Cybergibbons 🚲🚲🚲
Head of hardware. IoT hacker. Alpha Male.
Apr 9 5 tweets 3 min read
A thread of the variety of products on ships that allow remote monitoring of critical systems on ships.

Just really want to put to bed the idea that systems are always air gapped.

Kongsberg offer multiple systems allowing remote monitoring of ICMS.
kongsberg.com/globalassets/m…
Wartsila NACOS, another of the very popular ICMS, allows remote maintenance of their systems.

wartsila.com/docs/default-s…
Apr 3 26 tweets 7 min read
I broadly agree with this thread, but there are a few aspects where I think the scale and magnitude of the issues on modern ships is maybe not clear.

The number of modern vessels that have all their critical safety systems air gapped is getting lower and lower. What do I mean by critical systems?

Steering (which, oddly, depends on the type of vessel)
Propulsion (which can be the same as steering)
Power management system
ECDIS (electronic charts, which may or may not directly impact navigation)
Mar 30 14 tweets 3 min read
Ships might be "wide open" to cyber attack, but in my opinion, this shows a lack of nuance around what is being attacked, what the impact would be, and if it would be stopped by the crew. I would say that IT security - the corporate stuff - in maritime is as bad as it can get.

Getting from IT to OT - operational technology, the actual moving bits - is much harder.

(or just to OT, direct, another topic)
Mar 29 21 tweets 6 min read
Another thread on container ships and how the power and steering systems *should* work when things go wrong.

This diagram is of a fairly typical containership's electrical distribution.

You have four main diesel generators (often called auxiliary engines). They are multi-MW in size and produce 6.6kV.

Picture from another ship BTW.

When you are maneuvering you need power and redundancy - so you will have 3 or 4 of these running and on the bus.
Mar 28 13 tweets 6 min read
What are the engine rooms like on these Panamax container ships?

They are quite big!

This is the top of the single main engine. It's a Sulzer 10RTA96C.

That's 10 cylinder, each 96cm across. With a 2.5m stroke.

These are just the exhaust valves.

It's a slow-speed, two stroke diesel. Max speed is around 100rpm.
Mar 26 18 tweets 3 min read
The ship has a full blackout for over a minute before impacting the bridge, followed by a second shorter loss of power.

Just after the lights come back on, you can see heavy soot which would likely be one of the main diesel generators being brought up. A blackout at this point in time is about a worst case situation. You'd lose the rudder, main engine and bow thrusters, leaving you unable to do anything.

The 440V emergency generator would be first to start, but this would only restore power to the steering gear immediately.
Feb 24 24 tweets 9 min read
I've obtained one of these "EMP generators" that are intended to cause glitches in gaming machines, either for free gaming or to dump coins.

It's pretty odd.
Most prominent is the 3-pin device on top.

It's an NPN transistor for RF.

It's socketed and comes with a spare....
Jan 14 13 tweets 4 min read
I'm trying to decode some digital modes from an SDR and I think I've found the most capable but least user friendly software, ever.

Now, it is free. And it seems to be the best available. BUT OMG, the UI.

This is the config screen.

Then you get the main RX/TX screen.

Can you spot the button you need to press to open the control of frequency?
Dec 18, 2023 24 tweets 4 min read
After the #FlipperZero threads, there's been a few people questioning the ethics and legality of these devices, particularly with respect to NFC cloning.

I think explaining some of the history of NFC security - particularly Mifare Classic - attacks might help.

Mifare Classic cards are everywhere.

In the UK and US, most hotels and a very large proportion of commercial access control systems will use Mifare Classic.

We've known that these cards have serious security weaknesses for over a decade, yet they are still used.
Dec 17, 2023 22 tweets 6 min read
Onto another aspect of the Flipper Zero... and not really knowing what it does.

The Frequency Analyzer seems pretty opaque. When it works, it works, but under what conditions does it work?

There is documentation, but it doesn't really explain any of the limitations.

docs.flipper.net/sub-ghz/read#b…
Dec 17, 2023 23 tweets 7 min read
I finally caved and bought a Flipper Zero.

Whilst it's useful, there's a fair few bits of it that aren't particularly well explained.

Let's start with the Mifare Classic reading!

What's it doing, and how is it doing it?

There are two dictionaries stored on the SD card in the device - both in /nfc/assets/

mf_classic_dict.nfc (built-in dictionary)
mf_classic_dict_user.nfc (user dictionary)
Jan 21, 2023 61 tweets 17 min read
I'm looking at the VDDI-PROG and how it bypasses security mechanisms on many automotive microcontrollers. It's a nice device, in a good plastic case.

Double-sided board, no components on back.

Minimal silkscreen.

The 3V lithium cell is interesting - I'm not sure what needs backup.

No 32.768kHz crystal for an RTC and no real need.
Jan 20, 2023 6 tweets 1 min read
Remember: seek out those to troll, do not let them seek out you. Remember.
Jan 14, 2023 12 tweets 3 min read
How is your weekend going? I think I am going to get vanned.
Jan 12, 2023 17 tweets 7 min read
Trance songs that I like but also have really strange low budget videos.

Delerium - Silence AKA woman going for a run on a beach with her man but he can't keep up and they are both very serious.

Darude - Sandstorm.

Lady steals briefcase and weird chase starts with handguns.
Jan 12, 2023 7 tweets 2 min read
The world of Chinese audio gear is so strange.

Here we have the Nobsound power supply, made by Douk.

NOBSOUND?

LOOK AT THAT FONT MIXUP.

It has a 4-bit display.
Dec 13, 2022 11 tweets 4 min read
Ahead of the Emperor's Knew Cloves talk ending up on YouTube, it's worth showing some of the slides.

There have been persistent attempts to edit the What3Words Wikipedia page to suppress criticism.

This resulted in the article being edited to misrepresent one of my tweets.

"Tierney admitted that three words are easier to remember and communicate than the alternatives"

The edit even linked to the tweet, and it said nothing of the sort!
Dec 6, 2022 12 tweets 2 min read
I've been reading a few books about espionage recently, and the harm it causes to both those deceived and the deceiver.

And I can't help but think back to physical access jobs I have done where I have manipulated or exploited people.

And I'm not sure it is healthy. I'd love to distance myself from what spies do, but the techniques I use are calculated and practiced.

It's not a few off-the-cuff lines delivered as me to gain access, it's normally a name, persona, clothing, props, speech, body language, and pre-text. None of it is truth.
Dec 6, 2022 4 tweets 2 min read
Among the devices that have existed on Shodan for far too long are the C-More HMIs.

The UI is read-only but does update.

The issue is that the same IP will often have other services on it. It's incredibly common to find the cellular modem on another port - 8443 etc.

There's often other web interfaces that aren't read only.

And of course, information leakage.

Thing is, I've never found one of these and not found other issues.
Dec 5, 2022 4 tweets 2 min read
Hey @ConsiliumSafety @MacGregorGlobal @Cargotec - I'm trying to responsibly disclose some security issues in your products.

Tried contact forms, LinkedIn, Twitter - no response.

pentestpartners.com/about-us/vulne…

Just to preempt: "wHy DoN'T yOu CaLL THem?"

Honestly, I've given up on this path. I've spent hours on the phone to various companies only to get nowhere.
Sep 17, 2022 13 tweets 3 min read
In light of failings in What3Words, lots and lots of people have come up with solutions.

But very few people seem to have actually analysed the problem.

In fact, a lot of people haven't even considered what problem is trying to be solved.

Let's assume our goal is to transmit a location using words.

For the system to be usable, these words need to be:
* Easy to spell
* Hard to mishear
* Hard to typo
* Known by most