Commercial shipping vessels have such poor cyber security it's possible to track them down and hack into them via poorly secured communications systems.
Ken Munro, a security researcher at Pen Test Partners, who has documented the lapses in security said they are "simply not acceptable".
Many of the problems stem from how ships traditionally ran on dedicated, isolated networks which didn't connected to the outside world, meaning that network security wasn't really an issue, so long as physical security was in place to stop outsiders actually boarding the ships to tamper with computers.
Now ships have evolved to become connected industrial control systems which happen to float and sail around the world's oceans. Shipping vessels are now rife with complex always-on connected systems, as well as internet connections for crews, electronic navigation systems and more.
The problem is that while the maritime industry has evolved to use modern internet connected technologies, the operational security of ships hasn't always kept up.
In some cases the default credentials for 'securing' these systems are as dangerously simple as admin/1234, potentially leaving them open to misuse to hackers who know what they're looking for and are familiar enough with shipping infrastructure to take advantage of systems which haven't had logins and passwords changed.
Researchers at Pen Test Partners - some of whom used to work onboard container ships - also found that CommBox private network terminals were exposed online, lacking Transport Layer Security [TLS] cryptographic protocols.
By exploiting this information, penetration testers were able to identify a specific ship, where it was on the oceans and where it was heading.
The researchers were also able to identify users of the devices, potentially making those on the ship vulnerable to phishing attacks which could be used to explore the network of the vessel.
"Simple phish, take control of his laptop, look for a lack of segregation on the ship network and migrate on to other more interesting devices," said Munroe.
In order to fix the issue, Pen Test Partners recommends that at the absolute minimum, TLS needs to be in place on satcom boxes - and passwords must be complex, especially for high privilege accounts.
"There are many routes on to a ship, but the satcom box is the one route that is nearly always on the internet. Start with securing these devices, then move on to securing other ship systems. That's a whole different story," said Munroe.