A commonly used ship-tracking technology can be hacked to spoof the size and location of boats in order to trigger other vessels’ collision alarms, a researcher has discovered.
Misguiding ECDIS systems
The attack targets a computer-powered navigation system called the Electronic Chart Display (Ecdis), which provides crews an alternative to using paper charts.
A French researcher, who goes by the nickname x0rz, had earlier demonstrated that many ships never changed their satellite communications equipment’s default username and password, and that it was relatively easy to find cases via an app to gain remote access.
Mr Munro has shown that it is possible to take advantage and reconfigure a ship’s Ecdis software in order to mis-identify the location of its GPS (global positioning system) receiver.
He added that it was also possible to make the software identify the boat as being much bigger than its true size – up to 1km sq.
The receiver’s location can be moved by only about 300m (984ft), but he said that it was enough to force an accident.
False alarms
“Ecdis feeds the automatic identification system (AIS) transceiver on many new ships,” he said.
“So, AIS collision alarms would be firing on numerous ships and many would then simply avoid the area completely.”
“It would make for a very brave captain to continue on course while the alert was sounding.”
The consequence, he added, was a hacker could effectively shut down the Channel’s shipping lanes.
ECDIS not easy to crack
Experts at the University of Plymouth’s Maritime Cyber Threats research group says that, “There are no technical inaccuracies in anything [Mr Munro] has said, but the cascading of effects that would be necessary to reach the worst case conclusion are extremely unlikely in practice”.
Also, Dr Tim Crichton adds that if AIS collision warnings contradicted both radar readings and what deck officers could see with their own eyes, then the Channel Navigation Information Service, a body that monitors the flow of traffic in the area will take control of the situation.
He adds, “Fairly quickly, if AIS were giving spurious results in that area, an information message to all ships would be put out”.
“So, instead of investing too much money in creating a technical solution that might not work, it may be easier to address human training.”
Tough credentials
Mr Munro concurs, says that ship officers must be instructed to lock down their equipment with strong passwords and ensure the latest software patches are installed.
Also, they are advised to follow the best practice guide released last year by the UK’s National Cyber Security Centre (NCSC), which might be useful.
“By raising their basic defences, organisations of every size can protect their operating capabilities, finances and reputation, significantly reducing the return on investment for attackers.”
Did you subscribe for our daily newsletter?
It’s Free! Click here to Subscribe!
Source: BBC
