Seven ways attackers can hack yachts — and other ships
- March 12, 2020
- Posted by: Kerry Tomlinson, Archer News
Hacking a yacht or other seafaring vessel?
Cyber crooks have an array of options.
Researchers sounded the alarm over yacht hacking years back. But not every owner and crew has heeded the warnings.
Walk the marina in Cabo San Lucas, Mexico, and you’ll see dozens of yachts for rent, for fishing or for a luxury week at sea.
Many are connected with Wi-Fi and more.
While some owners use lasers to zap paparazzi cameras, others may roll out the red carpet for cyber crooks.
Easy to Attack
In 2018, researcher Stephan Gerling of ROSEN Group showed at a cybersecurity conference in the port city of Sochi, Russia, how he could easily hack yachts.
Now, in 2020, what has changed?
Yachts are still hackable, Gerling said.
“It’s like attacking a normal computer network in a company, it’s the same attack tactics,” he told Archer News.
“In our experience, the cybersecurity of superyachts can be very poor,” said cyber investigator Ken Munro with Pen Test Partners, who has demonstrated how to hack ships in multiple ways. “Although we have seen examples of excellent security.”
Seven Ways In:
One of the easiest ways to attack a yacht, smart boat or commercial ship may be through email.
“The ship is like an office, a network that you can access from anywhere,” Gerling said. “When you can send in an email with malware attachments or with a link where they have to click on, then you have the same capabilities as in a targeted attack in an office.”
Reports say crooks have tricked owners into sending big payments to the crooks' own accounts, like a more-than-$100,000 fake fuel payment and more than $12 million for a boat-buy.
But floating office cyberattacks can hurt more than your bank account, if attackers hack engine controls.
“When you have control over the engines, then you can do whatever you want,” Gerling said. “When you want to crash the ship, to have some financial loss to the owner or whoever is owning the ship, then you can try maybe on maneuvering and crash it into the port. Or the worst thing that you can do is try it at high sea and then crash it in another ship to make it worse damage.”
Crooks sent out poisoned emails last month with the subject “Coronavirus – Brief note for the shipping industry”, according to Proofpoint.
Last year, the U.S. Coast Guard warned about phishing emails targeting ships — pretending to be a port authority and stealing info — as well as reports of malware designed to hit crucial ship controls.
A ship heading into New York in February 2019 had a “significant cyber incident,” according to the Coast Guard.
Malware “significantly degraded the functionality of the onboard computer system,” though luckily did not hit “essential vessel control systems.”
Ransomware tortured shipping company Maersk on shore in 2017, but could cause more problems at sea.
In one case, ransomware grounded a ship at an Asian port, shutting down the switchboard that manages power for the propeller and other equipment, the BBC reported in 2017.
Attacks may come in the form of a thumb drive.
At another Asian port, a crew member reportedly brought a thumb drive on board to print paperwork and brought malware, too, the BBC said.
The malware infected navigation systems and halted the launch.
Another way in — Wi-Fi.
For example, you may connect to the harbor Wi-Fi in port.
But are you sure it’s really the harbor or another one with a look-alike name?
Yachts may have insecure Wi-Fi networks, according to Campbell Murray with BlackBerry.
In 2017, Murray said it took 30 minutes for him to hack the Wi-Fi of a multimillion-dollar yacht next to him in the water.
“Owners like to have strong Wi-Fi so they can operate their businesses from the vessel,” Murray said in a Guardian article. “But this means that the network extends quite far from the actual ship to other vessels and the shore. If you moor up in Monaco, who are you moored up next to?”
5. Smart Devices
Security holes in smart TVs, voice assistants and security cameras can turn cyber crashers into spies.
And even ships’ captains, with enough extra work.
“I’m going from one system to the next one, going to the next one, going to the next one, until I’m at the target where I have full control over the ship,” Gerling said.
GPS can be hackable, as shown in a 2013 experiment that steered a yacht off course.
It can be jammed or fed wrong information.
One study found almost 10,000 cases of fake location data sent to ships since 2016.
“GPS spoofing will always be a problem where there is a sufficiently motivated threat actor,” Munro said.
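A defensive check for the "wrong information" case, as an added example that is not from the article or from any researcher quoted in it: it validates the checksum on NMEA 0183 RMC position sentences (the message format GPS receivers emit on board) and flags any fix that implies an impossible speed. The function names, the 60-knot threshold and the sample sentences are assumptions constructed for illustration.

```python
import math
from functools import reduce

def checksum(body):
    """XOR of every character between '$' and '*', as two hex digits."""
    return f"{reduce(lambda a, c: a ^ ord(c), body, 0):02X}"

def parse_rmc(sentence):
    """Return (seconds_of_day, lat, lon), or None if malformed or checksum fails."""
    body, _, given = sentence.strip()[1:].partition("*")
    f = body.split(",")
    if checksum(body) != given.upper() or len(f) < 7 or f[0][2:] != "RMC" or f[2] != "A":
        return None
    try:
        t = int(f[1][0:2]) * 3600 + int(f[1][2:4]) * 60 + float(f[1][4:])
        lat = int(f[3][:2]) + float(f[3][2:]) / 60    # ddmm.mmmm
        lon = int(f[5][:3]) + float(f[5][3:]) / 60    # dddmm.mmmm
    except ValueError:
        return None
    return t, (-lat if f[4] == "S" else lat), (-lon if f[6] == "W" else lon)

def knots(a, b):
    """Speed implied by two (t, lat, lon) fixes, using haversine distance in nautical miles."""
    p1, l1, p2, l2 = map(math.radians, (a[1], a[2], b[1], b[2]))
    h = math.sin((p2 - p1) / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin((l2 - l1) / 2) ** 2
    return 2 * 3440.065 * math.asin(math.sqrt(h)) / ((b[0] - a[0]) / 3600)

def audit(sentences, max_knots=60.0):
    """Return (index, reason) for each sentence that is invalid or implies impossible speed."""
    alerts, last = [], None
    for i, s in enumerate(sentences):
        fix = parse_rmc(s)
        if fix is None:
            alerts.append((i, "invalid"))
        # Only compare fixes with increasing time (midnight rollover is not handled).
        elif last and fix[0] > last[0] and knots(last, fix) > max_knots:
            alerts.append((i, "jump"))
        last = fix or last
    return alerts

def rmc(hhmmss, lat, lon):
    """Build a constructed sample RMC sentence with a correct checksum."""
    body = f"GPRMC,{hhmmss},A,{lat},N,{lon},E,8.0,90.0,120320,,"
    return f"${body}*{checksum(body)}"

SAMPLE = [rmc("120000", "4342.0000", "00725.0000"),   # constructed, not captured data
          rmc("120010", "4342.0000", "00725.0300"),   # about 8 knots: plausible
          rmc("120020", "4342.0000", "00825.0000"),   # one degree of longitude in 10 s
          rmc("120030", "4342.0000", "00825.0300").replace("00825", "00725")]  # edited after checksum
```

A plausibility check like this catches abrupt position jumps and corrupted sentences, not a slow drift; that needs a cross-check against a second position source.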
7. Machines & Software
Researchers have found ways to hack or fool satellite equipment, bridge controls, industrial devices and the software running on them.
If crews don’t change the default passwords that come on new devices, anyone can look up the password and get in on their own.
Munro described how he can hack satellite communications systems, the satellite terminal, the Electronic Chart Display and Information System or ECDIS, and NMEA 0183 messages in a blog post.
Attackers can abuse vulnerabilities in devices and software.
For example, a malware called ECHOBOT targets a vulnerability in a yacht control web application, according to Palo Alto Networks.
The web application controls the power generator, lights, heating, air conditioning and other systems.
Some yacht owners dismiss cyberattack warnings, according to Gerling.
“Most of the owners don’t care about that,” he said. “Some of the owners care only about privacy. The safety or security, ‘So, the captain is responsible for that.’ And most of the captains don’t know about that.”
For other ships, changes may be coming.
The latest Guidelines on Cybersecurity Onboard Ships from a group of maritime organizations including shipping association BIMCO and cruise lines association CLIA “encourages administrations to ensure that cyber risks are appropriately addressed in safety management systems no later than the first annual verification of the company’s Document of Compliance after 1 January 2021.”
All Hands on Deck
The case of the New York-bound ship cyberattack shows what some owners, captains and crews are not doing.
“…(T)he interagency response found that the vessel was operating without effective cybersecurity measures in place, exposing critical vessel control systems to significant vulnerabilities,” the Coast Guard bulletin read.
“Prior to the incident, the security risk presented by the shipboard network was well known among the crew,” it continued.
The ship used just one computer network for both business and engine control, allowing smooth sailing for attackers wanting to mess with the ship’s industrial functions.
A few crew members used the network for personal email and banking as well.
The crew also used thumb drives to transfer cargo data without checking for malware first.
But 47% said they had worked on a ship that had been targeted by a cyber attack.
Just 15% said they had received any cyber security training.
Only 18% had a work policy requiring that they change the default passwords that come on devices.
—Check what you plug in
—Change the default passwords that come on devices
—Update or patch your systems
—Plan for a cyber attack
The Coast Guard also recommends:
—Install antivirus software
—Create a network profile/password for each employee rather than generic logins
—Require employees to enter a password and/or insert an ID card to log on to onboard equipment
—Limit access/privileges to only those levels necessary to allow each user to do his or her job
Planning could ease the pain if you find yourself adrift and under attack, like the case reported in Fort Lauderdale Magazine at the end of 2018.
Controls reportedly froze on a yacht in the Mediterranean.
A note appeared on ship computers saying attackers had hacked the navigation system.
Pay up, or we’ll send you aground.
No word on what happened next.
But for high seas pirates, this might turn out to be an easier way to carry out misdeeds.