Researcher: Not Hard for a Hacker to Capsize a Ship at Sea

hacking maritime systems shipping capsize

Capsizing a ship with a cyberattack is a relatively low-skill enterprise, according to an analysis from Pen Test Partners.

Maritime transport still contributes in an important way to the world’s economy, with on-time shipments influencing everything from commodities availability and spot pricing to the stability of small countries. Unfortunately, capsizing a ship with a cyberattack is a relatively low-skill enterprise, according to an analysis from Pen Test Partners.

With so many previously outlined ways to infiltrate networks on-board shipping vessels (think satcom hacking, phishing, USB attacks, insecure crew Wi-Fi, etc.), the question becomes, what could an adversary do with that access?

“If one was suitably motivated, perhaps by a nation-state or a crime syndicate, one could bring about the sinking of a ship,” said Pen Test Partners researcher Ken Munro, in a stark assessment of maritime cyber-danger this week.

At issue is the fact that critical ship control systems, including IP-to-serial converters, GPS receivers or the Voyage Data Recorder (VDR), tend to be easily compromised; some on-board devices for instance still run Windows XP and Windows NT, and converters rarely have their admin passwords changed.

Those that do have non-default credentials will likely have such out of date firmware that they’re easily exploited anyway: Munro pointed out that many of the Moxa device servers commonly found aboard vessels were recently found to be vulnerable to a firmware downgrade attack that allowed trivial compromise.

“It’s a low-skill attack,” Munro told Threatpost. “Password security and patch management are so poor at sea that compromise does not require significant expertise. There’s a documented case of a kid finding a mobile drilling platform control system using Shodan and clicking buttons to see what happened. I believe they unintentionally took the dynamic positioning system offline.”

These easily hacked devices communicate with a raft of control systems via a standardized messaging system, called NMEA 0183 messaging (it’s a superset of the messaging format that GPS devices use).  These include autopilot systems, propulsion control, dynamic positioning, engine control, ballast control and digital compasses – everything that’s needed to steer a ship off-course or cause catastrophe.

“The messages are usually exchanged using RS485 serial datacomms, either directly or encapsulated over IP networks,” Munro said in a posting. “In some cases, CAN is used as a bridge between IP and serial. Any point where serial meets IP is a point where the hacker can potentially access the messaging system.”

Once the hacker is able to reach the control systems, it would for instance be possible to replay the Hoegh Osaka incident, where a car carrier’s ballast tanks weren’t properly filled, which resulted in the ship developing a heavy list during a tight turn out of the port. It narrowly avoided capsize, thanks only to a favorable wind blowing.

“Modern ballast control systems provide remote monitoring and operation from the bridge, usually running on a PC,” Munro explained. “So, the attacker would simply send the appropriate serial data to the ballast pump controllers, causing them all to pump from port to starboard ballast tanks. That change in trim alone could cause a capsize.”

He added, “If the change in ballast wasn’t enough to sink the vessel by itself, when a list had started to develop, send a NMEA message to the autopilot, commanding a turn to starboard. Or, send a helm message commanding the same turn direction. The list, combined with the change in stability when turning, is likely to cause a capsize.”

Access to the control systems could be remote or local, depending on the attacker. PTT has done prior research on remote attacks over satcoms; and serial network attacks can be carried out remotely via the satcom connection, or by physically locating the convertors.

“Any half-decent attacker can happily abuse these operating systems all day long and still cover their tracks effectively,” Munro said.

Previous research has shown that other concerning attacks are possible as well, such as forcing a ship off-course or causing collisions. The issue with remediating the dismal state of maritime security is a lack of clearly defined responsibility for security, according to the researcher.

“It’s a lack of awareness,” he told Threatpost. “Ship owners are rarely the ship operator, charter parties are rarely interested in security. When responsibility and liability for security incidents is unclear, it’s hard to determine who should take control of patching and cyber-risk management. Clarity is urgently required; several organizations such as the [International Maritime Organization] are taking action, though it will take time for processes to change.”

Interested in learning about mobile enterprise security threats and best practices? Don’t miss our free Threatpost webinar on Feb. 27 at 2 p.m. ET. Join Threatpost senior editor Tara Seals, Patrick Hevesi of Gartner; Mike Burr of Google Android; and David Richardson from Lookout. They’ll discuss the top evolving threats and risks that are unique to this work-from-anywhere environment; best practices for addressing them; and new challenges on the horizon, such as 5G services.

Suggested articles


  • Lars Bergqvist on

    I do not think any professional mariner believes that you t´remotely can hack a ship like this. https://splash247[dot]com/fear-fake-news-cyber-hype/
    • Tara Seals on

      Hi Lars-- it's actually not fake news, as Pen Test Partners have shown over and over again how it can be done (links are in the article). But you hit the nail on the head: mariners don't think about this -- there's a dreadful lack of awareness. Combating that lack of awareness is exactly why we write stories like this.
  • Shawn Ellis on

    A big thank you to Pen Test Partners for performing analysis like this one and sharing. As Tara Seals pointed out, there is a lack of awareness but it is not maritime community fault per se. The issue is the technology adoption in the marine environement came faster then the User understanding of the technology. However, the user did not need to fully understand the guts of the system, only that is worked and fulfilled their needs. This is no different than when Windows 10 came out for your PC. You just wanted it to work when you need to get to your email and such. There was a large gap where the technolgy providers took the responsibility of managed the "technical" issues with focus on making it work and not making it secure. As time passed, users have become more aware of the security issues, but the time gap as allowed the attackers to unfortunately refine their trade craft. Marine is catching up though. I recommend having a gander at what DNV-GL has done in the area of Marine Cybersecurity. They have even mandated Cyber shalls for CLass approvals.
  • Richard Mackenzie on

    Several years ago their was a running debate on the perils of antonymous vessels and 'spoofing'. Unless the bridge is manually checking the data , the course tracked on the chart screen and the true course could be made to slowly diverge. Back when piracy was rampant of the Horn of Africa the new technology could conceivably bring victims to within striking distance of a pirate camp. Allthe pirates need do is then is sit back, chew khat and watch their computer screens

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.