Bad passwords and weak security are making ships an easy target for hackers

Researchers have found that lax security makes it easy to track a ship sailing in international waters.
Written by Danny Palmer, Senior Writer

IT security is now an issue for container ships too.


Commercial shipping vessels have such poor cyber security it's possible to track them down and hack into them via poorly secured communications systems.

Ken Munro, a security researcher at Pen Test Partners who has documented the lapses in security, said they are "simply not acceptable".

Many of the problems stem from how ships traditionally ran on dedicated, isolated networks which didn't connect to the outside world, meaning that network security wasn't really an issue so long as physical security was in place to stop outsiders actually boarding the ships to tamper with computers.

Now ships have evolved to become connected industrial control systems which happen to float and sail around the world's oceans. Shipping vessels are now rife with complex always-on connected systems, as well as internet connections for crews, electronic navigation systems and more.

The problem is that while the maritime industry has evolved to use modern internet-connected technologies, the operational security of ships hasn't always kept up.

One example: many of the satellite communication terminals employed on the ships - including some from big brands in the maritime space such as Inmarsat, Telenor and Cobham - are discoverable on Shodan, a search engine which finds Internet of Things devices around the world.

In some cases the default credentials for 'securing' these systems are as dangerously simple as admin/1234, potentially leaving them open to misuse by hackers who know what they're looking for and are familiar enough with shipping infrastructure to take advantage of systems which haven't had logins and passwords changed.


Researchers at Pen Test Partners - some of whom used to work onboard container ships - also found that CommBox private network terminals were exposed online, lacking Transport Layer Security [TLS] cryptographic protocols.

By exploiting this information, penetration testers were able to identify a specific ship, where it was on the oceans and where it was heading.

The researchers were also able to identify users of the devices, potentially making those on the ship vulnerable to phishing attacks which could be used to explore the network of the vessel.

"Simple phish, take control of his laptop, look for a lack of segregation on the ship network and migrate on to other more interesting devices," said Munro.

Ultimately, researchers found that the shipping industry is awash with cyber security vulnerabilities - even lagging behind power plants and critical infrastructure, which are infamous for running outdated systems.

In order to fix the issue, Pen Test Partners recommends that at the absolute minimum, TLS needs to be in place on satcom boxes - and passwords must be complex, especially for high privilege accounts.

"There are many routes on to a ship, but the satcom box is the one route that is nearly always on the internet. Start with securing these devices, then move on to securing other ship systems. That's a whole different story," said Munro.

