Researchers Discover Critical Flaws in Aviation and Shipping Industry Systems

Researchers Discover Critical Flaws in Aviation and Shipping Industry Systems
Douglas Bonderud June 13, 2018 https://securityintelligence.com/news/researchers-discover-critical-flaw...

Share Researchers Discover Critical Flaws in Aviation and Shipping Industry Systems on Twitter Share Researchers Discover Critical Flaws in Aviation and Shipping Industry Systems on Facebook Share Researchers Discover Critical Flaws in Aviation and Shipping Industry Systems on LinkedIn

Physical movement of goods relies heavily on ships and airplanes. According to the International Chamber of Shipping, water-based transport accounts for approximately 90 percent of world trade, while a recent Boeing white paper noted that air cargo traffic will more than double in the next few years.

Given this rapid growth, recent research suggests that both the aerospace and shipping industries may be on a crash course with cybersecurity compromise thanks to their use of outdated (and often unprotected) technology.
Shipping Industry Faces New Threats

To stay on course and ensure that cargo arrives on time, most ships use Electronic Chart Display and Information Systems (ECDISs). Security firm Pen Test Partners recently demonstrated that vulnerabilities in these systems are extremely simple to execute. While they’re also easy to mitigate against, many shipping companies don’t recognize these inherent flaws.

Pen Test Partners tested multiple ECDIS systems and found that most were running old operating systems, such as Windows NT. If compromised, cybercriminals could send ships off course by changing the perceived location of GPS receivers. Since autopilot is often used for regular transport routes, crew members may not even realize the ship is being diverted.

The researchers demonstrated the ability to trick the ECDIS into thinking that ships are a kilometer wide and then transmit this data to other vessels, forcing unnecessary course corrections that could impact shipping lanes. It’s also worth noting that systems such as steering, engines and ballast pumps communicate using NMEA 0183 messages sent in plaintext without authentication, making them easy to compromise.

Finally, Pen Test Partners leveraged a database compiled by device search provider Shodan to create a vulnerable ship tracker. In the wild, this data could enable cybercriminals to target specific ships for maximum impact.
Fight or Flight?

In addition to shipping industry fleets, cargo flights are also under threat. As noted by Avionics, Robert Hickey, aviation program manager within the Cyber Security Division of the U.S. Department of Homeland Security (DHS) Science and Technology (S&T) Directorate, was able to accomplish a “remote, non-cooperative penetration” of a commercial 757 within two days — and without any physical insiders aboard the plane.

According to Newsweek, meanwhile, security researcher Ruben Santamarta noted that entire fleets of aircraft remain accessible via the internet. He also claimed that threat actors on the ground could potentially use satellite communications networks to compromise devices on aircraft in flight. Just like their shipping counterparts, breaches to these networks could send aircraft off course and cause major havoc around high-traffic international airports.

While ships and planes remain integral to worldwide shipping, cybersecurity uptake hasn’t kept pace with technology adoption. As a result, savvy cybercriminals could hijack both navigation and communication systems to steer ships off course or compromise aircraft operations.