The vulnerability of shipboard systems has been laid bare for all to see on social media.
Splash has seen how one France-based security researcher was able to enter the satellite communications system of a ship in mid-voyage by entering a simple username and password. The researcher used the search engine Shodan to find easy online targets at sea.
Shodan is now live tracking ships via VSAT antennas exposing web services. Using the username ‘admin’ and the password ‘1234’, the tech expert was then able to access the communication centre of the ship as it made its way through South American waters. The researcher then made his findings known on Twitter.
The satellite communication provider that was at the center of this hack was Thrane & Thrane, a Danish company bought out by Cobham in 2013. Cobham has yet to reply to questions sent by Splash.
“I’m connected to a mother****ing ship as admin right now. Hacking ships is easy,” the researcher posted on Twitter, adding later, “I can even upload my own firmware #HackingShips”.
Splash contacted the researcher, who gave advice to Cobham and to the shipping industry in general.
“My two cents: 1) don’t expose admin interface to the internet 2) change default passwords,” the unidentified researcher said. He stressed that he did no harm to the system he entered.
Commenting on the news, Lars Jensen, the founder of CyberKeel, a maritime cyber security specialist, told Splash: “What is concerning – but unfortunately not surprising – is that the person behind this service also found that a number of the exposed services were using factory settings, which makes it possible to obtain remote administrator rights over the VSAT system on the vessel.”
Jensen said shipowners should urgently check their VSAT systems today.
“If a vessel operates with a VSAT system using factory settings, the vessel operator has a problem. All vessel operators should check all their VSAT settings right now and if they are factory settings also change them right now – with this one out there since yesterday, there might be more attempts already simply because the challenge is there,” Jensen stressed.
Chris Young, the founder of Fidra Films, had some harsh words for those who had been compromised in this latest online skirmish.
“Make sure your VSAT provider takes security seriously,” Young said. “They should be restricting remote access as a bare minimum and they should be insisting that you adopt good security practices. Secondly, whether it’s a $9.99 baby monitor or a $200m ship you never, ever, connect anything to the internet using the default username and password combination. That’s just stupid, real stupid. You’re making life so much easier for the criminals that you deserve what you get.”
Young’s production company launched a short film this month, Be Cyber Aware At Sea, which is available to watch for free.
The ease with which a ship can be hacked comes just three weeks after one of the world’s largest shipping firms, Maersk, was hit very hard by the Petya ransomware.