Superyacht Technology love to provide you with unique content but when an article like this is in the public arena we just have to share. Superyacht Technology News Editor, Joanna Palmer spoke to the author Matthew Roberts for authorisation to publish this. It’s a great read. Enjoy.
Disclaimer: for privacy and security, the name of the Superyacht and specifics of systems will remain confidential.
How did I do it?
- Did I target and hack a Superyacht supplier with a connected system onboard (e.g. 4G provider or fridge supplier) that also had the same system installed on a vast fleet of other Superyachts?
- Did I dock walk and pose as a communications provider and secure an invite onboard? From there, I was shown to the rack room and left to take pictures of the equipment. While the ETO wasn’t looking, I inserted a USB Rubber Ducky into a USB port providing me remote access to that system whenever the yacht had an internet connection.
- Did I send the Captain a spear-phishing email with a ransomware attachment?
- Did I set up a rogue Wi-Fi access point in a marina with the SSID labelled “FREE [marina name] Wi-Fi” without any security enabled, waiting for my victims to connect to the internet via the compromised access point?
- Did I specifically target superyacht crew via social media? Using a fake profile I posed as a deckhand looking for superyacht work. I ‘friended’ lots of other crew across a varied number of social networking platforms. I got talking, sent them yachtie memes and videos, one of which, when opened, loaded the device with malware and provided me access to the device and all of its contents. (This type of hack happened to Amazon founder Jeff Bezos, read more here).
None of the above methods were actually used. I do not have the skillset or intent, but be aware that there are people skilled and motivated enough to use these attack methods, and it’s worth knowing about them.
The story of how I hacked a Superyacht
It turns out it was much more straightforward than any of the methods mentioned above. Late last year, before FLIBS 2019, I was attending meetings in Rybovich Marina in West Palm Beach, where I approached a yacht and got talking to the Engineer. I was working for a communications/IT company at the time, the Engineer and I spoke about Kbps/Mbps, mast blockage and how LEO is the next best thing… blah blah blah. The conversation quickly turned when the Engineer explained a charter was due to start the next day, and there was an issue preventing the requested music and movies from updating on the AV system. With no guarantees of a fix, I offered to help and take a look to the extent of my abilities.
Full disclosure: I consider my technical abilities and understanding are among the best of sales professionals in the industry, but this means nothing because it is still abysmal when compared to engineers and technical professionals back at the office with professional training.
Regardless, they were desperate and just needed it to work (sound familiar?), and their current AV/IT providers were ‘MIA’. The Engineer accepted my offer, hurried me on board and escorted me to the rack room. I received detailed network information located on the ‘Master’ iPad. I was left alone with the racks in front of me, the ‘Master’ iPad and its passcode (because it was on auto-lock after 1 minute) and the Engineer’s laptop (including their password on a post-it note stuck to the laptop!).
After some troubleshooting, there was a particular piece of hardware I wanted to access. The ‘Master’ iPad contained an (unprotected) spreadsheet with all the IP addresses, usernames and passwords for equipment onboard (Note: I could see a lot of default IPs, usernames and passwords used over and over again! Passwords also contained identifiers of the yacht!). Typically, the password was missing for this particular piece of equipment and the Engineer didn’t know it either.
I want to tell you that I opened command prompt and typed commands like a cyber wizard to gain brute-force entry to the equipment. As you could probably guess, I did not.
Instead, I started guessing the missing password.
No success… My password guessing became more specific to the Superyacht:
- [vessel hull number]
- [vessel name]
- [vessel name][vessel hull number]
- Other variations of the above in different order and replacing letters with common symbols etc.
My final guess (because I had come across this password formula before, repeated on a lot of other Superyachts):
- MY or SY immediately followed by [vessel initials in caps]-pass! e.g. ‘SYB-pass!’
BINGO – HACKED!
Note: If you also use this password formula, change it immediately everywhere it exists; this is not a secure password! Easy to remember? Yes! Secure? No!
I bet you are saying “that’s not a hack, that’s luck” but what does it matter? Luck or skill, easy or hard; it does not matter what the cyber vulnerability is. If it can lead to a compromise, there is always the chance that someone can and will. Malicious or accidental, better access controls need to be in place.
To finish the story: the correctly guessed password gave me access to the equipment and allowed me to confirm a suspicion. I made a corrective configuration change and the music and movies started to update (again, no skill on my part, I had watched our engineers perform the same change in a similar situation twice before). I walked away from the yacht with an open invitation to return after the charter for cold beverages on the aft deck and feeling particularly chuffed with myself.
Unfortunately, this feeling only lasted until I sat down at the outside bar of M/Y CAFÉ at Rybovich marina, where I reflected over an ice-cold beer. I no longer felt chuffed. Instead, I felt deeply concerned that even I could gain access to their onboard systems with such ease. It is one of the biggest reasons why I started to search for a new challenge in cybersecurity. So here I am!
What are the lessons from my ‘hack’ of this Superyacht?
There are many. In future articles, I will cover them in greater detail, but to mention a few:
o The Engineer:
- should have signed me into a register and verified my credentials before ever letting me onboard
- should not have given me the ‘Master’ iPad passcode or left me alone with it
- should not have written down the password to their laptop. Let alone left it attached to the laptop and then handed it to me
o The spreadsheet with all the IP addresses, usernames and passwords should have been password protected or in a secure password database/app
o The passwords for all the equipment and websites in the spreadsheet should have been:
- Unique to every piece of equipment
- Long passphrases (e.g. using a home computer to guess a password it would take approx. 12 days to crack ‘p5£X?p*#’ compared to approx. 10,000+centuries to guess ‘Hedgehog_finite_minus’)
- Free of any identifier of the Superyacht, whether that is the name, hull number, length, tonnage, etc. It’s all public information at the end of a Google search
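One way to put these three rules into practice on the kind of spreadsheet described above is to audit it automatically. The following is an added example (not from the article or any vendor); the inventory rows, the vessel identifiers and the 16-character passphrase floor are all constructed assumptions:

```python
"""Audit an onboard credential inventory for the weaknesses listed above.
Added example: rows, vessel identifiers and thresholds are constructed, not real."""
import math
import re
from collections import Counter

# Constructed sample inventory (device, ip, username, password) for a fictional yacht.
INVENTORY = [
    ("av-server", "192.168.1.10", "admin", "SYB-pass!"),
    ("router",    "192.168.1.1",  "admin", "admin"),
    ("nas",       "192.168.1.20", "admin", "Blu3bird1234"),
    ("crew-wifi", "192.168.1.2",  "admin", "admin"),
    ("ecdis-gw",  "192.168.1.30", "ops",   "Hedgehog_finite_minus"),
]
VESSEL_IDS = ["Bluebird", "1234"]                 # constructed vessel name and hull number
DEFAULTS = {"admin", "password", "1234", "12345678", "root"}
MIN_LEN = 16                                      # assumed passphrase floor
FORMULA = re.compile(r"^(MY|SY)[A-Z]+-pass!$")    # the weak formula the article describes
LEET = str.maketrans("013@$", "oieas")            # common letter/symbol swaps to undo

def normalise(s):
    """Lower-case and undo common swaps so 'Blu3b1rd' still matches 'bluebird'."""
    return re.sub(r"[^a-z0-9]", "", s.lower().translate(LEET))

def entropy_bits(pw):
    """Estimate brute-force keyspace as log2(pool ** length) from the character classes used."""
    pool = 0
    if re.search(r"[a-z]", pw): pool += 26
    if re.search(r"[A-Z]", pw): pool += 26
    if re.search(r"[0-9]", pw): pool += 10
    if re.search(r"[^a-zA-Z0-9]", pw): pool += 33
    return round(len(pw) * math.log2(pool), 1) if pool else 0.0

def audit(inventory=INVENTORY):
    """Return {device: [findings]} for every row that breaks one of the rules."""
    counts = Counter(pw for _, _, _, pw in inventory)   # for the reuse check
    findings = {}
    for device, _ip, user, pw in inventory:
        issues = []
        if pw.lower() in DEFAULTS or (user, pw) == ("admin", "admin"):
            issues.append("default credential")
        if counts[pw] > 1:
            issues.append("password reused on %d devices" % counts[pw])
        if FORMULA.match(pw):
            issues.append("known weak formula")
        if any(v.lower() in pw.lower() or normalise(v) in normalise(pw) for v in VESSEL_IDS):
            issues.append("contains vessel identifier")
        if len(pw) < MIN_LEN:
            issues.append("shorter than %d chars (%.0f bits)" % (MIN_LEN, entropy_bits(pw)))
        if issues:
            findings[device] = issues
    return findings

if __name__ == "__main__":
    for device, issues in audit().items():
        print(device, "->", "; ".join(issues))
```

The entropy figure is only a keyspace estimate; it makes the point that the 21-character passphrase above dwarfs the 8-character symbol soup, which is the comparison the article draws.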
Note: I know some Engineers would not have let me do the same. This story isn’t to give ‘the Engineer’ or any crew member a lousy name. It is a fact that it happens and whether you would let someone on board in a desperate time or not, have you checked you don’t fall foul of the other lessons listed above?
At the beginning of this article, I described some malicious and scary tactics a hacker could use to hack a Superyacht. The truth is that they are less likely than the more frightening reality: cyber events in yachting are far more likely to be accidental and a result of negligence. Before we worry and concern ourselves with the theoretical tactics of hackers in hoodies, start with tightening up:
- Physical access onboard (keep a visitor log and verify credentials of visitors, suppliers and contractors)
- Physical access to equipment (lock the rack room or at least the racks themselves, limit access to only trained crew)
- Change default IP addresses, usernames and passwords (without fail!)
- Password hygiene (create long passphrases and store them in a secure app like LastPass or Dashlane)
- Never re-use a password (the same tools mentioned above can help here too by remembering them for you)
The visit I described in Rybovich wasn’t the first time I’ve been left to my own devices with the controls to the IT and AV equipment onboard, regardless of whether the Superyacht’s network was supplied and supported by the company I was working for or not.
Hopefully, my ‘hacking’ of a superyacht provides a wake-up call for you to act upon the most realistic threats to safety onboard that can impact safe operations and the safety of the crew.
Ask Yourself This Final Question
This article started by describing malicious and deliberate ways a cybercriminal could hack a Superyacht. I don’t encourage the use of scare tactics because it doesn’t help Superyachts and their crew make meaningful changes to improve their cybersecurity posture and prioritise cyber compliance ahead of the IMO deadline. I felt the descriptions were necessary to include because they are real possibilities, and you should not turn a blind eye.
But ask yourself, what scares you the most?
The theoretical hacks I described, or the fact that I hacked a Superyacht?
If you would like to subscribe to more of Matthew’s articles subscribe here.