If an attacker wanted to sneak a monitoring device into a target network, how might they go about it?
As Naked Security reported last week, they could try soldering a tiny chip on to the circuit board of something like a firewall on the assumption that it will never be noticed.
But there might be a much simpler approach – hide the device in plain sight, safe in the knowledge that its very conspicuousness means its legitimacy will probably never be questioned.
This was the initial suspicion of a team from UK-based outfit Pen Test Partners when they noticed an unlabelled, “potentially toxic box” connected to the onboard LAN of a ship that the team was performing a security assessment on.
Ship networks feature a lot of specialised equipment, of course, but every box should have a purpose. And yet, after enquiring about its origins, the message came back:
Fleet management told us that shoreside had no invoice, record, or inventory listing for it. They were blissfully unaware of its existence.
It had an Ethernet connection to the ship LAN but was also connected to a Windows console on the bridge which was so bright at night that the crew covered it up. The assumption had been that it was meant to be there.
“Suspicious”
The box had a second Ethernet connection which, on analysis, the pen testers found was carrying NMEA data encapsulated in UDP. NMEA is a format that offers a universal interface for different GPS systems, which suggested the box had something to do with the onboard Electronic Chart Display and Information System (ECDIS).
It also had an RS-232 serial converter connected to it, leading to a cable that disappeared into the deck. The traffic running across this was Modbus, an ancient master-slave protocol still used by industrial control systems (ICS).
After checking whether the device at the other end of the serial link would answer when fed Modbus data, the pen testers traced it to a point 11 decks down, at the ship’s main engine, adjacent to the safety systems designed to slow or shut the engine down.
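As an added example (not code from Naked Security or from Pen Test Partners), here is the kind of check used to work out what an unknown box is speaking: it classifies captured payloads as NMEA 0183 or Modbus RTU by validating each protocol's own checksum. The sample captures are constructed, not traffic from the ship in the article.

```python
import re
import struct
# Added example, not Naked Security's or Pen Test Partners' code: validate each
# protocol's own checksum to tell NMEA 0183 (LAN/UDP) from Modbus RTU (serial).
NMEA_RE = re.compile(rb"^\$([A-Z]+,[^*\r\n]*)\*([0-9A-Fa-f]{2})\r?\n?$")

def nmea_checksum(body: bytes) -> int:
    """NMEA 0183 checksum: XOR of every byte between '$' and '*'."""
    cs = 0
    for b in body:
        cs ^= b
    return cs

def is_nmea(payload: bytes) -> bool:
    m = NMEA_RE.match(payload)
    return bool(m) and nmea_checksum(m.group(1)) == int(m.group(2), 16)

def modbus_crc16(data: bytes) -> int:
    """Modbus RTU CRC-16: init 0xFFFF, reflected polynomial 0xA001."""
    crc = 0xFFFF
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc

def is_modbus_rtu(frame: bytes) -> bool:
    """addr(0-247) + function + data + CRC, CRC sent low byte first."""
    if len(frame) < 4 or frame[0] > 247:
        return False
    return modbus_crc16(frame[:-2]) == struct.unpack("<H", frame[-2:])[0]

def classify(payload: bytes) -> str:
    # Caveat: one CRC match is weak evidence (1 in 65536 for random bytes).
    if is_nmea(payload):
        return "NMEA 0183"
    if is_modbus_rtu(payload):
        return "Modbus RTU"
    return "unknown"

# Constructed sample captures, not traffic from the ship in the article.
SAMPLES = [
    b"$GPGGA,123519,4807.038,N,01131.000,E,1,08,0.9,545.4,M,46.9,M,,*47\r\n",
    bytes.fromhex("010300000002c40b"),  # unit 1, read 2 holding registers
    b"\x00\x01\x02\x03",                # neither protocol
]
if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{classify(s):10} {s[:20]!r}")
```

Confirm a Modbus verdict over several consecutive frames rather than one, since a chance CRC match on short random data is not rare enough to rely on.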
We’d found a Windows machine that was connected to main engine controls, which no one knew about.
It was obviously alarming that an unknown device was connected to a system involved in ship safety. Comically, the Windows console was running a long-unpatched version of TeamViewer.
The culprit
It turned out that a third party had installed the box legitimately some years before, to monitor fuel and engine efficiency. The arrangement had since ended, but the box had been forgotten about and left running.
A vulnerable box that no-one knew about with a direct, remote connection to the main engine.
One observation from this is that engineers and crew simply assumed it had a right to be there even though nobody knew what it was doing.
This raises the question… how many more mystery boxes might be quietly sitting connected to numerous other networks?