June 13, 2018 By Douglas Bonderud 2 min read

Physical movement of goods relies heavily on ships and airplanes. According to the International Chamber of Shipping, water-based transport accounts for approximately 90 percent of world trade, while a recent Boeing white paper noted that air cargo traffic will more than double in the next few years.

Given this rapid growth, recent research suggests that both the aerospace and shipping industries may be on a crash course with cybersecurity compromise thanks to their use of outdated (and often unprotected) technology.

Shipping Industry Faces New Threats

To stay on course and ensure that cargo arrives on time, most ships use Electronic Chart Display and Information Systems (ECDISs). Security firm Pen Test Partners recently demonstrated that vulnerabilities in these systems are extremely simple to execute. While they’re also easy to mitigate against, many shipping companies don’t recognize these inherent flaws.

Pen Test Partners tested multiple ECDIS systems and found that most were running old operating systems, such as Windows NT. If compromised, cybercriminals could send ships off course by changing the perceived location of GPS receivers. Since autopilot is often used for regular transport routes, crew members may not even realize the ship is being diverted.

The researchers demonstrated the ability to trick the ECDIS into thinking that ships are a kilometer wide and then transmit this data to other vessels, forcing unnecessary course corrections that could impact shipping lanes. It’s also worth noting that systems such as steering, engines and ballast pumps communicate using NMEA 0183 messages sent in plaintext without authentication, making them easy to compromise.

Finally, Pen Test Partners leveraged a database compiled by device search provider Shodan to create a vulnerable ship tracker. In the wild, this data could enable cybercriminals to target specific ships for maximum impact.

Fight or Flight?

In addition to shipping industry fleets, cargo flights are also under threat. As noted by Avionics, Robert Hickey, aviation program manager within the Cyber Security Division of the U.S. Department of Homeland Security (DHS) Science and Technology (S&T) Directorate, was able to accomplish a “remote, non-cooperative penetration” of a commercial 757 within two days — and without any physical insiders aboard the plane.

According to Newsweek, meanwhile, security researcher Ruben Santamarta noted that entire fleets of aircraft remain accessible via the internet. He also claimed that threat actors on the ground could potentially use satellite communications networks to compromise devices on aircraft in flight. Just like their shipping counterparts, breaches to these networks could send aircraft off course and cause major havoc around high-traffic international airports.

While ships and planes remain integral to worldwide shipping, cybersecurity uptake hasn’t kept pace with technology adoption. As a result, savvy cybercriminals could hijack both navigation and communication systems to steer ships off course or compromise aircraft operations.

More from

How to calculate your AI-powered cybersecurity’s ROI

4 min read - Imagine this scenario: A sophisticated, malicious phishing campaign targets a large financial institution. The attackers use emails generated by artificial intelligence (AI) that closely mimic the company's internal communications. The emails contain malicious links designed to steal employee credentials, which the attackers could use to gain access to company assets and data for unknown purposes.The organization's AI-powered cybersecurity solution, which continuously monitors network traffic and user behavior, detects several anomalies associated with the attack, blocks access to the suspicious domains…

Being a good CLR host – Modernizing offensive .NET tradecraft

14 min read - The modern red team is defined by its ability to compromise endpoints and take actions to complete objectives. To achieve the former, many teams implement their own custom command-and-control (C2) or use an open-source option. For the latter, there is a constant stream of post-exploitation tooling being released that takes advantage of various features in Windows, Active Directory and third-party applications. The execution mechanism for this tooling has, for the last several years, relied heavily on executing .NET assemblies in…

The current state of ransomware: Weaponizing disclosure rules and more

4 min read - As we near the end of 2024, ransomware remains a dominant and evolving threat against any organization. Cyber criminals are more sophisticated and creative than ever. They integrate new technologies, leverage geopolitical tensions and even use legal regulations to their advantage.What once seemed like a disruptive but relatively straightforward crime has evolved into a multi-layered, global challenge that continues to threaten businesses and governments alike.Let’s take a look at the state of ransomware today. We’ll focus on how cyber criminals…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today