Ken Munro of Pen Test Partners a company offering Cybernet Penetration Testing Services has suggested that the vulnerability of ECDIS could be exploited to block superyacht ports and wreak havoc throughout the superyacht community.
His statement comes after his firm looked into shipping using the English Channel, which is the busiest shipping route in the world.
He made limited details of the hack public to coincide with London’s Infosecurity Europe exhibition, where he was showing off his work.
Munroe found a commonly used ship-tracking technology can be hacked to spoof the size and location of boats in order to trigger other vessels’ collision alarms.
Munroe told the BBC that a researcher has discovered that it was relatively easy to find cases via an app to gain remote access to the ECDIS System on ferries crossing the channel.
Using the nickname x0rz, the French researcher demonstrated that many ships never changed their satellite communications equipment’s default username or password, and that in his experience, security on board ships is often dire
The attack targets the computer-powered navigation Electronic Chart Display System (ECDIS), so that it is possible to take advantage of this to reconfigure a ship’s Ecdis software in order to mis-identify the location of its GPS (global positioning system) receiver.
The receiver’s location can be moved by only about 300m but he said that was enough to force an accident.
“That doesn’t sound like much, but in poor visibility it’s the difference between crashing and not crashing,” he said.
He added that it was also possible to make the software identify the boat as being much bigger than its true size – up to 1km sq.
Mr Munro took this photo of passwords recently spotted on one ship
Although the deception would be obvious to others on that scale, Mr Munro suggested it could still cause chaos.
Munroe believes that because ECDIS feeds the automatic identification system AIS transceiver collision alarms would be firing on numerous ships many would then simply avoid the area completely.
“It would make for a very brave captain to continue on course while the alert was sounding.”
“The consequence,” he added, “Was a hacker could effectively shut down shipping lanes.”
Experts at the University of Plymouth’s Maritime Cyber Threats research group have reviewed some of the details Mr Munro has shared and have come up with different conclusions.
“There are no technical inaccuracies in anything [Mr Munro] has said, but the cascading of effects that would be necessary to reach the worst case conclusion are extremely unlikely in practice,” said Prof Kevin Jones.
His colleague Dr Tim Crichton added that the Channel Navigation Information Service – a body that monitors the flow of traffic in the area – would soon intervene if AIS collision warnings contradicted both radar readings and what deck officers could see with their own eyes.
Even so, another member of the department said, Mr Munro’s research should not be ignored.
Mr Munro suggests those who use the bridge on superyachts must be instructed to lock down their equipment with strong passwords and ensure the latest software patches are installed.