Physical movement of goods relies heavily on ships and airplanes. According to the International Chamber of Shipping, water-based transport accounts for approximately 90 percent of world trade, while a recent Boeing white paper noted that air cargo traffic will more than double in the next few years.

Given this rapid growth, recent research suggests that both the aerospace and shipping industries may be on a crash course with cybersecurity compromise thanks to their use of outdated (and often unprotected) technology.

Shipping Industry Faces New Threats

To stay on course and ensure that cargo arrives on time, most ships use Electronic Chart Display and Information Systems (ECDISs). Security firm Pen Test Partners recently demonstrated that vulnerabilities in these systems are extremely simple to execute. While they’re also easy to mitigate against, many shipping companies don’t recognize these inherent flaws.

Pen Test Partners tested multiple ECDIS systems and found that most were running old operating systems, such as Windows NT. If compromised, cybercriminals could send ships off course by changing the perceived location of GPS receivers. Since autopilot is often used for regular transport routes, crew members may not even realize the ship is being diverted.

The researchers demonstrated the ability to trick the ECDIS into thinking that ships are a kilometer wide and then transmit this data to other vessels, forcing unnecessary course corrections that could impact shipping lanes. It’s also worth noting that systems such as steering, engines and ballast pumps communicate using NMEA 0183 messages sent in plaintext without authentication, making them easy to compromise.

Finally, Pen Test Partners leveraged a database compiled by device search provider Shodan to create a vulnerable ship tracker. In the wild, this data could enable cybercriminals to target specific ships for maximum impact.

Fight or Flight?

In addition to shipping industry fleets, cargo flights are also under threat. As noted by Avionics, Robert Hickey, aviation program manager within the Cyber Security Division of the U.S. Department of Homeland Security (DHS) Science and Technology (S&T) Directorate, was able to accomplish a “remote, non-cooperative penetration” of a commercial 757 within two days — and without any physical insiders aboard the plane.

According to Newsweek, meanwhile, security researcher Ruben Santamarta noted that entire fleets of aircraft remain accessible via the internet. He also claimed that threat actors on the ground could potentially use satellite communications networks to compromise devices on aircraft in flight. Just like their shipping counterparts, breaches to these networks could send aircraft off course and cause major havoc around high-traffic international airports.

While ships and planes remain integral to worldwide shipping, cybersecurity uptake hasn’t kept pace with technology adoption. As a result, savvy cybercriminals could hijack both navigation and communication systems to steer ships off course or compromise aircraft operations.

More from

Abuse of Privilege Enabled Long-Term DIB Organization Hack

From November 2021 through January 2022, the Cybersecurity and Infrastructure Security Agency (CISA) responded to an advanced cyberattack on a Defense Industrial Base (DIB) organization’s enterprise network. During that time frame, advanced persistent threat (APT) adversaries used an open-source toolkit called Impacket to breach the environment and further penetrate the organization’s network. Even worse, CISA reported that multiple APT groups may have hacked into the organization’s network. Data breaches such as these are almost always the result of compromised endpoints…

How Do You Plan to Celebrate National Computer Security Day?

In October 2022, the world marked the 19th Cybersecurity Awareness Month. October might be over, but employers can still talk about awareness of digital threats. We all have another chance before then: National Computer Security Day. The History of National Computer Security Day The origins of National Computer Security Day trace back to 1988 and the Washington, D.C. chapter of the Association for Computing Machinery’s Special Interest Group on Security, Audit and Control. As noted by National Today, those in…

Deploying Security Automation to Your Endpoints

Globally, data is growing at an exponential rate. Due to factors like information explosion and the rising interconnectivity of endpoints, data growth will only become a more pressing issue. This enormous influx of data will invariably affect security teams. Faced with an enormous amount of data to sift through, analysts are feeling the crunch. Subsequently, alert fatigue is already a problem for analysts overwhelmed with security tasks. With the continued shortage of qualified staff, organizations are looking for automation to…

Worms of Wisdom: How WannaCry Shapes Cybersecurity Today

WannaCry wasn't a particularly complex or innovative ransomware attack. What made it unique, however, was its rapid spread. Using the EternalBlue exploit, malware could quickly move from device to device, leveraging a flaw in the Microsoft Windows Server Message Block (SMB) protocol. As a result, when the WannaCry "ransomworm" hit networks in 2017, it expanded to wreak havoc on high-profile systems worldwide. While the discovery of a "kill switch" in the code blunted the spread of the attack and newly…