Attack Chain

1. Attacker identifies a vulnerable Signal K server.
2. Attacker establishes a WebSocket connection to ws://server:3000/signalk/v1/stream?subscribe=none.
3. The server sends a hello message, confirming the connection.
4. Attacker sends a series of login attempts via WebSocket messages using the following JSON format: {"requestId": "1", "login": {"username": "admin", "password": "guess1"}}.
5. The server processes each login attempt without rate limiting.
6. Attacker continues sending login attempts using different password guesses.
7. If successful, the attacker gains unauthorized access to the Signal K server.

Impact

Successful exploitation of this vulnerability allows attackers to bypass HTTP rate limiting and brute-force credentials to gain unauthorized access to Signal K servers. An attacker can achieve a brute-forcing speed of approximately 20 attempts per second, limited by the bcrypt hashing algorithm. A dictionary attack with 10,000 words can be completed in approximately 8 minutes over a single connection. Since Signal K servers are commonly deployed on boat networks, successful exploitation can lead to unauthorized access to sensitive maritime data.

Recommendation

• Monitor network connections to Signal K servers for unusually high rates of WebSocket login attempts. Create a detection rule that triggers when a single IP address sends more than 5 login attempts per second via the WebSocket protocol.
• Deploy the Sigma rule Detect High Volume SignalK WebSocket Login Attempts to identify potential brute-force attacks against Signal K servers.
• Upgrade Signal K servers to a patched version that includes rate limiting on the WebSocket login endpoint.