Re: The Security Was Possibly Via a Screwdriver
Yep - it was just a square key! Very easy.
53 publicly visible posts • joined 24 Sep 2014
I sent one email chasing the original report to make sure it had been received.
They don't have a means to report security issues, so there is a significant chance that the email doesn't reach the person responsible for the security of these systems, and the issue remains unfixed, leaving them at risk.
This is not "pestering".
I'm not a freelance penetration tester, but I'm not sure I have seen any operate under that model either. It's not exactly going to be lucrative working like that.
As you can see, the way we report issues, we ensure that we aren't offering any services:
https://twitter.com/cybergibbons/status/1446022192928595973
By that analogy, if there were cameras in your dining room, that would be fine, because there are public restaurants.
It hurts the people being watched because of their reasonable expectation of privacy in a private place. Everyone has been told that the system is secure, and it isn't.
You've also missed that this is the place of work for the staff, who can be viewed out of hours.
And that the cameras are installed in receptions and offices as well.
And that some cameras have audio.
I mean, if WND are having cashflow problems such that they can't pay people, it's not unreasonable to assume that other people are also having cashflow problems. Many people are coming close to the line due to COVID, and there is a massive lack of respect in not asking or even notifying people that you can't pay.
It sounds like the network is currently supported by investors rather than subscribers. At £2/device/year, they need over 250k devices subscribed to pay the rent. There's a chance that investment doesn't materialise, and they can't pay. People are paying for electricity to support these nodes - by the time 6 months is up, that could be £30 in bills.
I don't think we do though - you are under the notion that the crew are infallible. That they will notice, that it will be obvious.
https://www.gov.uk/maib-reports/collision-between-ro-ro-passenger-ferry-red-falcon-and-moored-yacht-greylag
"the master became fixated upon the information displayed on his electronic chart and operating engine controls, ignored information displayed on other electronic equipment, and became cognitively overloaded due to high stress"
It's a downplaying of the risks because you are not accounting for human factors.
Well, since you need to obey the law of the flag state of the vessel, which is pretty obvious, you need to obey their rules:
https://www.ics-shipping.org/docs/default-source/Piracy-Docs/comparison-of-flag-state-laws-on-armed-guards-and-arms-on-board-2017.pdf?sfvrsn=0
I've been on plenty of voyages passing dangerous parts of the world. No guns. It's a rarity.
Ah, the good old "topic drift" thing. I'm here too, and it drifted back to what the article is about.
We've had access to common-rail engine PLCs from the corporate network before. So, they can be attacked.
You've picked clear weather, with an alert crew, and not taken human factors into account.
I will just leave this here.
https://features.propublica.org/navy-uss-mccain-crash/navy-installed-touch-screen-steering-ten-sailors-paid-with-their-lives/
I'd love to come up with a solution for 3.
There are certain systems - like the ECDIS - where it's just not possible to set passwords that are long, complex, per-user, and confidential.
But it is possible to set the password on your switches and PLCs to not be the same across all 150 rigs with the same drilling package.
Same with HMI consoles - it may need a basic level of access with simple creds, but the Windows box doesn't need to have local admin password of 00000000.
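One way to get per-rig, per-device credentials without anyone having to remember 400 of them, added here as an illustration and not code from the original post or from any rig vendor: derive each password from a vault-held fleet secret plus the rig, device and account identity, and audit the inventory for reuse. The rig IDs, device names, master secret and the "bad" inventory below are all made up for the example.

```python
import hashlib
import hmac

# Constructed for this example. In practice the fleet secret lives in a
# vault or HSM on the corporate side and is never copied to the rigs; only
# the derived per-device passwords are pushed out.
MASTER_SECRET = bytes.fromhex("0f" * 32)  # placeholder, NOT a real secret
FLEET_LABEL = b"drilling-package-v1"      # hypothetical fleet/package name

# Password alphabet without look-alike characters (0/O, 1/l/I), which
# matters when someone has to type it on a PLC front panel in gloves.
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnpqrstuvwxyz23456789"


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 HKDF-Extract with SHA-256."""
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF-Expand with SHA-256."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def to_password(raw: bytes, length: int) -> str:
    """Map derived key material onto the typeable alphabet."""
    n = int.from_bytes(raw, "big")
    out = []
    for _ in range(length):
        n, idx = divmod(n, len(ALPHABET))
        out.append(ALPHABET[idx])
    return "".join(out)


def device_password(rig_id: str, device: str, account: str, length: int = 20) -> str:
    """Unique, reproducible password for one account on one device on one rig.

    Same inputs always give the same password (so it can be regenerated from
    the vault), different rig/device/account never share one.
    """
    prk = hkdf_extract(FLEET_LABEL, MASTER_SECRET)
    info = f"{rig_id}|{device}|{account}".encode()
    return to_password(hkdf_expand(prk, info, 32), length)


def find_shared_passwords(inventory):
    """Audit an inventory of (rig, device, account, password) tuples.

    Returns {password: [(rig, device, account), ...]} for every password that
    appears on more than one device, i.e. the 'same across all 150 rigs' case.
    """
    seen = {}
    for rig, dev, acct, pw in inventory:
        seen.setdefault(pw, []).append((rig, dev, acct))
    return {pw: where for pw, where in seen.items() if len(where) > 1}


def build_fleet_inventory(rig_ids, devices, account="admin"):
    """Derive credentials for every device on every rig in the fleet."""
    return [(rig, dev, account, device_password(rig, dev, account))
            for rig in rig_ids for dev in devices]


# Constructed sample: the state the post describes, one default everywhere.
BAD_INVENTORY = [
    ("RIG-001", "drill-hmi-01", "Administrator", "00000000"),
    ("RIG-002", "drill-hmi-01", "Administrator", "00000000"),
    ("RIG-003", "drill-hmi-01", "Administrator", "00000000"),
    ("RIG-001", "core-switch-01", "admin", "admin"),
]

if __name__ == "__main__":
    for pw, where in find_shared_passwords(BAD_INVENTORY).items():
        print(f"shared password {pw!r} on {len(where)} devices: {where}")
    fleet = build_fleet_inventory(["RIG-001", "RIG-002"], ["drill-plc-01", "core-switch-01"])
    for row in fleet:
        print(row)
    print("reuse after derivation:", find_shared_passwords(fleet))
```

The HKDF "info" string is what makes the per-device secret differ; rotating the fleet is a matter of changing FLEET_LABEL (or adding a version field to it) and regenerating, and the audit function is the same one you would point at an exported password list from the real estate.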
You've got a totally broken threat model.
The article describes an oil rig using dynamic positioning. The generators are running pretty much all the time, as the thrusters are continuously working to keep the rig on station.
If there is a significant mechanical failure, and the position cannot be held, then a big red button is pressed. This triggers the BOP, cutting the drill chain at the seabed, and drops the drill chain from the top.
The operator of the rig performed a risk analysis and found that even under normal mechanical failure, manual control was simply not quick enough to stop this happening. The generators, if you cannot control them from the bridge, are around 3-4 minutes away from the bridge. The thruster controls are in the legs, two of which are 1-2 minutes away, the other 3-4 minutes away, then a slow lift ride (unless the weather is rough - then it's a ladder climb). You now have 6+ people (1 for each of the four legs, 1 for each of the two generators needed) communicating via phone with the bridge to keep things working. They cannot fully practise this with every crew as, unlike on a ship, it would cause too much risk. When it has been practised, the control required to use 4 separate thrusters to keep it on station is incredibly hard without the control systems in place.
Now, an attacker comes along. We found you could disable the phone system, causing them to fall back to radios, which, even with leaky feeders, were found to be unreliable in the legs. You now don't have comms. We found that it was possible to wipe the configuration of the breakers in the main switchboard, preventing automatic synchronisation. This highlighted the problem that although the generators had synchroscopes, the bus ties did not. This made operation much more awkward. At the same time, total control over the drilling control network had been obtained. We could brick every switch and PLC, stopping that working entirely. That's just the start of the systems we took control of.
So now you've got the potential for a drive-off incident, which costs millions of dollars. Even if you don't, you have the potential to cost the company huge sums whilst they restore the config of over 400 PLCs, many of which don't have up-to-date backups.
And no, you won't wake up at the sound of small changes on a rig, unless you never sleep.
So remember kiddo, if you paint the only risk as the most severe one and in limited situations, yes, you can ignore it.
This attitude is why there are problems.
Last time I checked, I didn't need to put on a boiler suit, hard hat, safety boots, and gloves to go out to a PC in an air-conditioned space to fix a user's PC.
Then there's the weather. People die on vessels going out 300m.
https://www.londonpandi.com/knowledge/news-alerts/maib-report-on-fatal-accident-on-board-maersk-kithira/
There are no IT crew. Outside of cruise ships, there is no one with training in this. It's down to the person who knows the most IT.
Honestly, your comment is glib and pretty offensive, and totally lacking in understanding that not everyone is a desk jockey.
That's actually a lot of money for most IoT devices, where the entire cost of the device will typically be less than £5. It's got a lot more power than you would ever need, as well.
That said, there have been Pi-based commercial products, such as the early revisions of this:
https://www.geniushub.co.uk
This really isn't the case though.
The PIC18F - which currently only supports SSLv3 and below with weak ciphers - is ~£1.75 in bulk. An ARM Cortex-M3 that costs the same, has more functionality and more flash can support TLSv1.2 with good ciphers.
Time and time again I see people saying "but the hardware can't do it". It's perfectly possible to design your hardware to the same cost and have the functionality required.
People really seem to be losing perspective of what an alarm is protecting you from...
You don't expect your front door to withstand a hydraulic breach tool, or your lock to withstand a drill for 30 minutes. That's because they have been designed to protect a normal domestic property, with a small value of goods inside. The attacker is a normal burglar.
The basic wireless alarms are designed to add a layer to that protection from those attackers. It isn't meant to protect you from advanced, knowledgeable criminals. If you want that protection, you buy a graded, wired, professionally installed alarm.
I can build a device that will disable a significant number of wireless alarms on the market in the UK. It costs about £12 to make. It took very little research (relatively) to work it out.
Never seen anyone else sell them - I've even tried asking on some of the forums that are used for trading ATM skimmers, fake chip&pin terminals etc. They just aren't made - criminals aren't currently interested in bypassing alarms on domestic properties.
Which would probably be why they said "it would be beyond the capability of most would-be burglars with access to no more than basic electronic tools like wire strippers, a multi-meter, and crocodile clips".
Are you arguing that most burglars would be capable of this? That would strongly go against the available evidence.
Burglary and car theft have very different risks and rewards, which you seem to have ignored in your analogy/comparison.
You can almost entirely work out the security system on a car just by the model and year. There is very little variation. Not possible with a home alarm. It's easy for criminals to identify and target cars like this.
Once you have bypassed the security system on most modern cars, that's it. You can open the door and start the engine. Not so with a house - bypass the alarm, and you still need to deal with physical security.
Most burglaries don't result in a good reward of a known value. You might get £500, you might get £5k. Lift a high-end car, and you will be looking at a lot more.