Commonly used ship-monitoring technology can be hacked to falsify the location and size of boats in order to trigger collision alerts from other boats, recent findings show.
Ken Munro, President of Pen Test Partners, notes that the attacks target the boats' electronic chart display (Ecdis), the crews' main alternative to paper maps.
A French researcher, under the pseudonym X0rz, recently demonstrated that many vessels never change the default user names and passwords that companies assign to their global positioning devices, which weakens their information security. Munro has shown that it is possible to take advantage of this to reconfigure the Ecdis and modify the readings it receives from the global positioning system.
According to information security experts from the International Institute of Cyber Security, the location of the receiver can be changed within a range of up to 300 meters; in Mr. Munro’s words, “this is more than enough to provoke a large number of accidents”. He adds that it is also possible to cause errors of up to 1 km² in the calculated size of nearby boats.
Although falsified values on that scale could be obvious, Mr. Munro argues that on board they can still cause unusual chaos.
The main recommendation made to boat captains is to strengthen the information security of their navigation equipment by setting more secure passwords and applying the relevant software updates.
A spokesman for the United Kingdom’s National Cyber Security Center (NCSC) noted that a guide to the best use of such equipment was published more than a year ago and has also proven useful.
“We are alert to the threats to information security and their origin; we are ready to confront them, but the government cannot do it alone. Employers and other organizations need to do their part,” says the spokesman.
“By increasing basic defense techniques, companies, whether large or small, will be able to provide information security, protect their operating capacities, finances and reputation, significantly reducing the need to re-invest in resolving these attacks.”