Hacking on the high seas is no longer a matter of fiction. Security researchers discovered vulnerabilities in the communications and navigation networks used by the shipping industry which could potentially be exploited by hackers looking to track, hijack, redirect, steal and even sink shipping vessels.
Security researchers at Pen Test Partners tested over 20 Electronic Chart Display and Information Systems (ECDIS) - the system used by ships to navigate oceans. The researchers found several vulnerabilities in ECDIS which could potentially give hackers the ability to take control of the operational technology (OT) system. This system is used to control ships’ engines, steering, ballast pumps and more.
The vulnerabilities in ECDIS could also be exploited by attackers to redirect a ship onto a different course, while tricking the crew into believing that the ship is on the right path.
“Hack the ECDIS and you may be able to crash the ship, particularly in fog. Younger crews get ‘screen fixated’ all too often, believing the electronic screens instead of looking out of the window,” Pen Test Partners researchers wrote in a blog.
Apart from vulnerabilities in the shipping systems, the industry is also plagued by a lack of proper security hygiene, with many using default credentials on critical systems. Others still employ old and outdated systems such as Windows NT. According to Pen Test researchers, an operating system popular with the US military was also spotted using the outdated Windows NT.
Researchers discovered administration interfaces over HTTP and telnet, no firmware signing and the ability to edit the web app running on the terminal. The ships tested by the researchers also had little to no protections in place to prevent hackers from escalating their attacks.
Overall, Pen Test researchers were able to hijack ECDIS to alter a ship’s route, make changes in the data used to communicate with GPS satellites, gain complete control of a ship’s autopilot and more. The researchers were also able to hack and monitor a ship’s satellite communications, which, in turn, could give them the ability to live-track the location and vulnerability of nearby ships in real time, SC Magazine reported.
Security in the shipping industry is still in its nascent stage, with players within the industry failing to properly update shipping technology. As a result, issues that were fixed ages ago in the mainstream IT industry still continue to plague the shipping community.
“The advent of always-on satellite connections has exposed shipping to hacking attacks. Vessel owners and operators need to address these issues quickly, or more shipping security incidents will occur. What we’ve only seen in the movies will quickly become reality,” Pen Test researchers said.