If you own a superyacht they are your homes, your offices, your play areas. They are islands of exclusivity and provide safety and security and above all privacy, but are they really as secure and private as you hope they are?
Most yachts have safety features such as Automatic Identification Service (AIS) installed. These can be tracked in real time using just the vessel's name, with services such as Marine traffic. You can turn off AIS, but it is generally not done for obvious reasons.
We can link yachts to owners via some open source intelligence, there are services online to help, but often just reading magazines will provide valuable snippets of information. If you are a charter owner your website will likley tell us the names of your yachts. Leaving the privacy issues aside, finding the yacht is easy, but what about hacking it?
Your yachts are homes often for months on end. You will have Wi-Fi, connected televisions, connected lighting, connected audio services to allow whole yacht audio, smart TVs are installed, allowing you to stream content from your device either over wireless or Bluetooth. We have hacked Google Chromecast devices previously and shown how to abuse smart TVs. You may even have a virtual concierge onboard using biometrics to identify you and then change blinds, lights, heat, etc. to suit your specific needs.
Your yacht is not just a home it’s also your office. You spend a significant part of the year living and working on the yacht, you have a modern office, with Voice Over IP telephones, video conferencing services and high-speed internet. Video conferencing services connect directly to 3rd party services and can be controlled remotely. We have found flaws that allow us to compromise the devices to turn them in to in room bugs or even open them up to virus infection.
Countless times we find issues in networking devices, only to be told they are “out of support” and that the issues won’t be fixed. How old is the technology on your boat? Are they still supported?
Yachts are play areas for you, your family or your clients. You use drones to film you at play, connected dive watches and connected gym equipment are all in use. Rarely are these tested effectively by manufacturers for security issues, yet are often connected to critical safety systems such as navigation. What security assurances have your manufactures provided?
The security of this mesh of technology, including the safety tech is often the domain of your technology partner. Can you be certain all of that has been implemented securely?
Often the security will be down to the specific engineer who installs it. When considering home automation engineers, technology security skills are usually lacking. Time is limited (get it done as fast as possible) and security is often overlooked in the rush to deliver.
Does your technology provider give assurances that the technology has been installed securely?
You may have connectivity via mobile devices, possibly allowing your captain to ‘autodock’ yachts or for you to track your vessels in real time. Your yacht is usually permanently connected to the internet via it’s satcom system. We have shown how these can be compromised remotely, eating in to bandwidth and potentially impacting the ability for the captain to navigate effectively. Often issues are fixed by applying updates and changing default passwords. Both can be overlooked by captains in a desire to keep yachts moving, this is especially a concern for charter owners. Do you allow regular maintenance windows for your captains?
Awareness of technical security issues among owners, captains, crew and installers is generally low. It’s common for crew to plug personal devices in to navigation kit to charge them. Charter yacht owners may have no knowledge of who will be coming onboard and what they will be doing with the equipment on board. Are you checking your yachts after each charter for rogue devices?