


Hackers Can Hijack, Sink Ships: Researchers

Vulnerable ship tracker by Pen Test Partners


Insecure configurations and vulnerabilities in communications and navigation systems can allow hackers to remotely track, hijack and sink ships, according to researchers at penetration testing and cybersecurity firm Pen Test Partners.

In October 2017, Pen Test Partners presented its research into vulnerabilities affecting the satellite communications (satcom) systems used by vessels. The company has continued to analyze software and hardware used in the maritime industry and found that they are affected by serious flaws.

It has also created an interactive map that can be used to track vulnerable ships. The tracker combines data from Shodan with GPS coordinates and it can show vulnerable ships in real time. However, the company will only periodically refresh the data shown on the map in an effort to prevent abuse.

Satellite communications is the component that exposes ships to remote hacker attacks, as shown by Pen Test Partners last year and, at around the same time, by researchers at IOActive.

While there are some vulnerabilities in these systems themselves, the main issue is that many satcom terminals continue to use default credentials, allowing unauthorized users to gain admin-level access.

Many of the security holes disclosed this week by Pen Test Partners can be mitigated by setting a strong administrator password on the satcom terminal. Other serious issues discovered by researchers have been reported to Cobham, whose Fleet One terminal was used in experiments, and have not been disclosed.

According to researchers, once an attacker gains access to the terminal, they can replace the firmware because it lacks proper validation checks, or downgrade it to an older and more vulnerable version, and they can edit the web application running on the terminal. Experts also discovered poorly protected admin passwords in configuration files.


An even bigger problem, researchers warn, is that once an attacker gains access to the satcom terminal, they can move laterally to other systems. One of them is the Electronic Chart Display and Information System (ECDIS), which is used by vessels for navigation.

Since the ECDIS can be connected directly to the autopilot feature, hacking this system can allow an attacker to take control of a ship.

“We tested over 20 different ECDIS units and found all sorts of crazy security flaws. Most ran old operating systems, including one popular in the military that still runs Windows NT,” explained Pen Test Partners researcher Ken Munro.

In one case, the ECDIS had a poorly protected configuration interface that allowed an attacker to spoof the position of the GPS receiver on the ship and make the vessel “jump” to a slightly different location.

Reconfiguring the ECDIS can also allow an attacker to change the size of the targeted ship as seen by other nearby vessels via the automatic identification system (AIS) tracker.

“So, simply spoof the ECDIS using the vulnerable config interface, ‘grow’ the ship and ‘jump’ it into the shipping lanes,” Munro explained. “Other ships’ AIS will alert the ship’s captain to a collision scenario. It would be a brave captain indeed to continue down a busy, narrow shipping lane whilst the collision alarms are sounding. Block the English Channel and you may start to affect our supply chain.”

Another attack scenario described by Pen Test Partners targets the operational technology (OT) systems on board a ship. These systems are used to control steering, engines, ballast pumps and other components, and they communicate via the NMEA 0183 protocol.

Since messages sent over NMEA 0183 don’t use any authentication, encryption or validation, a man-in-the-middle (MitM) attacker can modify the data and, for example, inject small errors that would cause the ship to alter its course when autopilot is engaged, researchers warn.
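As a defensive illustration added here (not code from Pen Test Partners or the original article): the only integrity field an NMEA 0183 sentence carries is an XOR checksum that any sender can recompute, so a monitor has to judge plausibility instead. This Python example checks that checksum on RMC position sentences and flags fixes that imply an impossible speed, such as the position "jump" described above. The function names, the 40-knot ceiling and the sample feed are assumptions constructed for the example.

```python
import math
from functools import reduce
MAX_KNOTS = 40.0  # assumed plausibility ceiling for a merchant vessel

def checksum(body):  # XOR of every byte between '$' and '*'
    return reduce(lambda a, b: a ^ b, body.encode("ascii", "replace"), 0)

def frame(body):  # only used to build the constructed sample feed below
    return f"${body}*{checksum(body):02X}"

def checksum_ok(sentence):
    body, sep, given = sentence.strip().lstrip("$").partition("*")
    return bool(sep) and given[:2].upper() == f"{checksum(body):02X}"

def to_degrees(value, hemi):  # ddmm.mmm / dddmm.mmm -> signed decimal degrees
    raw = float(value)
    return (raw // 100 + raw % 100 / 60.0) * (-1 if hemi in ("S", "W") else 1)

def parse_rmc(sentence):
    f = sentence.split("*")[0].split(",")
    secs = int(f[1][0:2]) * 3600 + int(f[1][2:4]) * 60 + float(f[1][4:])
    return secs, to_degrees(f[3], f[4]), to_degrees(f[5], f[6])

def distance_nm(lat1, lon1, lat2, lon2):  # haversine, in nautical miles
    p1, p2, dl = map(math.radians, (lat1, lat2, lon2 - lon1))
    a = math.sin((p2 - p1) / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * 3440.065 * math.asin(math.sqrt(a))

def audit(feed):  # returns (index, reason) alerts for the given sentences
    alerts, prev = [], None
    for i, s in enumerate(feed):
        if not checksum_ok(s):
            alerts.append((i, "bad checksum"))
        elif s[3:6] == "RMC":
            secs, lat, lon = parse_rmc(s)
            if prev and secs > prev[0]:
                # Speed the vessel would need to cover the gap between fixes.
                knots = distance_nm(*prev[1:], lat, lon) * 3600 / (secs - prev[0])
                if knots > MAX_KNOTS:
                    alerts.append((i, f"implied speed {knots:.0f} kn"))
            prev = (secs, lat, lon)
    return alerts

# Constructed sample feed: one fix every 10 s, the third "jumps" about 2 nm.
FEED = [frame(b) for b in (
    "GPRMC,120000.00,A,5058.000,N,00120.000,E,12.0,045.0,010118,,",
    "GPRMC,120010.00,A,5058.020,N,00120.030,E,12.0,045.0,010118,,",
    "GPRMC,120020.00,A,5059.500,N,00122.000,E,12.0,045.0,010118,,",
)]
```

All three sample sentences pass the checksum, including the one with the jumped position, which is why `audit` relies on the speed check rather than the checksum to raise the alert.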

“The advent of always-on satellite connections has exposed shipping to hacking attacks. Vessel owners and operators need to address these issues quickly, or more shipping security incidents will occur. What we’ve only seen in the movies will quickly become reality,” Munro concluded.


Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
