Vulnerable controllers could allow attackers to manipulate marine diesel engines
Researchers have found several authentication and encryption vulnerabilities in the firmware of marine diesel engine controllers by Norwegian company Auto-Maskin, as well as the accompanying Android app.
These security flaws could be exploited by attackers to change the firmware and configuration files, install malware, and perform actions that effectively allow them to take control of a vessel’s engines.
The vulnerabilities
The four vulnerabilities were unearthed by infosec researchers Brian Satira and Brian Olson, who share an interest in industrial control systems and the maritime Internet of Things.
As detailed in this CERT/CC vulnerability note, there are four:
- CVE-2018-5399: The DCU 210E firmware contains an undocumented Dropbear SSH server with a hardcoded username and password, which is easy to crack.
- CVE-2018-5400: The Auto-Maskin products use an undocumented custom protocol to set up Modbus communications with other devices without validating those devices.
- CVE-2018-5401: The devices transmit process control information via unencrypted Modbus communications.
- CVE-2018-5402: The embedded webserver uses unencrypted plaintext for the transmission of the administrator PIN.
“CVE-2018-5401 and CVE-2018-5400 affect both Auto-Maskin Marin Pro field devices and the related Marine Pro Observer app for Android. An attacker could exploit them to send spoofed Modbus TCP packets to any Marine Pro field device to change any supported settings, including turning a vessel’s engines on or off,” Satira explained to Help Net Security.
“An attacker could send these spoofed Modbus packets from any arbitrary node with network access to the targeted devices. They could also conduct a ‘man in the middle’ to observe or alter packets. These vulnerabilities would be mitigated by implementing Secure Modbus.”
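The spoofing Satira describes rests on the shape of a Modbus TCP frame, so here is the exchange in code. This is an added example, not code from the article, the CERT/CC note, or Auto-Maskin: it builds a Write Single Coil request, shows the server's normal response (an echo of the request), and runs a source-allowlist check over constructed traffic. The coil number, unit ID and IP addresses are hypothetical; real coil maps are vendor-specific and are not given on the page.

```python
"""Modbus TCP write exchange and a source-allowlist check (added example)."""
import struct
from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple

# MBAP header: transaction id, protocol id (always 0), remaining length, unit id.
# Note what is absent: no peer identity, no MAC, no nonce. Any node that can put
# a TCP segment on the wire can issue a write, which is the point of CVE-2018-5400/5401.
MBAP = struct.Struct(">HHHB")

FC_WRITE_SINGLE_COIL = 0x05
FC_WRITE_SINGLE_REGISTER = 0x06
# Function codes that change state on the device (single/multiple coils and registers).
WRITE_FUNCTION_CODES = {0x05, 0x06, 0x0F, 0x10}

# Hypothetical values for the demo; not taken from any Auto-Maskin documentation.
ENGINE_STOP_COIL = 0x0010
UNIT_ID = 1
HMI_ADDRESS = "10.0.1.5"       # the legitimate operator console
ROGUE_ADDRESS = "10.0.1.77"    # e.g. a compromised crew laptop on the ship LAN


@dataclass(frozen=True)
class ModbusWrite:
    transaction_id: int
    unit_id: int
    function_code: int
    address: int
    value: int


def build_write_single_coil(transaction_id: int, unit_id: int, coil: int, on: bool) -> bytes:
    """Client -> server: FC 0x05, coil address, 0xFF00 = ON / 0x0000 = OFF."""
    pdu = struct.pack(">BHH", FC_WRITE_SINGLE_COIL, coil, 0xFF00 if on else 0x0000)
    # MBAP length counts the unit id byte plus the PDU.
    return MBAP.pack(transaction_id, 0, len(pdu) + 1, unit_id) + pdu


def parse_write(data: bytes) -> ModbusWrite:
    """Parse a single-coil/register write ADU, rejecting malformed header fields."""
    if len(data) < MBAP.size + 5:
        raise ValueError("frame too short")
    tid, proto, length, unit = MBAP.unpack_from(data, 0)
    if proto != 0:
        raise ValueError("protocol id must be 0 for Modbus")
    if length != len(data) - 6:
        raise ValueError("MBAP length does not match frame size")
    fc, address, value = struct.unpack_from(">BHH", data, MBAP.size)
    if fc not in (FC_WRITE_SINGLE_COIL, FC_WRITE_SINGLE_REGISTER):
        raise ValueError(f"unsupported function code 0x{fc:02x}")
    if fc == FC_WRITE_SINGLE_COIL and value not in (0xFF00, 0x0000):
        raise ValueError("illegal coil value")
    return ModbusWrite(tid, unit, fc, address, value)


def is_valid_write(data: bytes) -> bool:
    try:
        parse_write(data)
        return True
    except ValueError:
        return False


def server_response(request: bytes) -> bytes:
    """Server -> client: for FC 0x05/0x06 the normal response echoes the request verbatim.
    The server never learns, or checks, who sent it."""
    parse_write(request)  # a real device would act on the write here
    return request


def flag_unauthorised_writes(observed: Iterable[Tuple[str, bytes]],
                             allowed_writers: Set[str]) -> List[Tuple[str, int]]:
    """Passive monitor: alert on any write function code from a source not on the allowlist.
    This is the only handle a defender has on plain Modbus; it does not survive IP spoofing
    or an on-path attacker, which is why Secure Modbus (TLS) is the real fix."""
    alerts = []
    for src_ip, raw in observed:
        fc = raw[MBAP.size] if len(raw) > MBAP.size else None
        if fc in WRITE_FUNCTION_CODES and src_ip not in allowed_writers:
            alerts.append((src_ip, fc))
    return alerts


def demo() -> List[Tuple[str, int]]:
    """Constructed traffic: the operator console and a rogue host both send 'engine stop'.
    The two frames are byte-identical; only the source address distinguishes them."""
    legit = build_write_single_coil(1, UNIT_ID, ENGINE_STOP_COIL, True)
    spoofed = build_write_single_coil(1, UNIT_ID, ENGINE_STOP_COIL, True)
    assert legit == spoofed
    observed = [(HMI_ADDRESS, legit), (ROGUE_ADDRESS, spoofed)]
    return flag_unauthorised_writes(observed, {HMI_ADDRESS})


if __name__ == "__main__":
    frame = build_write_single_coil(1, UNIT_ID, ENGINE_STOP_COIL, True)
    print("request :", frame.hex())
    print("response:", server_response(frame).hex())
    print("alerts  :", demo())
```

The point to take from the demo is that the device accepts the rogue frame exactly as it accepts the operator's, because nothing in the protocol carries identity; the allowlist monitor is a detection aid, not a control, and an attacker already on path (or spoofing the console's address) defeats it.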
CVE-2018-5399 and CVE-2018-5402 affect Marine Pro field devices such as remote panels and diesel control units.
The former gives an attacker with network access to the undocumented SSH server a root login on the device, which allows essentially anything: changing the firmware, installing a backdoor or other malware, or disabling or “bricking” the device. The latter lets an attacker who observes the administrator PIN in transit authenticate to the embedded webserver and use its post-auth file upload to change firmware and configuration files and get uploaded binaries executed on the device.
Can some of these vulnerabilities be exploited remotely, I also wanted to know.
“The hard-coded credentials for the undocumented Dropbear SSH server mean that an attacker could search for the devices using a tool such as Shodan.io, although it is more likely that the devices will be on a ‘private’ RFC 1918 address,” Satira told me.
“While it is a best practice in ICS security to keep field devices on logically isolated segments, it is not sufficient mitigation against these types of vulnerabilities. Maritime control systems are typically integrated on a ship-wide LAN connected by satellite broadband communications with shore-side networks. An attacker therefore can gain access to vulnerable devices either by compromising the personal electronic devices belonging to a vessel’s crew members, which have then been connected to the ship’s networks, or by compromising a computer on a shore-side network and performing post-exploitation ‘lateral movement’ – pivoting from one logical segment to another aboard the ship.”
The really bad news is that these vulnerabilities have yet to be patched.
Raising awareness about the security of maritime technology
The researchers privately notified Auto-Maskin about the flaws over 18 months ago, but didn’t receive a reply. They had better luck by going through Norway’s national CERT (NorCERT): the company acknowledged they knew about the security vulnerabilities but stated they had no intention to publicly disclose or to patch the issues.
Satira said that they are still reviewing the most recent firmware updates, which were released in September, but that it does not appear the vulnerabilities have been addressed by the vendor. (I also tried to get an answer from Auto-Maskin on that point, but have yet to hear back from them.)
Satira and Olson are volunteers with Project Gunsway, which brings together researchers committed to making sure that maritime-related technologies are worthy of our trust.
As many of the vulnerabilities they unearth can impact public safety, Satira pointed out that it is their responsibility as researchers to work with vendors when they can, but also to notify consumers and raise awareness of these issues when vendors are uncooperative.
“Of particular concern for us as ethical security researchers, we became aware that Auto-Maskin was providing potentially affected equipment to leading OEMs of marine diesel engines including Cummins, Caterpillar, Yanmar, and Scania. Potentially vulnerable equipment is therefore being introduced through the supply chain to end-users who may not be aware of the risks,” he added.
“One example we were made aware of was that re-branded Auto-Maskin equipment was included during the installation of Cummins diesel engines on National Oceanic and Atmospheric Administration (NOAA) scientific research vessels. Auto-Maskin has also publicly announced that Marine Pro equipment is being used to control the engines of a new aircraft carrier launched and undergoing sea trials by an unnamed navy in 2017-2018. The Maritime and Port Security Information Sharing and Analysis Organization (MPS-ISAO) assisted Project Gunsway with privately notifying organizations in the maritime industry, the US Coast Guard, and NOAA about these supply-chain issues.”
Satira and Olson have presented their research and findings at DerbyCon.