Hacking a yacht is too easy
Yachts are floating targets for criminal hackers.
In one of the most popular ports in Russia, a security researcher shows us how yachts are highly vulnerable to hacking and attacks.
It’s velvet season here in Sochi, Russia — September, October, still warm but easing into winter, when the Russian upper classes used to trade calico clothing for velvet.
Mooring your yacht here on the edge of the Black Sea can be pricy, even now.
A short ride on a boat for hire can cost you less than $10, but a berth for a luxury yacht can go for more than $25,000 a month, depending on size.
But yacht owners spending thousands on prime marina spots may be spending little, or nothing, on cyber security.
Researchers are showing again and again that they can walk right in to a yacht’s computer network and take over.
Sochi, Russia, site of the 2014 Winter Olympics. Image: Archer News
At a hotel on a hill looking over Sochi’s coastline, researcher Stephan Gerling with ROSEN Group talks to the audience at a Kaspersky Industrial Control Systems security conference last week.
He shows how yacht app developers left “juicy” information wide open in the code of the site, where anyone could see.
The username and password, not obscured or encrypted.
But Gerling doesn’t even need those.
With a few clicks, the site lets him right in — without even a passcode.
This yacht is his.
Stephan Gerling shows how he hacked a yacht at the Kaspersky Industrial Control System conference in Sochi in September 2018. Image: Archer News
“How easy is it to hack a yacht?” Archer News asks Gerling in an interview.
“Depending on the background, I think some things are very easy to do,” he says. “I think that normally everybody can do this.”
The Wi-Fi, entertainment system, mobile devices, GPS, smart phones, engine control — all vulnerable, he says.
Malicious hackers can cause many problems, according to Gerling and other researchers.
The entertainment system, like the smart TV and sound system, bring the outside world to celebrities at sea or in port.
But the cameras and microphones can also work in reverse.
Spying on the stars could bring big money.
“Best paparazzi system,” said Gerling. “Maybe the celebrities should think more about that.”
Hackers have already stolen some yacht owners’ private pictures and held them for ransom, reported Slate.
Yachts in port in Sochi, Russia. Image: Archer News
More than privacy
Yachts are not just for party photos and pleasure cruises.
“Most owners of bigger companies owning a yacht and doing their business from a yacht, they’re doing their business stuff,” Gerling said.
That means attackers could get into business networks, harvesting insider info, stock secrets, corporate data and corporate bank accounts.
One yacht owner lost $150,000 to a cyber attacker, reported The Guardian.
Ship (Security) Wrecked?
But Gerling shows another, perhaps more disturbing, vulnerability.
Some captains can run the yacht’s control systems from a tablet.
That tablet — a target for hackers wanting to take over the ship.
Off the coast of Italy, in 2013, a test aboard a multi-million dollar super yacht showed what attackers could do.
The owner of the 215-foot White Rose of Drachs allowed a team from the University of Texas at Austin to try to hack it off course.
Researchers tried to steer the White Rose of Drachs off course in 2013. Image: Cockrell School
The team sent out fake GPS signals from a special device on the deck.
The navigation equipment showed no alarm, no danger.
The screen displayed a straight line.
But in reality, the boat slowly curved away from its route, as the crew adjusted for the fake signals coming in.
Captains are trained to use more than just technology to guide their vessels, so it might be difficult to cause extreme problems.
The White Rose test showed not a dramatic attack, but a sign of things to come — in the future, hackers could potentially steer ships like remote control toys, if the crew does not notice that digital piracy is underway.
The White Rose of Drachs showed no alarms during the hack that steered it off course. Image: Cockrell School
In 2011, Somali pirates took over the Quest, a yacht in the Indian Sea with four people on board and planned to hold them for ransom.
Jean and Scott Adam, from California, and Jean Macay and Bob Riggle, from Seattle, were sailing on an around-the-world venture.
The U.S. military eventually boarded the ship, found all four Americans shot, and could not save them.
Scott and Jean Adam and Phyllis Macay and Bob Riggle died in a 2011 pirate attack in the Indian Ocean. Images: www.SVQuest.com
The pirates’ mastermind on shore complained to Reuters that he’d invested more than $100,000 in this attack and didn’t get a payoff.
Two pirates died and three others were sentenced to life in prison.
You might wonder if pirates will continue to spend money and risk their own lives with a physical attack when they can send an e-mail with ransomware, an electronic attack that could yield riches at a low personal cost.
It’s already happened, according to a security expert.
A charter yacht about to take off for the open water found its computers locked down by ransomware.
“…[T]he crew discovered that ransomware was affecting all their systems — entertainment and yacht management. They were all but immobile, with no technology at all and guests due,” said Malcolm Taylor, head of cybersecurity at G3, in a post on the law firm Bargate Murray’s site. “A well-defended network would have reduced the impact massively.”
The Quest at sea before the pirate attack in 2011. Image: www.SVQuest.com
Lack of Security
Companies working in yacht systems and technology may be thinking about security too late, Gerling said.
The vendors he contacted about the vulnerabilities he found have made some corrections, he said.
Still, many yacht technology developers are not following basic security guidelines that could keep their systems and passengers safe, according to Gerling.
“You have to do some additional steps,” he said. “Following the guidelines, like in the IT industry. Just following the guidelines for IoT [Internet of Things] stuff, for ICS [industrial control systems] stuff. Or web applications, the OWASP [Open Web Application Security Project] standards and so on.”
“Just following the guidelines that are available, then you would be secure,” he added.
Hackers may target the communications systems on yachts. Image: Archer News
There are also guidelines specifically for cybersecurity on ships, put together after attacks on larger vessels.
“Hackers recently shut down a floating oil rig by tilting it, while another rig was so riddled with computer malware that it took 19 days to make it seaworthy again,” reported Reuters in 2014.
Yacht technology developers and companies should step up their game, he believes, before malicious attackers take advantage of the many security holes already known — and those soon to be discovered.
“There are more coming, yes,” Gerling said.
A number of researchers have shown how hackers can attack ships, including:
Main image: Yachts in port in Sochi, Russia. Image: Archer News