Expert insight: Inside the secret world of superyacht hacking
by Miranda Blazeby
Tales of successfully hacked superyachts are be hard to come by. Owners are reluctant to recount personal experiences of loss to hackers and their keyboards. As Tony Gee, associate partner at cyber security firm Pen Test Partners says, “There is very little proper knowledge about yachts being attacked.” But this doesn’t mean it isn’t happening.
Gee, along with Malcolm Taylor, director of cyber security at ITC Secure, has opened up about what causes a yacht to become compromised. Such incidents, they say, are the result of a trailing industry “playing catch up” with shrewd hackers and slack cyber security. Both say it is a growing problem. “There are industries that are ahead on this issue and the nautical industry is not one of them,” says Taylor. Gee agrees, branding the business “massively behind” on matters of security. “There is maybe a handful of people out there who have got a view on this issue,” Gee says, “but basically no-one is looking at security on superyachts.”
The yachting community’s approach to the tech revolution of the last 25 years bears significant blame. As the internet has saturated more and more of our lives, the priority of owners and builders has largely been to transfer the latest tech on to superyachts. Cyber security has been left by the wayside, according to Taylor. “The demand was for performance and somewhere in the middle of that, the notion that we need to worry about security was lost,” he says. “We’re much more capable than we are secure and there’s a big gap between those two things.”
Newly launched superyachts carry a plethora of cutting-edge tech, from the standard staples of Wi-Fi, smart TVs and audio systems, to connected lighting, drones, smart mirrors and virtual concierges akin to Amazon's Alexa that can even place orders with the yacht's chef. "The problem is that much of this technology is very vulnerable. There are a lot of ways for it to be attacked," Gee says.
Gee highlights one website Shodan.io, which allows users to search for other people's devices online. It can also be used to search for satellite communication systems and, Gee warns, “more and more people" are using it to find the communication systems of superyachts. Speaking at BOAT International’s Superyacht Design Symposium in January, Gee demonstrated how easy it is to log into the satellite communication systems of a yacht live onstage. He revealed it is even possible to hack into the navigational system of a yacht and re-write its location, tricking the yacht into thinking it is somewhere else.
However, Taylor says such an incident is "extremely unlikely.” Instead, he argues that cyber criminals are targeting superyachts for instant financial gain. “Some hackers are motivated by ideological reasons but for most cyber criminals, it’s how they make their living – they want money."
Taylor, who is brought in to aid and advise hacking victims on asset recovery, can recall many instances of owners who “lost seven figures” through phishing fraud. In one such case, the captain of a yacht received an email asking for a $100,000 fuel payment. The only thing that made it different from the fuel company’s previous emails was its request to pay the money into a different account. “The hackers made the email look exactly the same as previous ones,” Taylor explains. Caught unaware, the crew made the transaction to the false account, losing $100,000. Phishing emails like these are common, Taylor says, and successful when operated by skilled hackers. “They make the emails look like they’ve come from the right person and the right place.”
In the most extreme occasion he recalls, an owner was defrauded of $11 million in one transaction. But this was not your typical phishing email. After hacking the yacht’s systems, the criminals carried out a drawn-out period of communication surveillance, gaining access to negotiation conversations between the owner and a broker. “The hackers realised that the owner was preparing to buy something. When the price had been agreed, they sent a confirmation email asking for the money to be paid into a bank account,” Taylor explains. “The individual at that time was expecting such an email and he paid the money.”
Taylor also reports cases of sensitive business documents being stolen. Another owner had “very personal photos” taken. “The hackers began asking for money to send them back and threatened to publish if they didn’t get it.” For every one of Taylor’s stories, countless others remain untold. “The thing about cyber-attacks is that the ones you hear about are the tip of the iceberg because people just don’t want to admit it.”
Sloppy security on board can be traced back to two parties, Gee and Taylor agree; the owner and the captain, but there is a tendency for each one to shirk the responsibility onto the other. “The captain has a responsibility to ensure the technology is kept up to date and maintained but they may not think that’s their problem,” Gee said. For a yacht to have watertight security, both parties need to take responsibility. “Captains should care about cyber security on board and owners need to understand how secure their yacht is.” Simple rules, such as ensuring the captain keeps a clean USB for navigational purposes, which is locked away after use, could dramatically reduce a yacht’s vulnerability, the pair say. Greater importance should also be placed on training crew to deal with such situations. “Something that owners, yards and yacht management companies could certainly improve on is training the crew,” Taylor says. “They’re the ones dealing with the emails, they’re the ones on the front line.”
Experts’ tips for owners
- Ask the captain when the satcom and navigation systems were last updated
- Regularly audit charter yachts for rouge systems and devices
- Seek training for captains and crew on good security practices
- Seek assurances that smart devices cannot interact with safety critical systems
Experts’ tips for captains
- Change default passwords for all systems
- Test on board systems for issues
- Train your crew on good security practice such as where they can charge their devices and what they can do with them while they are on the yacht
- Ensure maintenance windows for updates are allowed