Another beautiful day in the Mediterranean and life is good, ain’t it? The sun is dancing off the water, which has settled upon a simply magnificent shade of blue. The view from the yacht is, per usual, stunning and the wind feels like a cool salty hug. Why, is that a mimosa? Don’t mind if you do. But then, up in the wheelhouse, the captain begins to notice something is off. The equipment has frozen, just kind of stopped responding. Weird. The boat’s never done this before. It’s almost like the navigation has a mind of its own. Very weird indeed.
And then, a message appears on the ship’s computers, informing the captain of something along these lines: You no longer have control over your ship. We have hacked into your navigation system and set you on course to run aground, which we intend to stay unless you make a ransom payment. Oh, and we prefer Bitcoin. Pretty please.
What now? Call their bluff? Kill the engines and wait for help?
Wait. Whoever sent that message knows your GPS coordinates, and maybe they’re on their way right now to ask for that money in person. These aren’t American waters. Who knows how long help might take? Right. Perhaps it’s best just to just eat the 100 grand, get back to shore and ask questions later.
This might all sound a bit James Bond-ish and it is, admittedly, a rare scenario in the yachting world. Nearly, being the key word there. The above scenario actually did happen (though perhaps sans mimosa) according to one South Florida-based yacht industry professional with more than a decade of experience. He spoke to Fort Lauderdale Magazine on the condition of anonymity and did not wish to disclose identifying details of the yacht in question, but this was just one of several instances of cybercrime he has been familiar with in recent years. The examples described ranged from intercepted wire transfers to hackers remotely turning on a yacht and trying to sail it away from the dock unmanned (it was tied down, thankfully).
There was a time when sailing out to sea was about escape. Pick a blue spot on the map and you were untethered, free to find brighter horizons and grow a long, wispy white beard. Maybe start a feud with a whale along the way. Punch a tuna. Who knows? You could lie about what happened out there and get away with it too, because when you left that dock, you also left behind the world and its endless conversation.
Alas, today your average big boat is only a button away from dry land and few marine vessels demonstrate this desire for connectivity as clearly as the modern yacht, which—unless you want it to get made fun of by the other yachts—needs high-speed WiFi, LTE broadband, and 4K HD satellite TV. It’s both a luxury and a practicality. These boats carry important cargo in the form of powerful businessmen, lounging celebrities, and discreet politicians—all of whom might need to send an important email or wire a few hundred grand back to the mainland while floating in the Med or Caribbean.
Such technology has consequences, though, and one such consequence has been the rise of maritime cybercrime. It stretches wide in scope and severity. When it strikes, it can be a mosquito bite or it can be a sledgehammer.
Maybe a digital mooch strolling the docks uses a boat’s unsecured WiFi network to watch Youtube videos. Not so bad, right? But what if that same unsecured network is invaded by a hacker who wants to seize control of the boat’s navigation system and steer it into the nearest inanimate object?
“Once you start putting navigation data over the airwaves,” says Steve Spitzer, the Director of Standards for the National Marine Electronics Association, “it’s susceptible.”
“Hacking ships is easy”
At the 2017 Superyacht Investor London conference, the demonstration that grabbed the most headlines came courtesy of cybercrime expert Campbell Murray. In less time than it takes your average pizza delivery, he claimed to have hacked into a nearby yacht. “We had control of the satellite communications. We had control of the telephone system, the Wi-Fi, the navigation… And we could wipe the data to erase any evidence of what we had done,” Murray told The Guardian after the demonstration.
The susceptibilities he exposed weren’t exactly news to the marine industry. The topic of ocean-dwelling cybercrime has gotten coverage from high-profile outlets like CNN and BBC. In an article from 2014, Reuters warned the sea could be “the next hacker playground.” Commercial ships have fallen victim to high-profile hacks before too. Last year global shipping giant Maersk admitted to losing millions in a cyberattack that forced it to temporarily shut down some of its port terminals.
Nonetheless, Murray and warnings from experts like him have sent a jolt through the yachting community, who didn’t expect for this threat to board their ships quite so soon.
“I’d say it’s becoming more of a problem than it’s ever been as more and more boats get equipped with cellular and satellite internet systems on board,” says Brian Kane, the chief technology officer at Fort Lauderdale-based GOST, a maritime security company. GOST specializes in security systems for yachts, which have generally come in the form of alarms, on-board surveillance, and GPS tracking in the event a boat is stolen from its dock. Most of their services protect against theft in the physical sense, but Kane says he began to notice cybersecurity incidents happening on yachts around 2008 “in regards to obvious things like making sure that your Wi-Fi on board is properly secured.” Today, Kane admits awareness in the industry still isn’t where it ought to be. “The clients are generally not asking for it as much as they should.”
The lack of common-sense cybersecurity measures taken by boats of all sizes tends to be striking. Last year, an anonymous online hacker who goes by the digital pseudonym x0rz made news for using a public ship-tracking website to find boats with open networks. X0rz gained access to one because it was still using the default username and password of “admin” and “1234,” respectively. “Hacking ships is easy,” x0rz tweeted out with a winky face emoji.
Even yachts with decently secured networks can suffer the consequences of an indiscreet crew. These boats often have full-time staff onboard to help run things. A deckhand ashore—especially after a few beers—might let slip some sensitive information or not think twice about sharing a Wi-Fi password with a flustered passerby. If one of them clicks on a malicious link in an email, that can be all a hacker needs to gain access to the entire ship. “I tell all our clients, one easy way to avoid these issues is to make sure you have intelligent crew management systems. These boats have 10, 20 crew members and they all want to be connected and it’s tough to know what they’re doing online.” A simple geotagged social media post can tip off hackers to the whereabouts of a ship carrying high-profile clientele. A good hacker can do a lot with that information.
“Let’s say a yacht owner is going from the Med to Florida,” Steve Spitzer says. “And over some sort of satellite receiver and transmitter, they send their data to their home port. And suddenly a hacker has all that data. Now somebody knows exactly when, where, and what they’re routing.” From there, the severity of the situation depends on the intentions of the hacker. “You can go all the way to the extreme that somebody could attempt to steal that yacht and take whatever they want or, if it’s a business, somebody could have ransomware.”
Real world examples of yacht hacking can be very disparate like that, which makes it a bit difficult to conceptualize and explain to potential victims. How do you defend against an attack that can come from any direction and assume multiple forms? It’s tough—but it’s becoming a question too important to ignore.
One yacht industry professional with over a decade of experience, who spoke to Fort Lauderdale Magazine under the condition of anonymity, described coming across several instances of yacht hacking in their career. Two of those instances were pricey examples of a wire transfer gone wrong. During the sale of a yacht, one party went to wire the payment to the other but it was intercepted and redirected by a hacker who had already gained access to the system and, just like that, six figures vanishes. The same thing happened with a party looking to charter a yacht.
The other scenario was a bit scarier. The industry professional described a yacht at sea that had its control system seized, at which point hackers threatened to “drive it into a reef” unless a ransom payment was made. These situations often leave their victims confused and unsure of how to proceed. “Everyone turns to each other and asks: Who’s fixing this?” the industry professional says. “And no one really knows.”
Fighting the Pirates
The marine industry is not taking all this lying down. Defensive walls are being fortified throughout the marine tech industry by companies both big and small.
KVH Industries is one of those (big) companies responsible for outfitting boats with satellite communications including mobile TV, internet, LTE broadband and more (they’re responsible for those little white domes you see atop most yachts). The majority of their clientele are larger commercial ships, but about 35 percent of their customers consist of leisure vessels and superyachts.
“Cybercrime in general has been a growing need over the past several years,” says Jill Connors, the media relations and industry analyst manager for KVH. “Whether it’s a container ship or a superyacht out in the middle of the ocean, they need to stay connected.”
KVH has a lot at stake in this fight. They currently have more than 8,000 satellite communications antennas on boats around the world. In June of this year, KVH rolled out a six-level cybersecurity initiative, which sought to strengthen its own network as well as educate an industry in desperate need. They produced a new training video on basic cybersecurity and distributed it to clients free of charge. The 26-minute video touches on simple prevention (don’t have your login credentials written on your computer) and response (tell your boss if you think you may have just given a hacker access to your network, even if the phishing email you fell for is a tad embarrassing).
“If a yacht captain thinks that something is going on with their vessel, we also have a cybersecurity response team to help that captain figure out what’s going on and how to stop it,” Connors says. “We found that the worst thing people can do is kind of pretend that nothing happened for a while, because it’s only going to get worse.”
Steve Spitzer and the National Marine Electronics Association are currently at work on developing a new industry standard for marine network communications called the OneNet. “We’ll have a robust security built in to the very beginning of it,” Spitzer says. OneNet will demand a stricter authentication from its users, requiring extra steps to ensure the person using the system is who they say they are. He likens some of OneNet’s new security standards to the measures already in place with many online banking websites (you may need to verify your identity via email or phone before you’re allowed to proceed).
If all this extra security does fail to stop a determined hacker – which is entirely possible, by the way – victims still may be able to turn to people like John Jarvie, insurance broker and vice president at Fort Lauderdale’s Oversea Yacht Insurance. “We’ve been on top of this cyber thing for a while now,” Jarvie says. “We saw this happen to a variety of different businesses and knew it would probably wiggle its way into yachting.” Sure enough, he was right. Now one of Jarvie’s priorities is to develop comprehensive insurance plans to ensure protection from hacking in all its multiple forms.
“Over the last couple of years we’ve started to see incidents where these private yachts are getting hacked. It started to happen for a couple of boats, then it got real serious and we thought, well, shoot, what do we need to do to not only make others aware, but to try to protect people from this in the future?”
That seems to be the common refrain from the yacht industry across the board: looking towards the future.
“We’re not only in a connected world. In a few years, we will be in a hyper-connected world for just about everything and anything,”Spitzer says. “If we take a snapshot right now, I don’t know whether or not yacht owners are concerned about cybersecurity. If they’re concerned about cybersecurity in their home networks, they should be concerned about security on their yachts because it’s going to be an open system where, if they’re not secured, there will be those malicious actors out there who try to get in and do anything.”
Defenses must become more robust as technology seeps into every aspect of yachts.
“Now it seems every year these boats come more and more technology driven,” Jarvie says, “not just in some of the computer systems and map systems, but everything talks to each other. The wheelhouse talks to the engine room. The engine room talks to the kitchen. The kitchen talks to the laptop. Everything is communication.”
And it’s a safe bet to assume that someone, somewhere is trying to listen in.