[HN Gopher] What do you do if a hacker takes control of your shi...
___________________________________________________________________
What do you do if a hacker takes control of your ship? (2023)
Author : transpute
Score : 46 points
Date : 2024-03-28 15:37 UTC (7 hours ago)
(HTM) web link (maritime-executive.com)
(TXT) w3m dump (maritime-executive.com)
| wwweston wrote:
| I'd heard the solution involves getting Jonny Lee Miller and
| Angelina Jolie to help you hack the Gibson, but it's been a while
| and maybe that's out of date.
| pavel_lishin wrote:
| No, the solution is getting Jamie Lee Curtis, William Baldwin,
| & Sherman Augustus onto the ship.
|
| (Virus was a tremendously fun movie.)
| throwanem wrote:
| Virus was an _awful_ movie, not redeemed by the honorable
| efforts of those among its actors who understood there was
| nothing about it that needed taking seriously.
| erulabs wrote:
| Duke: "Well then, put the ships' ballasts under manual
| control!"
|
| THE PLAGUE: "There's no such thing anymore, Duke."
| MarkLowenstein wrote:
| 2023: fascinating We really live in a new world today It's
| crucial that we look ahead to the threats of tomorrow
|
| 2024: cyber attack on a ship? Conspiracy theory Grow up Live in
| the real world
| javajosh wrote:
| Good article, because it's a canary in the coal-mine that warns
| us against drive-by-wire in personal automobiles. Personally I
| will never own or use a car that is drive-by-wire, especially if
| it's connected to the internet. I believe strongly there will
| (soon?) be an incident where an org or individual will hack a
| fleet of such cars, cause widespread death, and the public will
| pull their hair and say "how could this have happened?!"
| exe34 wrote:
| Well the authorities will probably do something sensible like
| ban keyboards or something. They already banned the Flipper
| Zero in Canada because it can be used to unlock insecure cars.
| devb wrote:
| What is your basis for strongly believing that?
| dogman144 wrote:
| Because there's been a number of solid proof of concepts to
| hack car -> kill transmission mid-driving, and that was
| several years ago.
| __MatrixMan__ wrote:
| To what end? If the hack happens, I think it's much more likely
| that we see a string of assassinations that look like
| accidents, or kidnappings that don't look like vehicle-related
| skulduggery at all. It's just not as valuable if you pull the
| trigger all at once.
| Terr_ wrote:
| > It's just not as valuable if you pull the trigger all at
| once.
|
| Not if they short-sell the car-manufacturer stock first!
| Granted, that might increase their odds of being caught, but
| attackers don't have to be wise to be dangerous.
|
| Depending on what can be hacked, another possibility would be
| a string of suspiciously-smooth thefts.
| __MatrixMan__ wrote:
| I don't want to discount the possibility that this
| would be the ambitious endeavor of an actor with otherwise
| small-time-crook vibes, but I think it's more likely to be
| a nation state with bigger plans than getting rich.
| pavel_lishin wrote:
| > _It's just not as valuable if you pull the trigger all at
| once._
|
| I mean, it depends on the person pulling the trigger, right?
| A sociopathic 14 year old from Bogota might not care.
| javajosh wrote:
| _> To what end?_
|
| The US and China go to war, over Taiwan say. This would be
| part of a general attack on the US, and would include things
| like the power grid, internet infrastructure, and anything
| else that can be disabled or turned against us.
|
| Terrorists decide that 9/11 wasn't good enough, and they can
| do 1000x more damage, death and terror from the comfort of
| their computers.
|
| Extortionists decide to leverage this capability to extort
| money from car companies.
|
| More targeted killings would be motivated according to your
| thought.
|
| This is just the top of my head. I'm sure there are others.
| dogman144 wrote:
| I think Taiwan is the most logical short-term threat model
| that could lead to widespread cyber incidents internally.
|
| The other continues to be something like NotPetya, a localized
| cyberwar tactic that hits the public internet and runs amok.
| But to get from that to critical infra in US, let alone
| personal autos, is hard to picture.
| __MatrixMan__ wrote:
| I guess.
|
| It just seems like the degree of premeditation involved
| here would also come to the conclusion, given how over
| invested we are in our military, that it is better to make it
| seem like the US is perpetually shooting itself in the foot
| rather than make it seem like the US has been shot. We
| tend to get all rambunctious when we know it was an attack,
| better to have us lose the war before we know we're
| fighting it.
|
| When it comes to remote vehicle access I think you could do
| more damage carefully over the course of a decade than you
| could do rashly in a day.
| vkou wrote:
| All a nation-state needs to do to asymmetrically cripple
| the US is to buy a few hundred junkers and stall them on
| busy bridges during rush hour.
|
| There's no need for Tom Clancy 46-dimensional chess plots
| that involve hacking the Gibson.
|
| The next time you see your neighbour driving poorly, ask
| yourself - are they a spy, wrecker, or saboteur? (/s)
| __MatrixMan__ wrote:
| Agreed. But the game being played here is the inverse:
| assume someone hacked the Gibson, what effects do we see?
| lp0_on_fire wrote:
| > To what end?
|
| "Because some people just want to see the world burn",
| unfortunately.
|
| The idea that someone would actually fly two commercial
| airliners into downtown Manhattan to take out the World Trade
| Center was also pretty unlikely, circa 2000 and 2001.
| persolb wrote:
| I think the last 23 years have shown that, luckily, those
| people are mostly idiots.
|
| I suspect many people in HN could whip up mass violence
| with drones if they wanted to. Luckily the people who can
| generally have better things to do.
| dogman144 wrote:
| So I agree, but my question next is what cars are you finding
| that meet this standard? Networks show up in cars quite early,
| not sure how far back I'd have to go to buy one that is
| suitably off grid.
| jcgrillo wrote:
| I own a 1999 Mercedes-Benz E300 turbodiesel and a 1995 Toyota
| Land Cruiser. Both of these vehicles are modern, computerized
| machines with electronic engine management, airbags, and
| computer controlled transmissions. Neither of them have any
| need for "software updates" nor do they have any way to do
| so. They both have OBD-II interfaces, and the Benz has a
| proprietary interface as well. I'll be sticking with these
| vehicles for as long as it takes for the current complexity
| fetish to subside. If that means never buying another vehicle
| that's fine by me :)
|
| My plan for the Land Cruiser is to install the engine and
| transmission from an early 2000s Mitsubishi Fuso. This will
| entail grafting the ECU and TCU from the Fuso into the
| Cruiser's wiring harness, and doing some transmission
| modifications to hook up the tailshaft to the Toyota transfer
| case. Should just about double fuel economy and improve
| driveability. I can't think of any reason I'd buy a newer
| vehicle, the "improvements" they offer just aren't worth the
| cost.
| pixl97 wrote:
| > nor do they have any way to do so. They both have OBD-II
| interfaces,
|
| You sure about that? At least if someone has direct access
| to your car I'm guessing they could very easily clip
| something on that could control the car under particular
| conditions.
| jcgrillo wrote:
| Sure they could plug a device which sniffs or rewrites
| CAN frames right into the OBD-II port or the 38 pin port
| on the Benz. I have done so myself even. I'm not worried
| about it one bit. Someone would have to specifically want
| to target me, and if they have access to my car they also
| have (much easier) access to my house. I am not worried
| about that either.
|
| Look, if you want to really mess up a car all you need is
| a pair of needle nose pliers. Locate the brake lines
| where the hard line meets the soft line going to each
| caliper, and squash each hard line to crack it just
| enough that fluid starts to slightly weep out. When the
| driver first steps on the brakes in earnest the fluid
| will flow out, and eventually (maybe 5-10 braking events
| later) the brakes will no longer work.
|
| Again, my threat model does not include someone targeting
| me specifically. If someone wants to hurt me or vandalize
| my property they're not gonna do it by writing some
| esoteric computer program. If you connect your car to the
| Internet the threat model needs to expand to include
| "bulk" attacks, which I suspect are actually much more
| likely.
| toast0 wrote:
| > Neither of them have any need for "software updates" nor
| do they have any way to do so.
|
| Pretty sure they could get firmware updates for the ECU and
| TCU. There's probably somebody doing ECU tunes for more
| power / better efficiency / better noises, even if that's
| just tweaking the tables and even if there are no factory
| software updates. Electronically controlled transmissions
| often have some updates available over their early service
| life, even if they're not well publicized or pushed. OBD-II
| is commonly used for that, although maybe the 1995 would
| need modules removed and ROM chips replaced.
| jcgrillo wrote:
| Yes, and there are aftermarket standalone transmission
| and engine controllers available. Another thing people do
| is stick another node in the CAN network which intercepts
| packets and rewrites them. But what I meant is that the
| cars, when they were shipped, were _done_. Like, they
| struck the right balance between features and complexity
| s.t. the product that was shipped was complete. That's
| the kind of equipment I like to depend on, not something
| that's a constant experiment.
| dogman144 wrote:
| Got it, so you accept the risk of local access and poorly
| segmented CAN bus and maybe access via complex RF-style
| hacks more or less, but remove the software, wifi, cell and
| presumably Bluetooth threat models. That makes sense to me.
| jcgrillo wrote:
| I also have a simple downgrade path to a fully mechanical
| vehicle. On the Benz replace the injector pump with a
| mechanical one and the transmission with an older
| hydraulically controlled automatic or manual. Similar
| options available on the Toyota.
|
| But really the "threat model" is about complexity, not
| malice. I'm not worried someone will try to hack my car.
| If they manage it, good on them. I _am_ worried about a
| manufacturer preventing me from maintaining my cars.
| Newer cars are so tightly locked down that maintenance is
| unnecessarily difficult.
| toast0 wrote:
| On grid cars don't tend to stay that way. My 2013 Ford was
| built with a 2g modem, a recall replaced that with a 3g
| modem, and now the 3g modem has no one to talk to. My 2017
| Chrysler also has a 3g modem with no one to talk to.
|
| A malicious person could stand up a fake 3g network, I guess.
| But LTE has strong mutual auth, so cars with 4g modems will
| be very hard to attack once 4g is dead. OTOH, 4g and 5g can
| more easily coexist: as I understand it, 5g can run with a 4g
| compatible control protocol, with some slots 4g and some 5g
| depending on the needs of the mobile stations nearby, whereas
| 2g and 3g needed a block allocated, so once the minimum size
| block was no longer well utilized, it was a waste of spectrum.
| This may mean 4g is kept alive a lot longer than 2g/3g.
| toast0 wrote:
| Are there recent model vehicles without computer controlled
| throttles?
|
| I know ABS implies computer modulated braking, but I don't
| think it implies the computer can brake without user input or
| override user input and not brake. OTOH, automatic emergency
| braking is standard on some vehicles and optional on many.
|
| Computer controlled steering is currently rare, but is part of
| lane keeping assistance.
| 05 wrote:
| ESC (basically same actuator hardware as ABS) can definitely
| brake without user input and it's mandatory in all cars sold
| after 2012. Steering assist is mostly torque limited by
| design, you should be able to easily overpower it.
| RobotToaster wrote:
| I'm beginning to think Commander Adama had the right idea about
| networks on ships.
| lp0_on_fire wrote:
| I'm beginning to think that idea needs to be applied to a lot
| more than just ships.
|
| I'll write more about it once I figure out why my smart
| refrigerator is showing me porn instead of the weather.
| BitwiseFool wrote:
| The refrigerator is a distraction, the toaster is the real
| threat.
| m463 wrote:
| If only the crewmembers would maintain the airgap with the sexy
| computers.
| i_am_proteus wrote:
| Have a non-networked backup GPS.
|
| Have a non-networked backup navigation radar.
|
| Have a way to _manually_ control engines and rudder (wrench on an
| actuator, sound-powered phone circuit[a] from bridge to the
| machinery room).
|
| Practice using all of the above.
|
| [a] These are required on basically all ships as a safety
| measure. Crew know how to use them.
| lupusreal wrote:
| For the sake of an example, if we assume the Baltimore bridge
| ship was hacked to crash, I think it's doubtful crew could have
| gotten to and manually actuated the rudder (assuming that was
| possible) fast enough to prevent the collision.
| i_am_proteus wrote:
| If they were standing by to do so, then yes, they would be
| able to take action in a timely fashion. (It is a standard
| practice on some ships to have such personnel standing by
| during high-risk situations.)
| pixl97 wrote:
| The question is how much time does it take to realize what
| the emergency actually is? I'm sure the protocol for "X is
| broke and doing Y" is probably much different than "X is
| not broke but is actually being controlled by someone else
| who may also have control of other systems".
| voxic11 wrote:
| Yeah if they control the systems you use to navigate and
| assess the status of the ship you might not notice it
| isn't under your control for quite a while.
| jcgrillo wrote:
| They got the engine restarted, though, right? If there's a
| manual override for the rudder hydraulics it stands to reason
| that would also be located in the engine room, or at least
| very nearby. So I suspect this incident actually proves they
| _could have_ responded to a fly-by-wire anomaly, but can't
| know without reading the report.
| dboreham wrote:
| Reports today say the engine was never restarted. Backup
| power only.
| swader999 wrote:
| Baltimore
|
| Bridge
|
| Battlestar Galactica
| CGamesPlay wrote:
| Basically the setup to Battlestar: Galactica.
| uwagar wrote:
| So could it be that the Baltimore accident was a cyber attack?
| Or is the timing of this post a coincidence?
| Sakos wrote:
| No, but it is worth considering what might be possible for a
| malicious actor in the near future, considering how disastrous
| this single collision is (which could have been significantly
| worse in lives lost had it been in the middle of the day).
| jandrese wrote:
| As it turns out had this happened in the middle of the day we
| might have been able to avoid all of the casualties. The
| harbor pilot managed to call shore early enough to have the
| bridge closed before the ship hit, so the only casualties
| were an extremely unlucky pothole crew who didn't get the
| warning in time.
| capitainenemo wrote:
| Unless it was rush hour and there was nowhere for backed up
| cars to go.
| toast0 wrote:
| The bridge closure was so fast because there were already
| police on the bridge for traffic control around the repair
| crew.
|
| Had it happened during the day, police may not have made it
| to the entrances in time. Or, if during rush hour, there
| may not have been time for the bridge to clear even if the
| entrances were closed.
| nickwarren wrote:
| I have some friends that work in a variety of positions on older
| boats in the maritime industry, and are quite skeptical about
| upgrades to drive by wire systems.
|
| They also generally aren't technically advanced, so I'm wondering
| what the extent of training they'd consume outside of highly
| technical roles - if it is really value adding, or your typical
| corporate security training "don't click phishing links".
| jvanderbot wrote:
| Fly / steer by wire is not necessarily hackable. But the
| temptation to make everything UDP packets might be too strong
| in some industries.
| petertodd wrote:
| To be clear, ships have been using drive by _wire_ systems for
| decades. Even in WW2 rudder control on liberty ships was
| partially electronic:
| https://surveyship.blogspot.com/2015/09/liberty-ship-or-vict...
|
| Of course, there's a _very_ big difference between a drive-by-wire
| system that has a set of dedicated electric wires with some simple
| communication scheme, and a networked, potentially hackable, system
| based on UDP packets.
| jyunwai wrote:
| What are some of the solutions to a cybersecurity incident in
| progress that involves taking over a moving ship? Much of the
| article talks about how it's important to prepare for this
| incident and that there's a simulation developed for this
| scenario, but the recommendations at the end look preventative
| instead of intended to fix an active incident.
|
| The article's preventative methods include "Install security
| updates as soon as they come and automatically as much as
| possible," "Do not assign administrator rights to end users," "Do
| not allow the use of weak passwords," use multi-factor
| authentication, don't install non-approved software, conduct risk
| assessments for computer systems in use, and make plans for cyber
| incidents in advance.
| pixl97 wrote:
| Lol, preventative measures in this case are dumb as crap in the
| sense that they should be more
|
| "This is an extremely locked down industrial device that only
| executes signed code and has every port on the machine epoxied
| over" as just the starting paragraph.
|
| Unfortunately the exact details of what to do in a cyber
| incident are really closer to a per system plan. Honestly it's
| something that should be red teamed/blue teamed in a simulator
| many times, then dump some harbor pilots and captains in the
| sim against the red team to see what the common default
| reactions are.
| treflop wrote:
| I would put all the ship systems on one bus.
|
| Then put the networked stuff on another bus.
|
| Then add a bridge that connects the two buses where you could
| just pull a fuse for a total disconnect. The bridge would have to
| have a very simple protocol to make it difficult for a worm to
| cross.
|
| That's how I'd do it if I had to design a ship that also had to
| be networked.
| pixl97 wrote:
| Oops, the technician was having some problems one day, so they
| plugged a wireless device on one bus and another on the other
| bus so even after pulling the fuse hackers still had control.
|
| Of course, if they are connected by default, it's very likely
| the hacker could establish control of a device on the secure
| side of the bus and load up something in NVRAM on it
| maintaining control even after a disconnect.
| treflop wrote:
| Well I didn't add this but I would stipulate that the secure
| side would have almost no permanent memory at all if
| possible. I mean, we've been controlling boats without
| electronics for millennia so if you make it a priority to have
| no permanent memory, it should be achievable.
|
| It's doable. The biggest issue is that all these engineers
| are gonna cost $$$$ to design these systems and you will need
| to do a lot of QA, which also costs $$$$.
| reaperman wrote:
| It could be doable to transition back to pneumatic PID
| blocks by some royal decree but it's definitely not going
| to be any real government's solution. PLC's are here to
| stay for all complex machines, and these ships are
| relatively complex.
|
| More interesting to talk about options that could
| realistically happen, and discuss pros/cons of various
| government/industry solutions that are actually likely to
| occur.
|
| I wish I could find a cutaway of a pneumatic PID block
| though. They're quite amazing technology that implemented
| true P-I-D "calculation" logic in a purely physical form by
| using pressure of air at two inputs (setpoint, current
| value) to control one output pneumatic pressure which in
| turn would control some valve a distance away. Really
| amazing engineering we had before electronic control! The
| air lines had a bad tendency to get clogged up though.
| MichaelZuo wrote:
| There's no way anyone could accidentally plug in a device of
| that size. It would be quite a sizable antenna array.
|
| If it was intentional then that's different.
| pixl97 wrote:
| Two small devices should be fine... you're just bridging
| the bus with something that can communicate with the bus.
| The 'unsafe' side of the bus will be doing all the heavy
| lifting for you across your unauthorized bridge. Think more
| like "IT guy leaves diagnostic connection up on laptop
| while connected to wireless" type event.
| marcosdumay wrote:
| Well, at some point the answer will be "don't".
|
| Specifically, either don't plug wireless devices on the
| trusted network, or have some procedure that makes it damn
| sure any such device will be unusable when the ship is
| running.
|
| We have some ways of protecting against malicious firmware,
| but the kind of consumer hardware that gets those is so
| complex and flawed that you are better without. If the hacker
| needs full physical access to the ship before the attack, you
| are about as good as you can get.
| itsthecourier wrote:
| The issue is whether there is a compromised device in the ship
| systems bus. Even removing internet wouldn't fix that.
|
| Remember the sabotage of Iranian nuclear centrifuges.
| treflop wrote:
| Yeah, well I wouldn't have any component on the secure side
| have any permanent memory.
|
| PLCs (as used in the Iranian centrifuges) are basically made
| to be reprogrammed on the fly. You use them because you didn't
| want to hire out a team to build a system so it's 1000x
| cheaper, but it means they are infinitely hackable. They're
| basically a port 80 web server on your network that openly
| dumps code into Bash to be run. Having them on any network is
| extremely dangerous.
|
| If I were to buy a product from a company, I would hope I am
| paying them good money to at least dedicate some engineering
| to build a custom device. You know, with circuits and
| non-networked signed EEPROM. Not ship control code in Bash on
| port 80.
|
| And at the end of the day, you can't guarantee anything to be
| unhackable, but practicing defense in depth makes it as hard as
| possible.
|
| But anyway, I think the main issue is that ship companies are
| not tech companies and don't really have the money to build
| this. /shrug
| photochemsyn wrote:
| Zero-trust network isolation for the operational side is
| probably the only real solution, but it's expensive since using
| the network side to update the industrial control systems on
| the operational side is no longer allowed. Here's a writeup on
| the Colonial Pipeline ransomware attack for comparison:
|
| https://airgap.io/blog/zero-trust-network-isolation-for-indu...
| oooyay wrote:
| Been a while since I worked near this space but there are
| concepts in modern SCADA for air gapping the things that _do_
| versus the things that _request_.
| nimbius wrote:
| Reading the posts I feel like a lot of HN doesn't fully understand
| what we're defending against? These ships are BIG.
|
| First, "manually control" engines and rudder isn't a thing. You're
| talking about a rudder that could be _four stories tall._ Manual
| input is physically impossible and you wouldn't want it anyway.
| Screw around with the rudder too much or too quickly and the
| underway mass of a 500,000 short-ton tanker will rip it out of
| the ship.
|
| A tanker engine _starts_ at 2.5 stories tall (8-10m). Before ECM
| and modern SCADA automation these things could take _an entire
| day_ to start. Everything from fueling to speed and fire
| suppression is intimately linked through a network on the ship.
| You can restrict these networks from the rest of the ship but it's
| generally not advised. Ship engines communicate with breaker
| panels, engine controls on the bridge, and telemetry from
| shipping companies for preventative maintenance.
|
| The solution to this is to have a SOC or rapid response team
| combined with redundant systems. Assume a serious compromise is a
| failure condition and start the EPO/Mayday.
|
| All it takes is a hacker to add a couple extra zeroes to the idle
| speed of the engines and you're now a runaway ship, or worse, a
| runaway engine fire.
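An added example that is not code from the thread, either commenter, or any ship vendor: a minimal version of the "very simple protocol" bridge treflop sketches above, carrying only allowlisted messages from the networked bus toward the ship-control bus, with the plausibility checks that nimbius's "couple extra zeroes on the idle speed" scenario calls for (idle band limits, rudder stop and per-command step limits). The frame format, message ids and numeric limits are constructed assumptions, not any real vessel protocol.

```python
# Added example (not from the thread or any vendor): an allowlisting bridge
# between the networked bus and the ship-control bus. The wire format,
# message ids and limits below are constructed for illustration only.
import struct

# Constructed frame: 1-byte message id, int32 value, uint16 checksum.
FRAME = struct.Struct(">BiH")

# Only these ids may cross from the networked side toward ship systems.
IDLE_RPM_SET = 0x10   # requested main-engine idle speed, rpm
RUDDER_CMD = 0x11     # requested rudder angle, degrees (negative = port)
TELEM_REQ = 0x20      # read-only telemetry request, payload unused

# Plausibility bounds (constructed; a real design takes them from the
# engine and steering-gear specifications).
IDLE_RPM_MIN, IDLE_RPM_MAX = 60, 120
RUDDER_LIMIT_DEG = 35
RUDDER_MAX_STEP_DEG = 5        # largest change accepted per command


def checksum(msg_id: int, value: int) -> int:
    """Framing sanity check only; it is not an authentication tag."""
    return sum(struct.pack(">Bi", msg_id, value)) & 0xFFFF


def build_frame(msg_id: int, value: int) -> bytes:
    return FRAME.pack(msg_id, value, checksum(msg_id, value))


class Bridge:
    """Forwards only allowlisted, in-range, rate-limited commands."""

    def __init__(self, rudder_deg: int = 0):
        self.rudder_deg = rudder_deg     # last rudder angle we forwarded
        self.dropped = []                # (reason, raw frame) audit log

    def _drop(self, reason: str, raw: bytes):
        self.dropped.append((reason, raw))
        return None

    def filter(self, raw: bytes):
        """Return the frame to put on the ship bus, or None if dropped."""
        if len(raw) != FRAME.size:
            return self._drop("bad length", raw)
        msg_id, value, check = FRAME.unpack(raw)
        if check != checksum(msg_id, value):
            return self._drop("bad checksum", raw)
        if msg_id == TELEM_REQ:
            return raw                    # read-only, nothing to validate
        if msg_id == IDLE_RPM_SET:
            # "a couple of extra zeroes" on the idle speed lands here
            if not IDLE_RPM_MIN <= value <= IDLE_RPM_MAX:
                return self._drop("idle rpm out of band", raw)
            return raw
        if msg_id == RUDDER_CMD:
            if abs(value) > RUDDER_LIMIT_DEG:
                return self._drop("rudder angle beyond stops", raw)
            if abs(value - self.rudder_deg) > RUDDER_MAX_STEP_DEG:
                return self._drop("rudder step too large", raw)
            self.rudder_deg = value
            return raw
        return self._drop("message id not allowlisted", raw)


def demo():
    """Run a constructed sequence of frames through the bridge."""
    b = Bridge()
    frames = [
        build_frame(IDLE_RPM_SET, 80),     # sane idle speed: forwarded
        build_frame(IDLE_RPM_SET, 8000),   # two extra zeroes: dropped
        build_frame(RUDDER_CMD, 5),        # small step: forwarded
        build_frame(RUDDER_CMD, 35),       # 30-degree jump: dropped
        build_frame(0x7F, 1),              # unknown id: dropped
        build_frame(TELEM_REQ, 0),         # read-only: forwarded
        b"\x10\x00",                       # truncated frame: dropped
    ]
    forwarded = [b.filter(f) is not None for f in frames]
    return forwarded, [reason for reason, _ in b.dropped]


if __name__ == "__main__":
    print(demo())
```

The bridge deliberately has no way to express "set idle to 8000" or "swing the rudder hard over in one command", so a compromised networked side can at most request values the steering gear and engine could tolerate anyway.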
| jcgrillo wrote:
| > First, "manually control" engines and rudder isn't a thing.
| You're talking about a rudder that could be four stories tall.
|
| Except it is actually a thing. Large ships have a separate
| emergency steering hydraulic circuit driven by its own
| generator, and operated by hand, commands given from the bridge
| by radio or telephone.
| nimbius wrote:
| Technically true, but there is a common single point of
| failure many cadets and ships' engineers fail to address in
| maritime shipping:
|
| https://www.imo.org/en/About/Conventions/Pages/International...
|
| Namely that on every tanker, chemical tanker or gas carrier of
| 10,000 gross tonnage and upwards, or every other ship of
| 70,000 gross tonnage and upwards, the main steering gear
| shall comprise two or more identical power units. There's no
| requirement for separate circuits in these large
| applications. "Power units" meaning we just duplicate the
| engine/partial drivetrain and slave it to the SCADA system as
| a standby unit. These standbys can be started by using
| residual air in the compressor system (if available) or by
| diverting charge air from the compressor system to the
| standby.
|
| Remember: we've been hacked, so compressor valves are likely
| to be locked shut (or worse, destroyed) until someone can get
| down to the engine room and force-open the valve manually.
|
| Ships will often "flip" between engines for service
| intervals, so it can be useful for the SOC team during
| triaging the problem, but the failover likely wouldn't provide
| much help.
|
| To answer the question "couldn't we steer using air?": yes,
| you could, but it would be glacially slow. You might only
| have enough power air to move 5-10 degrees.
| persolb wrote:
| Do you have inside industry knowledge here?
|
| I'm in an adjacent industry, with less risk of death or
| commercial loss, and the compressor backups only output to
| SCADA. The pressure regulation is all relay based and the
| on switch is a manual secondary contactor.
| transpute wrote:
| For this story: https://hnrankings.info/39852849/
| mhb wrote:
| Interesting. If I search for something, what is the ordering of
| the results? Looks sort of random.
| transpute wrote:
| For search, I prefer Algolia, e.g.
| https://hn.algolia.com?q=ranking
|
| For story history, https://HNrankings.info.
___________________________________________________________________
(page generated 2024-03-28 23:01 UTC)