attack scenarios into account. For example, https://www.federalregister.gov/articles/2014/12/18/2014-29658/guidance-on-maritime-cybersecurity-standards

This blog post describes IOActive’s research related to one type of equipmentusually present in vessels, Voyage Data Recorders (VDRs). In order tounderstand a little bit more about these devices, I’ll detail some of theinternals and vulnerabilities found in one of these devices, the FurunoVR-3000.

What is aVoyage Data Recorder?

(http://www.imo.org/en/OurWork/Safety/Navigation/Pages/VDR.aspx ) A VDR isequivalent to an aircraft’s ‘BlackBox’. These devices record crucial data, suchas radar images, position, speed, audio in the bridge, etc. This data can be usedto understand the root cause of an accident.


Several years ago, piracy acts were on the rise. Multiple cases were reportedalmost every day. As a result, nation-states along with fishing and shippingcompanies decided to protect their fleet, either by sending in the military or hiringprivate physical security companies.

On February 15, 2012, two Indian fishermen were shot by Italian marinesonboard the Enrica merchant vessel, who supposedly opened fire thinking theywere being attacked by pirates. This incident caused a serious diplomaticconflict between Italy and India, which continues to the present. https://en.wikipedia.org/wiki/Enrica_Lexie_case

'Mysteriously', the data collected from the sensors and voice recordingsstored in the VDR during the hours of the incident was corrupted, making ittotally unusable for authorities to use during their investigation.  As this story, from Indian Times, mentions theVDR could have provided authorities with crucial clues to figure out whatreally happened.

Curiously, Furuno was the manufacturer of the VDR that was corrupted inthis incident. This Kerala High Court’s document covers this fact: http://indiankanoon.org/doc/187144571/ However, we cannot say whether the model Enrica Lexie was equipped withwas the VR-3000. Just as a side note, the vessel was built in 2008 and theFuruno VR-3000 was apparently released in 2007.

Just a few weeks later, on March 1, 2012, the Singapore-flagged cargoship MV. Prabhu Daya was involved in a hit-and-run incident off the KeralaCoast. As a result, three fishermen were killed and one more disappeared andwas eventually rescued by a fishing vessel in the area. Indian authoritiesinitiated an investigation of the accident that led to the arrest of the MV.Prabhu Daya’s captain.

During that process, an interesting detail was reported in several Indiannewspapers.

So, What’sGoing on Here?

From a security perspective, it seems clear VDRs pose a reallyinteresting target. If you either want to spy on a vessel’s activities ordestroy sensitive data that may put your crew in a difficult position, VDRs arethe key.

Understanding a VDR's internals can provide authorities, or third-parties,with valuable information when performing forensics investigations. However, theability to precisely alter data can also enable anti-forensics attacks, asdescribed in the real incident previously mentioned.

As usual, I didn’t have access to the hardware; but fortunately, Iplayed some tricks and found both firmware and software for the target VDR. Thedetails presented below are exclusively based on static analysis and user-modeQEMU emulation (already explained in a previous blog post). [2]

Figure: Typical architecture of aVR-3000

Basically, inside the Data Collecting Unit (DCU) is a Linux machine withmultiple communication interfaces, such as USB, IEEE1394, and LAN. Also insidethe DCU, is a backup HDD that partially replicates the data stored on the DataRecording Unit (DRU). The DRU is protected against aggressions in order tosurvive in the case of an accident. It also contains a Flash disk to store datafor a 12 hour period. This unit stores all essential navigation and status datasuch bridge conversations, VHF communications, and radar images.

The International Maritime Organization (IMO) recommends that all VDRand S-VDR systems installed on or after 1 July 2006 be supplied with anaccessible means for extracting the stored data from the VDR or S-VDR to alaptop computer. Manufacturers are required to provide software for extractingdata, instructions for extracting data, and cables for connecting between a recordingdevice and computer.

The following documents provide more detailed information:

After spending some hours reversing the different binaries, it was clearthat security is not one of its main strengths of this equipment. Multiple servicesare prone to buffer overflows and command injection vulnerabilities. The mechanismto update firmware is flawed. Encryption is weak. Basically, almost the entiredesign should be considered insecure.

Take this function, extracted from from the Playback software, as anexample of how not to performauthentication. For those who are wondering what 'Encryptor' is, just a word:Scytale.

Digging furtherinto the binary services we can find a vulnerability that allowsunauthenticated attackers with remote access to the VR-3000 to executearbitrary commands with root privileges. This can be used to fully compromisethe device. As a result, remote attackers are able to access, modify, or erasedata stored on the VDR, including voice conversations, radar images, andnavigation data.

VR-3000’sfirmware can be updated with the help of Windows software known as 'VDRMaintenance Viewer' (client-side), which is proprietary Furuno software.

The VR-3000firmware (server-side) contains a binary that implements part of the firmwareupdate logic: ‘moduleserv’

This servicelistens on 10110/TCP.

Internally, bothserver (DCU) and client-side (VDR Maintenance Viewer, LivePlayer, etc.) use aproprietary session-oriented, binary protocol. Basically, each packet maycontain a chain of 'data units', which, according to their type, will containdifferent kinds of data.

Figure: Some ofthe supported commands

'moduleserv' severalcontrol messages intended to control the firmware upgrade process. Let's analyze how it handles a'SOFTWARE_BACKUP_START' request:

An attacker-controlledstring is used to build a command that will be executed without being properly sanitized.Therefore, this vulnerability allows remote unauthenticated attackers toexecute arbitrary commands with root privileges.

Figure: ‘Moduleserv’ v2.54 packet processing

Figure:‘Moduleserv’ v2.54 unsanitized system call

Atthis point, attackers could modify arbitrary data stored on the DCU in order to,for example, delete certain conversations from the bridge, delete radar images,or alter speed or position readings. Malicious actors could also use the VDR tospy on a vessel’s crew as VDRs are directly connected to microphones located,at a minimum, in the bridge.

However,compromising the DCU is not enough to cover an attacker’s tracks, as it onlycontains a backup HDD, which is not designed to survive extreme conditions. Thekey device in this anti-forensics scenario would be the DRU. The privilegedposition gained by compromising the DCU would allow attackers to modify/deletedata in the DRU too, as this unit is directly connected through an IEEE1394interface. The image below shows the structure of the DRU.

Figure:Internal structure of the DRU

BeforeIMO's resolution MSC.233(90) [3], VDRs did not have tocomply with security standards to prevent data tampering. Taking into account thatwe have demonstrated these devices can be successfully attacked, any datacollected from them should be carefully evaluated and verified to detect signsof potential tampering.

IOActive,following our responsible disclosure policy, notified the ICS-CERT about thisvulnerability in October 2014. The ICS-CERT, working alongside the JPCERT/CC,were in contact with Furuno and were able to reproduce and verify thevulnerability. Furuno committed to providing a patch for their customers"sometime in the year of 2015." IOActive does not have furtherdetails on whether a patch has been made available.


Source: lmth.egayov-otni-gnikcah-ytiruces-emitiram/21/5102/moc.evitcaoi.golb

Read:10212 | Comments:0 | Tags:0day cyber attack Furuno hacking maritime piracy ruben santa

“Maritime Security: Hacking into a Voyage Data Recorder (VDR)”0 Comments

Submit A Comment



Blog :

Verification Code:


Tag Cloud