Incident Details

Incident: Ship-tracking Technology Hack Risks Chaos in English Channel

Published Date: 2018-06-07

Postmortem Analysis
Timeline	1. The software failure incident mentioned in the article happened around June 2018. - The article was published on 2018-06-07 [72575]. - Therefore, the incident likely occurred in June 2018.
System	1. Electronic Chart Display (Ecdis) system 2. Satellite communications equipment default username and password 3. Automatic Identification System (AIS) transceiver
Responsible Organization	1. The vulnerability in the ship-tracking technology was discovered by researcher Ken Munro from Pen Test Partners [72575]. 2. French researcher x0rz demonstrated the vulnerability in many ships' satellite communications equipment's default username and password, which could be exploited to gain remote access [72575].
Impacted Organization	1. Ship owners and operators [72575]
Software Causes	1. The vulnerability in the ship-tracking technology that allowed for spoofing the size and location of boats by hacking the Electronic Chart Display (Ecdis) software [72575].
Non-software Causes	1. Lack of changing default username and password for satellite communications equipment on ships [72575]. 2. Vulnerabilities in the computer-powered navigation system (Ecdis) used on ships [72575].
Impacts	1. The software failure incident allowed for the spoofing of ship sizes and locations, potentially triggering collision alarms on other vessels, which could lead to accidents and chaos in the English Channel [72575]. 2. The vulnerability in the ship-tracking technology could be exploited to block the English Channel's shipping lanes, disrupting the flow of traffic [72575]. 3. The incident highlighted the dire state of security on board ships, emphasizing the need for ship owners to take basic steps to protect their vessels against such threats [72575]. 4. While experts acknowledged the technical accuracy of the vulnerability, they deemed the worst-case scenario of completely shutting down the Channel's shipping lanes as extremely unlikely due to interventions by monitoring bodies and the unlikelihood of cascading effects [72575].
Preventions	1. Implementing strong passwords and regularly changing default usernames and passwords for satellite communication equipment could have prevented the software failure incident [72575]. 2. Ensuring that the latest software patches are installed on the Electronic Chart Display (Ecdis) systems could have helped prevent the vulnerability exploited in the incident [72575]. 3. Providing proper cybersecurity training to ship officers to enhance their awareness and ability to secure onboard systems could have mitigated the risk of such software failures [72575].
Fixes	1. Implement basic security measures on ships to prevent hacking, such as using strong passwords and installing software patches [72575]. 2. Provide proper training to ship officers on cybersecurity practices to ensure equipment is secure [72575]. 3. Enhance the security of the Electronic Chart Display (Ecdis) software to prevent misidentification of GPS locations and vessel sizes [72575]. 4. Develop a technical solution to address vulnerabilities in ship navigation systems that were not designed with cybersecurity in mind [72575]. 5. Establish protocols for intervention by authorities like the Channel Navigation Information Service in case of AIS collision warnings contradicting radar readings and visual observations [72575].
References	1. Ken Munro from Pen Test Partners [72575] 2. French researcher x0rz [72575] 3. Prof Kevin Jones from the University of Plymouth's Maritime Cyber Threats research group [72575] 4. Dr Tim Crichton from the University of Plymouth's Maritime Cyber Threats research group [72575] 5. Dr Kimberley Tam from the University of Plymouth's Maritime Cyber Threats research group [72575] 6. UK's National Cyber Security Centre (NCSC) spokesperson [72575]

Software Taxonomy of Faults

Category	Option	Rationale
Recurring	unknown	(a) The software failure incident related to the ship-tracking technology being hacked to spoof the size and location of boats has not been specifically mentioned to have happened again within the same organization or with its products and services in the provided article [72575]. (b) The article does not mention any specific instances of similar incidents happening at other organizations or with their products and services related to the ship-tracking technology hack discussed in the article [72575].
Phase (Design/Operation)	design, operation	(a) The software failure incident related to the design phase can be seen in the article where it is mentioned that a vulnerability was discovered in a commonly used ship-tracking technology that could be exploited to spoof the size and location of boats, potentially triggering collision alarms on other vessels [72575]. (b) The software failure incident related to the operation phase is evident in the article where it is highlighted that many ships never changed their satellite communications equipment's default username and password, making it relatively easy to gain remote access and reconfigure a ship's Electronic Chart Display software to misidentify the location of its GPS receiver, potentially leading to accidents [72575].
Boundary (Internal/External)	within_system, outside_system	(a) within_system: The software failure incident reported in the article is primarily within the system. The vulnerability exploited by the researcher, Ken Munro, involves targeting a computer-powered navigation system called the Electronic Chart Display (Ecdis) on ships. By reconfiguring the ship's Ecdis software, the location of the GPS receiver can be misidentified, potentially leading to collisions. Additionally, the incident involves manipulating the software to make the boat appear much larger than its actual size, triggering collision alarms on other vessels [72575]. These actions demonstrate how the software itself can be manipulated to create chaos and disrupt the normal functioning of the ships. (b) outside_system: The potential consequences of the software failure incident extend beyond the system itself. While the vulnerability lies within the software system used for ship navigation, the impact of exploiting this vulnerability could lead to significant disruptions in the English Channel's shipping lanes. The article mentions that the attack could effectively shut down the Channel's shipping lanes by causing AIS collision alarms to go off on numerous ships, leading them to avoid the area completely. This external impact highlights how a software failure within the system can have broader consequences on the overall maritime traffic and safety in the English Channel [72575].
Nature (Human/Non-human)	non-human_actions, human_actions	(a) The software failure incident in the article is related to non-human actions. The incident involves a vulnerability in ship-tracking technology that can be hacked to spoof the size and location of boats, potentially triggering collision alarms on other vessels without direct human involvement. The attack targets the Electronic Chart Display (Ecdis) system, manipulating the GPS receiver's location and boat size to create false information that could lead to accidents [72575]. (b) The software failure incident also involves human actions. The vulnerability exploited in the incident was initially demonstrated by a French researcher who found that many ships never changed their satellite communications equipment's default username and password, making it relatively easy for hackers to gain remote access. Additionally, the researcher Ken Munro highlighted the lack of security measures on board ships, emphasizing the importance of ship owners taking basic steps to prevent such incidents [72575].
Dimension (Hardware/Software)	hardware, software	(a) The software failure incident occurring due to hardware: - The incident reported in the article is related to a ship-tracking technology that can be hacked to spoof the size and location of boats, potentially triggering collision alarms on other vessels [72575]. - The vulnerability exploited in this incident involves the manipulation of a ship's Electronic Chart Display (Ecdis) software, which is a computer-powered navigation system found on ships [72575]. - The hack involves reconfiguring the ship's Ecdis software to misidentify the location of its GPS receiver, which is a hardware component crucial for accurate positioning information [72575]. (b) The software failure incident occurring due to software: - The software failure incident primarily originates from the manipulation and exploitation of the ship's Ecdis software, which is a software system used for navigation on ships [72575]. - The hack demonstrated by the researcher involves altering the software to misidentify the GPS receiver's location and spoof the size of the boat, leading to potential collision risks [72575]. - The vulnerability exploited in this incident highlights the importance of software security on board ships and the need for software patches and secure configurations to prevent such attacks [72575].
Objective (Malicious/Non-malicious)	malicious	(a) The software failure incident reported in the articles is malicious in nature. The incident involves a ship-tracking technology being hacked to spoof the size and location of boats in order to trigger collision alarms on other vessels, potentially leading to accidents and chaos in the English Channel [72575]. The vulnerability was exploited by manipulating the ship's Electronic Chart Display (Ecdis) software to misidentify the GPS receiver's location and make the boat appear much larger than its true size, which could lead to collisions and disruptions [72575]. The attack was demonstrated by researchers to show the potential risks and consequences of such malicious actions, highlighting the need for ship owners to protect their vessels against such threats [72575].
Intent (Poor/Accidental Decisions)	poor_decisions	(a) The intent of the software failure incident was related to poor_decisions. The incident involved a vulnerability in a commonly used ship-tracking technology that could be exploited to spoof the size and location of boats, potentially triggering collision alarms on other vessels. The vulnerability was identified by a researcher, Ken Munro, who demonstrated how the Electronic Chart Display (Ecdis) software on ships could be manipulated to misidentify GPS locations and make boats appear larger than they actually were. This could lead to chaos and potential accidents in the English Channel [72575].
Capability (Incompetence/Accidental)	development_incompetence, accidental	(a) The software failure incident in the article is related to development incompetence. The vulnerability in the ship-tracking technology that allowed for spoofing the size and location of boats was discovered by a researcher, Ken Munro, who highlighted the lack of basic security measures on board ships. He mentioned that security on ships is often dire and emphasized the need for ship owners to take simple steps to prevent such incidents [72575]. (b) The incident also involved accidental factors, such as ships not changing their satellite communications equipment's default username and password, making it relatively easy for unauthorized access. The ability to reconfigure a ship's Ecdis software to misidentify the GPS location was a result of these accidental vulnerabilities that were exploited by the researcher [72575].
Duration	permanent, temporary	The software failure incident described in the articles can be categorized as both temporary and permanent. Temporary: The vulnerability in the ship-tracking technology that allowed for spoofing the size and location of boats to trigger collision alarms was a temporary failure. This vulnerability could be exploited to cause chaos and potentially shut down the English Channel temporarily [72575]. Permanent: The underlying issue of poor security on board ships and the potential for hackers to exploit various vulnerabilities in ship systems, including the Electronic Chart Display (Ecdis) software, can be considered a permanent failure. The lack of proper security measures and the presence of easily exploitable weaknesses in the systems indicate a long-term risk of software failure incidents [72575].
Behaviour	other	(a) crash: The software failure incident described in the articles does not involve a crash where the system loses state and does not perform any of its intended functions. The incident involves a vulnerability in ship-tracking technology that could be exploited to spoof the size and location of boats to trigger collision alarms [72575]. (b) omission: The incident does not involve a failure due to the system omitting to perform its intended functions at an instance(s). Instead, it focuses on the manipulation of ship navigation systems to misidentify locations and sizes of vessels, potentially leading to accidents [72575]. (c) timing: The software failure incident is not related to the system performing its intended functions correctly but too late or too early. It revolves around the manipulation of ship navigation systems to deceive other vessels about their location and size, potentially causing accidents [72575]. (d) value: The incident does not involve a failure due to the system performing its intended functions incorrectly. Instead, it highlights a vulnerability in ship navigation systems that could be exploited to misidentify vessel locations and sizes, leading to potential accidents [72575]. (e) byzantine: The software failure incident does not exhibit a byzantine behavior where the system behaves erroneously with inconsistent responses and interactions. It focuses on the exploitation of a vulnerability in ship navigation systems to deceive other vessels about their locations and sizes, potentially causing chaos in the English Channel [72575]. (f) other: The behavior of the software failure incident can be categorized as a security vulnerability that allows for the manipulation of ship navigation systems to spoof vessel locations and sizes, potentially triggering collision alarms and causing chaos in the English Channel. The incident highlights the importance of addressing cybersecurity vulnerabilities in maritime systems to prevent potential accidents [72575].

IoT System Layer

Layer	Option	Rationale
Perception	sensor, processing_unit, embedded_software	(a) sensor: The software failure incident discussed in the articles is related to the sensor layer of the cyber-physical system. The vulnerability exploited in the attack targets a computer-powered navigation system called the Electronic Chart Display (Ecdis), which provides crews an alternative to using paper charts. By misidentifying the location of the GPS receiver, the attack can manipulate the sensor data, leading to potential collisions ([72575]). (b) actuator: The articles do not specifically mention any failure related to the actuator layer of the cyber-physical system. (c) processing_unit: The software failure incident does involve the processing unit of the cyber-physical system. The attack demonstrated by the researcher involves reconfiguring a ship's Ecdis software to misidentify the location of its GPS receiver, which involves processing errors in the software ([72575]). (d) network_communication: The incident does not directly involve a failure related to network communication errors in the cyber-physical system. (e) embedded_software: The failure incident is related to the embedded software layer of the cyber-physical system. The vulnerability exploited in the attack targets the Ecdis software, which is embedded in the ship's navigation system. By manipulating this embedded software, the attacker can spoof the size and location of boats, leading to potential collisions ([72575]).
Communication	connectivity_level	The software failure incident reported in the articles is related to the communication layer of the cyber-physical system that failed at the connectivity level. The incident involved exploiting vulnerabilities in the ship-tracking technology and the Electronic Chart Display (Ecdis) system, which is a computer-powered navigation system used on ships [72575]. The vulnerability allowed for the manipulation of the GPS receiver's location and the identification of the boat as being much larger than its true size, potentially leading to triggering collision alarms on other vessels and causing chaos in the English Channel [72575]. The attack targeted the AIS transceiver on many new ships, which is part of the connectivity layer in the communication system [72575]. The incident highlighted the importance of securing the communication systems on ships to prevent such cyber-physical system failures at the connectivity level.
Application	TRUE	The software failure incident described in the article [72575] was related to the application layer of the cyber physical system. The incident involved a vulnerability in the Electronic Chart Display (Ecdis) software used for navigation on ships. The vulnerability allowed for the manipulation of the GPS receiver's location and the identification of the boat as being much larger than its true size, potentially leading to triggering collision alarms and causing chaos in the English Channel. This manipulation of the software at the application layer could result in accidents and disruptions due to incorrect information being processed by the system.

Other Details

Category	Option	Rationale
Consequence	property, non-human, theoretical_consequence, other	(a) death: People lost their lives due to the software failure - There is no mention of people losing their lives due to the software failure incident reported in the articles [72575]. (b) harm: People were physically harmed due to the software failure - The articles do not mention people being physically harmed due to the software failure incident [72575]. (c) basic: People's access to food or shelter was impacted because of the software failure - The articles do not mention people's access to food or shelter being impacted due to the software failure incident [72575]. (d) property: People's material goods, money, or data was impacted due to the software failure - The software failure incident could potentially impact property as it could lead to accidents or collisions between ships due to false information being transmitted [72575]. (e) delay: People had to postpone an activity due to the software failure - The articles do not mention people having to postpone an activity due to the software failure incident [72575]. (f) non-human: Non-human entities were impacted due to the software failure - The software failure incident impacted non-human entities, specifically ships, as their navigation systems could be compromised leading to potential accidents or disruptions in the English Channel [72575]. (g) no_consequence: There were no real observed consequences of the software failure - The software failure incident had potential consequences discussed, but there were no real observed consequences mentioned in the articles [72575]. (h) theoretical_consequence: There were potential consequences discussed of the software failure that did not occur - The articles discuss potential consequences of the software failure incident, such as triggering collision alarms, causing chaos in the English Channel, and disrupting shipping lanes, but it is noted that the worst-case conclusion is considered extremely unlikely in practice [72575]. (i) other: Was there consequence(s) of the software failure not described in the (a to h) options? What is the other consequence(s)? - The software failure incident could potentially lead to disruption in shipping operations, financial losses for ship owners, and a need for increased cybersecurity measures to prevent future incidents [72575].
Domain	transportation	(a) The failed system was intended to support the transportation industry. The incident involved a ship-tracking technology hack that could manipulate the size and location of boats, potentially leading to collision alarms triggering on other vessels [72575]. The attack targeted the Electronic Chart Display (Ecdis) system used for navigation on ships, affecting their GPS positioning and potentially causing accidents in the English Channel [72575]. The consequences of the hack could disrupt shipping lanes and create chaos in the busy English Channel, a critical transportation route [72575].

Sources

Ship hack 'risks chaos in English Channel' - BBC.com - Published on: 2018-06-07
Article ID: 72575

Back to List