by TARA SEALS on June 7th, 2018

The global shipping industry is vulnerable to a range of hacks, including one that can send multi-million dollar vessels on a collision course for disaster, according to researchers. Worse, the flaws are trivial to execute and easy to mitigate against, according to a report by Pen Test Partners.

“Ship security is in its infancy – most of these types of issues were fixed years ago in mainstream IT systems,” said Pen Test Partners researcher Ken Munro, in a report on the findings released this week. “The advent of always-on satellite connections has exposed shipping to hacking attacks. Vessel owners and operators need to address these issues quickly, or more shipping security incidents will occur. What we’ve only seen in the movies will quickly become reality.”

As part of its report, Pen Test Partners also released a number of proof-of-concept (PoC) attacks where it demonstrated multiple techniques for disrupting the shipboard navigation systems. “We’ve broken new ground by linking satcom terminal version details to live GPS position data,” according to the report.

Munro said that the PoC flaws are the tip of the iceberg. Many more, and worse, issues were uncovered. He said other bugs would be shared privately with vendors.

Forcing Ships Off-Course

In one of the PoCs shared in the report, researchers noted that the electronic charts used for navigation, known as the Electronic Chart Display and Information System (ECDIS), are a ripe target for hackers. They said the ECDIS is not difficult to hack and manipulate once an attacker breaches the vessel’s network. And that’s fairly simple to achieve because of an abundance of outdated operating systems and poorly protected configuration interfaces, researchers said.

“We tested over 20 different ECDIS units and found all sorts of crazy security flaws,” Munro said. “Most ran old operating systems, including one popular in the military that still runs Windows NT.”

Read the complete article at threatpost.com

Tara Seals is a cybersecurity writer for threatpost.com