Naval systems that track the current position of ships have an array of vulnerabilities that could make it simple for hackers to break in, the BBC reported on Thursday, which could enable attackers to set off collision alarms on other vessels.
Ken Munro of Pen Test Partners (PTP), which is releasing some details of a proof-of-concept attack on a navigation system called the Electronic Chart Display for the Infosecurity Europe conference, told the BBC, “There are really basic steps that can be taken to prevent this from happening. In our experience, security on board ships is often dire.”
According to the BBC, Munro took note of earlier findings that many ships never bother to change their satellite communication equipment’s default passwords and usernames—finding that in such a situation he could gain access to and alter GPS settings:
The receiver’s location can be moved by only about 300m (984ft), but he said that was enough to force an accident.
“That doesn’t sound like much, but in poor visibility it’s the difference between crashing and not crashing,” he said.
He added that it was also possible to make the software identify the boat as being much bigger than its true size - up to 1km sq.
Munro suggested that while it would be obvious to captains that no real collision had occurred, simply setting off the alarms could cause havoc in shipping lanes. According to the Register, the team also suggested that gaining access to the Electronic Chart Display could be enough to crash or ground the ship in poor visibility conditions where the crew might be “screen fixated.”
Many of the vulnerabilities can be fixed by simply setting strong passwords on all communications equipment and installing the latest updates, though University of Plymouth Maritime Cyber Threats experts told the BBC that deck officers and authorities would likely be able to coordinate naval traffic manually in the event of a breach.
However, other shipboard controls like Operation Technology systems managing “the steering gear, engines, ballast pumps and more” communicate in unprotected plain text. PTP presenters at the conference said this could be used to steer a ship off course by modifying its GPS autopilot, the Register wrote.
Department of Homeland Security researchers recently reached similar, if not more dire, conclusions about cybersecurity preparations in civilian aircraft, finding that “viable” attack vectors exist which could potentially jeopardize pilots’ control of an aircraft.