back to article Where's Zero Cool when you need him? Loose chips sink ships: How hackers could wreck container vessels

Poorly maintained IT systems on container ships are leaving the vessels open to cyber-attack and catastrophe, it is claimed. This is according to folks this week at security house Pen Test Partners, who found that in some cases, connected maritime devices dating back to the early 1990s are being left open to the public …

  1. Maelstorm Bronze badge
    Joke

    Hmmm... Ship Tipping

    Ship Tipping...

    Gives a whole new meaning to Cow Tipping.

  2. Maelstorm Bronze badge
    Joke

    And in other news...

    And still furious about the humiliating loss in the Falklands War, the President of Argentina orders his cyber warfare division of the military to tip the container ships which contain a shipment of underwear for the Queen of England.

  3. ecarlseen

    That's it.

    I'm hiring Penn Jillette for my NOC right freaking now.

    1. GnuTzu Bronze badge

      Re: That's it.

      ... or SOC.

  4. FozzyBear Silver badge
    Coffee/keyboard

    Oh God No. No God why oh why did you reference that infernal movie.

    Not to fear Mr The Plague is here.

    Thankfully randomly bashing buttons on some weird arsed console will destroy any incoming virus or malware.

    1. Long John Brass Silver badge
      Paris Hilton

      Oh God No. No God why oh why did you...

      Hey I liked that movie :)

      "There are worse things than death; And I can do *ALL* of them"

    2. Anonymous Coward
      Anonymous Coward

      Agreed. That movie was worse than garbage. For a real hacker movie see "Sneakers".

      1. Michael Wojcik Silver badge

        What little I remember of Sneakers makes me rather doubt the "real hacker movie" claim. Ooh, magic technology that breaks all decryption. Ooh, US ATC is accessible over the public Internet, just encrypted. Ooh, I'm going to wear a suit that prevents me from radiating any body heat. And I'm doing it to get past a security system which relies on infrared detection of body heat rather than the inexpensive, widely-available ultrasonic motion detectors that everyone actually uses, because the hacks in Hollywood haven't come up with a magic way to avoid those.

        A "real hacker movie" would be pretty damn dull, because real hacking mostly involves 1) thinking, 2) doing research, and 3) patiently trying things out on a computer.

    3. diodesign (Written by Reg staff) Silver badge

      "why did you reference that infernal movie."

      s/infernal/superb/

      C.

  5. CloudWrangler
    Holmes

    MSC Zoe was a proof of concept hack?

    The MSC Zoe lost over 345 containers in a storm off the dutch coast on the 1st of January this year, and no explanation has yet been forwarded for why. Someone messing with the systems remotely would explain SO MUCH.

    1. John Jennings

      Re: MSC Zoe was a proof of concept hack?

      Most likely not.

      1400 containers fall off ships PER YEAR, on average.

      The damn things can take years to sink. They are so massive that in collision tests, 9.99 times out of 10 , a yacht comes off worst.

      1. S4qFBxkFFg

        Re: MSC Zoe was a proof of concept hack?

        For this reason, and that shipping containers can contain valuable cargo, isn't there a case for fitting them with GPS trackers? A box with accelerometer (to detect the fall and splash, and turn the rest of the kit on), GPS, and a transmitter. Essentially it would be a PLB, but with a bigger battery, and would have to be triggered automatically but somehow not be susceptible to false alarms.

        Is this possible without adding too much cost per container (i.e. costing less than 1. writing off the cargo that could otherwise survive a fall + immersion and 2. repair costs for ships that accidentally find the floating containers)?

        1. phuzz Silver badge

          Re: MSC Zoe was a proof of concept hack?

          There's something like 20 million containers worldwide, and I'm sure some of them are fitted with trackers, but several things make it tricky to roll out to all containers.

          GPS signals don't go through water, and containers tend to 'float' with only about 1% of their body above the water. You can't have the antenna sticking out far, because it would get smashed during loading, so instead you've have to have multiple ones around the container so that at least one would be close enough to the surface to receive.

          Then you need some kind of transmitter, and you'll have similar problems with the antenna for that, plus transmitting is going to use a whole lot more power than receiving GPS signals.

          At the end of the day, containers are treated as only being semi-recyclable, sooner or later they get a bit too rusty and get dumped, or sold on for a hipster to build a restaurant in one or something.

        2. Rupert Fiennes Bronze badge

          Re: MSC Zoe was a proof of concept hack?

          I think quite a few sensitive containers already have GPS trackers. The only issue is probably the requirement for said container to have a power hookup to keep it charged and how a container buried under twenty others is going to get a satellite fix.

  6. W.S.Gosset Bronze badge

    Serious infrastructure carnage

    Never mind sinking a ship (rat's arse) -- how about overriding the controls near docking and driving into the port facilities at a rate of knots.

    Do that with 3 or 4 vessels (they're "vessels", btw, not "ships" -- fastest way to annoy a freight guy is to call them ships) in succession into different parts of the port, and you've pretty much disabled every bit of traffic in/out of that port for a year or more.

    You wanna bring a country to its knees in a hurry? Cripple the ports. There really aren't that many of them, either...

    1. W.S.Gosset Bronze badge

      Re: Serious infrastructure carnage

      Oh, and never mind little container vessels. eHijack 150,000 tons of iron ore or coal on your standard Capesize, or hell, grab some of the big boys: 400,000 tons.

      Even Panamax casually takes 50,000 tons, the Neopanamax are 120,000, and they're everywhere.

      Even if you can only get it up to 3 or 4 knots once you take it off the tug in the roads or the harbour, that's going to get a long way inland before it stops. Take it through the cranes, and that's that harbour out of action for container un/loading for a long time. Which eliminates virtually all food import/export, and all spare parts, and in fact all "normal" (non-bulk-ores/coal) goods. So all military supplies, in the case of an in-progress war, would essentially dry up immediately. For example.

      1. Korev Silver badge

        Re: Serious infrastructure carnage

        True, in case you haven't seen the video of someone having a bad day in Barcelona

        1. W.S.Gosset Bronze badge

          Re: Serious infrastructure carnage

          And that's just a cruise ship (barely moving; drifting). They weigh nothing. A thin weak box of air.

    2. phuzz Silver badge
      Trollface

      Re: Serious infrastructure carnage

      "fastest way to annoy a freight guy is to call them ships"

      That's why I call them boatys, it annoys all the swabbies :)

    3. Cuddles Silver badge

      Re: Serious infrastructure carnage

      "Never mind sinking a ship (rat's arse) -- how about overriding the controls near docking and driving into the port facilities at a rate of knots."

      Great, as if life imitating Hackers wasn't bad enough, now we're going for Speed 2 as well?

      1. W.S.Gosset Bronze badge
        Alert

        Re: Serious infrastructure carnage

        Heh. But on a more serious note:

        England nearly lost WWII in 1939-early1940 due to mines being laid IN their ports & roads, never mind normal routes. The pilots later got the glory for the Battle of Britain re a tactical attack, but the minesweepers were digging out truly startling quantities of explosives out of the ports for a year prior : a strategic attack. The Battle of the Atlantic was actually more important than the Battle of Britain, in terms of the war. Reason: supplies.

        Relatedly: Can you think of any sovereign nation which has been aggressively building military capability and extending territorial positioning, has been exponentially increasing aggression, has a recent (10-20yrs) history of exponentially increasing hacking/cracking for Nation State purposes, has a ~3,000yr history of pretending social/diplomatic niceties then conducting surprise attacks, and has a strong recent history of conducting NationState-crippling passive-aggressive attacks by eliminating trade/supplies?

        In answering that question, you might note something rather startling that happened just yesterday, re the last item in that list.

        9/11 & kamikazes (and "ogging") demonstrated conclusively that often the weapon-delivery system is more dangerous than the weapons, so long as you don't care about the people in it. And even ordinary vehicles are actually lethal (cf. trucks & cars used by terrorists the last few years). It just takes someone/some group to decide to DO it.

    4. HarryBl

      Re: Serious infrastructure carnage

      I was a 'freight guy' for 10 years and everybody on board called them ships.

      I've never sailed with anyone who called them vessels in every day speech.

      'Vessel' is reserved for logs or other official documents.

      Sometimes (shock horror) we even called them boats as in box boats or gas boats.

      1. W.S.Gosset Bronze badge

        Re: Serious infrastructure carnage

        > "'Vessel' is reserved for logs or other official documents."

        Hmm, good point. I was thinking from the point of view of the people hiring & directing & making/losing money from the vessels, rather than that of the people actually ON them.

        (So your iron ore trader/marketer finds, negotiates, and closes on a 12mth contract for 25,000 tons a month, then throws that to the freight traders, who find, negotiate, close on, then monitor/manage a 25,000 ton compartment and/or vessel to pick up from that port FOB & deliver CIF, while the traffic management boys have the day-on-day job of managing all the logistics drama of getting it from minehead to port & thru all the assaying and stockpiling and so on from to FOB status.)

        My apologies. We're both right, but in different frameworks.

  7. Claptrap314 Bronze badge

    ImPortant weaknesses

    I don't know any details (I was AF), but I am aware that CB instaport capabilities are a strategic asset. I don't know how far it goes, but for the US, at least, we can make a sizable port (or three) very rapidly.

    But it really all depends on what route you want to take. Consider a 10MT nuke in the shallows, or a 5OMT a bit further out. I know that our major ports are actively searching for those.

    I would also assume that when things get hot enough, that the PAs will get aggressive about requiring tugs and even "safeing" engines once a ship gets close enough--imagine a coal ship shearing a bunch of piers.

    I remember reading, what, thirty years ago? about computer controlled pumping systems on oil tankers. Trivial to overload the center and crack it up.

  8. c1ue

    I have no doubt the vulnerabilities noted exist, however, the connection between an XP terminal and the actual ship's controls and systems is far less clear to me.

    The XP based PCs are no doubt used for communications, shipping orders, paperwork, entertainment and whatnot but that is a far cry from steering, ballast control and so forth.

    And given the age of the PCs, it seems highly unlikely that the ships are networked such that such control capability is even possible.

    Mischief, in this case, is largely a command and control type interference such as was seen with NotPetya damage.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019