October 18, 2017 By Shane Schick 2 min read

They may be a lot bigger than the average smartphone or desktop, but a researcher recently demonstrated a plethora of security gaps that could expose container ships to cyberthreats. In a blog post, Ken Munro of Pen Test Partners detailed shipping industry security vulnerabilities such as weak passwords, easily exploitable satellite antennae and other misconfigurations that can be identified by conducting a simple search on Shodan, a search engine for internet-connected devices.

Exposing Shipping Industry Security Flaws

At a shipping conference in Athens, Greece, Munro showed a private network terminal that listed the vessel name and identified the entire crew of a naval ship on its login page. Fraudsters usually have to jump through hoops to get those details, but they can deduce this information by simply hovering over the page.

As The Register pointed out, a cybercriminal could use those names to facilitate phishing attacks by learning more about the crew members through social media profiles. Cases of employees accidentally giving threat actors access to corporate networks are common and well-documented, but shipping industry security flaws also affect satellite communications equipment, which contains location data, information related to cargo and more. If crew members fail to use strong authentication, they increase the potential for a data breach.

Getting Security in Ship Shape

One key issue is that industrial control systems (ICS) such as those used on naval ships were designed long before most organizations began to understand cybersecurity or actively monitor emerging threats to their corporate networks. Today, however, those ships are connected to all kinds of technology via Wi-Fi, very small aperture terminal (VSAT) and Global System for Mobile communication/Long-Term Evolution (GSM/LTE), according to SC Magazine.

It’s also important to note that the IT on a ship often runs 24/7. If nothing else, Munro’s research is a wake-up call for shipping industry security: Unless the sector beefs up measures to protect data, the future will be anything but smooth sailing.

More from

SoaPy: Stealthy enumeration of Active Directory environments through ADWS

10 min read - Introduction Over time, both targeted and large-scale enumeration of Active Directory (AD) environments have become increasingly detected due to modern defensive solutions. During our internship at X-Force Red this past summer, we noticed FalconForce’s SOAPHound was becoming popular for enumerating Active Directory environments. This tool brought a new perspective to Active Directory enumeration by performing collection via Active Directory Web Services (ADWS) instead of directly through Lightweight Directory Access Protocol (LDAP) as other AD enumeration tools had in the past.…

Smoltalk: RCE in open source agents

26 min read - Big shoutout to Hugging Face and the smolagents team for their cooperation and quick turnaround for a fix! Introduction Recently, I have been working on a side project to automate some pentest reconnaissance with AI agents. Just after I started this project, Hugging Face announced the release of smolagents, a lightweight framework for building AI agents that implements the methodology described in the ReAct paper, emphasizing reasoning through iterative decision-making. Interestingly, smolagents enables agents to reason and act by generating…

4 ways to bring cybersecurity into your community

4 min read - It’s easy to focus on technology when talking about cybersecurity. However, the best prevention measures rely on the education of those who use technology. Organizations training their employees is the first step. But the industry needs to expand the concept of a culture of cybersecurity and take it from where it currently stands as an organizational responsibility to a global perspective.When every person who uses technology — for work, personal use and school — views cybersecurity as their responsibility, it…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today