Poorly maintained IT systems on container ships are leaving the vessels open to cyber-attack and catastrophe, it is claimed.
This is according to folks this week at security house Pen Test Partners, who found that in some cases, connected maritime devices dating back to the early 1990s are being left open to the public internet for miscreants to play with. Many devices also have hardcoded and easily discoverable passwords.
This may all seem like some kind of fantasy based on the plot of the hit 1990s movie Hackers, in which heroes Acid Burn and Zero Cool and their cyber-pals race to stop malware sinking a bunch of oil tankers. However, UK-based Pen Test Partners (PTP) have dug up legit vulnerabilities before, so forgive us if we give them the benefit of the doubt here.
“If one was suitably motivated, perhaps by a nation state or a crime syndicate, one could bring about the sinking of a ship,” explained PTP consultant Ken Munro. “Maybe one wanted to delay an LNG shipment in winter to a country running out of gas, affecting spot prices.”
And how exactly would the theoretical hacker go about sinking or waylaying the ship? Munro says that wreaking havoc on your average container ship would be as simple as messing with its ballast tanks, shifting the distribution of the weight from one part of the vessel to another and causing it to tip.
Modern container ships are basically floating hulls that are stacked high with cargo that has been weighed to make the boat stable. Blowing the ballast tanks on one side and filling the others might well make a craft unstable, particularly if coupled with an attacker forcing the ship to make a sharp turn at 25 knots.
This, explains Munro, would be terrifyingly easy to accomplish once the hacker gains a foothold within the ship’s computer network, such as by finding a vulnerable edge device like a digital compass or GPS receiver, or simply by getting malware onto the personal laptop of a captain or crew member.
Once within the ship’s network, the attacker would likely encounter little in the way of resistance or protections that would stop access to the industrial controllers that manage the critical ballast pumps and autopilot or navigation (ECDIS) systems. Shipping systems rarely have firewalls or intrusion detection systems and, once in place, malware usually has a free rein.
“Consider that some ECDIS devices still run Windows XP, and to a lesser degree Windows NT, released in 1993 don’t forget,” Munro explained.
“Any half-decent attacker can happily abuse these operating systems all day long and still cover their tracks effectively. This means that trying to establish confidence in the data that these systems hold will be difficult at best, impossible at worst.”
This isn’t the first time Munro and his crew have taken the maritime industry to task for lax security protections. Last summer, Pen Test Partners put together a full presentation showing the myriad ways miscreants can mess with vessels on the high seas by exploiting bugs in connected appliances and tracking gear on board.