Years-old security issues mostly stamped out in enterprise technology remain in maritime environments, leaving ships vulnerable to hacking, tracking and worse.
A demo at the Infosecurity Europe conference in London by Ken Munro and Iian Lewis of Pen Test Partners (PTP) demonstrated multiple methods to interrupt the shipping industry. Weak default passwords, failure to apply software updates and a lack of encryption enable a variety of attacks.
“Ship security is in its infancy – most of these types of issues were fixed years ago in mainstream IT systems,” Pen Test Partners’ Ken Munro says, and points out that the advent of always-on satellite connections has exposed shipping to hacking attacks.
As reported by the BBC, security researcher Ken Munro from Pen Test Partners has discovered that a ship navigation system called the Electronic Chart Display (Ecdis) can be compromised, potentially to disastrous effect.
Ecdis is a system commonly used in the shipping industry by crews to pinpoint their locations through GPS, to set directions, and as a replacement to pen-and-paper charts.
The system is also touted as a means to reduce the workload on navigators by automatically dealing with route planning, monitoring, and location updates.
However, Munro suggests that a vulnerability in the Ecdis navigation system could cause utter chaos in the English Channel should threat actors choose to exploit it.
The vulnerability, when exploited, allows attackers to reconfigure the software to shift the recorded location of a ship’s GPS receiver by up to 300 meters.
(Via Latest Topic for ZDNet in security)
I’ve been talking with companies in this space about these types of issues. While Munro’s research is telling, this is not shocking.
It does very nicely illustrate the real values in good penetration testing: challenging assumptions, taking nothing for granted, and divorcing motive from threat.
For example, the 300-meter location discrepancy could have nothing to do with the shipping company or the ship itself. It could be used by a crypto mining concern looking to delay the arrival of new GPUs for a rival firm. This type of attack could be part of a larger series of attacks, subtle enough that further investigation would be unlikely (as opposed to the English Channel scenario in the ZDNet article), and could reap substantial benefits for the crypto mining concern.
I believe it to be a war of pretexts, a war in which the true motive is not distinctly avowed, but in which pretenses, after-thoughts, evasions and other methods are employed to put a case before the community which is not the true case.
DANIEL WEBSTER: Speech in Springfield, Mass., Sept. 29, 1847