Remotely hacking ships shouldn’t be this easy, and yet …
Look at all the boats.
The Internet of Things has shown us time and time again that nothing connected to the internet is safe from hackers, and yet we’ve mostly written off security-camera fueled botnets as someone else’s problem.
But what if the thing in question happens to be a boat loaded with weapons?
A group of cybersecurity researchers is having a field day online with the discovery that the configuration of certain ships’ satellite antenna systems leaves them wide open to attack — and the possible consequences are startling.
Anyone who gained access to the system in question, and was so inclined, could manually change a ship’s GPS coordinates or possibly even brick the boat’s navigation system entirely by uploading new firmware. And why would anyone want to do that?
"Next gen boat ransomware?," suggested the security researcher x0rz over Twitter direct message with Mashable. "Military special operations? Somalian pirates 2.0?"
The recent revelation appears to have kicked off with the creation of a ship-tracking map, credited to Jeff Merrick, which shows the real-time locations of boats around the globe. The map is powered by data from Shodan, a search engine that lets users search for internet-connected devices and, according to x0rz, uses data from boats’ very small aperture terminals (VSAT) to pinpoint their locations.
VSATs are common tech on yachts, and allow for internet access and communication even when boats are in movement. Interestingly, at least some boats with one type of VSAT, the SAILOR 900, have public IPv4 addresses without any firewall. And, you guessed it, Shodan makes it possible to search for this type of device.
Once located, data about the boat — such as its location — is readily available.
Oh there it is.
But here’s where things get wild: The default login credentials, which are easily found online, remain unchanged on at least some of these devices (we’re choosing not to publish those credentials for what we hope are obvious reasons) — allowing anyone to gain administrator-level access. Once in, x0rz confirmed to Mashable, a ship’s GPS coordinates can be manually changed. What’s more, an attacker could upload their own firmware and possibly brick the entire navigation system in the process.
"It’s just badly configured," explained x0rz, "but just like as the rest of the Internet (banking, energy, corporate, …)."
With just a little googling, a person can determine a bit more about the vessel in question — like, for example, that it contains a "secure, sealed, climate-controlled armoury."
بعد البحث عن هذه السفينة أكثر اكتشفت بعد تنبيه احد الاخوة انها سفينة MNG Discovery وهي سفينة تقوم بنقل الأسلحة لمحاربة قراصنة الصومال! pic.twitter.com/KTNOSVbv3p
— محمد الدوب (@Voulnet) July 18, 2017
This isn’t the first time someone has called out Cobham, the UK company that manufactures the SAILOR 900, for potentially problematic security vulnerabilities. A 2014 security white paper from IOActive, a cybersecurity research team, dived into the SAILOR 900 and found that the "vulnerabilities in these terminals make attacks that disrupt or spoof information consumed by the on-board navigations systems, such as ECDIS, technically possible, since navigation charts can be updated in real time via satellite."
One of the VSAT wide open ship is a from a private maritime security company (PMSC), loaded with guns & ammunition pic.twitter.com/fL2i1cbgRH
— x0rz (@x0rz) July 18, 2017
So what does Cobham have to say about all of this? We reached out to the company, but have yet to receive a response. We’ll update if and when we do.
How worried should we be?
Like so many things, the answer to whether or not we should be concerned about ships being hacked is: it depends. Importantly, x0rz pointed out that the number of boats easily accessible in the above-described manner is limited. However, he also noted that "one is enough to cause a catastrophic event, right?"
And if the boat in question is carrying hazardous material, weapons, or happens to be something other than a pleasure yacht? Well, then we may suddenly find ourselves taking these kind of vulnerabilities a lot more seriously.