Research

Ships, Update Cycles, and the Reliance on Guidance Systems

Multiple parties are looking into ways of disrupting GPS, and especially GPS-related systems. However, this attack is notable because it demonstrates how cyber attacks can leverage wireless communication systems that were not designed with security in mind.

First Published 8th June 2018  |  Latest Refresh 29th January 2023

Ships, Update Cycles, and the Reliance on Guidance Systems

"Fortune brings in some boats that are not steered." - William Shakespeare (searching for his GPS).

4 min read  |  Reflare Research Team

Security researcher Ken Munro released limited information on a novel attack vector that may be used to disorient (and in a worst-case scenario even crash) ships. In this briefing, we will take a look at what is known about the attack and at the problems faced when securing expensive machinery or vehicles in general.

What is the attack?

While limited details are available, the attack seems to target modern ships’ Electronic Chart Display (ECDIS) systems. Such systems are used to display charts and map routes in lieu of traditional paper charts. ECDIS systems also commonly tie into the ship’s GPS receivers and automatic identification systems. The latter are used to track ships and avoid collisions between vessels.

According to Munro, the ship’s position as perceived by instruments can be altered by roughly 300 meters. This indicates that the declared position of the GPS antenna aboard the vessel itself may be altered. While 300 meters is a somewhat limited range when compared to outright GPS Spoofing attacks, it is enough to lead to confusion or potential collisions, especially in narrower waters.

While navigation by sight is always available as a fallback, larger ships often strongly rely on electronic navigation due to their size, inertia and poor visibility.

It is further reported that the attack could be used to alter the reported size of the ship itself and set it to up to a square kilometre. If a ship affected by such an attack were to navigate a relatively small straight or river, all other ships equipped with automatic navigation systems would likely raise alarms or automatically come to a full stop to avoid the perceived collision.

What can be done to prevent this attack?

No mitigation strategies have been released at the time of writing this briefing. However, the researchers claim that trivial steps can be taken to mitigate the vulnerability. Since attacks against default passwords for shipping-related equipment have been common over past years, it is a reasonable assumption that the new attacks will target a similar attack vector.

It's not just boats

As more and more critical infrastructure of the global supply chain becomes increasingly reliant on location tracking and connectivity, there is much at stake if emerging vulnerabilities are not addressed quickly.  

As we have stated in previous briefings, expensive vessels or machines pose a unique challenge in terms of information security. Such equipment usually has life spans measured in decades. Many of the ships, refineries and production facilities in use today were designed and installed before information security was even a term. It is not uncommon to find computers running Windows NT 4 or even a Commodore VIC-20 at the heart of a piece of technology worth millions of dollars.

Securing expensive equipment

The cost of the equipment makes replacing it outright economically impossible. At the same time, there may be no upgrade routes available for the computing portion as standards might have changed or vendors might have gone out of business. Combined with the low-risk awareness and high attack value in heavy industries and shipping, we predict that cyber attacks in this sector will increase over the coming years.

However, the low-risk awareness element can be addressed by staying up to speed with the latest in other cyber security breaches (both within and outside their industry) and undertaking regular infosec capability development training. Suppose security teams are exposed to the misadventures of others, and they possess the knowledge to prevent those breaches. In that case, you have a team of people who will have a sharper eye to catch and address the problems that may exist right beneath your nose.

Subscribe by email