Commerical Shipping and Commercial Aviation under Scrutiny By Researchers and Potentially Hackers
4 days ago, researchers from Pen Test Partners demonstrated at InfoSecurity Europe (London) that the satellite communication and charting coms of certain maritime ship equipment were vulnerable to IOT attacks. And the main culprit was – direct internet access to vulnerable systems and yes —default passwords.
Like many IoT devices, the default passwords were never changed from admin /1234 or admin/12345. According to the Register, "Shodan, the Internet of Things search engine, publishes a shipping tracker. PTP that used this to put together a system linking satcom terminal version details to live GPS position data – a vulnerable ship tracker. Knowing the version of software on terminals could tell miscreants what security weaknesses it has and how it might be hacked.
“PTP created a clickable map where exposed ships are highlighted with their real-time position.] (ptp-shiptracker.herokuapp.com/) Week-old data was demonstrated at InfoSecurity London. The tracker – available here – deliberately omits any data refresh and features only historic data, making sure it isn’t of any utility to hackers.
If exploiting vulnerabilities to hijack admin rights on a ship’s satellite communications terminal is considered too much effort, attackers can take advantage of weak and default passwords.”
“Many satcom terminals on ships are available via the public internet. Many have default credentials, admin/1234 being very common,” PTP reported.
Maritime experts are worried about the potential for collisions in one of the busiest shipping channels - The British Channel.
[Crappy IoT on the high seas: Holes punched in the hull of maritime security](https://www.theregister.co.uk/2018/06/06/infosec_europe_maritime_security/
Oh, and if that wasn’t enough, A couple days later the (Department of Homeland Security (DHS) reported that that a Boeing 757 was hacked in flight by researchers last year who had been able to get into the WI-FI system (and further) leading the Department to warn “Indeed, the lack of cybersecurity protection in the ‘network of trust’ model upon which today’s commercial aviation backbone is built leaves systems increasingly vulnerable to malicious attacks. As the lifespan of current aircraft is set to increase, so does the risk of potential compromise. Organizations shouldn’t assume they’re not going to get hacked; they need to take proactive steps to protect their systems."
According to Informationsecuritybuzz, “The research is a continuation of analysis that was made after a group of security experts last year were able to remotely hack a Boeing 757 aircraft without the pilots knowing about it. Edgard Capdevielle, CEO at Nozomi Networks commented below.“Indeed, the lack of cybersecurity protection in the ‘network of trust’ model upon which today’s commercial aviation backbone is built leaves systems increasingly vulnerable to malicious attacks. As the lifespan of current aircraft is set to increase, so does the risk of potential compromise. Organizations shouldn’t assume they’re not going to get hacked; they need to take proactive steps to protect their systems.”
“The airline industry should pay closer attention to the risk of cyberattacks on their systems before significant damage is done. Indeed, manufacturers and airlines should take aviation cybersecurity seriously and work together with critical infrastructure owners, hardware vendors, information security experts and government officials to identify and mitigate vulnerabilities. Organizations need to ensure multiple layers of security defenses governance are designed and implemented to ensure the security of all critical systems."
All this comes on the heels and fallout of connected car accidents. Chicken little may not be falling, but this is going to be a long cat and mouse game. Read more about the Boeing 757 Hack here . While we had to worry about our cell phones interfering with commercial flight communications, hackers were virtually already inside the cockpit. Are you confident we’ll deal with the security of all the connected technology in the near future?