Maybe we should call it a dumpster fire, but whether we call it a shipwreck or a dumpster fire, it is a mess.
According to pen testers, shipping industry security is where mainstream IT was years ago.
The pen testers say that the attacks are TRIVIAL to execute and easy to mitigate.
These ships are connected via satellite and are always on the Internet, like most businesses, but they run old, insecure software.
The pen testers created proof-of-concept attacks in which they took ships off course. A bad guy could cause ships to collide at night or in fog.
The flaws that they revealed are just the tip of the iceberg, the pen testers say.
They say that this is definitely a matter of when a big attack happens and not if.
One attack targeted the electronic chart display and information system (ECDIS). Hack the charts, and young sailors who trust the computer instead of “looking out the window” will be easily fooled. The testers examined 20 different ECDIS systems, and all of them were easy to hack. If the ship's autopilot is tied to ECDIS and ECDIS is hacked, the attackers can steer the ship anywhere they want. That is just one attack.
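The lesson for anyone building or operating systems like this is that the autopilot trusts the chart data without checking it. As an added illustration (this is not code from Threatpost or from the pen testers, and the chart names, contents and key are made up for the example), here is the shape of an integrity check that a bridge system could run before loading chart cells: every chart is hashed, the list of hashes is authenticated with a keyed MAC, and a modified chart or a rewritten manifest is refused. The assumption is that the manifest key is provisioned out of band and is not stored next to the chart directory that updates are written into; otherwise whoever can rewrite the charts can rewrite the manifest too.

```python
import hashlib
import hmac

# Constructed sample "chart files": name -> bytes. Real ECDIS charts are
# S-57/S-63 cells; these stand-ins only illustrate the integrity check.
CHARTS = {
    "US5NYCOM.000": b"cell US5NYCOM depth contours v12 ...",
    "GB4X0000.000": b"cell GB4X0000 hazards v7 ...",
}

# Assumption for the example: provisioned out of band and kept apart from
# the directory that chart updates land in, so a chart writer cannot re-sign.
MANIFEST_KEY = b"per-vessel-manifest-key"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _canonical(entries: dict) -> bytes:
    # Sorted, fixed layout so the MAC does not depend on dict ordering.
    return "\n".join(f"{n} {h}" for n, h in sorted(entries.items())).encode()


def build_manifest(charts: dict, key: bytes = MANIFEST_KEY):
    """Return (entries, tag): chart name -> SHA-256, plus an HMAC over the entries."""
    entries = {name: sha256_hex(data) for name, data in charts.items()}
    tag = hmac.new(key, _canonical(entries), hashlib.sha256).hexdigest()
    return entries, tag


def verify_charts(charts: dict, entries: dict, tag: str, key: bytes = MANIFEST_KEY):
    """Return a list of problems; an empty list means every chart matches the manifest.

    The manifest tag is checked first: if the manifest itself was altered,
    per-chart hashes prove nothing, so we stop there.
    """
    expected_tag = hmac.new(key, _canonical(entries), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected_tag):
        return ["manifest tag mismatch: manifest itself was altered"]
    problems = []
    for name, expected in entries.items():
        if name not in charts:
            problems.append(f"{name}: missing")
        elif sha256_hex(charts[name]) != expected:
            problems.append(f"{name}: hash mismatch (chart modified)")
    for name in charts:
        if name not in entries:
            problems.append(f"{name}: not in manifest (unexpected chart)")
    return problems


if __name__ == "__main__":
    entries, tag = build_manifest(CHARTS)
    print("clean:", verify_charts(CHARTS, entries, tag))
    tampered = dict(CHARTS)
    tampered["GB4X0000.000"] = b"cell GB4X0000 hazards v7 (hazard removed)"
    print("tampered chart:", verify_charts(tampered, entries, tag))
```

The point is not the particular hash or MAC but where the trust sits: the autopilot should only act on chart data that something independent of the chart update path has vouched for, which is the software equivalent of looking out the window. Chart distribution schemes that sign cells from the publisher's side remove the need for a shared key on the vessel; this sketch only shows the check itself.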
OK, so what does this mean to you and me?
Most of us are not captains of a tanker or container ship, so it is not about that. But if you are, take note!
These shipboard systems are just sophisticated IoT systems and like most IoT systems, the security is horrible.
While you may not captain a ship, your car likely has hundreds of computers in it, and we have seen them hacked in the news from time to time. When you buy a car, do you ask about its security? If you do, the salesperson probably has no idea, and most people just believe whatever babble the salesperson provides.
Whether it is a car, TV, refrigerator or factory floor machine, ask questions, educate yourself and don’t believe the first answer you get.
Once you buy it, you likely own the problem. The problem has to get massively large before anyone is really going to help you.
You are, pretty much, on your own. Understand that and make sure that you are OK with that.
Information for this post came from Threatpost.