New yacht models, including IoT devices with routers and switches, can be hacked, like any other device with an Internet connection. According to security researcher Stephan Gerling at the cybersecurity summit in Cancun, Mexico, modern yachts have many vulnerabilities that can potentially be exploited by intruders, such as an onboard router with an unprotected FTP protocol.
As explained by the expert, the yacht’s on-board network there can be a device for tracking vessels, an automatic identification system, autopilot, GPS-receivers, radar, cameras, depth sensors, engine monitoring and monitoring systems and much more. Because these functions are connected to a network that can be controlled by an external device, such as a smartphone or tablet, an attacker can crack the device data and gain control of the vessel.
As part of the presentation, Gerling opened the yacht management application (the yacht model and the router are not opened) on the tablet, phone and on the computer, and then connected to the router and downloaded the XML file containing the router configuration. The researcher managed to obtain the credentials of the router, the SSID of the Wi-Fi network, and also the password. According to the expert, since the file is transmitted over an unsafe FTP protocol, it can be easily intercepted by hackers, after which attackers can fully control the router and network.
In addition, an account with superuser rights, created by developers, probably for remote technical support, was discovered in the operating system of the router.
After Gerling’s presentation at the summit, the yacht manufacturer, whose software was used, issued a fix that eliminated some of the listed security concerns. The patch changed the FTP protocol of the yacht router to SSH, but the account with superuser rights was not fixed.