Credit where it's due
"a password that Pen Test Partners cracked in 10 minutes"
If it took 10 minutes, that does at least imply the password wasn't "admin".
A software suite intended to let merchant ships’ crews digitally communicate with the world ashore was riddled with security vulnerabilities including undocumented admin accounts with hardcoded passwords and widespread use of Adobe Flash. Infosec consultancy Pen Test Partners said it took all of 90 minutes to discover enough …
Password repetition timeouts are really useful too. Many people are also amazed to discover most DBs include user access management which can prevent the wrong people doing the wrong things without too much difficulty.
"Sorry, you can't do that unless you come into the office and sit at this PC"!
I am not bothered by the fact that multi-million dollar floating transport behemoths can be taken over by miscreants. If the owner of the ship doesn't care, it's no skin off my back.
When they have had several ships wrecked because of malware or outright network takeovers, then they'll pay attention and the problem will go away.
Until then, it's not a problem.
I doubt that detonation would really matter at all that much, far too much trouble compared to the impact and the difficulty. It all comes down to fear and disruption, as in money (to clean up the mess). It would be much more effective and easier to just sail a large transport ship at high speed* deliberately into docks and other vessels damaging them and leaving a very large wreck (navigational hazard) in the way at the same time.
* relatively high speed, but even a few knots for something with the mass of these is a lot of collision energy.
"Until then, it's not a problem."
It is if, like me, you live close to an area where ships in trouble are taken, i.e. tankers leaking oil or on fire, crews holed up in secure areas because of suspected piracy and so on.
Just because you live away from any potential damage does not make it of no consequence which is what you are asserting.
"I'm alright Jack!"
No, it sounds like fairly standard software development by developers who have been made to add security features with little or no support from management to provide the required InfoSec background.
As someone who has been on that journey, it doesn't matter how good a developer you are, writing good security code is hard, because it is a totally different mindset. For example, most developers are good at testing and finding bugs, but bugs don't actively morph to try and break your system. Security vulnerabilities do. However good you think your security solution is, there is a vast amount of talent out there trying to actively prove you wrong.
"We don't let anyone work on creating a crypto system until they have 'earned their bones' by spending a decade breaking them." That excluded me.
I ventured, "Not many people have that experience."
"Indeed. It makes our job so much easier" he replied with a smile.
I recall a movie ('Hackers') in which a company was being threatened with a virus that would cause ships at sea to capsize, etc. etc. by flooding ballast tanks on one side of the ship and pumping dry the ballast on the other side.
So someone had at least thought up this particular 'ship-related' scenario. I'm surprised that employees of the company making the insecure ship software (apparently) never watched that movie, or at the very least paid attention to what science fiction authors foresee as a possible scenario. The movie has Angelina Jolie in it, after all... so you'd think it'd be popular amongst techno-geek engineering types!
Seriously, though, if Hollywood can predict a scenario where ships at sea (or oil rigs) being cracked into can result in extortion or terrorist plots being carried out, then software companies need to at least hire people with a mindset of watching "hacker-related" movies, if for no other reason than to get a perspective on what people that write books and movies THINK can happen, and at least prevent THOSE things from happening I.R.L.
Seriously as bad as IOT except they're multi-ton ships at sea with valuable cargo and/or potentially environmentally threatening cargo, and not just some light bulb being flashed on/off remotely (as a prank for the lulz).
The problem with ship security is that originally it wasn't much of an issue. Ships would generally not be connected to the internet, so the only way to hack them was to be physically located on the ship, which took away much of the fun of destroying it. Satellite bandwidth was expensive and used primarily for voice communication.
Then satellite broadband came, prices dropped, and companies came up with the great idea that they could monitor their fleets around the world in real time. So they added connection boxes to their systems to grab diagnostics etc. Problem is, with the lifespan of a ship being upwards of 30 years, none of the kit they were connecting to was in any way cyber secure, and it is too expensive to rip it out and start again.
"Too expensive" is an interesting term when the cargo routinely exceeds a billion dollars in valuation.
Put the new equipment in a container. Make certain that container is accessible. Add the maintenance guys to the crew. You don't even have to take the ship out of service.
Is taken care of by not letting unauthorized people board your ship, and having a high quality lock on the door to the room where this comm system lived. Sometimes physical security is more important than software security. I think this is probably one of those times.