Cyber Security: Connected Devices
Knowledge is Power
Most of you reading this will have a smartphone onboard with you at the moment. I know this because, each year since 2012, Futurenautics has run the Crew Connectivity Survey, which asks around 3,000 seafarers about their access to, and usage of, devices and connectivity onboard. 2015 was the year in which smartphones overtook other devices to become the most common piece of equipment seafarers have on ships. For the record, the others are laptops, hard drives and other types of mobile phones. Oh, and one guitar. Yeah, I know. I don’t think he understood the question.
There is something else I know about your smartphone. If it is running Android software and apps then there is a 90% likelihood that it is carrying malware – malicious software which should not be there. If it is an iPhone running iOS then that’s up to an 80% likelihood. That’s malware of which you will be entirely unaware, and unlikely to affect your usage of the device at all. It is sitting there quietly, waiting until the phone is plugged into something else, when it will execute and infect whatever machine it has been offered.
That machine might be a laptop, or desktop PC, or perhaps the ECDIS, because someone was low on battery We have all come to rely on our smartphones, laptops and constant access to the Internet to help us run our lives. Yet how safe are we, sitting quietly behind our screens? The answer might be rather alarming and needed to charge up their phone quickly. Or maybe that laptop in the engine control room, which was delivered by the manufacturer to run the main engine under strict instructions that it must never be connected to the Internet. A laptop, therefore, with absolutely no virus protection or firewall that, being the only open computer on the vessel, has been surreptitiously hooked-up to the FleetBroadband so that the crew can get online.
Password-protected?
I also know that there’s a 60-70% likelihood that the password you use both for your personal devices and the corporate network onboard will be the same, and that the password in question has an 80- 90% likelihood of being either weak, default or quite easily guessable. If a little brute-force cracking doesn’t work, then I know exactly where to go next to check out the kind of personal, intimate details about you and your friends and family that will allow me to fashion a very plausible email.
Where do I go for that? Facebook, which I know is the number one social media site for seafarers accessed by around 79% of you while you’re at sea. The email, when it arrives, won’t come from me. It might come from someone in your IT support unit ashore telling you that they think that someone has been trying to use your login to access the network, but they know it can’t be you because HR say you’re at sea. It might correctly identify the name of the vessel and its next port of call, and ask for your login credentials in order to investigate. And I know that there is a 70%+ likelihood that you will supply them.
But you might not. On the off-chance that you’re one of the 30% who decides to dig a little further, recognises a spelling mistake in the company name in the email address or just gets a little suspicious, that’s still not a problem for our hacker. Financially motivated cyber crime is a US$1 trillion+ per year industry and it can be very random. Not always, though. Sometimes, individuals are carefully targeted because they have access to systems or privileges which others don’t.
Navigation officers onboard ship have access to systems which could be crippled — or not — in return for a ransom. The good news, or bad news depending upon your perspective, is that according to our survey, seafarers have above average technology skills and competence — you guys are pretty savvy. So you’re likely to make the hacker’s job harder. But not that much harder.
Risky recruiting
For the first time in 2015, LinkedIn appeared as a favourite job search site for deck officers, according to our data. Even if you’re happy where you are, there’s no harm in connecting with a recruiter on LinkedIn who is advertising the kind of jobs you might be interested in, paying a bit more money. When that recruiter asks you to contact him directly by email to discuss opportunities, you will. Then, when he sends you a positions-listing sheet encouraging you to take a look and let him know whether you’re interested in being put forward, you will click on the attached document, download it, and read it. There’s no harm in that, right? Other than the fact that the recruiter is me, and contained within the document is malware which, when opened will begin beaconing to an external IP address that will allow me to install a PHP reverse shell on your system, search, collect, change or remove sensitive data or access systems at will.
Sound unlikely? I’ve been reliably informed by one connectivity provider that the volume of unauthorised traffic over its network — that is malware beaconing IP addresses from ship’s networks all over the world — is so great that it’s beginning to cause network issues. To the extent that the provider is contacting its customers and trying to help them root out the malware in their systems.
This would tend to bear out our survey findings, because 43% of you reported that you had sailed on a vessel which had become infected with a virus or malware. Yet 88% of you claim never to have received any advice or training around cyber security or hygiene.
There are a lot of numbers here. For most cyber criminals, it’s a numbers game. Every single one of the scenarios I have outlined above has taken place on a ship or shore-based office. The guy who plugged his phone into the ECDIS was responsible for malware wiping every single electronic chart on the vessel.
Unlike the majority of seafarers, people who run shipping companies, and particularly shipping associations, are often far from technology-savvy. They have failed to understand that technology dependence leads to cyber risk and have not adequately addressed the issue at board level in the same way they would address any other type of risk. It is a risk to you because their networks and their vessels are your home and hold a wide range of data about you. For example, the data on your phone alone right now is worth around $14,000 to a cyber criminal.
The truth is that attackers no longer target infrastructure, they target people. So if you are one of the thousands of seafarers who have been given no cyber hygiene support, training or advice then I suggest you ask for it – or seek it out.
There’s one other thing I know about you. Properly trained and resourced, you are a line of defence more solid and impregnable than all the firewalls and privileges your IT department can muster. I know that. The cyber criminals know that. No.w you know it too.
We have all come to rely on our smartphones, laptops and constant access to the Internet to help us run our lives. Yet how safe are we, sitting quietly behind our screens? The answer might be rather alarming
43% OF YOU REPORTED THAT YOU HAD SAILED ON A VESSEL WHICH HAD BECOME INFECTED WITH A VIRUS OR MALWARE
PROPERLY TRAINED AND RESOURCED, YOU ARE A LINE OF DEFENCE STRONGER THAN ALL THE FIREWALLS AND PRIVILEGES YOUR IT DEPARTMENT CAN MUSTER
Author: K. D. Adamson, Futurenautics Futurenautics’ Crew Connectivity Survey can be viewed as a PDF online at www.futurenautics.com