Newer yacht models may include IoT devices with routers and switches, which means they can be hacked just like any other device with an internet connection. As Stephan Gerling of the Rosen Group demonstrated during a security summit last week, modern yachts still have a lot of openings for bad actors to potentially exploit, such as the onboard router running an insecure FTP service.
A yacht’s onboard network could have a vessel traffic service device, automatic identification system, autopilot, GPS receivers, radar, cameras, depth sounders, engine control and monitoring, and more. Since these features are connected to a network that can be controlled by an external device like a smartphone or tablet, a bad actor could target those devices to access the entire yacht.
As part of his demonstration, Gerling opened a yacht control app on a tablet, a phone, and a desktop. Each time, the app connected to the router and downloaded an XML file containing the entire router configuration, including the router credentials and the Wi-Fi SSID and password. Since the file was transmitted over FTP, which sends data unencrypted, Gerling noted that it could easily be intercepted by hackers, who could then take full control of the router and the network. Once in, the bad actors could intercept HTTP links, audio and video streaming, and any device on the yacht.
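The weakness described above is that credentials and a configuration file cross the network in the clear, where anyone on the path can read them. The following is an added example (not code from the article, from Gerling, or from the vendor) that audits a captured FTP control channel for exactly that: a cleartext login followed by the retrieval of a configuration file. The transcript is constructed for the example, and the host name, user name, and file path in it are placeholders.

```python
"""Audit a plain-FTP control-channel transcript for credential and
configuration-file exposure (added example, not from the article).

Input format: one line per command or response, as a capture tool would
show it, with client lines prefixed "C: " and server lines "S: ".
Anything readable in such a capture was sent unencrypted, so every
USER/PASS pair and every RETR of a config-like file is a finding."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample session; host, user, password and path are placeholders.
SAMPLE_TRANSCRIPT = """\
S: 220 yacht-router FTP server ready
C: USER admin
S: 331 Password required
C: PASS placeholder-password
S: 230 Login successful
C: TYPE I
S: 200 Type set to I
C: PASV
S: 227 Entering Passive Mode (192,0,2,1,195,80)
C: RETR /config/router-config.xml
S: 150 Opening BINARY mode data connection
S: 226 Transfer complete
C: QUIT
S: 221 Goodbye
"""

# File extensions that usually carry device configuration and secrets.
SENSITIVE_FILE = re.compile(r"\.(xml|conf|cfg|ini|json)$", re.IGNORECASE)


@dataclass
class Finding:
    severity: str
    line_no: int
    message: str


@dataclass
class FtpAudit:
    user: Optional[str] = None
    password_seen: bool = False
    retrieved: List[str] = field(default_factory=list)
    findings: List[Finding] = field(default_factory=list)


def audit_ftp_transcript(text: str) -> FtpAudit:
    """Walk the client commands and record credential and config exposure."""
    audit = FtpAudit()
    for line_no, raw in enumerate(text.splitlines(), start=1):
        if not raw.startswith("C: "):
            continue  # server responses carry no client secrets
        cmd, _, arg = raw[3:].partition(" ")
        cmd = cmd.upper()
        if cmd == "USER":
            audit.user = arg
        elif cmd == "PASS":
            # The password itself is visible in the capture: that is the problem,
            # so report the fact without echoing the secret into the report.
            audit.password_seen = True
            audit.findings.append(Finding(
                "high", line_no,
                f"cleartext password for user {audit.user!r} observed on the wire"))
        elif cmd == "RETR":
            audit.retrieved.append(arg)
            if SENSITIVE_FILE.search(arg):
                audit.findings.append(Finding(
                    "high", line_no,
                    f"configuration file {arg!r} fetched over unencrypted FTP"))
    return audit


def summarize(audit: FtpAudit) -> str:
    """Human-readable report for the findings."""
    if not audit.findings:
        return "no cleartext credential or configuration exposure found"
    return "\n".join(f"[{f.severity}] line {f.line_no}: {f.message}"
                     for f in audit.findings)


if __name__ == "__main__":
    print(summarize(audit_ftp_transcript(SAMPLE_TRANSCRIPT)))
```

Running the block on the sample flags two lines: the PASS command and the RETR of the XML configuration. Moving the same transfer to SFTP (or any SSH-based channel) removes both findings by construction, because neither the login nor the file contents are readable in a capture of the encrypted session.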
There was also a user account with root access on the router’s operating system, created by the developers, likely for remote tech support. The patch that the vendor issued has kept that root account available, which Kaspersky notes as a potential security concern.
“Looking at the situation as a whole, we do not have many tips for yacht owners,” the Kaspersky report notes, since yacht owners usually purchase their onboard network and devices as a single package and are unlikely to DIY install each router and cable by themselves. “In a nutshell, all we can recommend is to choose your infotainment solution’s manufacturer wisely.”
After Gerling’s comments at the summit, the unidentified yacht vendor whose equipment he had used during his demonstration issued a patch addressing some of those security concerns. The patch replaced the FTP protocol on the yacht router with SSH, but it still kept an account with root access inside the router.
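The remaining concern after the patch is an extra account with root privileges on the router. On a Unix-like router operating system that is visible in the passwd file as a second entry with UID 0. The following is an added example (not from the article, Kaspersky, or the vendor) that parses passwd-style content and reports such accounts, plus every account that still has an interactive login shell. The passwd content is constructed for the example, and the account names in it are placeholders, not the vendor's actual account.

```python
"""Find accounts that hold root privileges (UID 0) or an interactive shell in
passwd-style content (added example, not from the article).

The sample below is constructed; 'support' stands in for an unnamed
vendor-created account and is not the account described in the article."""
from typing import Dict, Iterable, List

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
support:x:0:0:remote support:/home/support:/bin/sh
www:x:33:33:www:/var/www:/usr/sbin/nologin
admin:x:1000:1000:admin:/home/admin:/bin/sh
"""

# Shells that refuse interactive logins.
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}


def parse_passwd(text: str) -> List[Dict[str, str]]:
    """Split passwd lines into the seven standard colon-separated fields."""
    entries = []
    for raw in text.splitlines():
        if not raw or raw.startswith("#"):
            continue
        fields = raw.split(":")
        if len(fields) != 7:
            continue  # malformed line; skip rather than guess
        name, _pw, uid, gid, gecos, home, shell = fields
        entries.append({"name": name, "uid": uid, "gid": gid,
                        "gecos": gecos, "home": home, "shell": shell})
    return entries


def uid0_accounts(text: str) -> List[str]:
    """Every account name whose UID is 0, i.e. full root privileges."""
    return [e["name"] for e in parse_passwd(text) if e["uid"] == "0"]


def unexpected_root_accounts(text: str, expected: Iterable[str] = ("root",)) -> List[str]:
    """UID-0 accounts that are not on the expected list.

    An empty result is the baseline a router image should meet; anything
    else is a second root login that a support process or a patch left behind."""
    allowed = set(expected)
    return [name for name in uid0_accounts(text) if name not in allowed]


def interactive_accounts(text: str) -> List[str]:
    """Accounts whose shell permits an interactive login."""
    return [e["name"] for e in parse_passwd(text)
            if e["shell"] not in NOLOGIN_SHELLS]


if __name__ == "__main__":
    print("UID 0 accounts:", uid0_accounts(SAMPLE_PASSWD))
    print("unexpected root accounts:", unexpected_root_accounts(SAMPLE_PASSWD))
    print("interactive accounts:", interactive_accounts(SAMPLE_PASSWD))
```

On a real device the same functions would be fed the contents of /etc/passwd; the point of the check is that a patch which swaps FTP for SSH changes nothing here, so the audit has to be repeated after every firmware update rather than once.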
Wealthy yacht owners may not seem like particularly sympathetic victims, but given that many of them are high-profile and might use their ships to negotiate business deals or discuss other confidential matters, they have good reason to want to prevent any spying on board. The Kaspersky report recommends that manufacturers tighten up security and “not simply wait for serious leaks, for which they will be rightly blamed.”