During my internship at Georgia Tech Research Institute in their CIPHER lab, I was part of the team that placed second and won $10,000 for Track 1 at HackTheMachine 2021.
The challenge involved hacking a model of a ship that included a full bridge navigation suite and a fly-by-wire propulsion system, to accomplish arbitrary tasks like spoofing the ship’s location or taking control of the rudder.
There’s a cool walkthrough of the testbed on YouTube that shows what we worked with.
NMEA 2000
The ship replica had a central CAN bus backbone that carried commands to its components. The specific protocol used to interface with the tools is NMEA 2000. I’d never heard of this protocol before the competition, but diving into it was pretty cool.
Like many “secure” protocols in operational technology, it’s proprietary:
Although the National Marine Electronics Association divulges some information regarding the standard, it claims copyright over the standard and thus its full contents are not publicly available. For example, the NMEA publicizes which messages exist and which fields they contain, but they do not disclose how to interpret the values contained in those fields.
Interestingly, the NMEA 2000 protocol is totally unauthenticated and operates on an implicit trust model: the bus carrying the commands is assumed to be secure. Given physical access, you can inject arbitrary commands, which we leveraged for the challenges.
CANBOAT is a repo with a collection of reverse-engineered NMEA 2000 messages. It was a super helpful utility for understanding some of the offline challenges, and I was able to find PCAPs others had posted online to see what normal traffic looks like.
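To make the "implicit trust" point concrete, here is an added example (not code from this post, and not CANBOAT's own code) that decodes the 29-bit CAN identifier of an NMEA 2000 frame into priority, PGN, source and destination address, decodes the Position Rapid Update payload, and runs two defender-side checks over candump-style log lines: a PGN appearing from a source address other than the one first seen producing it, and a position fix that jumps implausibly between consecutive updates. The log lines, source addresses, coordinates and the jump threshold are all constructed for the example; the identifier layout and the PGN numbers are the standard ISO 11783 / J1939 ones that CANBOAT also documents.

```python
# Added example, not from the original post or CANBOAT.
# Decodes NMEA 2000 frame headers from candump-style lines and flags two
# anomalies a monitor on an unauthenticated bus might watch for.
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

# A few widely documented PGN numbers (NMEA list / CANBOAT).
PGN_NAMES = {
    59904: "ISO Request",
    60928: "ISO Address Claim",
    127245: "Rudder",
    127250: "Vessel Heading",
    129025: "Position, Rapid Update",
}

PGN_POSITION_RAPID = 129025


@dataclass
class Frame:
    can_id: int
    data: bytes

    @property
    def priority(self) -> int:
        return (self.can_id >> 26) & 0x7

    @property
    def source(self) -> int:
        return self.can_id & 0xFF

    @property
    def pgn(self) -> int:
        # Identifier layout: PRI(3) R(1) DP(1) PF(8) PS(8) SA(8)
        r = (self.can_id >> 25) & 0x1
        dp = (self.can_id >> 24) & 0x1
        pf = (self.can_id >> 16) & 0xFF
        ps = (self.can_id >> 8) & 0xFF
        if pf < 240:  # PDU1: PS is a destination address, not part of the PGN
            ps = 0
        return (r << 17) | (dp << 16) | (pf << 8) | ps

    @property
    def destination(self) -> int:
        pf = (self.can_id >> 16) & 0xFF
        return (self.can_id >> 8) & 0xFF if pf < 240 else 0xFF  # 0xFF = global


def parse_candump_line(line: str) -> Frame:
    # candump -L format: "(timestamp) iface ID#HEXDATA"
    _, _, payload = line.split()
    id_hex, data_hex = payload.split("#")
    return Frame(int(id_hex, 16), bytes.fromhex(data_hex))


def decode_position(frame: Frame) -> Tuple[float, float]:
    # PGN 129025: int32 latitude, int32 longitude, little-endian, 1e-7 degrees
    lat, lon = struct.unpack("<ii", frame.data[:8])
    return lat * 1e-7, lon * 1e-7


def make_position_line(source: int, lat: float, lon: float, ts: float = 0.0) -> str:
    # Helper to build a constructed PGN 129025 log line (priority 2).
    can_id = (2 << 26) | (1 << 24) | (0xF8 << 16) | (0x01 << 8) | source
    data = struct.pack("<ii", round(lat * 1e7), round(lon * 1e7))
    return f"({ts:.3f}) can0 {can_id:08X}#{data.hex().upper()}"


def analyze(lines: List[str], max_jump_deg: float = 0.01) -> List[str]:
    """Return anomaly descriptions. Heuristics (thresholds are assumptions):
    1. A PGN arrives from a source address other than the first one seen sending it.
    2. Consecutive position fixes differ by more than max_jump_deg (~1 km at 0.01)."""
    findings: List[str] = []
    producers = {}  # pgn -> first source address observed
    last_fix: Optional[Tuple[float, float]] = None
    for line in lines:
        f = parse_candump_line(line)
        name = PGN_NAMES.get(f.pgn, f"PGN {f.pgn}")
        known = producers.setdefault(f.pgn, f.source)
        if known != f.source:
            findings.append(f"{name} from unexpected source 0x{f.source:02X} (baseline 0x{known:02X})")
        if f.pgn == PGN_POSITION_RAPID:
            lat, lon = decode_position(f)
            if last_fix and (abs(lat - last_fix[0]) > max_jump_deg or abs(lon - last_fix[1]) > max_jump_deg):
                findings.append(f"position jump from ({last_fix[0]:.4f}, {last_fix[1]:.4f}) to ({lat:.4f}, {lon:.4f})")
            last_fix = (lat, lon)
    return findings


# Constructed sample bus traffic: GPS at 0x10, autopilot/rudder at 0x20,
# then a position frame from an address (0x42) that never sent one before.
SAMPLE_LOG = [
    make_position_line(0x10, 33.7756, -84.3963, 1.000),
    "(1.010) can0 09F11210#00A82AFF7FFF7FFD",  # Vessel Heading from 0x10
    "(1.020) can0 09F10D20#00FCFF7FFF7FFFFF",  # Rudder from 0x20
    make_position_line(0x10, 33.7757, -84.3963, 1.100),
    make_position_line(0x42, 33.8000, -84.4200, 1.150),
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

Run against real candump output, the same parser works unchanged; the two heuristics are deliberately simple and would need a per-bus baseline (which addresses legitimately claim which PGNs, via PGN 60928) before being trusted as alerts.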
Live hacking
Our team scored enough points in the offline challenges to qualify for a short timeslot on the live testbed. As an intern, it was awesome to be trusted as the hands-on-keyboard operator during our official run.
I’d prepared a number of Python scripts to automate the various challenge tasks, by sending pre-crafted NMEA 2000 commands over a serial port to the testbed during our timeslot.
There’s often a gap between theory and practice, and since during our timeslot we were SSH’d into a laptop connected to the testbed, the serial port connection didn’t work as expected.
I spent a few minutes debugging, but ultimately pivoted to running the pre-prepared commands manually to make sure we didn’t waste too much time. The team helped out with making sure we were prioritizing the right tasks and getting things working correctly.
It was pretty cool to see the rudder start to move and GPS glitch as we got stuff working on the live stream. We managed to complete enough tasks to put us in 1st place, though we were eventually knocked down to 2nd once another team had their timeslot.
Takeaways
The competition was a blast, and I learned a lot about OT networks and boats, and got more practice decoding PCAPs. I also got to spend more time working with OT protocols during my internship at Censys; there’s a lot of it on the internet! The state of OT infrastructure security is pretty wild, but there’s a lot of work being done to harden it.