Our 360 Maritime Security team attended Monaco Yacht Show 2019 last month and conducted cyber testing whilst manning the stands. Cyber experts conducted basic passive tests to gain a high-level view of the quality of Wi-Fi security controls implemented on yachts, as well as a review of the security posture of the show itself.
Whilst wireless is only a small component of a yacht’s security, it can be visible to people nearby. Potential attackers will be attracted to vessels that appear ‘less secured’ than others.
The team did not carry out any intrusive or in-depth testing of the kind they would perform under a formal penetration testing engagement. However, by passively monitoring the airwaves they were able to gain information about the security controls onboard.
Owners, Captains, Crew and Management were invited to our live hacking demonstration on Friday and Saturday of MYS2019, which demonstrated how quickly we could gain complete uncontrolled access to multiple types of wireless, control and CCTV networks on various yachts.
Using practical examples, our Cyber team explained the best methods for reviewing and securing existing networks onboard, demonstrating the ease of use and immediate benefit of our decoy and deception system. By luring attackers into connecting to a fake system, it acts as an early warning of a cyber-attack. Technology improvements can often take several months to implement on a vessel due to the approval and testing process. A deception system gets around this delay because it requires no changes to the existing systems, whilst giving you an immediate level of visibility and an indication of a positive breach.
The tests were split into 2 sections:
1. A review of the Wi-Fi and visible security systems protecting owners, crew, guests and automation, designed to highlight whether there are any obvious flaws that would allow unauthorised access.
2. Deployment of a fake deception system on the show Wi-Fi, with enhanced monitoring of security activity, designed to highlight whether anyone is running security reconnaissance and attempting to hack systems at the show.
The team only conducted passive scans of the airwaves: no active scans were conducted that would have required approval. However, it does raise the question: would anyone have noticed? The only time the team was challenged during the demonstration period was when we openly walked around the show with a device that looked like a TV antenna (see image below).
Security scanning and assessments were performed covertly from a device the size of a mobile phone hidden in a pocket. It would be expected that onboard cyber monitoring would pick up suspicious behaviour, not just identify a threat when a 2-foot antenna is pointed towards a vessel.
Prior to this, our team performed penetration tests at the London Olympics. Again unattended and unchallenged, a ‘hacking laptop’ was placed in full view, blatantly evaluating the security of the yachts and Wi-Fi in Canary Wharf.
Privacy impact: The goal behind the analysis was to gain a quick view of the general protection levels on ships in the area and their typical security posture. The test team did not target any specific vessel, and no specific data or screenshots are included, as they contained information that may lead to the identification of a vessel, its onboard systems, crew or owner.