The scariest man at CMA was a mild-mannered Englishman Ken Munro, managing director of Pen Test Partners. He was armed with a kettle.
Mr Munro is an ethical hacker. He is paid by companies and the military to hack into their systems, find flaws and advise on how to prevent others from hacking in. The kettle was a prop in his speech about how easy it is to hack into a ship’s systems.
According to Mr Munro, IoT is not internet of things but internet of tea, and in the UK many people have smart kettles. You can start the kettle from your smartphone. He had taken his kettle apart, and found it was using 40-year-old dial up modem software and with a few simple DOS commands he was able to expose the wifi router and the login key. He could, if he wanted, remotely monitor data going through the router, logging IP addresses and passwords. For your online banking, for instance.
Mr Munro’s company has a mix of ex-ship crew and officers. They understand systems on ships and his kettle brought his first warning. Do you monitor what your crew bring on board the ship? What personal devices are they connecting to the ship’s wifi, and is that wifi shared by the ship’s systems?
Then he got even scarier. Shodan is a Google-style search engine for satellite communication software. Using Shodan he quickly found the manual for a common sat nav system, which was integrated with the loading computer. He quickly assured the CMA audience that what he about to demonstrate had now been fixed by recent updates. But the fix only works if the updates had been faithfully followed.
Using the manual, he found the admin password (000000) and the fun began. He was easily able to change the load codes for containers, causing a cargo of frozen prawns to defrost alongside a container of small-sensitive cargo, which the crew had been instructed to leave the door open. What larks!
But he was also able to instruct the computer to load heavy-load cargo from the lower to upper decks, drastically altering the metacentric height and increasing the probability of a capsize. In the hands of a terrorist, the hack could see the explosive codes removed from a container, or allow a container of drugs to be smuggled on board and then released to a truck driver in a port.
He also warned about blockchain, which relies on every computer in the chain having the same unbreakable code. He listed the military specification unbreakable codes from 20 years ago. All had now been broken, and ‘switching’ out codes for newer unbreakable codes is extremely difficult. In a distributed network like blockchain, switching out a broken code may be prohibitively difficult, rendering the value of coin or token to zero.
The good news was that it is relatively simple to protect your ship from hackers. Below is his list of good practice that every owner should implement:
Ask your software suppliers about security – is it adequate for purpose?