Hacking Superyachts. Advice for owners

2019-04-01T13:27:05
ID PENTESTPARTNERS:6D59337E41059E111FA63B437533F231
Type pentestpartners
Reporter Tony Gee
Modified 2019-04-01T13:27:05

Description

If you own superyachts, they are your homes, your offices, your play areas. They are islands of exclusivity and provide safety, security and, above all, privacy. But are they really as secure and private as you hope they are?

Finding your yacht

Most yachts have safety features such as Automatic Identification Service (AIS) installed. Yachts with AIS can be tracked in real time using just the vessel's name, with services such as MarineTraffic. You can turn off AIS, but it is generally not done for obvious reasons.

We can link yachts to owners via some open source intelligence. There are services online to help, but often just reading magazines will provide valuable snippets of information. If you are a charter owner, your website will likely tell us the names of your yachts. Leaving the privacy issues aside, finding the yacht is easy, but what about hacking it?

Home comforts

Your yachts are homes, often for months on end. You will have Wi-Fi, connected televisions, connected lighting and connected audio services to allow whole-yacht audio. Smart TVs are installed, allowing you to stream content from your device over either wireless or Bluetooth. We have hacked Google Chromecast devices previously and shown how to abuse smart TVs. You may even have a virtual concierge onboard using biometrics to identify you and then change blinds, lights, heat, etc. to suit your specific needs.

Office 24/7

Your yacht is not just a home, it’s also your office. You spend a significant part of the year living and working on the yacht, so you have a modern office with Voice over IP telephones, video conferencing services and high-speed internet. Video conferencing services connect directly to third-party services and can be controlled remotely. We have found flaws that allow us to compromise the devices to turn them into in-room bugs or even open them up to virus infection.

Countless times we find issues in networking devices, only to be told they are “out of support” and that the issues won’t be fixed. How old is the technology on your boat? Is it still supported?

Playtime

Yachts are play areas for you, your family or your clients. You use drones to film you at play, and connected dive watches and connected gym equipment are all in use. Rarely are these tested effectively by manufacturers for security issues, yet they are often connected to critical safety systems such as navigation. What security assurances have your manufacturers provided?

Onboard Security. Outsourced threats…

The security of this mesh of technology, including the safety tech, is often the domain of your technology partner. Can you be certain all of that has been implemented securely?

Often the security will be down to the specific engineer who installs it. Among home automation engineers, technology security skills are usually lacking. Time is limited (get it done as fast as possible) and security is often overlooked in the rush to deliver.

Does your technology provider give assurances that the technology has been installed securely?

Connected captains

You may have connectivity via mobile devices, possibly allowing your captain to ‘autodock’ yachts or for you to track your vessels in real time. Your yacht is usually permanently connected to the internet via its satcom system. We have shown how these can be compromised remotely, eating into bandwidth and potentially impacting the ability of the captain to navigate effectively. Often issues are fixed by applying updates and changing default passwords. Both can be overlooked by captains in a desire to keep yachts moving; this is especially a concern for charter owners. Do you allow regular maintenance windows for your captains?

Awareness of technical security issues among owners, captains, crew and installers is generally low. It’s common for crew to plug personal devices into navigation kit to charge them. Charter yacht owners may have no knowledge of who will be coming onboard and what they will be doing with the equipment on board. Are you checking your yachts after each charter for rogue devices?

Tactical advice

  • Ask your captain when the satcom and navigation systems were last updated
  • Task your technology partner with providing assurance that systems have been tested for security issues
  • Seek assurances that services like smart devices cannot interact with safety critical systems
  • Ensure all default passwords on systems are changed
  • Regularly audit charter yachts for rogue systems/devices
  • Seek training for captains and crew on good security practices
