Ship hack ‘risks chaos in English Channel’ by Leo Kelion.
From the post:
…
A French researcher, who goes by the nickname x0rz, had earlier demonstrated that many ships never changed their satellite communications equipment’s default username and password, and that it was relatively easy to find cases via an app to gain remote access.Mr Munro has shown that it is possible to take advantage of this to reconfigure a ship’s Ecdis software in order to mis-identify the location of its GPS (global positioning system) receiver.
The receiver’s location can be moved by only about 300m (984ft), but he said that was enough to force an accident.
“That doesn’t sound like much, but in poor visibility it’s the difference between crashing and not crashing,” he said.
He added that it was also possible to make the software identify the boat as being much bigger than its true size – up to 1km sq.
… (emphasis in original)
Kelion’s non-specifics on hacking ships were posted within the last hour. One report, with actionable details, on hackable ships, appeared on July 17, 2017, Welp, even ships are hackable now by Matthew Hughes.
If you are interested in timely news on cyber-security weaknesses, follow @x0rz.
Great pirate pic from x0rz’s post in July of 2017:
The unimaginative use of the hack to “block the English channel” was suggested by the Pen Test Partners report, Hacking, tracking, stealing and sinking ships by Ken Munro.
The report imagines numerous ships in the English Channel being frightened into immobility due to false collision alarms.
American warships appear to lack collision alarms (or they don’t turn them on) so false ship locations may lead to more than simple confusion.
I haven’t seen this reported but one assumes that military gear comes with default user names and passwords as well. Not unlike the rumored nuclear missile launch codes being 00000000 for 20 years. User name and password defaults for military systems have definite potential.