Institute For Ethical Hacking Course and Ethical Hacking Training in Pune – India
Extreme Hacking | Sadik Shaikh | Cyber Suraksha Abhiyan
Credits: thenextweb
Large shipping vessels and aircraft are often equipped with VSAT systems, allowing crewmembers to send and receive messages and access the Internet during voyages. Turns out, some of these VSAT systems are profoundly insecure, and could allow an attacker to gain access, and disrupt communications.
Security researcher x0rz discovered that many VSAT systems can be reached from the public Internet. Not only does this mean they can be tracked through services like Shodan, but some are configured in a way that could see a remote attacker gain access using default credentials.
Duuuuuude, default creds everywhere. I'm connected to a motherfucking ship as admin right now. Hacking ships is easy 😏 pic.twitter.com/UmLPIveTah
— x0rz (@x0rz) July 18, 2017
TNW spoke to the x0rz over the messaging app, Signal. At the start of the interview, he wrote “no ships were harmed during [his] experiments.” However, anyone with less scruples could have caused significant harm. The system they obtained access to allowed them to review the call history from the VSAT phone, change the system settings, and even upload new firmware.
They also noted that the VSAT system “might be connected to other onboard devices — maybe more critical,” noting that theoretically, you could exploit a VSAT system to get inside a network, in order to cause more damage.
Shodan now live tracking ships via VSAT antennas exposing web services 🤦♂️ https://t.co/WTtc7tAvYz #OSINT #shodan pic.twitter.com/Ap5hW5EijX
— x0rz (@x0rz) July 18, 2017
Because these systems are publicly accessible, it’s possible to figure out where ships are to a troubling precision. During the interview, x0rz gave me the latitude and longitude of a vessel which he insisted was Russian in origin, due to the language used in the system, and its IP address. John Matherly, founder of Shodan, has also created a map where you can track vessels in real-time.
x0rz has only identified a few vulnerable VSAT. These are all from the British manufacturer Cobham (although they note that other systems may ship with the same flaw), and are configured to expose HTTP web services to the Internet. Others exposed SNMP or UDP only.
As pointed out by x0rz, VSAT systems are also popular on aircraft, ranging from small private jets, to military and passenger aircraft.
Exposed VSAT devices could also impact connected airplanes. Hacking ships and airplanes from your bedroom… #IoT #VSAT #HackingShips pic.twitter.com/hFzSwOs2Jf
— x0rz (@x0rz) July 18, 2017
While it’s theoretically possible that there’s an aircraft equipped with an insecure VSAT system, x0rz noted that they hadn’t found any.
According to Thane & Thane, a Danish shipping company, the VSAT system is used to calibrate instruments. Any disruption could have disastrous consequences.
So, @Acidgen called Thrane & Thrane in Denmark (doing the 900 VSAT)
tl;dr: it's really bad for ships to leave this interface exposed! pic.twitter.com/ea73vBo3Gg— x0rz (@x0rz) July 18, 2017
This news adds a troubling dimension to the “Internet of Insecure Things.” It’s no longer about $10 Chinese-made IP cameras, and hackable fridges. The paradigm now includes boats and planes. With that comes the inherent risk of loss of human life.
www.extremehacking.org
Sadik Shaikh | Cyber Suraksha Abhiyan, Ethical Hacking Training Institute, CEHv9,CHFI,ECSAv9,CAST,ENSA, CCNA, CCNA SECURITY,MCITP,RHCE,CHECKPOINT, ASA FIREWALL,VMWARE,CLOUD,ANDROID,IPHONE,NETWORKING HARDWARE,TRAINING INSTITUTE IN PUNE, Certified Ethical Hacking,Center For Advanced Security Training in India, ceh v9 course in Pune-India, ceh certification in pune-India, ceh v9 training in Pune-India, Ethical Hacking Course in Pune-India