June 13, 2018 By Douglas Bonderud 2 min read

Physical movement of goods relies heavily on ships and airplanes. According to the International Chamber of Shipping, water-based transport accounts for approximately 90 percent of world trade, while a recent Boeing white paper noted that air cargo traffic will more than double in the next few years.

Given this rapid growth, recent research suggests that both the aerospace and shipping industries may be on a crash course with cybersecurity compromise thanks to their use of outdated (and often unprotected) technology.

Shipping Industry Faces New Threats

To stay on course and ensure that cargo arrives on time, most ships use Electronic Chart Display and Information Systems (ECDISs). Security firm Pen Test Partners recently demonstrated that vulnerabilities in these systems are extremely simple to execute. While they’re also easy to mitigate against, many shipping companies don’t recognize these inherent flaws.

Pen Test Partners tested multiple ECDIS systems and found that most were running old operating systems, such as Windows NT. If compromised, cybercriminals could send ships off course by changing the perceived location of GPS receivers. Since autopilot is often used for regular transport routes, crew members may not even realize the ship is being diverted.

The researchers demonstrated the ability to trick the ECDIS into thinking that ships are a kilometer wide and then transmit this data to other vessels, forcing unnecessary course corrections that could impact shipping lanes. It’s also worth noting that systems such as steering, engines and ballast pumps communicate using NMEA 0183 messages sent in plaintext without authentication, making them easy to compromise.

Finally, Pen Test Partners leveraged a database compiled by device search provider Shodan to create a vulnerable ship tracker. In the wild, this data could enable cybercriminals to target specific ships for maximum impact.

Fight or Flight?

In addition to shipping industry fleets, cargo flights are also under threat. As noted by Avionics, Robert Hickey, aviation program manager within the Cyber Security Division of the U.S. Department of Homeland Security (DHS) Science and Technology (S&T) Directorate, was able to accomplish a “remote, non-cooperative penetration” of a commercial 757 within two days — and without any physical insiders aboard the plane.

According to Newsweek, meanwhile, security researcher Ruben Santamarta noted that entire fleets of aircraft remain accessible via the internet. He also claimed that threat actors on the ground could potentially use satellite communications networks to compromise devices on aircraft in flight. Just like their shipping counterparts, breaches to these networks could send aircraft off course and cause major havoc around high-traffic international airports.

While ships and planes remain integral to worldwide shipping, cybersecurity uptake hasn’t kept pace with technology adoption. As a result, savvy cybercriminals could hijack both navigation and communication systems to steer ships off course or compromise aircraft operations.

More from

Change Healthcare discloses $22M ransomware payment

3 min read - UnitedHealth Group CEO Andrew Witty found himself answering questions in front of Congress on May 1 regarding the Change Healthcare ransomware attack that occurred in February. During the hearing, he admitted that his organization paid the attacker's ransomware request. It has been reported that the hacker organization BlackCat, also known as ALPHV, received a payment of $22 million via Bitcoin.Even though they made the ransomware payment, Witty shared that Change Healthcare did not get its data back. This is a…

Phishing kit trends and the top 10 spoofed brands of 2023

4 min read -  The 2024 IBM X-Force Threat Intelligence Index reported that phishing was one of the top initial access vectors observed last year, accounting for 30% of incidents. To carry out their phishing campaigns, attackers often use phishing kits: a collection of tools, resources and scripts that are designed and assembled to ease deployment. Each phishing kit deployment corresponds to a single phishing attack, and a kit could be redeployed many times during a phishing campaign. IBM X-Force has analyzed thousands of…

How I got started: AI security researcher

4 min read - For the enterprise, there’s no escape from deploying AI in some form. Careers focused on AI are proliferating, but one you may not be familiar with is AI security researcher. These AI specialists are cybersecurity professionals who focus on the unique vulnerabilities and threats that arise from the use of AI and machine learning (ML) systems. Their responsibilities vary, but key roles include identifying and analyzing potential security flaws in AI models and developing and testing methods malicious actors could…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today