Practical maritime OSINT

Advancing telecommunications positively affects the maritime industry. The industry is more organized and well-connected; however, the rising technology brings new challenges and vulnerabilities.

Although flags and semaphores are still applicable in some cases, most communications are radio-based. Vessel traffic service (VTS) tracks maritime traffic similar to what the air traffic controller does for aircraft; the VTS receives vessel information via the AIS system. The automatic identification system (AIS) helps in collision avoidance, navigation, facilitates search and rescue, and assists fleet and cargo tracking by transmitting the following information in real-time:

• Ship identity
• IMO number (7 digit unique ship identifier number)
• Length
• Type of vessel
• Destination
• Route plan
• Type of cargo
• ETA (estimated time of arrival)

AIS uses a transceiver for bi-directional communication; it sends information to shore stations, other ships, and satellites (S-AIS). The vessel-based-AIS facilitates ship-to-ship and vessel-to-shore communication due to its range (about 20-30 miles); however, the S-AIS tracks ships in the deep sea farther from the coastline. The AIS, similar to ADB-S, transmits information in plain text; it is an unprotected radio system prone to sniffing, spoofing, and other attacks. 

Tracking maritime traffic

Online services, such as marinetraffic.com, vesselfinder.com, and fleetmon.com use both vessel-based and S-AIS to track the ships. The free subscription allows tracking ships near the coastline; however, a trial or a premium account gives plenty of helpful information. For OSINT analysis, gathering the following information is suggested:

• Vessel owners
• Ship schedules
• Ship ports and destination
• Assess how long the vessel will be at its destination
• What else the ship is transporting
• Who's on the boat, as well as what information can we glean from the sailors?
• Which sort of technology is using on the vessel, and is it hackable?
• What is available on social networking sites?
• If there are any marine strategies that we may glean from social networking sites' posts?

Further research depends on the goal of the OSINT analysis; if you are interested in a particular ship, you can search it via its name or IMO. Secondly, we can also conduct research about a specific port to determine its business activities; the vessel filter provides rich filtration options. We can select any particular sort of ship, for instance, cargo, tanker, passenger, etc.

Let’s consider a passenger vessel example. The basic search reveals ship’s current location, weather, speed, and other important information, such as its IMO number, year of built, capacity, flag, call sign, size, builder, and owner information.

We can also see the details of the companies operating at the destination port. This information helps further analyzing the ship's activities at the port. The owner information is a strong lead; we can follow this and try to find out the team members' information.

Myship.com is a career portal that holds information about the people working in the maritime industry; secondly, social media sites, especially LinkedIn, are ideal for discovering relevant people.

A basic search reveals former and current employees of that particular ship. 

LinkedIn also suggests more than 900 employees working in that company, the CEO, captain, operation department people, and other key personnel profiles are open for further investigation.

This information is very crucial; attackers generally target employees to get into the corporation’s network. In this scenario, the attacker might infect an employee's personal device, and once the employee connects his device with the ship’s network, it will put the ship at risk. Furthermore, there could be many attack vectors that an attacker might use.

Since it is a passenger ship, we can also explore the information of the passengers; Instagram and Facebook searches along with event pages and relevant hashtags provide tons of valuable information about passengers.

Explore connected network devices

Modern ships utilize interconnected devices for various purposes, such as communication and IoT. Let’s look at VSAT, radio, and satellite devices using Shodan, Censys, or Zoomeye.

Cobham SATCOM provides integrated technology to facilitate all sorts of communications for the cruise; it also provides an Internet connection for onboard passengers. Similarly, Inmarsat provides satellite communication facilities; searching those keywords on search engines gives valuable information. Commbox is also an interesting search term; it connects ship’s network with the office network for the crew to manage the office routine work.

A fundamental vulnerability analysis or even Zoomeye result shows many web-based vulnerabilities that an attacker might exploit to get into that ship’s network.

After finding the web-based portal, we can also try logging in using the default credentials; companies usually don’t harden the security of these devices; look at the SSL.

Sailor 900 VSAT is also an exciting search term; it is an antenna system often installed in ships. The search result of this keyword on Censys can reveal an open administrative portal.

These things can provide exciting information to any attacker; they can see the ship's coordinates and the frequencies; most importantly, it allows them to alter the information without authorization. I did not this IP further, but I am sure it consists of many vulnerabilities. It also gives internal network information because SNMP, Telnet, and many other ports are open.

Wrap up

Communication technology and increasing network accessibility play an essential role in the maritime sector. The sea transportation sector has made daily procedures simpler - but they have also exposed it to many types of assaults.

Attackers can gather valuable information about specific vessels or crew members using a few OSINT websites. By delivering phishing emails to the crews operating on vessels, any attacker can begin an assault. User education is, as always, very important in this sector.