Should You Trust the WiFi on Your Cruise Ship?

Justin Baker Avatar by Justin Baker
on June 9, 2020

Today’s Research Paper:

A Tale of Sea and Sky: On the Security of Maritime VSAT Communications

Today’s world is rooted in technology. Everything from video chats with grandma to business investments require the use of the internet. Consequently, the internet handles significant amounts of sensitive data which must be properly protected from adversaries. Lots of time and research has gone into securing our day-to-day internet communications, however as the researchers in this paper discovered, there is hole in this protection when it comes to maritime internet connections. A commonly overlooked area, these communications are proving to expose not only personal information such as Visa/Passport details, credit card numbers, and emails, but also puts the safety of entire cargo and cruise ships at risk.

Maritime vessels, not unlike society, are becoming increasingly digitized due in no small part to better ship-to-shore communications. This paper has focused on the security of Very Small Aperture Terminals (VSAT) which are used by maritime vessels to receive internet communications from land and provide internet access for passengers and crew members aboard the vessel. These VSATs connect with satellites, which in turn connect with a ground station, providing ships with a digital link to shore, even in the middle of the ocean. This connection to land based internet has opened a new attack vector that exposes ships, along with their passengers and crew, to potential vulnerabilities.

The desire for internet access on ships is not unlike that on land, but it can vary from ship to ship. A cruise ship, for example, wants to provide internet access for its passengers to satisfy their demand to stay digitally connected. However, a fishing boat may desire internet access to obtain up to date data on fishing yields to maximize their profit. While there are specific use cases for many different vessels, there exist many commonalities as well. Communication with port authorities before docking is important for boats, somewhat like a plane in communication with air traffic control. Similarly, many companies have multiple different vessels, and the ability to maintain constant awareness of each ship is beneficial. Finally, all ships must navigate the open waters and do so with navigational charts which can be updated constantly with changes in weather and other ship locations.

While VSATs are termed “very small”, the reality is that they are often quite large, as large as a small car, and can cost $50,000 or more. This has made it cost prohibitive to study or hack these devices, but as we will see in a moment, there is a way around this. While these VSATs can communicate with a wide array of protocols, there are commonalities between most maritime applications. The VSATs themselves connect with a satellite in geosynchronous orbit due to the satellites’ ability to provide a constant connection over wide regions of the world. Due to the distance between the earth and the satellite, latency of about 700ms often occurs, with 500ms in ideal conditions. The nature of how these satellites provide their downlink to the earth, an expansive coverage area, is the exact element that can easily be exploited by a third party as we will soon see. Consequently, it is the downlink from the satellite to the ship that is most vulnerable, and was the primary target of this research paper.

VSAT network diagram

The experiment in the paper wanted to prove feasibility with consumer available materials, since it is unreasonable to assume an adversary would spend that money to buy a VSAT. Thus, the experiment used a simple TV dish that anyone could purchase. While this does make the attack cheaper to carry out, there is inherently less accuracy when using such equipment resulting in lost frames as the researchers tried to intercept communications. Even with cheap equipment (the whole setup cost less than $400) the researchers were able to extract 40% - 60% of the bytes transmitted on a given frequency. And with the software they wrote, designed specifically to intercept these signals, they were able to further reconstruct 60% - 85% of the bytes transmitted, even if they were missing some of the information. This data can be recorded continuously, with the only limitation being the amount of storage the attacker has, and multiple satellite dishes could be used concurrently.

The findings of the researchers are quite startling. For starters, the data that is transmitted through open air and is clearly interceptable, is not encrypted by default. Furthermore, the VSAT network sees traffic similarly to how an ISP might see it, resulting in adversaries having ISP level eavesdropping. This gives access to web browsing, media streaming, and personal communications all of which are often in plaintext. It appears that these providers are unaware that such vulnerabilities exist, as traffic that is local to the network is more frequently unencrypted, implying that companies treat the network as a secure LAN network. However this “LAN” network can easily be intercepted.

From the results of the research, sensitive traffic is coming from small and large corporations alike. Due to network constraints and high latency with satellite communications, VSAT networks typically use static IP address allocations which can roughly map to physical host routers onboard vessels. This, along with other data intercepted, has allowed the researchers to identify specific owners and fleets of ships. Furthermore, it appears to be possible to determine what computing devices are onboard a ship. This opens the possibility of targeted, device specific attacks of known device vulnerabilities.

As previously noted, VSATs are used by ships to provide real time ship navigation information. This information often comes in the form of navigational charts, which were found by the researchers to often be sent over unencrypted POP3 email. This is a serious concern as it appears possible for an adversary to send altered nautical charts that display incorrect information such as falsified locations of known ships and obstacles. Furthermore, these charts could be intercepted easily by pirates, giving detailed course information that could put the ship at risk of an attack. However, there is a simple solution to all of these problems. There are already cryptographic methods to verify these charts, but they were almost never used according to the findings.

An intercepted nav chart update path

The researchers were able to intercept manifests listing all crew members aboard, offering attackers an easy way to determine if they would be able to overwhelm a ship. Cargo manifests were also intercepted, providing detailed records of onboard cargo. A ship that is known to be carrying high value or dangerous cargo is much more likely to be targeted in an attack.

An intercepted crew manifest

There were many instances of leaked personal information pertaining to both passengers and crew. For example, the researchers were able to intercept Visa and Passport details, credit card details, many unencrypted emails, and employee intranet profiles including full names, DOBs, and other identifying information. All of this personal information was transmitted in plain text and could be intercepted by anyone. Although TLS was found to be used, there were many instances of weak versions that are not secure enough by today’s standards.

Finally, the researchers looked at possible active attacks that could be carried out. There are barriers to these attacks, however, due to the nature of satellite communication. The highly directional signals from ship to satellite or ground station to satellite require some kind of an aerial vehicle with line of sight to the ship or ground station in order to intercept the traffic. Regardless, the researchers determined that a TCP session hijacking attack is quite possible. Due to the significant time delay or satellite communication, the attacker is almost guaranteed to win in a hijacking attempt. Although these attacks would be difficult to carry out, they could be used to falsely report ship location details or ship status. Other possible attacks include command injection, man-in-the-middle, and denial of service attacks. The particular nature of satellite communication makes it very difficult to prevent TCP session hijacking and denial of service.

In the end, this paper serves as an important starting point for companies that use VSAT communication. The researchers have clearly shown that current standard practices are woefully inadequate. Moving forward, I think we all hope that these companies will take active steps to mitigate the risks involved with VSAT communications.

Please note that this post represents my takeaways from the paper; all credit goes to the authors. Images within this post (not including the title photo) are from the paper.

Title Photo courtesy of Peter Hansen

You Might Want To Read...
Research Explainer: Jamming and Spoofing

Jamming and spoofing are two very real threats to satellites, yet it can be difficult to defend against such attacks. Both attacks can have disastrous consequences...

Research Should You Trust the WiFi on Your Cruise Ship?

The findings of the researchers are quite startling. For starters, the data that is transmitted through open air and is clearly interceptable, is not encrypted by default...

technology An Introduction to CubeSats

In order to analyze the security of satellites, it is important to first understand what exactly goes into a satellite...