[1]Crappy IoT on the high seas: Holes punched in hull of maritime
  security:

    Years-old security issues mostly stamped out in enterprise
    technology remain in maritime environments, leaving ships vulnerable
    to hacking, tracking and worse.

    A demo at the Infosecurity Europe conference in London by Ken Munro
    and Iian Lewis of Pen Test Partners (PTP) demonstrated multiple
    methods to interrupt the shipping industry. Weak default passwords,
    failure to apply software updates and a lack of encryption enable a
    variety of attacks.

  (Via [2]The Register - Security)

  [3]Vulnerable ship systems: Many left exposed to hacking:

    "Ship security is in its infancy - most of these types of issues
    were fixed years ago in mainstream IT systems," Pen Test Partners'
    [4]Ken Munro says, and points out that the advent of always-on
    satellite connections has exposed shipping to hacking attacks.

  (Via [5]Help Net Security)

  [6]Maritime navigation hack has potential to wreak havoc in English
  channel:

    As [7]reported by the BBC, security researcher Ken Munro from Pen
    Test Partners has discovered that a ship navigation system called
    the Electronic Chart Display (Ecdis) can be compromised, potentially
    to disastrous effect.

    [8]Ecdis is a system commonly used in the shipping industry by crews
    to pinpoint their locations through GPS, to set directions, and as a
    replacement to pen-and-paper charts.

    The system is also touted as a means to reduce the workload on
    navigators by automatically dealing with route planning, monitoring,
    and location updates.

    However, Munro suggests that a vulnerability in the Ecdis navigation
    system could cause utter chaos in the English Channel should threat
    actors choose to exploit it.

    The vulnerability, when exploited, allows attackers to reconfigure
    the software to shift the recorded location of a ship's GPS receiver
    by up to 300 meters.

  (Via [9]Latest Topic for ZDNet in security)

  I've been talking with companies in this space about these types of
  issues. While Munro's research is telling, this is not shocking.

  It does very nicely illustrate the real values in good penetration
  testing: challenging assumptions, taking nothing for granted, and
  divorcing motive from threat.

  For example, the 300-meter location discrepancy could have nothing to
  do with the shipping company or the ship itself. It could be used by a
  crypto mining concern looking to delay the arrival of new GPUs for a
  rival firm. This type of attack could be part of a larger series of
  attacks, subtle enough that further investigation would be unlikely
  (as opposed to the English Channel scenario in the ZDNet article), and
  could reap substantial benefits for the crypto mining concern.

    I believe it to be a war of pretexts, a war in which the true motive
    is not distinctly avowed, but in which pretenses, after-thoughts,
    evasions and other methods are employed to put a case before the
    community which is not the true case.

  DANIEL WEBSTER: Speech in Springfield, Mass., Sept. 29, 1847
    __________________________________________________________________

  My original entry is here: [10]Holes punched in hull of maritime
  security. It posted Sun, 10 Jun 2018 22:44:01 +0000.
  Filed under: business, tech

References

  1. http://go.theregister.com/feed/www.theregister.co.uk/2018/06/06/infosec_europe_maritime_security/
  2. https://www.theregister.co.uk/security/headlines.atom
  3. https://www.helpnetsecurity.com/2018/06/07/vulnerable-ship-systems/
  4. https://www.helpnetsecurity.com/2018/05/10/iot-hacking/
  5. https://www.helpnetsecurity.com/feed/
  6. https://www.zdnet.com/article/maritime-navigation-hack-has-potential-to-wreak-havoc-in-english-channel/#ftag=RSSbaffb68
  7. https://www.bbc.co.uk/news/technology-44397872
  8. https://www.marineinsight.com/marine-navigation/what-is-electronic-chart-display-and-information-system-ecdis/
  9. http://www.zdnet.com/topic-security/rss.xml
 10. https://www.prjorgensen.com/?p=1209